WOMEN IN SECURITY MAGAZINE – ISSUE 12 – JANUARY • FEBRUARY 2023
www.womeninsecuritymagazine.com

WHETHER AS A SIDE HUSTLE OR NEW CAREER, IT TURNS OUT HACKING DOES PAY (P10)
IN CYBERSECURITY, IT’S BELLUM ROMANUM, OR NOTHING (P108)
AFTER A YEAR OF THE GREAT RESIGNATION, MAKE 2023 YOUR YEAR OF GREAT REINVENTION (P82)
TECHNICAL SECURITY RESEARCH – A REWARDING PROFESSION (P134)
FROM THE PUBLISHER
Cybersecurity offers more ways to Get Rich Quick than ever – but not all of them involve money

Hackathons. Bug bounties. Recruitment. The Great Resignation. And, if you’re less morally inclined, COVID scams. Hacking. Ransomware.

What do all these things have in common? They are all ways to Get Rich Quick in cybersecurity. Or are they?

I have never believed, nor will I, that there are any ways to Get Rich Quick. When I was working in sales, I used to get told that if you sell more, you will earn more. But they never mentioned that you would also get taxed more, which makes working harder a double-edged sword.

‘Buy property’, others said – but then the market crashed.

Now, it seems the only surefire way for many people to Get Rich Quick is by becoming a scammer – but to be honest, is there really any Get Rich Quick scheme that doesn’t include some kind of scam? There certainly have been a lot of people taking this approach throughout the pandemic – exploiting the upheaval to make a quick buck any way they can.

Thankfully, you don’t have to bend your morals or risk a SWAT team breaking down your door to make more money: thanks to the Great Resignation, there are more ways to Get Rich Quick out there than ever before.

Never before, I would suggest, has it been easier for skilled cybersecurity specialists to all but name their price. Cybersecurity was in growing demand before the Medibank and Optus hacks, but in their wake companies are absolutely desperate to avoid becoming the next casualty.

Companies are more desperate to fill skills gaps – and to improve their diversity, equity and inclusion (DEI) credentials – than ever before. That means high six figures, perks, bonuses – even for those who are fresh out of uni and might have been looked over in the past because they lacked the right skills.

What money cannot do, however, is to compensate for experience. No matter how much you’re paid, you also need to ensure that you’re giving value to your employer – so make sure you put in the hours, attend the seminars, and keep pushing yourself with online courses and certifications.

Getting rich quick, and staying that way, are two different things – so here are my six biggest tips about how you can get rich in cybersecurity, and ensure that you can build a career that has real longevity.

1. If I was in cybersecurity and had amazing insights and knowledge, and had a lot of industry experience or a good story to tell, I would become a cybersecurity event speaker. Not only can you make a lot of money once people start paying you, but it’s a great way to get noticed. Especially given the explosion of webinars and the return to in-person events, the event market is screaming out for great security speakers – especially women, as the organisers try to meet their commitments under the Champions of Change Panel Pledge. Once you get over your stage fright, the exposure itself will be extremely valuable – and it will come with the chance to make a lot of money, whether through subsequent opportunities or by networking with people who can take your career to the next step.

2. Upskill. There are many roles to be filled within a cybersecurity team, so why limit your growth potential? Cybersecurity is basically a blue-sky field at the moment, so you can take your career in whatever direction you want with the confidence that there will be demand for your skills. So, why not diversify your skillset – which will in turn put you in a position to make more money and excel in your career for the long term.

3. If you’re someone that knows how to hack computers and do vulnerability assessments, you may want to consider doing freelance work. Platforms like BugCrowd and HackerOne make this pretty easy, and with new companies signing up every day you will never be bored. Additionally, you can look for individual bug bounty programs, run by big companies such as PayPal, Sony, Apple, and Facebook. Bug bounties are a fun way to test your skills, while learning and earning at the same time. The best part is that, in most cases, the harder the bounty, the more you’re paid. Not to mention, some of the biggest companies are paying bug hunters to help them locate flaws in their software. Just be sure you track the time you spend, and do regular head checks against the hourly rate you might otherwise be earning.

4. Become a freelance security specialist. Smaller organizations may not have the budget to build out an entire in-house security team. That’s where you come in as a contracted specialist. In the vast majority of cases, you’ll work remotely and, as the expert, will be in the driver’s seat. This will give you a chance to learn a lot, put your skills to the test, and negotiate your pay.

5. Create an online course. Websites like Udemy and SkillShare make it very easy to create and sell online courses. There are loads of cybersecurity topics available, and you can easily choose one that has a high demand and create a course around it. The quickest way to earn money, though, is to look for the topics that the students are looking for that have a low number of courses – then tap into that niche if you have knowledge on that topic.

6. Create a course for identity theft. No, not how to do it – but how to deal with it. There has never been more awareness of the risks of identity theft, or concern that a lack of knowledge about how to deal with it has left us all exposed. A lot of companies and individuals would truly value this course – and it would genuinely help people to prepare for an eventuality that could affect any of us at any time.

My personal Get Rich Quick story for 2022 has not been about money, but more about momentum, knowledge, leadership, and true value delivered from an amazing community.

I’ve put ticks next to key missions I’m truly passionate about, while helping others along the way. And the more individuals I can help just by picking up the phone and talking with them, and steering them in the right direction – the better it gets.

Helping promote mentoring, address online bullying, and getting students in front of potential employers – providing help and insight to others is a core mission for me, and it is the way that I gauge the success of my Get Rich Quick agenda.

I truly value this community – especially those standout individuals who are really trying to help, with no ulterior motive other than to make the world a better place. To those people, I thank you: Bonnie Butlin, Matt Tett, Craig Ford, Mandy Turner, Laura Lees, Sai Honig, Tash Bettridge, Jacqui Loustau, Kate Monckton, Elaine Muir, Nicole Stephensen, Yasmin London – you, and the many people like you, are where the real true value lies. And whether it happens quickly or takes time, this kind of work is making us all richer for the long term.

Abigail Swabey
PUBLISHER, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312
aby@source2create.com.au
CONTENTS

CAREER PERSPECTIVES
From the publisher 2
Whether as a side hustle or new career, it turns out hacking does pay 10
Column: Get-rich-quick crypto scams 14
What’s her journey? Kao Hansell 16, Melanie Truscott 18, Belinda Stewart 20, Kylie Watson 22, Lisa Ventura 30, Jenna Salvesen 32, Rachael Greaves 35, Catherine Dawson 38, Johanna Williamson 40, Dr Fauzia Idrees Abro 43, Holly Wright 44, Martina Saldi 46, Farah Chamseddine 48, Reshmi Hariharan 50, Orly Schejter 52
A first CISO, three times over 24
Talent board 54
Cyber is not your get-rich-quick option 62
How I am richer from being a combat radio operator in the Australian Army Reserves 64
Guidelines for security students and early careers 66
Why I became a cybersecurity expert 72
Transitioning to cybersecurity after 12 years in finance 74
From marketing to cyber security, changing career through recruitment 76
The uncomfortable truth 79
After a year of the great resignation, make 2023 your year of great reinvention 82
Job board 86
Don’t get poor fast! 90

INDUSTRY PERSPECTIVES
When cybersecurity fails, material risk grows 92
AWSN end of year wrap-up 94
Engagement with an impersonator 100
How to have a career that is rich in experience and professional fulfillment 104
Balancing risk and productivity in a hybrid world 106
In cybersecurity, it’s Bellum Romanum, or nothing 108
The value of higher education in cybersecurity 110
Taking a proactive approach to cybersecurity 114
The many challenges of managing risk and resilience 116
World Data Exchange (WDX): empowering the voices of its female team to encourage others 120

TECHNOLOGY PERSPECTIVES
BISO – no that is not a typo 126
Identity proofing, identity verification and fraud prevention 131
Technical security research – a rewarding profession 134
Different perspectives 136
Incident response competition 141

STUDENT IN SECURITY SPOTLIGHT
Savannah Dockerty 146, Roshni Bedi 148, Sheida Sabeti 151, Tshering Wangmo 152, Saman Fatima 154, Eleni Lykopandis 156

NEWS
Department of Regional NSW deploys parental leave support platform
ATSE issues dire warning on STEM skills shortage

The Learning Hub 186
Turn it up 188
Off the shelf 190

FOUNDER & EDITOR Abigail Swabey
ADVERTISING Abigail Swabey, Charlie-Mae Baker, Misty Bland
JOURNALISTS David Braue, Stuart Corner
SUB-EDITOR Stuart Corner
DESIGNER Rachel Lee
Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com).
AWSN is the official partner of Women in Security Magazine
©Copyright 2022 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
FEATURE
WHETHER AS A SIDE HUSTLE OR NEW CAREER, IT TURNS OUT HACKING DOES PAY
by David Braue
Bug bounty programs are helping more and more women hack for a living

A decade ago, the idea of encouraging hackers from around the world to pressure-test your systems would have seemed ridiculous: security, after all, was something you managed internally to keep them out of your network.

Fast-forward a decade, and the continuous compromise of businesses and data has forced security managers’ hands. As corporations continue to pile onto the crowdsourced security bandwagon, demand is surging – and hackers around the world are finding that the model offers a very real way to turn a hobby into a living.

Particularly this year – when the background noise of massive cyber compromises has become deafening – ‘bug bounty’ programs are being embraced by corporations and government bodies: the South Australian Department of Premier and Cabinet, for example, recently launched a bug bounty program as part of an effort to improve its overall cybersecurity posture.

That state’s move to embrace crowdsourced testing of its environments seems to have been driven by cold hard reality: that the government simply does not have enough resources of its own to continuously test and remediate its security posture.

Fully 234 of that state government’s departments had reportedly not been penetration-tested in the previous three years – far too long in a climate of rising cybercrime and increasingly problematic compromises.

Facing similar pressures, organisations as varied as Monash University, Origin Energy, Google, the Swiss National Cyber Security Centre, and the US Department of Defense have all launched bug bounty programs to tap the world’s latent market of hacking talent without going through the headaches of trying to recruit their own staff.

“Crowdsourcing allows you to negate the attacker advantage, because people have the same mindsets and skills and tools that attackers have,” Justin Kestelyn, head of product marketing with Bugcrowd, said in explaining the phenomenon that has helped the Sydney startup – along with rival firm HackerOne – dominate the explosive market for managing bug bounty programs for corporate clients.

“If you’re on defence all the time, it’s very difficult to anticipate what an attacker might do,” he continued. But by using a bug bounty program to attract financially motivated hackers from near and far, Kestelyn said, it becomes much easier to get on the front foot.

“You’re viewing your own environment through the mind and lens of an attacker,” he continued, “which is a huge advantage. It’s much easier to be proactive, because you can find flaws and vulnerabilities in your code and products and external facing assets, before attackers find them.”

BECAUSE THAT’S WHERE THE MONEY IS
The market for managed bug bounties is expected to explode from $US223.1 million in 2020 to $US5.5 billion by 2027 – increasing by half annually – as businesses increasingly recognise that they can’t hold back the tide of cybercriminal activity on their own. Internal DevOps teams are building connections with the bug bounty hunters – for whom the rewards can be significant.

Continued support from large online brands suggests the support of a global, crowdsourced security team is well worth the payouts. Apple’s bug bounty program, for one, is said to have paid out over $28.9 million ($US20m) in bounties in less than three years, and anecdotal reports suggest that discovery of a moderately significant bug can generate the equivalent of a month’s salary or more.

One researcher, for example, secured a $14,400 ($US10,000) bounty from GitHub. Shopify recently boosted its maximum payout for a critical bug, doubling it to as much as $A144,000 ($US100,000).

With hundreds of bug bounty programs on offer – Bugcrowd, for one, maintains a long list of opportunities for bug bounty hunters – there is no lack of options for profit-minded security researchers with enough time to put into their research.

Bounty hunters aren’t stabbing in the dark anymore, either: client organisations often provide guidance for outsourced security testers. Uber, for example – which launched its HackerOne program with bounties of up to $21,000 ($US15,000) for critical vulnerabilities – outlines what parts of its network it wants tested and what types of bugs it considers most valuable.

There may be money available even when the target does not offer a bug bounty program: after finding a bug in the network of content distribution network Akamai but learning that it doesn’t offer bounties, two Italian security researchers secured over $A66,000 ($US46,000) in bounties from its customers – including $US25,200 from PayPal, $14,875 from Airbnb, $5000 from Whitejar, and others.

Lack of financial reward hasn’t proven an obstacle to the runaway success of the Vulnerability Disclosure Program (VDP) within the US Department of Defense’s Cyber Crime Center (DC3), which has generated more than 43,000 reports and over 23,000 remediations since it was launched in 2016.

Despite offering no financial rewards, the program has attracted over 3600 security researchers from around the world, VDP director Melissa Vice told a recent HackerOne webinar in which she said DC3 is “really dedicated to the research community”.

Far from operating in the shadows, program participants are actively engaged as part of a community: DC3, Vice said, runs regular outreach including recognising security researchers of the month and researcher of the year.

The diversity of participants “gives a varied approach to looking at our vulnerabilities,” Vice said. “We send them a little swag package as an appreciation from the DoD for their hard work and effort.”

The program is now seen as so valuable within the department that the VDP’s scope was recently expanded 10,000-fold to include all publicly-accessible DoD information systems and networks – increasing the scope of the program from 2400 potential targets to 24 million.

Rather than being paid money, researchers earn reputation points that are tracked on a leaderboard. Researchers can request redacted versions of their reports and publicise them.

“It really gives us that good middle ground where we can tie in that global researcher community to the buttoned-up world of the DoD,” Vice said. “We each get benefit. It’s very reciprocal. And while it’s such a large surface and no organisation can patch everything all the time, having that extra layer of defence is important.”

DON’T QUIT YOUR DAY JOB JUST YET
Bug bounties have become strategically important for companies of all sizes – and a critical way of helping compensate for recalcitrant cybersecurity skills gaps that are proving extremely difficult to overcome. They’re also a particularly beneficial way for women to spread their wings in the cybersecurity industry, since bug bounty programs are based entirely on outputs – and the hours are inherently flexible enough to accommodate any lifestyle. Got some time on your hands? Probe some systems and you might score a solid payout. Chat forums are rife with stories of bug bounty hunters regularly earning healthy annual salaries on the back of five, six, and seven-figure payouts for finding significant vulnerabilities.

Yet does that mean you should quit your day job and become a freelance bug hunter? Not necessarily. For all the headlines about major payouts, far more vulnerabilities are classified at the lower end of the scale – and hard-earned finds end up paying just a few hundred dollars.

That’s money, certainly – but it’s important to consider how much time goes into finding those vulnerabilities.

The skills required to participate in such programs have a very high market value, and your hourly rate for a vulnerability find can shrink quickly if it requires many hours’ work to find and properly document new bugs.

It’s also important to remember that many reported bugs go absolutely nowhere – meaning your hourly rate will effectively be zero, and that your time would have been better spent servicing a conventional contract at a fixed rate per hour.

On the positive side, however, participating in the programs is a great way to build your practical hacking skills with the support – and protection from prosecution – that lets you really go after targets in a way that most hackers would never risk doing anonymously.

For companies worried about the security of their supply chain partners, engaging those firms in a bug bounty program could be particularly valuable – helping identify potential showstoppers that often provide lateral movement across supply chains that leads to compromises affecting every member of those networks. By running repeated testing programs over time – then pairing them with consistent methodologies that evaluate the results and point out areas needing further improvement – bug bounty programs can become an invaluable part of the DevOps cycle, while helping businesses improve the security posture of key partners and suppliers.

“If they say they don’t know the answers to these questions, or they say they haven’t had any vulnerabilities reported at all, that might be a red flag,” notes Kayla Underkoffler, senior security technologist with HackerOne, who highlighted the platform’s integration with enterprise security tools like SecurityScorecard as a way of measuring progress towards goals such as helping secure widely used open source components.

“Questions around operational metrics will ensure their vulnerability disclosure program is not just an endless black hole email address, but a high functioning program. We want everyone to take on the challenge of securing their open source software dependencies through the collective power” of the hacking community.
COLUMN
AMANDA-JANE TURNER
Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities. This regular column will explore various aspects of cybercrime in an easy-to-understand manner to help everyone become more cyber safe.

Get-rich-quick crypto scams

Ever since the invention of Bitcoin there have been people keen to get rich from the latest cryptocurrency offerings. In pursuit of their goals they have developed a new type of investment scam that uses get-rich-quick schemes based on cryptocurrencies as bait. In one common cryptocurrency scam criminals advertise on social media using likenesses of celebrities, claiming the celebrity’s endorsement of the investment company or crypto trader. To convince potential victims these criminals might create websites that appear to be genuine investment platforms or sites that refer to a new type of cryptocurrency.

Another type of get-rich-quick crypto scam is referred to as a ‘rug pull’ because the criminal pulls the rug from under investors, leaving them with useless crypto tokens. To do this the criminal might invent a new type of cryptocurrency complete with fake whitepapers, spurious research and fake celebrity endorsement. They may artificially inflate the value of their currency by putting their own funds into it and, once the currency has gained other investors, appears sound and is increasing in value, the criminal cashes out by selling their crypto tokens, leaving the currency valueless.

These crypto investment scams are portrayed as a new and exciting use of technology that offers a large return from a small investment with minimal effort. The criminals are cashing in on investors’ fear of missing out and the temptation to get rich quick, but the only people getting rich quick from these crypto scams are the criminals.

PROTECT YOURSELF FROM THESE SCAMS
• If you are interested in investing in cryptocurrency, do your own research using trustworthy sources to determine if the currency is being audited by a reputable company.
• An advertisement on social media or via unsolicited email for a cryptocurrency investment scheme or a new cryptocurrency using the image and endorsement of a celebrity is likely to be a scam, beware!
• If an offer to invest in a new cryptocurrency appears to be too good to be true, it probably is, regardless of research claims, celebrity endorsement or seemingly authentic white papers.
• Make sure the website you are visiting is legitimate and has been created by a genuine trader or investment expert.
• Beware of URLs that have been created to resemble genuine addresses but are operated by criminals.

In Australia report cybercrime via https://www.cyber.gov.au/acsc/report. In another country, report it to your local police or through the relevant cybercrime reporting mechanism. Fraud such as investment scams can also be reported in Australia to Scamwatch: https://www.scamwatch.gov.au/report-a-scam

Cybercrime is big business – learn from the past and stay safe.

www.linkedin.com/in/amandajane1
www.demystifycyber.com.au
WHAT’S HER JOURNEY?

Kao Hansell, Cyber Security Advisor at Digital Resilience

Kao Hansell’s entry into the world of cybersecurity was unplanned and almost instantaneous. Looking to change careers and with an eye on becoming a programmer, she was researching courses at TAFE SA when she came across details of an information session on a new cybersecurity course (Certificate IV in Cyber Security, Information Technology) scheduled to take place just two hours hence.

“I got changed, jumped on a train to the city, was blown away by what I heard and decided that I was going to try cyber instead of programming, which was a great decision,” she says. “I enrolled the next morning and started to surf the web for articles and information on what exactly I was getting myself into.”

Her current position—cyber security advisor at Digital Resilience—also happened by chance. “I was still very much trying to figure out where I wanted to be, what was my place and what I enjoyed. Then the current opportunity arose, and it was like the right place at the right time,” Kao says.

That opportunity came about through a chance meeting with Digital Resilience’s founder and managing director, Paul Dewsnap. “He took a chance after meeting me and has helped steer my career down the path it is currently on,” she says. “Between him and the team at Digital Resilience I have been able to progress so much.”

Since then she has gone on to gain seven LinkedIn Learning certifications, and cites “constantly learning” as one of the most rewarding aspects of her role. “I am a lifelong learner and currently my role is supplying me with a constant stream of new information. On top of that is knowing I am, in my own way, helping people.” However, her career journey has not been all plain sailing. It began with being set on the wrong course by her school career advisor.

Looking back, she would tell her last-year-of-school self “ignore the career advisor and go into IT.” Had she followed her inclination she says she would be a very different person and would have enjoyed her work time much more, but acknowledges that her experience in customer facing jobs improved her interpersonal skills.

And, Kao says, her own experience demonstrates that cybersecurity would benefit by attracting more people with experience in other disciplines. “Bringing people in from other industries has led to new perspectives and new ways to solve problems … and the greater our abilities to protect what matters becomes.”

IMPOSTER SYNDROME STRIKES
“It has been challenging trying to absorb all the information. There is so much happening so fast, and I need to learn on the fly,” she says. “While my studies, past and present, have been helpful, what I have learnt in industry has been amazing. There have been times I have doubted my choices. Imposter syndrome can be a heavy burden when things get tough or stressful.

“I like to do my best with whatever I push into, so it has left me questioning if I am actually good enough to be doing what I am doing, or am I going to let down those who have given me my opportunity.”

And Kao is not done with study: she has set her sights on ISACA entry level certifications. “These include the cybersecurity fundamentals and the IT risk fundamentals. After that likely sec+ and then I will play it by ear.”

Looking forward, Kao says taking on a higher level or more specialised role could be good, but is conscious that there could be a downside. “Moving up or into something more specialised is great, but if it leads to me burning out and not having time to recharge not only will I suffer but my work will as well. Value is not always monetary in nature.”

And she notes that employee burnout is a danger to employers as well as employees. “Insider threat is going to become more of an issue in the post-COVID era. We are going to be seeing more people become burnt out and disgruntled.”

Insider threats are not the only cloud Kao sees on the horizon. “Things that are very likely to happen are that ransomware will increase, data exfiltration is going to get worse before it gets better and cyber insurance is going to become more difficult to maintain.”

www.linkedin.com/in/kao-hansell
Melanie Truscott Executive Director, Engagement & Communication at CyberCX
M
elanie Truscott is not a cybersecurity
To address mental wellness issues at CyberCX
practitioner but nevertheless plays
Truscott works with a number of organisations,
a key role in cybersecurity: looking
including cybermindz, an Australian organisation
after the health and wellbeing of
founded by Peter Coroneos, former long-time CEO of
cybersecurity professionals as
the Australian Internet Industry Association. It claims
executive director, communication and engagement
to operate the world’s first mental health support
with CyberCX.
program dedicated to cybersecurity professionals.
The company is one of the largest providers of
And while CyberCX might have over 1000
cybersecurity services across Australia and New
cybersecurity professionals, that description, Truscott
Zealand, with a workforce of more than1,100.
says, belies the diversity of the workforce and the
Truscott says her contribution—which also includes
challenges this diversity presents.
reward, recognition and diversity—is “to create the employee experience so that cybersecurity
CHALLENGES OF A DIVERSE WORKFORCE
practitioners can perform at their best.” Looking after
“You’re not managing a group of homogenous
employee health and wellbeing is the most rewarding
workers. You’re managing subsets of cultures and
aspect of her role.
workgroups that have different needs. It’s also these needs, or traits, of different work groups that make
“It’s been long understood that cybersecurity
it super interesting and rewarding, once you get your
professionals are under sustained stress that impacts
head around it.”
their emotional and cognitive health,” she says. “While burnout and stress are not unique to cybersecurity,
A proxy of this diversity, Truscott says, is the wide
we see the negative effects far too often. Add the
range of company-branded merchandise CyberCX
impacts of extensive COVID lockdowns in recent
offers its staff. “We provide everything from
years and it’s meant that mental wellness has gone
custom-made cufflinks through to corporate polo
from being a cornerstone of our health and wellbeing
shirts, through to original artwork hoodies. That
program to the key focus.”
really speaks to the range of roles and the need to understand what works for each group.”
WHAT'S HER JOURNEY?

She adds: "This means engaging directly and building an environment of trust where people will give you honest feedback (which is sometimes challenging to hear) and showing vulnerability by being willing to change or course correct."

Truscott came to her role at CyberCX after working in a similar role in which cybersecurity staff comprised only a portion of her personnel responsibilities. "I saw the growing importance of cybersecurity in the way we do business, how the government interacts with citizens, how our major infrastructure and economy operates. Having the opportunity to work with a pure cybersecurity organisation focused on securing our communities was an opportunity I couldn't let pass me by."

SURPRISING EMPLOYEE CONCERNS

Truscott says she does not need to stay up to date on technical advancements in cybersecurity but must nevertheless be attuned to a wide range of issues to spot anything that can impact CyberCX's employees and customers. "This means keeping an eye on news feeds, social media and, importantly, just engaging and talking with people around you. Sometimes what you really need to know is what is getting the attention of your employees. It's not always the issues you think it might be. There's always some surprises."

And, says Truscott, such surprises demand a pragmatic approach to her day-to-day activities. "A 'typical' day means balancing the needs of competing priorities, understanding the issues that need urgent attention because they're the important issues that are going to impact our employees and customers. Being adaptable and agile is the name of the game, and accepting you may reach the end of the day without having made a start on what you set out to work on today."

From her—non-technical—perspective, Truscott sees the skills shortage as being critical in the near term to the region's ability to manage threats to economy and society. "This will mean attracting talent from non-traditional sources. This will also contribute to improving the diversity of the industry as we build a workforce as diverse as the community we work to secure."

And for anyone hankering after a career in cybersecurity but lacking confidence in their ability to master the technology, Truscott has some reassuring words. "We need people who are good at problem-solving; who have natural curiosity and enjoy the challenge of finding solutions; who understand that collaboration and working together deliver stronger outcomes and, overall, who have a desire to do work that matters. If that sounds like you, we can teach you all the technical skills you need."

www.linkedin.com/in/melanie-truscott-8004892
Belinda Stewart
Business Engagement Manager at Paypac Payroll Services Pty Ltd

Belinda Stewart is Business Engagement Manager at Paypac Payroll Services and a director of Digital Service Providers Australia New Zealand (DSPANZ), formerly the Australian Business Software Industry Association.

She has worked most of her career in the payroll industry—she has been with Paypac for almost 20 years—and says handling sensitive personal data, implementing ISO 27001 (the international standard for information security management systems) and following her interest led her into a cybersecurity role through what seemed like a natural progression.

"It wasn't what I set out to do. However I have a great interest in this area and, working in a compliance space, I found a lot of my skills were highly transposable," she says. "There is always room for growth and learning. In a constantly changing environment you will always be busy with new challenges.

"I find skills I have in other areas of business have allowed me to have a well-rounded view and see things from the perspective of an end user as well as a senior management level to understand how controls can be put in place and work effectively."

Stewart says she has always placed great value on keeping employees' personal details safe and on the importance of privacy and security around this. So her transition into cybersecurity was a natural progression.

IMPROVING CLIENTS' SECURITY

"I spend most of my time on compliance in the software development space, delivering client solutions for their workforce management, keeping up to date with what is happening in the industry and striving to continually improve our security posture. The favourite part of my role currently is working with clients to provide solutions to streamline their business processes and keep them compliant."

And she expects the challenges of compliance to become greater in the near future, citing consent around personal data and giving individuals greater visibility into how their personal data is being shared and used as likely developments. "This would open the door for improved and streamlined business processes with greater availability of trusted data and integration of systems even for the smallest of businesses."
NO REGRETS

Her current role is far from the one she envisaged for herself as a teenager—a career in health science—but she has no regrets. "I have found since my career has steered more into this space over the past couple of years, I have really enjoyed the challenges presented and it has given me a new area of interest to pursue. I need to be continually learning and develop my knowledge base to have job satisfaction and working in the cyber space has certainly provided that."

As a director of DSPANZ, Stewart says she works with her peers at the forefront of business software and application development on both sides of the Tasman. "We work collaboratively with government agencies and the business software industry on major policies and projects that require technology-led solutions and change to business to business or business to government processes.

"By far the biggest benefit would be the shared knowledge and expertise in the business software development space. Through this platform we see great results in government and industry working together to deliver better policy and user experience outcomes."

SINGLE TOUCH PAYROLL CHALLENGES

Stewart is also heavily involved in the rollout of Single Touch Payroll Phase 2. This is a federal government initiative that the ATO claims will reduce the reporting burden for employers. However it will require them to report the individual components that make up an employee's pay, and all providers of payroll software are making significant changes to their products to meet its requirements.

With all these roles, it is perhaps no surprise Stewart finds time management, task prioritisation and keeping up to date with compliance issues to be her biggest challenges.

How does she maintain a good work/life balance? That, she says, is the million dollar question. "It's always a juggle as a working mother of two primary school aged children. There is no one size fits all approach. For me, the most important thing right now is flexibility in the workplace to allow me to do my role effectively and still be available and present for my children."

www.linkedin.com/in/belinda-stewart-c-p-s-27956076

THE WOMEN IN SECURITY AWARDS ALUMNI SERIES
Source2Create will be running a free seven-event series roadshow around Australia, hosted by Yasmin London, showcasing the Australian Women in Security Awards cohort and industry experts and discussing topics to propel our industry forward. Reach out to us today for sponsorship opportunities.
Kylie Watson
Lead Client Partner, National Security and Defence at IBM

Kylie Watson is Lead Client Partner, National Security and Defence with IBM. It is a role to which she neither aspired nor envisaged herself holding. It was at another company in her earlier career, when she was looking after a data analytics practice and not envisaging getting into cybersecurity, that she discovered the need for it.

"A lot of data issue root cause analyses were coming up as password issues, data breaches and unusual activity in systems, and ended up being hacks," she recalls.

"We engaged a security engineer to help us investigate these further and were introduced to the world of cybersecurity. I was fascinated by the fact that a hacker could lurk in a system for a while and not be picked up straightaway, so I decided to learn more about cybersecurity. I asked a million questions of my team and we grew a practice with a cybersecurity capability to assist our data team."

Watson says she then realised she needed to go back to university "to fully understand the compliance and legal frameworks." So she went to study for, and gain, a Graduate Certificate in Cyber Security and Data Analytics from the University of New England. However she continues to be dogged by her pre-cybersecurity career history: she cites the most challenging aspect of her role as being "a lot of people automatically assume I'm not technical because I didn't start my career where they did on the networks and in IT many years ago."

ADVICE FOR CYBERSECURITY NEWBIES

That experience informs her advice to anyone making the transition into cybersecurity from another industry. "Those that are deeply technical may initially view you with distrust. Be patient. Listen to them. Trust them. Find out what they like to do. Treat them as human and not a machine. Make sure you get to know everyone and speak to the quiet person in the corner as they will be super valuable for you to know."

Her other major challenges would be common to most cybersecurity professionals: "Needing to keep up with everything all the time and cyber attacks coming at us thick and fast."

While it may have been the security threats to data under her care that drove Watson into cybersecurity, she is very specific about the most significant single influence on her career to date: the 2020 attack on software company SolarWinds, described as "one of the biggest cybersecurity breaches of the 21st century." She says it "blended my engineering and water background with my cybersecurity career. I really felt I 'got it' and was able to help my clients through those difficult times."

From Watson's perspective the most significant development in cybersecurity over the next two years is not a security challenge per se, but its significance has been amply demonstrated by recent cybersecurity failures. "Organisations will need to learn how to effectively communicate with stakeholders when there's been a cyber attack involving citizen/customer data and will need to get used to the new regulations."

A BUSY DAY

She says a typical day includes "Discussions with clients end-to-end including advisory on quantum security, identity and access management strengthening and policies, discussing best ways to replace firewalls, overseeing hybrid cloud migrations, and running implementations such as integrating information between the protected and secret environments in national security," along with "Various project team calls on financials and governance, lots of admin, coaching people when it gets tough and feeding people on overnight releases."

And, in addition, "reading the news, doing certifications, reading journals, watching the legislative changes and discussions closely and actively following people on LinkedIn."

To maintain a good work/life balance with so many commitments, Watson says she has combined her personal and work calendars and colour coded each of them. "I also make sure I block out time for bathroom breaks and set reminders to eat, and I only do work events twice a week outside of working hours."

MAJOR CONCERNS

And while ransom-raising appears to have been the motivation behind recent high-profile attacks—most notably those on Optus and Medibank—Watson says she is more worried about rising geopolitical tensions and nation state cyber attacks. Another issue on her mind is the need for, and the importance of, getting more women into cybersecurity. "There are not enough women. We need more!" she says. "We also need to actively put in place programs to keep women and to raise awareness of unconscious bias."

If she were to look for another role an important consideration for Watson would be "How many women are in the team, how are they treated, and is there a dedicated campaign to increase diversity?"

She would also tell her last-year-of-school self to "encourage as many of your female friends as possible to consider technology as a valid career."

Meanwhile, her current role at IBM keeps her very busy, but is very rewarding. "I have an amazing team of people around me who banded together during Covid. We all got to know each other quite well in this difficult time. I love that we can be immersed in something very urgent and complex and next thing we are able to say something that makes everyone erupt into laughter."

www.linkedin.com/in/kylietechsociologist
FEATURE

A FIRST CISO, THREE TIMES OVER by Stuart Corner

Writing in the previous edition of Australian Women in Security in the wake of the massive Optus and Medibank data breaches, Simon Carabetta asked what these organisations were doing to support their cybersecurity staff caught up in these traumatic events. (People culture builds resilience, page 60).

So I asked Lena Smart, CISO of global developer data platform company MongoDB, if she thought organisations in general did enough to look after the mental health of security staff, what recommendations she would make for doing so, and what she was doing at MongoDB. The answer to that last question—which also answered the second question—was, a lot. Her initiatives include "tabletop exercises, because I want my team to experience what it's like to be hacked without being hacked" and "many programs to choose from provided by our HR department."

However she acknowledges exercises are no substitute for reality, so she encourages her staff to talk to individuals whose identity has been compromised and has brought in cybersecurity professionals who have been at the forefront of a cyber attack to give talks to her team. One made a particularly strong impression.

"One guy said it was so visceral when he realised what had happened, everything just narrowed and he threw up in a bucket. My team just looked at me and went, 'wow!'"

The tabletop exercises and playbooks, she says, have an important role in preparing security staff to cope with such a situation. "As long as you know what your role is, and you've done your role play properly, you have nothing to worry about, just keep doing what you're doing. That's why we have playbooks. That's why we go through these playbooks, to try and normalise the situation as much as possible."

TIME OFF IS TRACKED

Smart's concern for the mental health of her staff extends beyond crisis situations. "I'm very cognizant of how much time people take off," she says. "I get a report every month on what time off people are taking, and I will chase them if they haven't taken off enough time. I've threatened to cut people's access if they're checking Slack when they're on vacation. My point is, if you've built a strong enough team, then you don't need to worry about going on vacation. You should look forward to it and come back refreshed. Because if you're on vacation, and you're checking email every day, it's not a vacation, you're just in a different location."

Smart was appointed MongoDB's first CISO in 2019 and oversees a team of about 60 people, about a third of whom are in governance, risk and compliance roles. Being the first CISO meant she was able to build a team of her choice from the ground up. However, she says starting with a blank slate brings its own challenges.

"My guidance for someone who wants to build a team from scratch for a company that maybe does not have a CISO is to work out what you're trying to secure. The first thing I did when I started at MongoDB was to meet with the business unit heads, and ask 'What's your most important asset, your crown jewels? Is it your data? Is it your people? Is it all of the above?' Obviously, people are your number one asset. But at the end of the day, MongoDB is a data platform. So we are securing customer data. So that's the crown jewels. So, where is that data? Who has access to it? Why do they have access to it? That's how you start."

DRINKING FROM A FIREHOSE

CISOs in such a situation, she says, often become overwhelmed by the scale of the task in front of them. "I've seen this happen a few times with folks I have mentored externally. They will start the new role and it's like drinking from a firehose. They need everything today. They are going to change the world. They are going to have this massive team, and they are going to be so successful. That's not going to happen.

"You need to pick two or three things you know you can do well and that are going to be positively impactful, like identifying your crown jewels, identifying who has access to them, making them secure. Then going on to look at your policies that will help maintain that security, looking at governance, risk and compliance and expanding that. And wrapped around all this is what do your customers—internal and external—want? What do your innovators want? What do your developers want? You need to be listening 99 percent of the time."

Smart was born in the UK, grew up in Scotland, obtained certification from once dominant networking company Novell (at its peak, Novell NetWare had a 63 percent share of the market for network operating systems) and spent several years travelling the world building networks. She then moved to the US and got a job on the help desk of the New York Power Authority (NYPA), which became her entrée into cybersecurity.

She progressed to a network management role which brought her into contact with network security issues. "One of the first security conferences I went to they were talking about hacking the grid. I thought that was interesting, so I went to my boss, and said, 'I think people are going to try and hack the power grid.' He said: 'Why on earth would they do that? There'd be no power.'"

FIRST STEP INTO CYBERSECURITY

Undeterred by his attitude, Smart installed a firewall into the NYPA network. That was the first step on a journey that led her to becoming NYPA's first CISO.

"I thought, if this box can stop all these bad things happening, I need to learn more about security, and I just dropped into it. My boss, the CIO, said, 'You seem to be interested in this, you should go into security, you can be our security person.' So I was made manager of security. And then I became director of security.

"So I got promoted and I was building the team. Then he said, 'I think we need a CISO.' So, about 10 years ago, I was made the first CISO of the New York Power Authority. I think that's when people started to take security seriously, when they saw there was somebody in the C suite responsible for security."

Smart is now into her third role as a company's inaugural CISO—prior to joining MongoDB she was the first CISO of financial company TradeWeb Markets—and at MongoDB she says the intent was to have one person responsible for security reporting directly to the board. She reports to the CFO, who is also the COO, and has her own quarterly meetings with the MongoDB board.

She is also responsible for governance, risk and compliance and business continuity and has just taken on responsibility for physical security, in effect becoming CSO rather than CISO, a trend she says is increasingly evident in the US.

THE POWER OF SECURITY CHAMPIONS

Smart has a team of over 60 people, about a third of whom are in governance, risk and compliance, physical security and business continuity, but she is also supported by what she says is "a really large security champions program, which very much helps with our diversification program".

The program has more than 100 members, a third identifying as female, and all volunteers. "They are people interested in learning more about security within their own niche world. And they are basically the voice of security within their team," Smart explains.

"The program helps in many ways, but one of the major ways is with diversity, because we can point to that group. It also helps as a feeder into my team. We've had seven people transfer from their existing role into cybersecurity or governance, risk and compliance through the champions program.

"I think having programs where you can touch hundreds of people at one time with a culture of security is really important. And we are setting up the systems to help people who want to move into cybersecurity who might not have the chance otherwise.

"And it's a two-way street. We have weekly meetings. We have movie nights. We have hackathons. We have competitions, where they get to go to DEFCON and Blackhat. … And they'll come to us and say hey, we think this would be a really good phishing exercise for my team, because so-and-so is talking a lot about Christmas. So let's do a phishing exercise on Christmas.

"And they will come to us with some really good ideas in terms of toolsets that we could be looking at, or changing the culture of security or training. There's so many different things that we look at as a result of this championship program. It is just great."

NEVER TAKE 'NO' FOR AN ANSWER

Drawing on her experiences, Smart's foremost piece of advice to anyone embarking on a cybersecurity career is to never take no for an answer without a fight. "One of the first things I tell all the youngsters in my group is, 'if people are telling you 'no', ask them why.' I've seen so many careers stop dead because people have been told 'you can't do that'. And usually it's by other people who don't want them to get ahead.

"So, if someone says you can't do something, question them. Just ask them, 'Why don't you want me to do that? Is there a reason?' Don't be rude about it. Don't be insubordinate, ask your supervisor if you need guidance on it, but don't take no for an answer."

And, beyond this, she says: "If somebody wants to move into a cybersecurity career, don't get too caught up on all of the different qualifications you can get. I'm seeing people interview for my team who have specifically gone and done a degree in computer science and then they're trying to do a master's in cybersecurity. But their knowledge is about two years old. I'm sure the universities are working to rectify that, but it's difficult trying to get a schedule together that's relevant and timely, especially in security."

Smart says she is much more interested in people with an innate sense of curiosity who will explore cybersecurity issues, driven primarily by that curiosity. "Someone who went out, downloaded Shodan, found as many internet-facing power companies as they could, notified the power company CISOs, did their due diligence, wrote it up in a blog and posted it. I would rather hire someone who did that than someone who spent four years at university."

CYBERSECURITY AT MIT SLOAN

In addition to her CISO roles, Smart was a founding member of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, now Cybersecurity at MIT Sloan, headquartered in the MIT Sloan School of Management. It enables security leaders in academia and the private sector to collaborate on tackling the most challenging security issues.

Smart says it could help Australia tackle its very challenging and high-profile cybersecurity issue: large scale exfiltration of sensitive personal information. "You've got some of the smartest people in the world at MIT. And this group brings these folks together and will hand them a problem."

A classic example, she says, was how the group analysed the 2007 attack on US retail chain TJ Maxx. Hackers stole data from at least 45.7 million credit and debit cards of shoppers in what was then thought to have been the largest ever loss of personal data.

"The people at MIT went back and looked at what certain people in the company had said in emails about their investment in security and why they weren't spending money on a certain area. And then they were able to map all this to show how they got hacked. And they did it in such a way that was mathematically proven. They had charts everywhere so you could see all these different things that were happening in timelines. And that sparked so much debate. (A ppt presentation of the analysis was published in 2014).

"I think it would be great if Australia set up their own group that allows you to get into a room with folks who have experienced stuff like this and how they dealt with it."
Lisa Ventura
Founder – Cyber Security Unity

Lisa Ventura is nothing if not ambitious. Her goal, she says, is to "build a global community in cybersecurity consisting of all the key membership organisations, government bodies and community groups, collaborating to help combat the growing cyber threat."

And she has already created a vehicle to realise that goal: Cyber Security Unity, a metamorphosis from an organisation she formed earlier, The UK Cyber Security Organisation, which she set up after spotting a gap in the UK market for a cybersecurity trade organisation.

Ventura says she created Cyber Security Unity to "bring all the great work being done in the industry together under one roof and to foster greater collaboration in the industry which has traditionally been missing to date."

According to its website Cyber Security Unity is "a new global community … to help unite the industry and combat the growing cyber threat." It promises to "hold regular networking meetings and events where the cyber security industry can come together to talk about the latest threats, key trends and topics that every cyber security professional should know about."

Ventura got into cybersecurity in 2009 when she joined Titania, a cybersecurity software development company founded by her then husband. It was a big transition from her previous role in the entertainment industry, working with the host of the TV program Who Wants to be a Millionaire.

"I have always had a strong interest in psychology and how the minds of cyber criminals work, ie what drives them to do what they do and to hack into systems," Ventura explains. "My ex-husband was a pen tester who undertook work for the likes of the Ministry of Defence and the UK Government, but he couldn't tell me much about what he did as he was bound by the Official Secrets Act. His work always fascinated me. So when I had the opportunity in 2009 to join the cybersecurity software development company he founded, Titania Ltd, I jumped at the chance to do so, and I never looked back."

A VERY PUBLIC CYBERSECURITY PROFESSIONAL

Forming Cyber Security Unity is only one of Ventura's very public cybersecurity achievements. She is also the author of three books focussed on the experience of working in cybersecurity.

"In 2020 I had an idea to compile a book called The Rise of the Cyber Women which featured lived experiences of women who had transitioned into cybersecurity from completely different industries and roles. I wanted to inspire the next generation to consider a career in cybersecurity."

She says the book was so successful she released a second volume in 2021 and followed that with The Varied Origins of the Cyber Men in 2022. "Reading the various accounts from those like me was incredibly inspiring and showed me that anyone can move into cyber security whatever their background."

Ventura posts regularly on the Cyber Security Unity website and social media channels "to raise as much awareness as possible about the growing cyber threat and the importance of staying safe online, particularly for small businesses and SMEs who don't think they have to have cybersecurity on their radar until they are breached, and by then it is often too late."

Given these various initiatives it is hardly surprising that Ventura describes herself as "an awareness raiser, campaigner and community builder through and through," and participates in multiple industry organisations. "I am a member of SASIG, and Cyber Security Unity works closely with many other industry bodies including CIISEC, the Cyber Scheme and CREST to name but a few," she says.

However Ventura also continues to build her cybersecurity skills and has recently signed up to complete the (ISC)² Certified in Cybersecurity certification. Its online self-paced training and exams are being offered free to the first million people entering cybersecurity for the first time under (ISC)²'s global initiative, One Million Certified in Cybersecurity.

Underpinning her achievements, Ventura cites James Bore, head of cybersecurity training company Bores Consultancy, as one of her most significant influences. "He has been a huge help to me. He acts almost as an unofficial mentor to help me achieve my goals in the industry and is very supportive of the work I do."

www.linkedin.com/in/lisasventura
twitter.com/cybergeekgirl
www.csu.org.uk
Jenna Salvesen, Manager - Advanced Security Centre at EY

Jenna Salvesen had a nonconforming journey into cybersecurity. Starting at EY as an Executive Assistant, she is a pioneer in the technical world: breaking barriers, challenging prejudice and successfully paving a new pathway into the offensive security sector of cyber, proving that with determination and perseverance you can create a successful career in one of the most highly technical areas of cyber. She now manages one of the largest teams of penetration testers in the Advanced Security Centre at EY.

As an Executive Assistant Jenna supported two leaders of the cybersecurity team. “I was bright-eyed and bushy-tailed and ready to learn anything that was thrown at me. The more I began to learn about cyber, the more the fascination grew, and the more I wanted to know. Everything from building cyber road maps to facilitating threat intelligence simulations. I couldn’t believe I had not discovered this industry earlier. Once I had, I knew it was something I had to be a part of, especially offensive security and red teaming.”

With the full support of the cyber leader at EY, she dedicated herself to self-study and on-the-job learning to build a solid foundation in cybersecurity that enabled her to move across to the cybersecurity team.

“It was during this time mapping out my transition that I became aware of a newly-created role in the Advanced Security Centre (ASC), the offensive security team, which is a sub-team within the cybersecurity practice specialising in red teaming and penetration testing,” she recalls.

“This team never had a non-penetration testing role before. It was such a rare opportunity. I knew it was exactly what I wanted to do, and where I wanted to be. I approached the leaders of the Sydney team to learn more about the role and express my interest.”

DRIVEN BY DETERMINATION

Jenna went further than expressing her interest. “I was so excited and so determined to get this role, I basically didn’t take no for an answer,” she recalls. “I knew I had the skills they needed to really do the job well and had so much to contribute to make their high-performing team even better, and I wanted to learn everything about the world of offensive security from the inside out.”
WHAT’S HER JOURNEY?
This, she says, marked the turning point and launch pad of her career into cybersecurity. She had joined EY in 2015 and made the transition in 2017, working her way up through roles as consultant and senior consultant to Manager, the role she holds today in the centre. She says it is a career path largely self-created.

“I had a clear vision of the role I wanted, and I was a woman on a mission. As my role was the first of its kind in my team, the role itself and the career progression pathway were not predefined. It took a combination of leveraging my current skillset against the needs of the team and our clients, an immense amount of on-the-job and self-study learning and a lot of resilience to break down barriers and challenge the cookie-cutter mould to create my own pathway and continually reinvent my role to be what myself and the team never knew they needed.”

Her determination culminated in her first red team engagement, one that enabled her to combine her innate soft skills with the technical knowledge she had gained: a red team engagement that succeeded in breaching the client’s physical and cyber security.

SUCCESSFUL RED TEAM EXERCISE

“It came after five years of experience in the team and the blood, sweat and tears of determination in building those skills,” she says. “I had built up my technical knowledge to combine with my existing skillset to qualify for the opportunity to be put on a red team engagement.

“I naturally have a strong EQ and I’m a big people person. I love conversation and building rapport with people and am good at quick thinking on my feet. The engagement was a complete success, achieving every objective given by the client, such as persistent access to the building by cloning staff security cards, remote access to their internal network, even physical access into their server room. Achieving this and proving to myself that I could do it will always be one of my greatest career highlights.”

To build the cybersecurity knowledge needed to reach her goals, she completed a full-time cybersecurity course at The University of Sydney which had a major focus on the technical aspects of cybersecurity. It was a night course consisting of classes in the evenings and assignments completed on the weekends, which enabled her to accomplish this whilst also working full time. Other instructional sources that helped her included Security+, The Web Application Hacker’s Handbook, PortSwigger—developer of the Burp Suite web application security testing software, which also offers free online web security training—and Hack The Box.

STUDY WITH PURPOSE

Jenna is a big believer in studying with purpose: finding courses, certifications or learning materials that will specifically fill the gaps and get her to where she wants to be. But she adds, “On the job training and experience are also priceless, where you learn the bulk of the necessities, and more than you realise. The secret is to find your true interest and passion, look at the skills you have and find the courses or learning opportunities that are going to give you the skills you need to complete your skillset, and find leaders who will support you in your endeavours for success in the role you want to be in.”

In her current role at EY, and in addition to her internal management responsibilities, she manages two major client accounts, running two streams of pentesting engagements for both: a periodical, business-as-usual pentesting program and a projects pentesting program.

“The periodical program is a predetermined list of critical applications that are required to be end-to-end tested annually, mainly to meet regulatory compliance requirements,” she says. “The projects program is the organisation-wide pipeline of applications that require pentesting before they release brand new applications, or updates, changes or new implementations to existing applications. Between the two clients, on average, I run upwards of 200 pentests per year.
“My day to day consists of running these pentest engagements on the ground with our team of testers from the beginning—initial contact with stakeholders—to scoping, getting them started, gathering and testing entry criteria, overseeing fieldwork, providing QA on the final reports, to the close-out meetings with our clients.”

Her role as a Manager is “chaotic by nature”, she says, as it involves “troubleshooting issues and crisis management, both internally and on the client side when unexpected problems arise in current pentest engagements.” On a higher level she also meets with major client account stakeholders to plan future programs of work, strategise and continually improve pentest programs, as well as managing the financial engagement lifecycle and the account as a whole.

The role and her team also give back: she says the most rewarding part is “the learning opportunities and the experiences I get to have within my team. It is one of the most challenging teams I’ve been a part of and requires you to be out of your comfort zone more than you are in it, as it pushes you to continually learn complex technical concepts and be humbled by the infinite amount of information there is to possibly learn. With this comes a great sense of achievement as you look back and realise just how much you have learned time and time again, and with that learning and experience comes privileges and opportunities that wouldn’t be possible without it.”

She encourages everyone to “be bold and take the leap out of your comfort zone and into challenges. Although it might be daunting, it’s the only way you will prove to yourself the great things you are capable of!”

www.linkedin.com/in/jennasalvesen
Rachael Greaves, Chief Executive Officer at Castlepoint Systems

If you are prone to pessimism and fearful of the future, do not listen to Rachael Greaves, CEO and cofounder of cybersecurity company Castlepoint Systems. Her view of the future in cybersecurity is dismal in the extreme: a ‘post-privacy’ world in which compromise of personal information will be the norm.

“We can expect all our personal information to be compromised,” she says. “We can’t use security questions anymore. We can’t use mobile phone two-factor authentication. Anyone still doing that will be targeted (successfully) by what have previously been fairly inept actors. The low-motivation, low-capability bad guys will increasingly be stealing our money and secrets, because it will become trivial for them to do so.”

Meanwhile, sophisticated threat actors in this post-privacy world will be able to compromise almost anyone. “For every soldier, leader or government official they will know where their kids go to school, what compromising experiences they have had and what financial pressure they are under. They will find many levers to create trusted insiders, either through compromise or just sophisticated social engineering.”

BLEEDING EDGE TECHNOLOGIES

To counter these threats Greaves says organisations will need to rapidly adopt ‘bleeding edge’ technologies. “Government and industry in Australia have historically been slower to adopt artificial intelligence and other emerging technologies at the same pace as many other countries, but we can’t afford to lag when our adversaries are racing ahead.”

Castlepoint Systems, the company she co-founded in 2016, aims to counter such threats. It promises to “manage, protect and de-risk all your information everywhere, with no impact on the way you work now. Every item, every system, on premises and in the cloud.”

Running this company is a far cry from Greaves’ university education, a degree in anthropology and classics, but she says both were solid foundations for the career she eventually chose.

“I wanted to understand things deeply, see patterns, apply rules. That’s what I found so enjoyable about Latin. I am also very values-driven and my anthropology study gave me a strong foundation in human-centred thinking. The intersection of the rules-based, hard edge of cybersecurity with its human-centric, social-good aspect is why it’s been a perfect discipline for me.”

She adds: “Learning to learn is the most important thing you can do at university. Most of my learning is from being able to read, comprehend and apply information quickly and accurately. Whatever your degree, if it requires you to apply complex comprehension skills and think critically, it will set you up for success in this domain.”

“It’s an extremely rewarding discipline when you have an outcomes-focused brain. I enjoy seeing problems that might be hidden and bringing them into the light, with evidence and, most satisfyingly, solving them.”

ANYONE CAN BE A CYBER PROFESSIONAL

Her conclusion: “Anyone can be a cyber professional. You don’t need a technical background at all. If you like to see patterns, understand the nuances of things, if you are good at identifying risks and red flags (by instinct as well as reasoning), if you care about society and the people who live in it, you will have a rewarding experience in cyber.”

It was the threat of compromise to personal information that first piqued Greaves’ interest in cybersecurity and set her on the path to her current role. She was working as a business analyst for Austrade and her role included putting the home phone number of every in-country official into a booklet, which was distributed without security controls.

“This flagged as risky and I did some research. I quickly found out that, with this information, it was trivial for a bad actor to track these officials, and target them,” Greaves recalls. “It was a real-life example that the very mundane decisions we make about data and processes can have serious risks and consequences for our stakeholders.”

Greaves left Austrade to take on roles in national security agencies where she focussed increasingly on information protection and undertook self-study to become certified as a security manager, systems auditor and privacy engineer. She says the combination of experience and qualifications she developed over ten years culminated in the opportunity to security-audit some of Australia’s largest, multi-billion-dollar military projects.

A PIVOTAL EXPERIENCE

However, throughout her very varied cybersecurity career, Greaves cites one incident as being pivotal and a big part of the reason she developed the software underpinning Castlepoint Systems: the unlawful deportation to the Philippines in 2001 of Vivian Solon, a Philippines-born Australian citizen with mental health problems. She was deported because the then Department of Immigration and Multicultural and Indigenous Affairs (DIMIA) and other agencies were unable to coordinate essential information verifying her Australian citizenship. She was repatriated in 2005. DIMIA officers had discovered their error in 2003, but done nothing.

“Our government didn’t manage its records properly. It had a huge impact on me when I found out about it,” Greaves recalls. “It’s a big part of the reason I designed my software. We absolutely must know what data we have, where it is, who is doing what to it. If we don’t, real people can experience catastrophic harm.

“It was hard to get hard numbers on risk and the value of information when I had to audit by sampling. Now I can know what every single bit of information in a network is about and what needs to be done with it in order to protect it.

“Our Castlepoint software is the cornerstone of our security. Having full command and control of all our data and the events on it gives us the evidence we need to make the right security decisions.”

And, she says, the Castlepoint software has delivered some very specific results. “In the last year we have helped find child predators, helped ensure Indigenous data sovereignty, helped respond to security breaches, and helped prevent them. It’s great to see the benefit of the software we created being realised like that.”

WORKING ACROSS TIME ZONES

Castlepoint Systems is headquartered in Canberra, but Greaves is based in London and works across UK, Australia and US time zones, which creates some time management challenges. “I have meetings usually from 4:30 or 5:00 am. But I am offline from 7:30am to 9:00am to get the kids ready and take them to school,” she says. “Same in the afternoons: no meetings from 2:30pm until bedtime. It makes for late work nights and early mornings, but it keeps the balance.

“As CEO I need to be across everything in my company at a high level, so I am in regular contact with my leadership team. I am also available to all staff to discuss issues and answer questions they want to talk about with me, so a lot of the day is just communication.

“I also have desk work to keep up with: we have a strong quality management culture, and documentation is key. And I attend meetings with partners, clients and other stakeholders where I’m required to provide advice or expertise.”

Greaves says that running a cyber company is challenging – and cyber is a challenging field in general. “We have a lot to lose, and very motivated people trying to take it. But if we start taking it seriously, and taking some agency, we can significantly reduce our exposure. We need to know what information we have, where it is, and who is doing what with it. And we finally have the technology to do that, and pull ahead in the race to control our data.”

www.linkedin.com/in/rachaelgreavesstlp
Catherine Dawson, Associate Solutions Engineer at Cloudflare

Like so many Australians, Catherine Dawson lost her job as a result of the COVID pandemic. However, her redundancy turned out to be a blessing in disguise, enabling her to pursue an interest in cybersecurity that had lain dormant since her undergraduate days studying for a degree in criminology and criminal justice.

“There was a unit of work that covered fraud and cybercrime which exposed me to the patterns of offending and cybercrime victimology,” she says. “Whilst the course focused on the broader societal impact of cybercrime rather than the underlying technology, it marked the start of my introduction to the industry.”

So, jobless, Dawson dived straight into cybersecurity, securing a business development role at cybersecurity and Internet infrastructure company Cloudflare. “The role was the perfect entry point, because it gave me an opportunity to learn about industry trends, develop fundamental skills in cybersecurity technology and work strategically with customers,” she says.

FROM SALES TO CYBERSECURITY

Starting in what was primarily a sales role, Dawson was soon drawn to the technology behind what she was selling. “It wasn’t until I was exposed to the presales engineering profession first-hand that I found myself wanting to learn more about the underlying technology: computer networking, web application security, and cybersecurity frameworks,” she says.

After that her transformation into a cybersecurity specialist was rapid. To better develop her technical knowledge Dawson gained a postgraduate qualification in networking and cybersecurity and at the same time was successful in applying for Cloudflare’s Associate Solutions Engineering program: a year-long intensive training program that developed her understanding of Cloudflare’s product portfolio.

“When I first started my position in business development, I did not think it would be possible to transition to a solutions engineer role given my non-technical background,” she says. “The technical knowledge required to architect security solutions for customers seemed like an impossible aspiration. It wasn’t until a position in the Associate Program was made available as a career pathway in presales engineering that I was able to apply and begin the intensive 12-month training.”

Dawson is now an associate solutions engineer at Cloudflare, responsible for the technical sale of Cloudflare’s products, and credits Stephanie Barnett, Cloudflare’s head of solution engineering for Asia Pacific, Japan and China, with having played a key role in her rapid transition into cybersecurity.

“AN INCREDIBLE LEADER”

“Stephanie is an incredible leader and role model to many people in the industry,” Dawson says. “Stephanie was one of the first leaders to give me encouragement in pursuing my career goals. I remember her words of support to ‘just go for it’ and to be confident in my aspirations. It was Stephanie Barnett who championed the Associate Solutions Engineering program to the business and brought it to life.”

It is perhaps not surprising after such a rapid career shift that Dawson cites self-doubt and imposter syndrome as the biggest challenges in her new role. “There are definitely moments where I compare my work to others in the industry. My role requires me to work with a broad range of cybersecurity, DevSecOps, and cloud security architect teams to help solve security problems through our technology,” she says. “However, I am extremely fortunate to be supported by an incredible team and mentors.”

It is hardly surprising that she cites the shift into cybersecurity as one of her best career decisions, explaining she has “always been drawn to and motivated by positions that bring value to customers whilst satisfying my inner urge to continually solve problems and evaluate risk,” adding: “There are many rewarding aspects of my current role. As part of the solutions engineering organisation, it is our responsibility to make our technology more accessible, understandable and valuable to our customers. It combines problem solving, relationship building and technical expertise. It also requires the development of strong relationships with cybersecurity stakeholders, and being their ‘trusted technical advisor’.”

And Dawson is not alone among her team in having come to cybersecurity from a very different profession. “A few of my fellow associate solution engineer colleagues have transitioned from careers outside of technology, coming from a range of careers such as psychology. One was an airline cabin crew member. We all share the same drive, determination, and ambition for learning and building a long-term career in technology.”

www.linkedin.com/in/catdawson
Johanna Williamson, Senior Manager - Security Strategy and Governance at nbn™ Australia

Johanna Williamson, Senior Manager - Security Strategy and Governance with nbn, is a big believer in “being the master of your own destiny, and really being in the driver’s seat of your career, making it happen.”

She is leading and implementing nbn’s enterprise security and privacy strategy. It is not a role she envisaged holding because it did not exist when she joined nbn, but it emerged as a result of how nbn structured its security operations. Nevertheless, Williamson says, “I absolutely drove myself to be here. I did this by putting myself out there, seeking out mentors and advocates, seeking out new opportunities, trying new things and failing.”

So, it came as a rude shock to Williamson earlier in her career when one of those mentors told her: “Jo, you’re not doing enough.” Upon reflection, she realised the truth of those words. “It drove me to take action, to become fiercer and more resilient and ultimately it pushed me forward.”

While this was one pivotal mentoring event, Williamson sets great store by such relationships in general, saying she has been very lucky to have built a number of meaningful relationships which have evolved into providing amazing mentors and advocates.

PIVOTAL PEOPLE

“When I first met these individuals, I never knew at the time they would end up being such important and pivotal people in my life,” she says. “It’s those relationships that have stood the test of time and have been overwhelmingly important for me in moments where I have had to make decisions about the next step to take in my security career, when I have thought about pivoting, or sometimes lacked confidence.

“I cannot stress enough the importance of seeking out and building a relationship with a potential mentor or advocate in your career, because you just never know when the next opportunity may come knocking on your door. Having an advocate there, in the right room with the right people to say, ‘I know someone you should speak to who might be perfect for that role,’ pays dividends.”

And she adds: “For me, my mentor and advocate relationships have naturally evolved over time. You can’t force these relationships, and you may even have an existing mentor or advocate relationship with someone already and you didn’t even realise it!”

Williamson has now been working in security for 17 years since starting out as an investigator at Coles, a role she gained almost by chance that led her to where she is today.

When Williamson finished school she went to university, but instead of taking a career-focussed course like most of her peers, she indulged her passion, with a degree course in Egyptology. Then, realising it was unlikely to lead to a career, she got a job in retail with Coles, and stumbled into security.

FINDING HER NICHE

“I met someone from the supermarket’s asset protection team in head office who took me under their wing,” she recalls. “I started working for her two days a week, doing all the boring things that she didn’t want to do, but were exciting for me. I was introduced to the world of physical security, personnel security, assurance, asset protection and loss prevention and eventually investigations - which is where I ended up finding my niche.

“Looking back, it is safe to say finding a career pathway is all about trial and error. I would tell my high-school self to try something and see if you like it. It’s ok if it’s not what you had hoped for or thought it was going to be, and importantly, it’s ok to pivot.

“Over time I learnt more and more and eventually secured a full-time role as a regional asset protection advisor. I continued my on-the-job learning over the next few years and then worked my way into the investigations and fraud management side, which I ended up loving.

“This was where my corporate career took off and I moved into the telecommunications world. I knew this was what I wanted to do, so I went back to university and undertook a graduate certificate in fraud and financial investigation and eventually completed my master’s degree in the same.”

Williamson says she “never had second thoughts that security was the right choice for me. It only got more interesting and opened a world of opportunities, some of which I didn’t even know would be possible. … Never in my wildest dreams did I think I would be doing what I am now, with the broad visibility and remit across the enterprise in nbn.”

JOINING NBN INVESTIGATIONS TEAM

For most of her career Williamson worked in security investigations, fraud management and security operations, physical and personnel. She joined the investigations team at nbn six and a half years ago to help build its capability in these areas as a member of a new team created under nbn’s converged security model. It was this model that enabled her to greatly broaden the scope of her security responsibilities.

“I was lucky to be working in an organisation where the intersection of all security disciplines and security risks are managed under the one umbrella,” she explains. “This provided the opportunity over time to be exposed to many different security streams, work with a broad range of stakeholders, gain visibility of complex problems and challenges that different security teams were facing, and ultimately carve a pathway for myself to my current role.”

She says this role—leading and implementing nbn’s enterprise security and privacy strategy—is completely different to what she was doing when she started working at nbn, and nbn’s converged security model offers up many opportunities with its varying workstreams and pathways.

“I love that no two days are the same. I am constantly engaging with a diverse range of stakeholders at nbn and managing complex problems. Sometimes this can pose challenges, particularly around managing different points of view, balancing the needs and asks of the business with the fact that operational teams are needing to deliver or respond to incidents.”

Looking back, Williamson says her career achievements would not have been possible “without my personal desire, drive and being vulnerable to try something and not succeed. … And to pick myself up again, dust myself off and remember not to let anything stop me.”

Today, Williamson describes herself as “a senior manager leading a team of people with broad remit across the enterprise specialising in security strategy and planning for all security disciplines, strategic advice, security program management and security and regulatory compliance: something completely different to what I came into nbn doing.”

THE WORK/LIFE BALANCE STRUGGLE

Through all this, Williamson admits to struggling with maintaining a good work/life balance, a challenge made much harder a little over two years ago when she became a mother. “Each day I do the juggling act, trying my best to be a good mum, wife, friend, daughter, sister, family person, colleague, and succeed at work,” she says. “It can be hard to be great at all of these roles all the time and in fact it’s probably impossible. For me, the way I like to find balance is to try and prioritise ‘me’ time. While it sounds easy, it’s not something that I find easy to always execute on. I do find I have to try and schedule ‘me’ time as part of my day or week, otherwise I sometimes let this fall to the bottom of the prioritisation list, and I struggle to make it happen.

“Outside of work I have creative interests that are completely opposite to security. It is my way of switching off or recharging. I love interior design and decorating, real estate, cooking and gardening, although I’m not very good at it yet. Plants under my care seem to always die for some reason! Trying to also get outdoors and into nature is also something I find really relaxing and extremely grounding.”

www.linkedin.com/in/johanna-williamson-46374130
Dr Fauzia Idrees Abro, Director MSc Information Security and Director of Distance Learning Programme at Royal Holloway, University of London

Dr Fauzia Idrees Abro’s interest in cybersecurity was sparked when she chose a project on cellular mobile security using a scrambling technique while studying for her Bachelor of Engineering (Electronics & Communications Engineering) degree at Pakistan’s Mehran University of Engineering and Technology.

That was in 1995 and the project won her the Institution of Electrical and Electronics Engineers Pakistan (IEEEP) Gold Medal. This was at a time when, Dr Abro says, “cybersecurity was still evolving and not many people were sure about its future.”

Nonetheless, she pursued her passion, researching different cybersecurity topics and undertaking formal education in Information Security: a master’s degree in cryptology and information security from Pakistan’s National University of Sciences and Technology and a PhD in information security engineering from City, University of London.

Her passion for cybersecurity grew while working in the military, and with it grew another passion: spreading cyber awareness and advocating about its importance. She says her current role as director of postgraduate degrees in cyber/information security at Royal Holloway, University of London, gives her a platform to reach out to the wider community to extend cybersecurity education and skills.

She says the most rewarding aspect of her role is “being able to contribute to developing a force of future cybersecurity experts to protect our increasingly vulnerable digital world.”

And similar considerations would be the dominant factor in any future role. Dr Abro says her main consideration in deciding to accept a role would be that it would be “in a world-recognised academic institute where I can contribute to designing and delivering cyber education on par with the current market challenges.” She adds: “I would like to play a role in preparing the cyber experts of the future who can protect our digital world from malicious attacks.”

These future cyber experts will face some new and significant challenges, Dr Abro says. “The most significant cyber security development over the next two years will be the extended use of AI for offensive and defensive security. I think quantum computing will also bring a paradigm shift in the current threat landscape.”

www.linkedin.com/in/fiabro
Holly Wright, Security Architect at IBM Development Labs
When Holly Wright, a security architect with IBM Development Labs on the Gold Coast, talks about her cybersecurity journey, diversity looms large in almost every aspect.
And Wright says she brings a diverse set of personal skills to her role, to such an extent that she was once challenged whether she was suited to her engineering role.
Staff in her workplace were given the Herrmann Brain Dominance Instrument test, designed to measure and describe thinking preferences in people. It identifies four different modes of thinking: analytical, sequential, interpersonal and imaginative.
“The majority of people were showing strong analytical and practical driven styles, which makes sense in an office full of engineers,” Wright says. “But me, I was the opposite, scoring much higher in the relational and experimental scales. The facilitator even came over to me and asked me if I really enjoyed my job as an engineer.
A BIG PICTURE THINKER
“That did make me question whether I was doing the right thing at the time, but what I realised was that this difference is really what makes me a valuable part of my teams. I am energised when I’m thinking about the bigger picture and building relationships, and that doesn’t take anything away from my technical skills. This is what we talk about when we say ‘diversity is key’. It’s the diversity in the way people think that makes it valuable.”
Wright’s career experience started with a Bachelor of Engineering at the University of Queensland, majoring in mechatronics, and quickly morphed into cybersecurity.
“I didn’t imagine myself going into cybersecurity, but an internship opportunity opened up to work with IBM Security in the Gold Coast Development Labs, and the Gold Coast being the city where I grew up I thought I would give it a go,” she recalls.
“During my degree I had done a couple of coding courses, which helped me secure the internship in my final year. I picked up a mountain of coding and cybersecurity skills during that internship, which enabled me to join IBM full time after graduation. I became part of a development team as a software engineer, building a world-class, market-leading threat detection SIEM product. From there I have grown my career, being a team leader, product owner and now, a security architect.
A PASSION-DRIVEN CAREER
“I always knew I enjoyed having more responsibility and driving projects, but I didn’t have a specific goal in mind for where I wanted to go. I think it’s very difficult to envision exactly what a role will be like until you are there. So, I’ve been very happy taking these steps one at a time. My passion for building great things and getting things done has naturally seeped through into all the roles I’ve held and has been the driving force pushing me into the next role. As a result, each step has felt like a very natural transition.”
Wright says the most rewarding aspect of her role at IBM is the continuous learning it offers. “I work directly with some of the world’s largest organisations to rapidly build prototypes to solve their cybersecurity challenges. Having exposure to some of the hardest problems in the security industry and to be working with cutting-edge technologies to overcome these challenges is highly rewarding.”
She adds: “Knowing I am making a difference in the world from the things I am building here on the Gold Coast is very cool.”
Asked what factors would be important if she were offered a new role—other than core features such as remuneration and the nature of the role itself—Wright cites its potential impact on the diversity of her life as a whole. “At the end of the day, success in my career can only happen if I am happy and thriving, and for me a big part of my happiness comes from friends, family and hobbies,” she says. “If a role meant that I had to permanently sacrifice a large chunk of that I would have to consider whether I would be able to succeed in that role in the long term.
“Some questions I might consider: are there new hobbies I could try that would work with the role? Are there other ways I can adjust my life so that I can still see friends and family? If I can still ‘keep my cup full’ and take on the new role, then bring it on!”
Similarly, her advice to anyone planning to pursue university education as a route into cybersecurity is to “get involved in university projects and clubs outside of their coursework, and ideally outside of their domain.”
THE SOURCE OF DIVERSITY
She says diversity of thought comes from exposure to completely different domains. “It’s vital you give yourself that exposure. Most universities have racing clubs, rocket clubs, robotics clubs – all of which are fantastic places to test and grow the skills you are building at university.
“These types of societies make you step outside your domain and think about the full ‘product’ you are building, working together and compromising with other parts of the system. That mindset is immensely valuable and is best when it comes from experience.”
For anyone contemplating a similar role, Wright says there are many pathways. “The most direct pathway would be studying software engineering and/or a security-based degree, but I am a living example of that not being the only route. Having some coding and technology skills is the most important part, and learning a bit about machine learning and cloud technologies is going to be very helpful as we move into a future where security has analytics embedded and security solutions run in more places.”
TECHNOLOGY VERSUS TALENT SHORTAGES
Advances in security technologies, Wright says, will play a key role in an industry struggling with talent shortages, too many disparate tools, too many alerts, too much to do and too much siloed information.
“I think the next big innovations in the security industry will be aimed at tackling these problems: using open platforms to break down silos; the adoption of open standards to make data ubiquitous without having to create unwieldy data lakes; and embedding analytics and workflows capabilities at the core of these platforms to enable automation and reduce the task burden on analysts. Together, these changes will enable organisations to reduce the impact of the rapidly evolving attack landscape on their business.
“We have seen the sophistication and rate of attacks continue to sky-rocket over the last few years. I think we will continue to see this in the next two years, with attackers willing to engineer targeted attacks and be patient with their exploitation. We will also see the continued adoption of modern technologies like machine learning and automation further increasing the sophistication of campaigns.”
www.linkedin.com/in/h-wright
Martina Saldi, Go To Market Manager - Cyber Security, Data Security and Privacy ANZ at Microsoft
Martina Saldi is an Italian expat living in Australia with 14 years of experience in product marketing, sales and communications, much of it with Microsoft in Italy, Singapore, India and Japan.
Cybersecurity was not her primary focus, until COVID hit, bringing with it a massive uptick in remote working. “The worldwide shift to a hybrid workplace pushed us all to embrace ubiquitous connectivity,” Saldi says. “Those new connections helped us become more collaborative but also brought evolving risks and breaches impacting people and companies worldwide.
“I felt like I wanted to play a part in this. I wanted to fight for the good cause of protecting people’s rights. I was sure doing that would bring added value and purpose to my day-by-day job, and it did.”
She decided learning should be the first step in her new passion, so she studied for, and gained in August 2021, Microsoft’s Security, Compliance and Identity Fundamentals certification (SC-900), became go to market manager - cyber security, data security and privacy for Microsoft Australia and “started to build a network of people working in the area to understand their point of view from the inside and what ‘working in cyber’ meant for them, and open opportunities for me to learn from them.”
AIMING FOR MULTIPLE CERTIFICATIONS
And SC-900 is just the first step on Saldi’s planned cybersecurity certification journey. She has her sights set on gaining several ISACA certifications: Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified Data Privacy Solutions Engineer (CDPSE).
Holding down a high-level full-time executive role while studying and gaining multiple industry certifications would make enormous demands on anyone’s time, and Saldi admits she needs to improve her work/life balance.
“Because I love my job I tend to spend long hours working without even noticing. But recently I was given some good advice: the busier you get the more you need your ‘non-negotiable’, so that’s what I am working on right now, having at least two non-negotiable times with my son and husband during the working week.”
And with a typical working day taken up with “lots of meetings, because I enjoy working with people,” Saldi says she is also “working on making sure I have two hours of focus time each day.”
Apart from the almost universal challenge of finding sufficient cybersecurity professionals, Saldi says one of the biggest challenges of her role is customers’ lack of knowledge and their inability to set cybersecurity priorities.
“We need to bring more clarity into the market to help those organisations starting this journey and those that are already advanced. Approaches and language used may vary drastically. Clarity on the next urgent step is still a challenge for many organisations.”
However, Saldi does see general awareness of cybersecurity as having improved significantly. “Cyber is no longer considered a technology risk but a business risk. Employees in each department of an organisation need improved tools. Concern of a cyber or data incident is now top of mind, not only for the CISO but the entire c-suite and board,” she says.
“Cybersecurity, data security and privacy are no longer a technology discussion but a culture topic where people within an organisation, and their preparedness, are the real differentiators. Today we know that basic security hygiene can protect against 98 percent of attacks. It’s clear why it absolutely comes down to a cyber smart culture.”
A DIVERSITY AND INCLUSION CHAMPION
While “fighting the good fight” to combat cybercrime and keep customers secure is what Saldi says is the most rewarding aspect of her role, she adds: “I also like that I can use my work time to talk about something I really care about: diversity and inclusion. Having that as part of my culture goals within my day-to-day job is really fulfilling.”
Outside Microsoft she is a member of several women in business and women in security groups, and says she feels “very rewarded being around other women and supporting each other through challenges and doubts during our lives.”
As someone who came into cybersecurity from a quite different industry, Saldi says: “I think the biggest challenge for people transitioning into a new industry is to be humble and reinvent themselves. If you have a growth mindset and flexibility, you will be open if presented a new opportunity.”
She adds: “Be as curious and bold as you can. In an end-to-end management role like mine you need that. Build your knowledge of each part of the business across marketing, partners, sales, post sales and engineers.
“An MBA can definitively help in building skills to manage the complexity of a business, but be bold in trying different roles and career paths because there’s no better school than the experts in the business and lived experience.” She adds: “Pick an industry and a product that you are passionate about because you’ll need to know everything about it.”
For herself, Saldi says, having covered several roles across marketing, sales, business development and go-to-market strategies in different countries and companies, “my desired next step was to have a role with the full overview of what’s happening in the business and the opportunity to make decisions to drive impact. This is key to keeping me motivated.”
www.linkedin.com/in/martinasaldi
Farah Chamseddine, Cyber Security Architect at Microsoft
Elsewhere in this edition Lena Smart—who has been the inaugural CISO of three major organisations—says she is much more interested in hiring people for cybersecurity roles who have an innate sense of curiosity and will explore cybersecurity issues, driven primarily by that curiosity, than in hiring those with university training.
It was just such a sense of curiosity that took Farah Chamseddine—now a cybersecurity architect at Microsoft—from software engineering into cybersecurity.
“I was working as a software engineer in the education sector, responsible for reviewing applications developed by third party vendors against functional and non-functional specifications,” she says. “I became really interested in ensuring these applications were protected against malicious or accidental misuse, especially because these applications were used by students and teachers.
“I started enjoying the challenge of testing applications for vulnerabilities until they failed and then using these learnings to identify security requirements for future features and applications. I started reading books about securing web applications, joined a penetration testing course and worked with my manager to dedicate time for cybersecurity responsibilities.”
FROM SOFTWARE ENGINEERING TO STRATEGIC CONSULTING
With her new-found interest in cybersecurity Chamseddine moved from her technical role in software engineering to a strategic consulting role in governance, risk and compliance (GRC) and then to her current role in security architecture. She is very happy with her career choice.
“Cybersecurity is a vast field that offers different opportunities. This has allowed me to have a career where I could always develop my skills, experience different roles, and ensure it was the right choice for me. The broad spectrum of roles in the domain has validated that I made the right choice in my specialisation.
“The goal for me was always to continue developing my knowledge and skill set in the areas I am interested in. And this is what helped me to take on more senior roles and additional responsibilities.”
Chamseddine started out with a degree in computer science, which she says, “exposed me to the fundamentals of security across the software development lifecycle.” And, for anyone contemplating university study as the first step on a cybersecurity career journey, she says it is important to consider the wider context of how and where cybersecurity techniques are deployed.
CAREER ADVICE
“Cybersecurity is integrated into every component and layer of an application: from infrastructure and network to the application and data layer. So, my advice would be not to limit working and learning opportunities to focussing only on cybersecurity. Broaden your knowledge and, regardless of the subject, project or internship you are part of, think about the security aspects: how could these environments be compromised, and how could they be secured against attacks. … Be intentional in your career, have a growth mindset, and focus on your strengths.”
In her current role at Microsoft Chamseddine works closely with organisations to improve their cybersecurity posture and maturity. “While we work with stakeholders committed to cybersecurity, the challenge their teams face is the shortage in skills. This usually restricts their abilities to innovate as they try to focus on short-term security objectives,” she says.
For Chamseddine a typical day is “split between working with internal teams, completing training and admin tasks as well as meeting with customers to discuss and plan their security, privacy and compliance requirements.”
She adds: “I don’t rely on specific tools as I support customers in leveraging a number of cybersecurity, privacy and compliance products. In saying that, I have been working with many customers recently to uplift their multicloud security posture using Microsoft Defender for Cloud.
“I find working with government departments to secure services that we all use on a daily basis (e.g. transport and health) extremely rewarding. Also, working in a massive organisation like Microsoft helps me connect and learn from colleagues with different backgrounds, perspectives and areas they are passionate about.”
Chamseddine also keeps up with Microsoft’s technical announcements by reviewing the security blogs daily, uses LinkedIn to follow CISOs and thought leaders, and uses her membership of the Australian Women in Security Network (AWSN) and the Australian Information Security Association (AISA) to network with peers in the industry, mentor and present about areas of interest, and attend presentations to learn more about other topics and experiences.
CERTIFICATIONS PLANNED
More formally, she is planning to gain the SC-100: Microsoft Cyber Security Architect certification and Certified in Risk and Information Systems Control (CRISC) qualifications to develop her technical and risk management skills.
Looking to future cybersecurity developments, Chamseddine expects the recent high profile data breaches to significantly raise consumer awareness about the security of their personal data, forcing businesses to be very public about their data management and security practices.
“Organisations will be driven to consider cybersecurity as a business enabler. They will be committed to strengthening their cybersecurity defences and taking a more proactive approach to protecting critical assets in order to remain competitive and achieve their business strategies.”
She adds: “Another area that may develop in the coming years is the use of AI and machine learning to support security teams such as GRC and SecOps. This can help organisations leverage the scarce skills within their teams and reduce efforts spent on manual tasks.”
www.linkedin.com/in/farahchamseddine
Reshmi Hariharan, Governance, Risk and Compliance Technology Specialist at Microsoft
Reshmi Hariharan is a governance, risk and compliance (GRC) technology specialist with Microsoft, based in Sydney. It’s a career destination she has arrived at from a degree in electronics and communications engineering and, she says, “mostly by saying ‘yes’ to all the opportunities that came my way even if that did not make sense immediately.” The only thing that mattered was: “is it different from what I’m doing now, and do I get to learn something new.”
Her initial role in the industry was in marketing, not in cybersecurity. “I was given an opportunity to join a cybersecurity firm as a researcher for developing marketing and thought leadership content,” she says. “A few months later, I was given an option to join the governance, risk and compliance team. I started helping out with information security assessments and then gradually built my skill and got certified as PCI AQSA [Associate Qualified Security Assessor] and ISO 27001 LA [Lead Auditor].”
Down the track she plans to gain ISACA’s Certified Information Security Manager (CISM) certification and Certified Data Privacy Solutions Engineer (CDPSE) certification, and says her membership of ISACA also provides an opportunity to network with peers in the industry and gives her access to thought leadership content.
A PIVOT INTO CYBERSECURITY
When Hariharan gained her first cybersecurity role it represented the realisation of a long-held interest. “When I was pursuing my undergraduate degree in electronics engineering, there was one subject on computer networks and security that got me interested in the basics of security, but I did not have any clear vision of working in cyber back then. I started my career and then pivoted into cyber a few years later. I was working as a researcher and, many times, the topics included cyber. I would think, ‘oh that’s interesting.’”
She says such pivots into cybersecurity from other skill sets are common. “People pivot to cyber from different walks of life, bringing in varied sets of expertise. There is room for everyone. The key is adaptability and an open mind. You can always find roles in cyber that relate to your skillset and values throughout your career. For me, there is always change and something new to learn.”
Hariharan says she did not have a clear vision of the roles she wanted, but was clear about what she wanted from each of her roles. “The roles must align with my values and help me broaden my skill sets. Above all, it is important that I make a meaningful contribution to the people around me.”
As to her choice of employer, Hariharan says the most important thing she would look for would be “a company culture where everyone can be their authentic version of themselves, can be part of something bigger than themselves, and have the support of peers whenever there is a need.”
Other important factors would be flexibility in work location and a level of autonomy that reflects trust in employees. Her advice to others: “Don’t fixate on one role but rather be open and curious, make the best of all the opportunities given to you, and one day you will be able to connect all the dots.”
CYBER IS FOR EVERYONE
“Cyber is for everyone,” Hariharan says. “One misconception I had was that I needed to be a nerd in coding to break into cyber, which is clearly not the case. My view is that cyber is a vast ocean and there is room for the diverse skill sets people can bring in.
“One misconception that I had when I was younger was that I needed to know coding, which is not the case. From my experience, the roles in cyber continually evolve and change. So start when you can. It doesn’t matter where you are on your journey as long as you are open to learn, curious and adaptable.
“There is no one-size-fits-all course to pursue. Given whatever you study in the curriculum, there is so much out in the real world. My suggestion would be to speak with people who are doing the roles you are considering, get started with an internship, get some industry certifications to demonstrate your interest and understanding. And always, be open to the idea to pivot career interests.”
In her current role, Hariharan says every day is different. “In every work week, I will have a couple of customer meetings where I get to understand their cybersecurity governance, risk and compliance requirements and propose how Microsoft can help solve these challenges. The rest of the work week is mostly spent on internal strategy meetings, personal upskilling, professional development and working on diversity and inclusion causes that each of us care about at Microsoft.”
She adds: “I enjoy the time I spend with my customers to understand their business problems, and consulting on the right solution while staying grounded on how Microsoft can help from a technology perspective. I find it meaningful knowing I am having an impact in simplifying someone else’s business problems and putting into action my past experiences and current knowledge. I find it rewarding to be able to work in a safe and healthy environment that is fun, kind and puts employees at the centre.”
www.linkedin.com/in/reshmi-hariharan-a0a62465
Orly Schejter, Cybersecurity and Privacy Intern at Grant Thornton LLP (US)
Orly Schejter’s cybersecurity aspirations are decidedly offensive. She wants to gain the Offensive Security Wireless Professional (OSWP) certification along with the Offensive Security Experienced Penetration Tester (OSEP) certification. Both are offered by Offensive Security (OffSec), which claims to be “the leading provider of continuous workforce development, training and education for cybersecurity professionals.” As for the privacy sector, she is very interested in obtaining the IAPP Certified Information Privacy Manager (CIPM) certification.
Schejter also wants to gain the EC Council’s Certified Ethical Hacker (CEH) certification. Her interest in offensive security is perhaps not surprising, given the role of Sivan Tehila, the person she cites as having had the greatest influence on her cybersecurity career to date.
Schejter is studying at New York’s Katz School of Health and Science for a master’s degree in cybersecurity, which she expects to gain in 2023.
“Sivan Tehila has been a role model for me during my studies at Katz School of Health and Science,” says Schejter. Tehila spent 10 years in Unit 8200 in Israel, which is the elite intelligence unit in the Israeli army that collects significant information through cyber espionage and computer hacking.
Unit 8200 boasts some impressive alumni. “Some of the most recognised alumni of this unit include the CEOs of NSO Group, Check Point, Cellebrite, CyberArk and Palo Alto Networks,” says Schejter.
INSPIRED BY THE ISRAELI MILITARY
The Israeli military looms large in Schejter’s cybersecurity career trajectory. She says her main motivation came from “watching and learning about documentaries of the Israeli military.” Prior to this, her interest was piqued by movies and shows that were related to hackers. “I thought it was extremely interesting how these people outsmart the system, and that grabbed my attention. So, I started to analyze what can be done better to avoid hackers from exploiting people and organizations.”
However, she did not initially pursue her interest by embarking on cybersecurity education, instead enrolling for a major in finance at the Yeshiva University in Manhattan with a double-minor in Computer Science and Data Analytics. There, “as I kept studying, I realized, whenever there was a hacking-related topic, I paid attention at a different level mainly because I was passionate about the topic.”
During her studies, Schejter won several awards including the recognized 2022 Student Cybersecurity Case Competition issued by ISACA New York Metropolitan Chapter. Additionally, she was part of the Dean’s List for superior academic performance during the 2020-2021 academic year. During her school years, she represented Colombia in the ‘Chidon Hatanach Bible Contest’ issued by the State of Israel. She holds an impressive GPA and manages to work and study at the same time.
Schejter’s initial career aspirations were cyber forensics with the CIA, but not being a US citizen, she was unable to pursue this goal and instead took up her current role as a cybersecurity and privacy associate at a professional services firm, which, she says, turned out to be a much better choice. “I learned a lot about data privacy and have loved it so far. I never thought I would end up in this field, but I’m extremely grateful that this is what happened. I’m truly enjoying the learning process and getting to work with such a great team.”
A FOCUS ON PRIVACY LAW
In her current role, Schejter says she has been working with companies to help them meet the requirements of new privacy laws coming into force in 2023. She says: “Since I’m a consumer myself, I find it very rewarding to enhance the privacy culture that helps corporations maintain proper practices that protect the consumer — and themselves.”
Looking forward, Schejter strongly believes ransomware will still be considered the biggest cybersecurity threat over the next two years. She also thinks there will be a strong need to develop more sophisticated privacy enhancing technologies, known as PETs — and the need to create technologies that protect consumers against quantum computers.
“The future of cybersecurity and privacy is constantly evolving,” concluded Schejter. “The threats companies face today may look completely different five years from now. Cybersecurity professionals must learn to anticipate emerging risks and trends to best protect their clients’ futures.”
www.linkedin.com/in/orly-schejter
TA L E N T B OA R D
Damitha Kumanayaka WHAT POSITIONS ARE YOU LOOKING FOR? Cyber Security Analyst, SOC Analyst, Cyber Security Specialist, Cyber Security Associate Consultant
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? The ideal working environment
PREFERRED STATE:
for me would be one that fosters an excellent
VIC: Melbourne
work culture.
WHAT KIND OF ROLE: I am looking for a technical role.
DM ON LINKED IN
WHAT’S YOUR EXPERTISE: Computer networking, virtualisation, security, cloud technologies, Subject Matter Expert.
Gwen McEvoy WHAT POSITIONS ARE YOU LOOKING FOR?
experience, including in foreign
I’m interested in a Cyber Threat Intelligence position.
languages (Polish and German; reading ability in Russian).
PREFERRED STATE:
I’ve lived and worked in
US/remote, or Hybrid (Colorado)
Kazakhstan, Poland and German, so have contextual knowledge of these countries.
WHAT KIND OF ROLE: Individual contributor (non-supervisory) – for nearly any kind of organization.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Remote work, or a Hybrid position in the Denver,
WHAT’S YOUR EXPERTISE:
Colorado Metro area. Benefits – the usual (in the US):
I have 1.5 years of cybersecurity experience, though
health insurance, 401K, etc.
not in threat intel. I’m a cybersecurity boot camp graduate (broad knowledge/training), but also have a PhD (sociology) and an MA (International Relations).
DM ON LINKED IN
I therefore have extensive research and writing
54
W O M E N I N S E C U R I T Y M A G A Z I N E
J A N U A RY • F E B R U A RY 2023
IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.
Pranjali Karve WHAT POSITIONS ARE YOU LOOKING FOR? Cyber security analyst
PREFERRED STATE: Victoria, Australia
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? • Supportive towards training, upskilling and career development. • Full Time permanent role
WHAT KIND OF ROLE:
• Hybrid work
A role in cyber defence team: SOC, vulnerability management, incident response, threat intelligence
DM ON LINKED IN
WHAT’S YOUR EXPERTISE: Completed 6-month internship with Telstra SOC, Stakeholder communications (Cybersecurity teacher)
Amineh Hussein WHAT POSITIONS ARE YOU LOOKING FOR?
WHAT’S YOUR EXPERTISE:
Cyber security entry level work
Cyber security
PREFERRED STATE:
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
WA
Collaborative, respectful work environment
WHAT KIND OF ROLE: Analyst or specialist tech roles
I S S U E 12
DM ON LINKED IN
WOMEN IN SECURITY MAGAZINE
55
TA L E N T B OA R D
Celeste Daniels WHAT POSITIONS ARE YOU LOOKING FOR?
desktop and server support,
Information security manager or Security awareness
SharePoint, information
manager
security.
PREFERRED STATE:
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
Queensland
Hybrid/remote/flexible hours/WFH
WHAT KIND OF ROLE: Autonomous
DM ON LINKED IN
WHAT’S YOUR EXPERTISE: Content creation, analysis, security awareness,
ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC? Contact us today and we can publish your details in the next issue of the magazine to help you find your next role. REACH OUT
aby@source2create.com.au
56
W O M E N I N S E C U R I T Y M A G A Z I N E
misty@source2create.com.au
J A N U A RY • F E B R U A RY 2023
IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.
Sirani McNeill WHAT POSITIONS ARE YOU LOOKING FOR? Entry level cyber security roles
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED?
PREFERRED STATE:
As I am hearing impaired, will
Victoria, Australia
require workplace adjustments and some mentoring to have the most advantage of my career
WHAT KIND OF ROLE: Technical: Security Operations Analyst, Penetration Testing, Incident Response
DM ON LINKED IN
WHAT’S YOUR EXPERTISE: Web Application Exploits, Penetration Testing, Incident Response
Valentina Corda
WHAT POSITIONS ARE YOU LOOKING FOR? I am looking to start my career as a cybersecurity consultant. This is because, as a postgraduate student at the University of Queensland, I recently had the chance to approach the business realm by undertaking an industry-based research project at the CSOC.
PREFERRED STATE: Queensland.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? I wish to find a supportive work environment where people are genuinely willing to take care of your professional growth and where teamwork and an inclusive culture are the key facets.
WHAT KIND OF ROLE: As I am still in my final year of a master’s degree in cybersecurity, any entry-level role would suit my willingness to learn and acquire practical skills.
WHAT’S YOUR EXPERTISE: I have more than two years of experience in customer service in hospitality, and I am currently engaged in a university research project aiming to understand organisational cybersecurity vulnerabilities within the business context.
DM ON LINKED IN
TALENT BOARD
Pragati Sinha
WHAT POSITIONS ARE YOU LOOKING FOR? I am looking for an entry-level Cybersecurity position.
PREFERRED STATE: New South Wales.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? I am flexible to work from home or an office location.
WHAT KIND OF ROLE: I would prefer a technical role; however, I am okay to take up a consulting position as well.
WHAT’S YOUR EXPERTISE: I have experience in the following areas: network security, information security, network support, network management
DM ON LINKED IN
Raelene Patiag
WHAT POSITIONS ARE YOU LOOKING FOR? Any internship in the field of technology, ideally within a career path that leads me to a more cybersecurity focus.
PREFERRED STATE: NSW
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid work where I am able to work within a team and with a client would be ideal.
WHAT KIND OF ROLE: I understand that due to my lack of experience I am not the most ideal candidate for most industries. However, I am willing to learn as much as I possibly can, so being able to experience as many different roles as possible would be ideal.
WHAT’S YOUR EXPERTISE: I recently completed my degree in Digital Forensics and I am currently studying to complete a few CompTIA certifications as well.
DM ON LINKED IN
Rajeshwari Keshoji
WHAT POSITIONS ARE YOU LOOKING FOR? Entry level position in cybersecurity.
PREFERRED STATE: Victoria, Australia
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Willing and able to adapt to any kind of work environment and seeking a supportive team environment.
WHAT KIND OF ROLE: Entry level
WHAT’S YOUR EXPERTISE: Having experience in customer service.
DM ON LINKED IN
Priyanka Singh
WHAT POSITIONS ARE YOU LOOKING FOR? I am currently looking for opportunities in the Risk Consulting division. This can bifurcate into roles involving Cybersecurity, IT Audits, Assurance and Risk Management.
PREFERRED STATE: I am currently a student based out of Atlanta, Georgia. Post June 2023, I am open to relocation from Georgia.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? An ideal work environment should promote a healthy headspace and provide continuous learning opportunities by providing opportunities to obtain various certifications. Apart from this, a flexible working structure would also be beneficial.
WHAT KIND OF ROLE: Senior Consultant or Manager role in IT Risk Consulting.
WHAT’S YOUR EXPERTISE: I am currently pursuing a master’s in the field of Computer Information Systems with a Cybersecurity Concentration. I have 4 years of experience with a big four firm which involved IT Risk Consulting, and I performed tasks involving IT audits, IT General Control and IT Automated Controls testing, SOC reporting and SOX Reporting.
DM ON LINKED IN
Alison Correia
WHAT POSITIONS ARE YOU LOOKING FOR? Information Security Analyst/Penetration Tester
PREFERRED STATE: Massachusetts, United States
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? My ideal work environment is where I can work with a team, but also independently.
WHAT KIND OF ROLE: Information Security Analyst/Penetration Tester
WHAT’S YOUR EXPERTISE: I am a beginner in IT. I have my Google IT Support Specialist certificate and I am working towards my CompTIA A+. I have about 3 months of experience in IT due to my cohort that I completed with Generation USA.
DM ON LINKED IN
Sanjana Manocha
WHAT POSITIONS ARE YOU LOOKING FOR? Cybersecurity consultant, GRC.
PREFERRED STATE: VIC: Melbourne
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? After COVID I miss being around people and being in a work family.
WHAT KIND OF ROLE: Consulting
WHAT’S YOUR EXPERTISE: University entry level
DM ON LINKED IN
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards
COLUMN
Cyber is not your get-rich-quick option

I want to air some dirty laundry, something that has been bugging me for the last 12 months or more.

As most of you would be aware, salaries—or should I say “expected” salaries—for people in the industry are becoming unsustainable long term. We have people with one or two years’ experience asking for salaries of $150k plus, and those with three to five years’ experience or more wanting salaries in excess of $200K.

These rates leave government agencies out of the game. They can pay nowhere near those salaries except through external contracting (a different discussion). Enterprise customers could, in some instances, afford such salaries, but would be forced to reduce team sizes because of the increased cost.

I do not have a problem paying people what they are worth. Experienced cybersecurity people have earned the right to be paid well. I think we could all agree that individuals who have been in ICT or cybersecurity for 10-plus years, who have been in the trenches when things got hot, who can walk through fire and come out the other side stronger deserve to be paid a premium. That is not the issue here.

What I take issue with is people wanting to come into the industry, wanting to get a start but wanting a top salary immediately. Cybersecurity is not a get-rich-quick scheme, a pathway to living it up, driving fancy cars and wearing flashy clothes. If that is what you want, cybersecurity is not for you. Yes, cybersecurity can pay well—very well—but if you are to survive in this industry you will need drive: a purpose that is far deeper than money.

Money is nice. We all need it to feed our families and keep a roof over our heads, but cybersecurity is not an easy career. You will be pushed to your limits and then pushed beyond them. You will need to learn every day just to keep up with the malicious actors who want to find the one thing you or your colleagues missed and is all they need to win. So, you need to be always trying to improve, to be a better version of yourself each day. Yes, you will fail, probably more than once, but you will need to get back up and keep fighting the good fight.

If you do not have a thirst for knowledge or the personal drive and are in it only for the money you will not be a member of the industry for long, or will certainly come out the other end worse for wear.

It is clear the industry needs more experienced people. The level of need is debatable, but we need to eliminate unrealistic expectations. We need to find people who want more than a pay cheque and then help them be our next generation of cybersecurity superstars. We need to bring them in, pay them while they learn and help them build the foundations we need them to have.

Take a reality check, right here. If you have no experience in cybersecurity beyond theoretical studies do not ask for a salary you have not earned. Go in hungry to learn and with the drive to succeed and you will be recognised and paid fairly. If you want a get-rich-quick option, play the lotto, trade crypto, become a movie star or do whatever you think will get you there. If you want a career that is difficult but extremely rewarding (albeit a little thankless sometimes) then you have come to the right place.

See you in the trenches.

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/AHackerIam
twitter.com/CraigFord_Cyber
CAREER PERSPECTIVES
CHARLOTTE BEATTY
HOW I AM RICHER FROM BEING A COMBAT RADIO OPERATOR IN THE AUSTRALIAN ARMY RESERVES by Charlotte Beatty, Technology Consultant at EY and Army Reservist
There is a lot of ambiguity surrounding the word ‘enlist’. There is often a misconception that signing on the dotted line will mean deployment to a war zone. Probably not fully spelt out are the state-of-the-art training and access to the latest and greatest equipment that Army Reservists (part-time soldiers) gain from their part-time job.

I signed on the dotted line as a 19-year-old in the hope of wearing a green uniform and doing something different from my bakery job. Due to fortunate timing—and a recruitment drive to support an expansion of communications, IT and Intelligence capabilities—I landed in the Corps of Signals, where I was trained in combat radio warfare. Today, my experiences in the Army have included training modules in Victoria, a deployment to Communications HQ during Operation Bushfire Assist in 2019-2020, the completion of the Cyber Gap Program in 2021 and a three-week G-Wagon Course at Amberley. (The latter was just for fun.)

While I am known as being a ‘Sig’, the ADF training approach is ‘soldier first’, meaning each enlisted member has to maintain a fitness standard and weapon readiness and is provided with free medical support. The opportunities are many. There are options for pistol shooting, gaining a night vision goggles qualification, a truck driver’s licence, and always the chance of being deployed on active service. This list does not do justice to the experience of these perks.

Initially I juggled this training with my university study timetable and now I juggle it with full-time work as a technology consultant at EY. The skills developed during my service training have been directly transferable into my professional career and personal life. I firmly believe being in the Army contributed to the success of my university studies and to my professional career. At the end of the day, if you can keep your cool while firing a semi-automatic rifle under immense pressure, then how hard can it be to sit an exam or deliver a client report?

It is no secret that a competent, trained and prepared cyber task force will be an essential component of Australia’s security. In a recent article for the Australian Strategic Policy Institute, Shane Caughey questioned the role of land forces and conventional warfare in future conflicts. The leader of the opposition and former defence minister, Peter Dutton, said earlier this year that ‘cyber is the new frontline’. Simply put, Australia needs more people, and more women, to build a diverse security taskforce.

The stereotypes of ‘hackers’ and ‘hoodies in dark rooms’ do nothing to overcome the challenges of cybersecurity recruitment. I have found the best way to get involved is to sign up and figure out the rest later. Whether signing up means signing on a dotted line to enlist in the Army Reserves, pressing submit on your application for the Cyber Gap Program Challenge or choosing to sign up for one of the many hackathons available, making a start as an amateur is the only way to get going. I used my role as an army reservist—a paid, part-time, no lock-in contract, Australian soldier—to get my career in security started. This is not a sponsored article from Defence Force Recruiting. In my experience, money is not the primary motivation that draws people to particular jobs. Passion is the key driver. The rest will follow. There really is no pay that would justify a five-day field deployment in the rain. Motivation is what makes me turn up. Being committed, determined, searching for a challenge, having a lot of fun and laughter. How else are you supposed to manage being described as “a hobbit running into battle” when you thought you were charging forward bellowing your most blood-curdling war cry?

In order to ‘get rich quick’, you should first find something you are interested in. While I may have bumped up my savings each year through my service in the ADF, I would only define myself as ‘richer’ through the talented and passionate soldiers I have had the honour of working with, the real Australian security challenges I have been tasked to solve and the once-in-a-lifetime opportunities I have explored. For as long as I serve as an army reservist, I am a richer person with a priceless career.

www.linkedin.com/in/charlotte-b-57529a124
MAKSYM SZEWCZUK
GUIDELINES FOR SECURITY STUDENTS AND EARLY CAREERS by Maksym Szewczuk, Safety and Security Design Manager at Western Sydney Airport

What do all of these people have in common: a security design engineer, a security guard, a national security policy analyst, a police officer and a cybersecurity threat manager? The answer – they all work in security, countering crime and terrorism. The depth and breadth of security careers is vast and becoming wider and more specialised with time. This article will seek to discuss transitioning into security careers with a focus on security students and those seeking to enter the industry.

Do you have an interest in security, have decided to study security, want to get into security or into a specific security-related job and are unsure what to do next? Hopefully this article will present a few good tips on navigating careers, jobs and security-related study.

It is OK if you do not know what you want to do, but try to have some idea of what you would like to do. Think about all the possible career paths you could consider, try to talk to people in those roles to discuss their duties and responsibilities and understand the reality of their jobs. Some jobs may seem glamorous, but the reality may be somewhat different. I have a passion for wine and I love the idea of being a sommelier, but as someone who knows several professional sommeliers, the reality is long and demanding hours, often from Tuesday to Sunday with no weekends free. So I am happy to indulge my passion as a hobby and not a career.

UNDERSTAND YOUR MOTIVATION
Understand your motivations for a particular role. Is it work/life balance, job satisfaction, salary, title, company or job impact? You could be motivated by several of those aspects but many will have undesirable consequences: a high salary often equates to long hours and greater responsibilities. Government roles generally pay less than private sector roles, but offer greater job security and better work/life balance.

Increasingly, people hold multiple different roles throughout their careers, whereas a few decades ago
their path through life was often determined by the degree they had gained. You will likely have multiple roles and careers over your lifetime. This may be confronting for those who dislike change, but those willing to learn new things and adapt to the needs of an organisation and society have many opportunities to gain the skills and knowledge required to thrive in an ever-changing world. Often the best way to discover if a role is right for you is to go directly to people working in that role and discuss it with them. The current low unemployment situation offers many choices of roles and many opportunities. However, this is not the case for everybody, particularly for those in, or looking for, niche roles.

You might need to start in security-adjacent roles where even an entry level role would require experience. Often those entering security management roles start in safety-related roles and are given security portfolio responsibilities.

Think of job and technology trends and what specific roles might be available when you graduate or are ready to switch fields. Do a Seek or LinkedIn search of jobs that might interest you. You might find the majority of ‘security’ roles are now cyber-related (cybersecurity, information security, etc). If you are interested in a niche security field, consider what adjacent roles may give you the experience to enter that particular field. Read deeply and broadly about your particular field of interest and determine what ‘over the horizon’ skills, experience and technology are emerging that will put you in a prospective employer’s sights.

CONSIDER NON-TECHNICAL SKILLS
There are many non-technical skills to consider as you study or start work. You will need to learn how to develop and maintain high-level stakeholder relationships, both within and outside your organisation. Consider asking for introductions, finding common interests or issues or just shouting someone a coffee to pick their brain. Learn the art of problem-solving. Be proactive, accept all opportunities and make opportunities. Accept uncertainty and change.

Do not underestimate the soft skills and general principles associated with every security career. These skills include:
• Risk management and the ISO 31000 risk management process. Risk management is the core of security activity, albeit with varying contexts. You need to understand what it takes to manage and articulate risk management, because in most cases risk cannot be eliminated. Nor is it feasible or economically viable to eliminate all risks. An understanding of how to manage risk is fundamental to security management in all its forms.
• Understanding of security principles. These include defence in depth / layered security and the concept of ‘deter, delay, detect, respond’, to name but a few examples. All these security principles will be relevant to every security career. The assets being protected (people, information, buildings or even gold bars) may change, but the fundamentals of protecting that asset remain the same.
• Communication skills, written and verbal. Solid communication skills are necessary for dealing with people and communicating written ideas. From a well-crafted email to a technical specification to a board paper documenting a recommended decision, clarity of ideas and the ability to express technical concepts to non-technical audiences are key.

Try to understand the meaning of ‘security’ in the broadest sense: from a global, geo-political and strategic viewpoint to a technical, tactical and operational one. You need not be an expert in that whole range, but you should at least understand and have a working knowledge of a broad range of security issues to understand Australia’s strategic positioning, crime and counter-terrorism organisations’ roles and
responsibilities, national regulatory frameworks and guidelines, as well as technical aspects of your chosen field. This could be intrusion detection technology (digital or physical), crime prevention measures, etc. A broad knowledge of all aspects of security will allow you to think holistically about issues and engage with stakeholders in a deeper and broader context. A single threat control should not be used in isolation but rather as one in a series of layered and complementary measures.

Pathways in — Education and professional certification should not be discounted, particularly in technical fields. Certifications demonstrate tested knowledge and technical competence, but neither education nor certification is a substitute for experience. If you find yourself losing out on opportunities, try to get feedback as to why, and consider writing a semi-formal skills assessment and mapping gaps and pathways to addressing these. You can check job advertisements for similar roles to understand what skills, experience or education might be required to move forward. Focus on transferable skills, and do not forget that attitude and confidence are paramount: ‘fake it till you make it’ if you need to.

Many large firms offer formal mentoring programs, and finding an industry mentor is also a great step to getting helpful and practical advice. You may even find student mentorship programs available if you are still studying or not yet in full-time work.

Networking and professional societies — As a security student or early career entrant, networking and professional societies are paramount to building professional networks, gaining exposure and becoming a frontrunner when organisations are searching for new hires. Many professional societies such as Engineers Australia and ASIS International have complimentary or discounted student memberships, making them accessible to students who may not be in full-time employment. Students will often be hired for their ability to socially integrate into a team rather than solely for their technical ability. Furthermore, many roles are not advertised, because it is easier and quicker to hire known professionals, especially in constricted labour markets.

Getting a job — Landing your first security role can be hard, but there are a few things you can do to stand out and, hopefully, start your career in security. Researching the organisation and the role you are going for is key. Go into the interview prepared to frame your skills and experience in the context of what you can bring to that organisation and how you can assist in solving known problems.

You may also want to check your potential manager’s LinkedIn history to see where they have come from and indicate your desire to learn from them based on their experience and career path. Check if any known issues affect the organisation through open source searches or discussions with existing staff and frame your words around how you can assist in resolving such issues. For example, if information security is
your thing, perhaps you can assist with resolving usability and change management issues around multifactor authentication.

Volunteering in all its guises is a fantastic initiative through which early career or student practitioners can expand their networks and gain experience, exposure and recognition. Examples of possible professional volunteering include internships, writing research and analysis articles for industry magazines, attending conferences and volunteering to assist with professional societies’ activities. Increasingly, personal branding and an active and detailed LinkedIn profile also help.

Most importantly, try a variety of roles and duties to see what you like best. This will change over time and with experience, but a list of possible security careers could be:

Government and defence
• State police
• Counter terrorism
• Intelligence analyst / manager
• Crime prevention
• Cybersecurity
• Federal police
• Defence (army, navy, air force, civilian)
• Protective security / force protection
• Defence security agency
• ASIO / ASIS
• Intelligence officer
• Protective security (ASIO T4)
• Corrections / prisons security
• Sergeant / sheriff
• Fraud / anti money laundering / CTF (eg APRA, AUSTRAC)
• Security vetting / clearance checking
• Diplomatic security
• Security technology research
• Border Force
• Department of Home Affairs

Security policy
• Criminologist / researcher — academic research, publishing.
• Researcher / analyst — security related, key policy and national security function assessment
• Strategic / foreign policy (eg ASPI, academia)
• National security policy advisor (government)
• National security policy / crime journalist
• Lawyer – specialist in cyber, security, terrorism
• Corporate security policy manager — write organisation security policy

Protective security
• Security project manager — manage security projects
• Governance, risk and compliance officer
• Private / corporate investigator / surveillance officer
• Uniformed security officer / concierge – security guarding
• Security investigations – specific security related investigations, also common with financial crime.
• Security systems administrator — coordinate and manage access control, keys, CCTV.
• Resilience, risk, assurance — enterprise-wide risk management
• Project / facility security officer / manager — implementation and maintenance of all protective security measures
• Security director — delivery of the agency’s security plan, policies and procedures.

Security advisory
• Security consultant — advise on all aspects of protective security, risk management and security controls/systems.
• Emergency and crisis manager / consultant
• Crime prevention specialist — crime prevention advisory, typically with police or councils.
• Safety manager
• Safety and security coordinator / manager
• Countering Violent Extremism research / advice
• Security regulations / assurance / governance
• Security systems engineer / designer
• Safety consultant
• Financial crime and compliance
• Defence industry security advisory

Cybersecurity and information security
• Application security administrator
• Artificial intelligence security specialist
• Blockchain developer / engineer
• Governance compliance & risk (GRC) manager
• Chief information security officer (CISO)
• Cloud security architect
• IT security architect
• Information security analyst
• Cyber intelligence specialist
• Security operations center (SOC) analyst
• SCADA (supervisory control and data acquisition) security analyst

Corporate operational security
• Corporate security manager — manage security within a given asset: aviation, utilities, casino / events, critical infrastructure, health, education
• Chief security officer (CSO) — head up all physical / info / cybersecurity
• Assets / facilities manager — building management
• Security risk advisor — security risk administration and advice
• Security design / security projects — security systems design and project management.
• Enterprise risk manager — risk management for the organisation, also known as governance compliance and risk (GRC) manager.

Security business roles
• Security sales — sales and product solutions.
• Security technician — repair and service of security equipment.
• Security operations / guarding — guarding, response services.
• Security ops team leader / manager – guarding manager.
• Security business account manager – new business development, solution and product development.
• Regional / general manager — grow and lead a security business.
• Security business manager — manage and oversee the delivery of security services to clients.

www.linkedin.com/in/maksymszewczuk
We are a mission-driven, not-for-profit organisation that is committed to using our knowledge to make cyber space a safer place for organisations, corporations, agencies and institutions to do business - now and into the future.

With our strong network of national and international partnerships, we can equip Australian organisations with the tools and knowledge to operate safely and efficiently in the digital economy. As an independent not-for-profit, The Centre complements the work of existing research bodies in elevating cyber security to the forefront of the nation’s consciousness - while also acting as a translator between business, government and cyber specialists. We are committed to growing the nation’s reputation as a cyber security leader that delivers smart solutions and provides economic stimulus in this new world.

Membership Opportunities: Affiliate Membership, designed for SMEs; Premium Membership, designed for cyber security vendors and system integrators; Platinum Membership, designed for the organisations who want to contribute to the cyber ecosystem. Each membership receives discounts on products and services, access to our facilities at LotFourteen, and contributes to the growth of The Centre.

Training: including IRAP Assessor Training, IRAP Readiness Training & IRAP Re-Certification Exam. The Centre regularly collaborates with its members and cyber professionals to collaborate on training and workshops.

Services: a focus of The Centre is to provide SMEs with the necessary tools and resources to begin their cyber journey. Cyber Clinics, GCA Tool Kit, SME Networking events.

We connect the leaders, the thinkers and doers with real opportunities to learn, launch and protect businesses.

Creating solutions through collaboration, innovation, and entrepreneurship
BURCU YARAR
WHY I BECAME A CYBERSECURITY EXPERT by Burcu Yarar, Application Security Team Lead at VakıfBank

Life is an equation with many unknowns. I have always had a passion for equations with many unknowns. This passion makes me feel great, and one of my wishes is for things to stay that way. Cybersecurity is also a wonderful equation in which there are many unknowns. I am on the offensive side of this equation.

My story is as follows. I first saw informatics as a profession, and decided to choose it, in 2007 when I enrolled in a vocational high school. The school I chose was the best in its field at that time. Its goal was to produce qualified personnel for the sector. In line with this goal, it was a highly disciplined learning institution.

After experiencing informatics in high school, I was sure I wanted to work in the field, so I continued my undergraduate education in informatics. After graduating I knew what roles in informatics I did not want. My choices have always been shaped by what I did not want rather than what I wanted. I did not want to be a software developer. However, because I had studied informatics in high school and university, I knew many programming languages. So, I found myself in cybersecurity, which, at the time, was a developing and little known industry. You can think of cybersecurity as having emerged to reduce the risks brought on by new technologies, and by organisations producing much more data and using much more complex programs as they tried to adapt to these new technologies. Most importantly, these organisations are operating in a very dangerous environment such as the internet. For all these reasons, organisations need cybersecurity experts to ensure their information security and to be aware of the threats they face.
In cybersecurity, my adventure started as a volunteer intern at one of the leading consulting companies in the sector. Then I started my professional life. Seeing the work done, touching living systems and being in environments where I could apply what I had learnt piqued my curiosity every day. In addition, the low number of trained personnel in the sector meant that, by taking the right steps, my career developed rapidly. Then, I quit consulting and entered the corporate world to experience cybersecurity from different perspectives. That process continues: I have had many different institutional experiences. With my passion for learning, some things never seem to end.

In conclusion, I would like anyone who wants to improve themselves and progress in cybersecurity to achieve their goals. It is still a developing sector with a significant shortage of trained personnel. If you have a little curiosity and a lot of determination, I will see you in cybersecurity.

www.linkedin.com/in/brcyrr
twitter.com/brcyrr
brcyrr.medium.com
MALINI MISTRY
TRANSITIONING TO CYBERSECURITY AFTER 12 YEARS IN FINANCE by Malini Mistry, Manager-Cloud Security/Cyber Defense at KPMG Australia and Senior Security Consultant at Capgemini
Many individuals today have traditional linear career paths. Each of us has played diverse roles in our unique professional journey, gaining skills in one domain then transferring these to others. If you are considering a career change into cybersecurity, it is worth noting it provides endless learning opportunities and many rewarding career paths. The profession may not have the glamour portrayed in Hollywood movies, but it is well-paid and offers great growth potential thanks to continuous technology evolution. Cybersecurity is a great career for anyone with analytical and communication skills who thrives in creative, problem-solving situations.

For me, career opportunities tended to appear because I was in the right place at the right time, but I was not excited about the work I was doing. I found myself reflecting on almost a decade in the finance industry without much enthusiasm. I knew it was time to investigate other career opportunities that would push me in new directions. That journey began when a close friend’s data was compromised. She was extremely distraught. I felt compelled to assist her and went on to gain education in cybersecurity from Monash University.

It was difficult at first! Despite having a limited technical background, I gained inspiration from other tech women and a community of wonderful people eager to assist me. I was upbeat, optimistic and eager to learn something new every day. I would advise anyone interested in a career in cybersecurity to get out of their comfort zone, be open to continuous learning and to be always looking for new challenges.

Key recommendations for transitioning into cybersecurity:
• Because knowledge is power, you should strive to learn as much as possible by obtaining certifications and taking online courses. These will help you gain an understanding of fundamental concepts and principles.
• Prepare for setbacks. Be ready to deal with challenging situations along your journey. Also, develop a growth mindset and remind yourself to stay engaged.
• Be determined to make a difference. Attend cybersecurity conferences and events. These experiences will help you grow and develop new skills. At the same time, meet and connect with members of the AWSN community.

I hope my story inspires you to get started in cybersecurity, even if your qualifications and experience do not make you a good fit. More important are your desire to learn, open-mindedness and a can-do attitude, regardless of your background or experience. Good luck!

www.linkedin.com/in/malini-mistry-34535842
KARINE TOBIN
FROM MARKETING TO CYBER SECURITY, CHANGING CAREER THROUGH RECRUITMENT by Karine Tobin, Consultant at The Network
Karine Tobin arrived in Sydney 12 years ago as a fresh-faced backpacker after a career in sales and marketing spanning 15 years throughout Europe. She had worked her way up to being a national brand manager for three well-known kitchen appliance brands when she was diagnosed with melanoma while pregnant with her second child.

“Seven years ago, I was diagnosed with stage four melanoma after the birth of my daughter. It changed my life forever,” says Tobin. After the shock of the news, she went through treatment while taking care of two young children with only her husband for support. Life had taken an unexpected turn, her priorities had changed and her future looked grim. Tobin re-assessed what she wanted to do with the rest of her life.

During that time she wrote We Only Live Once: Memoir of a survivor, started her own coaching business helping entrepreneurs set up and grow their businesses and became a volunteer helping other cancer patients find their ‘new normal’. She wanted to make a difference in people’s lives and support them in a way only someone who had been through their experience could.

When her health improved, and with a future ahead of her, Tobin was keen to start something new. She was craving learning, ideally something technical and mentally stimulating to challenge herself.

“The world we live in is embedded in the digital world,” she explains. “I’ve always been curious about technologies and how hackers do what they do, so I decided to learn how they do it. Maybe that way I could help protect our digital world and make it a safer place.” She spent two years in full-time study with Learning People Global and discovered a new passion: cybersecurity.

“I’ve studied between school drop-offs and pick-ups, passing exam after exam: through lockdowns, while homeschooling my two young children,” Tobin says. “From CompTIA A+ and the fundamentals of IT to networking essentials and security again with CompTIA Network+ and finishing with ethical hacking, PenTest+ and CEH from EC-Council. The more I learned, the more I wanted to know.”

Tobin continued to build her knowledge of and skills in cybersecurity and is currently studying for the CISM Certification.

BUSINESS SKILLS UNDERVALUED

However, despite all her qualifications, when the time came to look for a job, she did not realise how difficult getting her first opportunity would be. “It was quite daunting. I had very poor experiences with recruiters and the roles I got offered either did not have the flexibility I needed or didn’t eventuate,” Tobin says, referring to the offer she received to work on the French submarine project, which the government scrapped in favour of the AUKUS partnership. “Also, I did not feel that my previous 15 years of experience—bringing strategic thinking, problem-solving skills, business acumen and many more soft skills—were valued enough.”

While actively searching for a role in cybersecurity she was approached by two recruitment agencies looking to use her technical skills to better serve their clients and candidates in the security market. Given her personal experience with recruitment agencies, and her willingness to try anything that could get her into the cyber world, Tobin became a recruiter specialising in cybersecurity with the technology recruitment firm The Network.

“At least, in recruitment, I could still make a difference,” she says. “With my understanding of the corporate world, business strategies and cybersecurity I could help companies find the skillsets they required. And with both soft and technical skills, I could understand what people had to offer potential employers. Matching them together requires patience, problem-solving, and a lot of consulting / coaching skills as well. In this position, I can utilise all my skills and experience from branding, marketing and coaching to my newfound passion of cybersecurity.

“It’s not just finding adequate technical skills for a job description; it’s finding the right soft skills, technical skills and cultural fit for an organisation and, on the candidate side, ensuring I am setting them up to succeed with an employer who is committed to nurturing and enhancing their skills.”

THE RECRUITER’S ROLE

Tobin says actively listening to candidates is critical.

“It’s not about the roles I am working on, it’s about understanding what they’d like to achieve next and their potential. Understanding how the new hire will fit within the business strategy, the company culture, and the skills required to achieve the outcomes is essential. I always take the time to discuss in depth these aspects with my clients before working on any roles.”

And, she adds, her job is not ‘fit and forget’: place someone in a role and move on to the next assignment. “My role is also about developing relationships, engaging with potential clients and seeking opportunities to develop business. I’d rather develop long-term relationships with the people I talk to; they can be candidates one day, clients the next, or vice versa, it doesn’t matter. What matters is them as a person and their values.”

SHORTAGE OF MID-LEVEL CANDIDATES IN PENETRATION TESTING

Today, Tobin says the cybersecurity role most difficult to fill is penetration testing. “Though there are many more open roles than available candidates in all areas of cybersecurity, this is certainly the tightest market. Clients want experienced penetration testers with at least an OSCP [Offensive Security Certified Professional] certification.”

Apart from the well-publicised shortage of cyber skills, Tobin says the biggest challenge of her role is finding the right fit for both employer and employee. “It requires head-hunting specific skillsets and then making sure the company culture, compensation and career progression align with their requirements.”

She is also frustrated at the lack of entry-level roles, for which there is no shortage of candidates. “I’m looking at so many junior candidates desperate to break into cybersecurity and only a small number of ‘real’ entry-level roles: under a year of experience, or no experience at all.

“It is hard seeing only a few organisations willing to invest time and training in career changers and graduates. If there is a ‘cyber gap’ surely hiring and training graduates and career changers should make a big difference.”

She says organisations having the systems in place to accept people into entry-level roles and upskill them is the only way the skills shortage will be addressed.

MORE ENTRY LEVEL ROLES NEEDED

“Organisations need to have more entry-level roles available and curated training and shadowing programs where a senior will mentor a couple of juniors to develop and hone not just their technical skills but business, social and client interaction skills. You have to develop them in every facet. The industry must invest in the future generation, bringing people from other backgrounds and training them instead of trying to recycle seniors over and over again.”

Tobin’s insights into what cybersecurity skills are most in demand also show her where developments are heading in the near future. She expects to see laws regarding personal data in Australia being reinforced—a development almost certain in the wake of the Optus and Medibank data breaches—an increased zero trust approach to cybersecurity; increased use of artificial intelligence, machine learning, data enrichment and automation; strengthening of DevSecOps and cloud security.

On the threat side Tobin expects to see “generalisation of social engineering, the availability and affordability of cybersecurity threats as a service and increased activities from Advanced Persistent Threats.”

www.linkedin.com/in/karinetobin
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
COLUMN
The uncomfortable truth

Helping your teen find a healthy balance between their on-screen and off-screen activities can be a hard slog. But when you take a minute to slow down and really think about it, the answer becomes crystal clear.

It all starts with you. Your eyes are always on your own screen. You walk in the door with the kids/from work/from shopping and go straight to your phone. You hear a ‘ding’, you pick up your phone. You think of something that needs doing and immediately pop open your laptop to deal with it while the potatoes are boiling on the stove.

Your child comes over to speak to you and you have one ear on what they are saying and two eyes on your phone. Heading to the bathroom? You take your phone. You sit with your tween/teen to help with homework, and place your phone on the desk. You go to bed and scroll through your phone and then put it on charge next to you.

Your phone is always within arm’s reach. Your kids see exactly what you do and how you do it every day. They repeat what you say, and they mimic what you do.

You can model healthy technology use for them even when you need to stay in touch for work, or work from home. When you set examples for your kids it is much easier to implement and enforce boundaries and guidelines for their own tech use.

Here are 10 simple, practical steps you can take to be more mindful of how you are using your technology.

1. Use your lock screen as a reminder to stop and think about whether you really need to use the device.
2. Place your phone on silent and in another room to reduce the temptation to constantly check it.
3. Turn off social media and other app notifications.
4. Create times to check emails and work communication apps.
5. Put your phone on greyscale.
6. Delete social media apps and access them through the browser instead. This will slow you down and you will think twice about whether you really want to use them.
7. Use a notebook to create a written list of things to do instead of using your phone.
8. Configure email settings so you receive notifications only for VIPs, and use auto-responses.
9. Review the apps you have on your phone and, to reduce distraction, delete those you no longer use.
10. When working from home create a routine for when you are meant to be working so you minimise the use of your devices outside work hours.

www.linkedin.com/in/nicolle-embra-804259122
www.linkedin.com/company/the-cyber-safety-tech-mum
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
AFTER A YEAR OF THE GREAT RESIGNATION, MAKE 2023 YOUR YEAR OF GREAT REINVENTION by David Braue
The job you want is out there waiting for you – and so is the money.
Over the course of a tumultuous 2022, changing work patterns wreaked havoc on continuity of businesses, of supply chains, of careers. Touted as a megatrend late in 2021, the so-called Great Resignation took hold as employees explored ways to make their temporary work-from-home arrangements permanent – and, in many cases, realised they simply wanted to do something else.

The changes created a nightmare for managers that needed to figure out how to keep the wheels turning: one RMIT University survey of Melbourne businesses, for example, found that 70 percent said they simply do not have enough cybersecurity workers.

Those figures were corroborated by Robert Half’s 2022 Salary Guide, which found that cyber security was the most in-demand skill, named as a ‘must-have’ by 65 percent of the 300 surveyed CIOs and other hiring managers.

Those respondents were willing to pay 22 percent more than usual to secure enough cybersecurity staff, the survey found, highlighting what Robert Half Australia managing director David Jones called an “exceptionally strong position from which to navigate potentially more challenging conditions ahead.”

“Increased hiring activity and rising turnover, alongside an ever-shrinking active job seeker market, means the competition for talent is growing fiercer.”

Even more challenging for employers: 73 percent of survey respondents said they expect hiring conditions to worsen in 2023, making it harder to find qualified employees going into the new year than last year.

Such difficult market conditions are pushing employers to try new approaches to finding suitably skilled staff – with the recent Adapt People Edge survey finding that 71 percent of HR leaders are looking internally to fill skills gaps, 48 percent are creating more internship programs, and 41 percent are increasing outreach with universities to secure skilled students before they graduate.

Many employers are casting their recruitment nets far and wide: enterprise software support giant Rimini Street, for one, hires hundreds of employees per year and has, executive vice president of global service delivery Brian Slepko admits, found the current labour market to be “a big challenge”.

“I’m not sure that most businesses are fully comprehending just how concerning this situation should be,” he recently explained, noting that constraints on staff supply – and attendant rises in salaries – have become a challenge even in companies whose entire business relies on a steady supply of staff.

“The pendulum has swung in favour of the employees,” Slepko added, noting that “the opportunity for people to work wherever they choose has fundamentally changed the employee-employer dynamic. Employees are no longer tied to a specific local geography – and this allows them to tap into a global market for opportunities to work.”

Like many companies, Rimini Street has addressed the new market dynamic by similarly tapping the global well of talent: “there’s a lot of great talent at really reasonable prices around the world,” Slepko said, “and we’ve got a global team to support our clients on a global basis.”

WORK IS CHANGING FOREVER – AND SO CAN YOURS

In a cybersecurity climate that is only expected to get more ferocious than ever – security firm Sophos, for one, recently predicted that the increasing availability of cybercrime as a service (CCaaS) offerings will drive a hacker free-for-all in 2023, while increasing regulatory pressure is pushing boards of directors to get real about cybersecurity or risk massive fines and personal liability – there has never been a better time to consider your career options.

If you’re looking for more money, odds are that the imbalance between supply and demand means it won’t be hard to find: the most recent Hays Salary Guide, for one, noted a range of cybersecurity roles pushing well past the $150,000 salary mark, with roles in government-heavy Canberra well ahead of the rest of the country.

Similar surges are being recorded around the world. The average salary for cyber security workers in the USA is $US114,274 ($A182,000), compared to £65,249 ($A114,000) in the UK, $S115,500 ($A128,000) in Singapore, €105,933 ($A164,250) in the Netherlands, and €90,400 ($140,000) in Germany.

Actual salaries clearly vary considerably based on experience, skills, and the context of the job – but the broad trend is upwards, and that creates opportunities for you to move laterally to a better paid role.

It’s also an opportunity to shift to working in an organisation that gives you more personal satisfaction, or one whose sociocultural priorities – a visible commitment to diversity, for example, or a mission statement aligned around environmental values – are more in tune with your own.

A labour market skewed towards sellers is also an opportunity for women to explore the potential value of new working models – for example, fixed four-day working weeks that have become a very real option in many companies.

“There’s definitely a link between businesses and the well-being of employees,” said Gabriela Vogel, senior director of leadership, culture, people, and DE&I at Gartner in Paris, who called out efforts to explore the four-day working week in countries like the UAE, Spain, Japan, Scotland, Belgium and Australia.

[Figure: employer branding – employer reputation, value proposition, retention, recruitment, attraction]

Public-sector organisations are finding that unconventional work weeks, like other new workplace models, may appeal to many workers as much as competitive salaries. Other innovative working models, such as the ability to leave a public-sector role and temporarily work in the private sector to gain certain skills, are also designed to help companies stand out.

“The idea is to use this flexibility to attract employees to come work for the public sector as a more modern version of what the civil servant can do,” Vogel explained. “You’re trying to attract people from the private sector and hope that they’re not going to go back because they’re going to be so attracted to what you’re doing.”

Ultimately, for all the money available in the market for skilled security specialists – or those wanting to break into the market – many workers are likely to change roles in 2023 because they are still looking for the right employee value proposition (EVP). EVPs vary widely based on employer, job role, salary, working hours, and more – but Vogel argues that the biggest driver for many, and the reason many workers will switch jobs over the next 12 months, is simply to feel valued.

Employees “want to feel cared for, want to have deeper connections, and to feel more holistic wellbeing,” she explained. “The EVP is really about what do your employees want, versus what your organisation expects from your employees.”

That disparity changes issues such as the salaries that organisations offer, the training they provide, the culture they create, and more – and whereas these used to be delegated to HR organisations, in the new world of work the EVP has become a critical issue simply because it is essential in ensuring that the organisation can keep enough of the right skills, in cyber security or elsewhere.

Reinvention-minded employees will walk if they’re trapped in a company that doesn’t offer the right EVP – and with conditions favouring those with the skills, employers need to be aware of the risk of attrition and responsive to the cues their employees are giving them.

“We’re seeing a huge shift now,” Vogel explained, noting that businesses “are running a thorough diagnosis to understand where they are with employee engagement, well-being, and perceptions.”

“Once they start implementing actions and designing their EVP, they realise each employee wants something completely different – and there is a need for a more tailored response.”
JOB BOARD

ACCOUNT EXECUTIVE | BEYOND TRUST | REMOTE, AUSTRALIA

You will thrive in a fast-paced environment and enjoy working for an exciting and innovative business which has ambitious growth plans. A strong desire to forge a long term, successful career within the sales industry is key and you will be an excellent communicator with high level organisational skills.

ABOUT THE ROLE
• Create and maintain sustainable customer relationships to deliver sales growth to meet and exceed targets
• Advocate for the BeyondTrust platform and our position within the global Privilege Access Management sector
• Understand and document customers’ business and IT strategies, priorities and goals; capture this data accurately in CRM system
• Create and nurture strong collaborative relationships with field sales team members.
• Problem solve customer issues or sales blockers
• Source quality leads by inquiring about prospect requirements and present the BeyondTrust proposition.
• Maintain an accurate log of sales activities and customer interactions within the company’s CRM system.
• Responsible for accurate and timely opportunity updates and bookings forecast.
• Participate in team meetings and share ideas to contribute team performance.

SKILLS AND EXPERIENCE
• 2 + years professional sales experience within the computer software sector
• Excellent problem-solving skills
• IT Knowledge – Microsoft tools knowledge and the ability to use as needed
• Tenacity, independence and ambition are required to make this role your own.
CYBER SECURITY CONSULTANTS | BEYOND RECRUITMENT | AUCKLAND, NEW ZEALAND

ABOUT THE ROLE
Cyber Security is booming in the IT Market. Our clients are placing increased priority on building top Security practices. As a result of this increased demand, we are seeing increased vacancy levels in Security related contract roles. We have multiple clients looking for great talent specifically with the following skills and capability.

SKILLS & EXPERIENCE REQUIRED
• Cyber Security from networking, infrastructure and application background
• Supporting a large cyber security technology and business process implementation
• Able to identify challenges and opportunities before a full company go live
• Strong relationship and people management skills
• This is a strategic role – reporting into senior leadership
• Strong training and people engagement skills are highly desirable
• Penetration testing experience desirable

Please Note: To be considered for this role you need to be in New Zealand and have the legal right to work.
SENIOR SECURITY CONSULTANT | TENABLE | CANBERRA, ACT, AUSTRALIA

ROLE DESCRIPTION
The Senior Security Consultant is responsible for architecting a Vulnerability Management solution leveraging Tenable solutions based on established industry standards and Tenable best practices. Senior Security Consultants should be able to assess and advise clients on best practices for reducing Cyber Exposure risks across their entire attack surface.

REQUIRED SKILLS AND EXPERIENCE
• Recent in-depth experience performing vulnerability scans, configuration audits, security monitoring with core Tenable products, or other industry solutions
• NV1 OR NV2 Security Clearance is Mandatory to apply for the role
• Deep understanding of Cyber Exposure to include the lifecycle states as well as network asset classes.
• In depth knowledge of networks, Linux/Unix and Windows administration, patch deployment and system configuration
• Outstanding written and verbal communications skills
• Understanding of security principles, policies and industry best practices
• Knowledge of Auditing and Configuration frameworks such as ISO 17799, PCI, GLBA and HIPAA preferred
APS 6 - ICT CERTIFICATION CONSULTANT | DEFENCE AUSTRALIA | TURNER, ACT, AUSTRALIA

ABOUT THE ROLE
As ICT Certification Consultant, you will be accountable under broad direction to perform and achieve complex information security work within an integrated workforce. As the first point of contact for security advice on technologies present in ICT Systems, you will demonstrate high levels of customer service. You will undertake research and analysis of specific issues relating to the security of ICT systems, reviewing documentation and provide reporting as required.

DUTIES INCLUDE
• Contribute to the development and/or improvement of processes, procedures, guidelines, standards and architectures in relation to ICT security.
• Liaise with other security authorities and stakeholders at all levels on matters related to ICT security.
• Manage work take-on and prioritisation within a high-tempo operational environment.
• Engage in highly complex problem solving and issues management, and coordinating detailed or sensitive projects that impact on strategic, political or operational outcomes for Defence.
SENIOR SECURITY ANALYST | SPARK NEW ZEALAND | AUCKLAND, NEW ZEALAND

ABOUT THE TEAM | ROLE
Do you have a keen eye for spotting the odd, unusual or strange? Do you LOVE grep, JQ or awk? Do you enjoy working in an exciting fast paced environment?

We are looking for a Senior Security Analyst to join our Detection and Response Team (DART) here in our Auckland Central offices. You’ll be working inside our well-known Cyber Defence Operations group to help detect, defend and respond to new and advanced adversaries. When you are not responding to incidents you’ll be hunting through our network to find the threats, working on developing new use cases and looking for other opportunities to improve our security resilience and posture.

This role would suit an experienced Incident Responder or an enthusiastic security professional who enjoys high pressure situations and coming out on top. The ideal candidate will have a passion for all things technology and can pick up and understand new technologies as incidents arise - you will be quick to adapt and be able to speak in technical terms with internal and partner stakeholders.

KEY RESPONSIBILITIES
• Responding to, coordinating, and leading security incidents by collecting, analysing, and preserving digital evidence.
• Developing new detections to protect against existing and emerging threats
• Building and improving our security toolsets
• Understanding vulnerability advisories and being able to quantify risk, escalate and follow up on remediation activities.
• Escalation point for Tier 2 security analysts
• Provide mentoring for junior team members to help improve their investigation skills
• Offering security expertise and guidance to a diverse set of engineering and business teams.
CYBERSECURITY BUSINESS ANALYST | OPTIVER | SYDNEY, NSW, AUSTRALIA | HYBRID

WHAT YOU’LL DO
Optiver is looking for a Cybersecurity Business Analyst to join our continual effort to evolve and strengthen our security posture.

As a member of our InfoSec team, you will champion Cybersecurity awareness and best practices throughout the organization, and partner with your global team to contribute to Optiver’s information security vision, program, and control framework. You will collaborate with the business to drive a culture of mindfulness while supporting the ability to move and innovate rapidly.

WHO YOU ARE
• 5 + years experience with and a passion for Cybersecurity in a corporate (ideally financial) environment
• Exceptional written and oral communication skills (English)
• Organization and attention to detail
• Positive attitude and ability to collaborate and build consensus, within a variety of functions and experience levels
ASSOCIATE DIRECTOR, DIGITAL FORENSICS AND EDISCOVERY | PHARMIWEB.JOBS: GLOBAL LIFE SCIENCE | BROADMEADOWS, VIC, AUSTRALIA

THE ROLE
Lead a global team to apply security incident handling processes for CSL to support the cybersecurity and information security incident response process to:
• Prepare, Identify, Contain, Eradicate, and Recover from cybersecurity events

You will lead a global team of digital forensics and eDiscovery analysts that will:
• Work with the Director, Security Operations to develop and implement a cybersecurity threat analysis structure of common attack techniques to evaluate an attacker’s spread through a CSL system, platform or network.

YOUR SKILLS AND EXPERIENCE
• Required: College degree, preferably in a related technical subject; or advanced degree in business or industry-related subject or equivalent related work experience in cybersecurity and manufacturing.
• Preferred: An advanced degree (MS) in a relevant discipline (or equivalent) including cybersecurity, management information systems, and related technologies related to manufacturing cybersecurity.
• Preferred: Project management certification / training / CISSP, CISM, CISO, GIAC-GCED, GIAC-GCIH, or GIAC-CFE certification.
NETWORK ENGINEER | LEIDOS AUSTRALIA | CANBERRA, ACT, AUSTRALIA

ABOUT THE COMPANY
At Leidos, we deliver practical solutions to the Federal Government’s most complex IT engineering problems. And, as a Prime Systems Integrator, these are often on a scale and variety rarely seen by other organisations. Whether developing and supporting technology transformation projects for the Bureau of Meteorology, providing software applications for critical Defence missions, or improving the way the ATO supports its service delivery, our work has a direct impact on the lives of Australians, and will certainly impact on your career.

YOUR NEW ROLE
We have an exciting and challenging opportunity available for a Network Engineer to join our high performing IT Projects team.

Working in a fast-paced environment in a collaborative team with mixed skill sets, you will be working on project planning, implementation and integration activities. You will be able to take guidance under minimal supervision to complete tasks as part of a project team. Working in the Systems Engineering lifecycle, you will produce high-quality artefacts and deliver value to our customer.

THIS ROLE REQUIRES AN NV-1 SECURITY CLEARANCE OR THE ABILITY TO OBTAIN ONE.
KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.
COLUMN
Don’t get poor fast!
With Australia still suffering from a number of significant data breaches (you know who they are) we have a lot of negativity. So, rather than end the year on a note of doom and gloom, I thought I should take a retrospective look at these breaches. There are three things we can learn: the silver linings in rather dark and stormy clouds, so to speak. These could save you time, money and (in some cases) your business.
Cyber awareness is key. Change the narrative from “your staff are your weakest link” to “your staff are your first and best line of defence.” So, no more “speaking at them,” trying to bore them into submission. No more once-a-year conferences and training workshops that focus on the ‘magic’ of a breach with live demos of mobile phone hacks (rather than on what to do to stop them). No more of the same boring awareness training year after year. Make 2023 the year you change it up. Make your cyber awareness training interesting, practical, relatable and memorable.
Do not forget your client. While cyber awareness improvements across your organisation—from the mailroom to the boardroom—are key to your business’s cyber safety, what about taking your clients on the journey? In 2023 strengthen your client relationships by helping them build their cyber resilience. Simply add cybersecurity to your onboarding process, annual reviews or even your newsletters and/or email communications. Many clients may not understand phishing scams, the issues that arise from using personal email accounts to store company data, the importance of good password hygiene or staying up-to-date on the latest data breaches. Making sure your clients are more cyber-aware could be the best five minutes you spend with them.
Good password hygiene is for everyone and forever. Password hygiene might not be exciting, but it sure does pack a powerful punch. Make 2023 the year you review your current password policies. Provide them in writing to all staff, check in to see they are being followed and encourage their use in employees’ personal lives. Good password practices are for everyone and should not stop when they leave the office, are at home and/or have stopped working.
You may be thinking “This is all very well and good, but what has this got to do with ‘don’t get poor fast’?” Well, by implementing these three recommendations you might just avoid a cyber breach, and then you will not need to pay:
• Cyber breach costs: the average cost of a breach was $2.92m in Australia in 2022.
• Data breach penalties: the Australian government is increasing penalties to the greater of $50m, three times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover during the breach period.
• More data breach penalties: under the National Data Breaches scheme, failing to report a breach can cost from $444,000 for individuals to $2.2 million for companies.
• Director penalties: these can cost up to $200,000 for a breach of s180 of the Corporations Act 2001.
There are other costs that can result from a data breach, but because we are trying to end the year on a positive note, I shall assume you get the general idea. The takeaway is this: It is cheaper to take action to prevent a cyber breach than it is to wade through one and remediate it!
www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
INDUSTRY PERSPECTIVES
JO STEWART-RATTRAY
WHEN CYBERSECURITY FAILS, MATERIAL RISK GROWS by Jo Stewart-Rattray, Information Security Advisory Group, ISACA
Following a number of high profile data breaches in 2022, it is clear board members and CISOs will need to take a broader view of the material risk arising from data breaches and cyber threats. Data breaches impacting millions of Australians have shaken consumer confidence and motivated the government to act decisively. As a result, boards and directors can expect greater scrutiny.
Boards, directors and security experts will be judged on their understanding of, and response to, material risk arising from unintended data breaches and more frequent, malicious cyber threats. Material risk, including financial impact and reputational damage, is growing.
FINANCIAL RISK IS BROADENING
Financial risk is commonly considered in terms of lost revenue and the cost of remediation or ransom payments following a breach. However, organisations should also prepare for greater financial penalties if they fail to protect customer privacy. Following the data breaches at Optus and Medibank Private in October 2022, the government introduced legislation to increase penalties for repeated or serious privacy breaches. The proposal for parliamentary consideration was to increase the maximum penalty from $2.2 million to $50 million, or three times the value of any benefit obtained through misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period, whichever is greatest. Although final legislation is pending at the time of writing, the government’s intention is clear: to strengthen the powers of the Australian Information Commissioner and the Notifiable Data Breach Scheme.
With rising penalties, organisations that previously considered customer data as an asset may need to reframe their thinking and see unprotected data as a liability. Privacy breaches may require consumer compensation, for example to cover the costs of new identification documents. It is possible legal action may arise from more serious customer losses resulting from fraud enabled by the stolen data.
RISK OF REPUTATIONAL DAMAGE
There is a growing sense of desperation among consumers who think nothing can be done to protect them from cybercrime—as highlighted in ISACA’s Consumer Cybersecurity 2022 survey—and boards and security professionals need to act.
The level of consumer concern about data privacy and security—and consumers’ awareness of identity theft, scams, fraudulent transactions and hacking—are important indicators of consumer trust. They illustrate the role cybersecurity plays in protecting consumers, and an organisation’s reputation and competitiveness. The ISACA survey focused on the experiences and perceptions of consumers in relation to cyberthreats and the organisations they engage with. It highlighted the material risk to an organisation’s reputation, financials, competitiveness and potential for growth. When consumer trust falters, a business falters. Boards rely on security professionals to play a critical role in bridging the gap between consumers’ experience and perception of cyberthreats and their expectations of an organisation’s ability to protect them and respond to cyberattacks.
Consumer concerns identified by ISACA include:
• A belief that cybercrime has increased in frequency.
• A growing fear of personal identifiable information being stolen.
• An expectation they will be the victim of cybercrime.
• A belief that a business they engage with will experience a cyberattack.
• A belief that breaches are being under-reported.
What should be of most concern to boards and security professionals is that, once trust is lost, consumers will sever ties with the business resulting in lost revenue and reputational damage.
While many security professionals are confident of their ability to detect and respond to cyberthreats, consumers feel increasingly helpless about protecting themselves.
However, organisations seen to have more robust protections and security practices than the norm are held in higher regard. In particular, consumers value more transparent reporting of breaches, businesses with certified cybersecurity professionals and the publication of independent grading or scorecards of security practices.
Robust digital trust strategies, better communication and transparency and an improved lived experience will all help to build greater consumer confidence and lay the foundations for organisations to thrive. Boards and directors have an increasingly important role to play in achieving that outcome.
ABOUT THE AUTHOR
Jo Stewart-Rattray—CISA, CRISC, CISM, CGEIT—is a member of the information security advisory group, ISACA, vice president - community boards with the Australian Computer Society and Director of the National Rural Women’s Coalition. She has more than 25 years of experience in the security industry. As the director of technology and security assurance with BRM Advisory she consults on risk and technology issues with a particular emphasis on governance and IT security in businesses, and regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail and government sectors.
www.linkedin.com/in/jo-stewart-rattray-4991a12
MEGAN KOUFOS
AWSN END OF YEAR WRAP-UP by Megan Koufos, Program Manager at AWSN
As we come to the end of the year we at AWSN would like to take a moment to reflect on 2022: it was a big year!
As the world and Australia slowly opened up, so did AWSN, with all our chapters moving from online to in-person events. We held 14 online and 32 in-person events across all chapters, including the newly added Tasmania and Newcastle chapters.
We welcomed a new board, hired our first employees and massively restructured our organisation. We also increased our sponsors by 140 percent, welcomed over 1000 new members and began partnering with more organisations to provide additional benefits to our members.
Our award-winning, long-running AWSN Cadets program was rebranded AWSN Explorers to better reflect its role helping members explore the different security domains. We also worked to increase the visibility and importance of cybersecurity to potential future cybersecurity professionals, through presentations and workshops at numerous high schools and tertiary education institutions.
• With the support of the Victorian Government, 26 women were selected to join the new Security Pathways and Women in Leadership initiatives to increase the number of women in technical cybersecurity and security leadership roles across Victoria.
• We partnered with ISC2 to offer members free exam vouchers for ISC2’s new entry level certification, Certified in Cybersecurity (CC).
• Through the generosity of the OSINT Combine team, 80 AWSN members were able to participate in a one day OSINT Foundations, Attribution and Tradecraft session and career panel, and develop a fundamental understanding of OSINT and the intelligence cycle. All attendees appreciated this opportunity. We look forward to doing more with the OSINT Combine team in the future.
• We officially began our pilot programs sponsored by the Australian Signals Directorate (ASD).
PILOT PROGRAMS
We launched a number of pilot programs in 2022.
SECURITY PATHWAYS PROGRAM
This provided excellent opportunities at a heavily subsidised price for 105 women—from students to stay-at-home mothers returning to the workforce and career changers—to access training and coaching that might otherwise have been prohibitively expensive. Participants were offered technical training, career coaching, CV-writing advice, certifications, mentoring and internship opportunities enabling them to gain the technical and soft skills necessary to work confidently in the security industry.
Through this program, participants gained:
• A better understanding of cyber threats.
• More confidence with the ‘technical’ terminology.
• Greater understanding of what a career as a SOC analyst, threat hunter or penetration/security tester involves.
• Connections with other like-minded women that could be of benefit in the future.
• Employment and internship opportunities.
• Advice on CV writing and the roles they should apply for.
In addition: 10 received one-on-one personalised career and CV guidance; 12 gained certifications in CompTIA A+, Security+ and Network+; seven were offered paid internships at Telstra.
WOMEN IN LEADERSHIP PROGRAMS
AWSN supported 110 women participating in various coaching and training programs that built on their current experience and supported their career aspirations with mentoring and peer-to-peer industry connections. These programs were targeted to emerging leaders and aspiring C-suite executives. They focussed on presentation skills, global leadership and executive cyber risk training to elevate the profiles of women with a wide variety of roles and experiences in security. Participants in this program gained:
• An understanding of what is required at the executive levels of security leadership.
• A deeper understanding of their individual emotional intelligence and strengths, and how to use these effectively in leadership positions.
• Advice on CV writing, career guidance and the personal branding required at the higher levels of leadership. (Ten women were given personalised career and CV guidance sessions).
• Coaching and training in presentation skills, personal brand development and confidence building.
• Peer-to-peer industry connections through their cohort to help build networks after completion of the program.
• Three complimentary board communication sessions.
We also launched the first of our leadership forum roundtables to provide a safe space for high-level strategic conversations and networking, for sharing of ideas and for the development of solutions to key issues in the industry.
INCIDENT RESPONSE COMPETITION
We partnered with Retrospect Labs, for the second year, to provide a competition-style incident response exercise for women working, studying or interested in the sector across Australia. It was based on the successful 2021 competition in which 100 women participated. The 2022 competition had 250 spots available thanks to sponsorship by ASD and the Commonwealth Bank of Australia. ASD sponsorship also enabled AWSN to offer, prior to the competition, a two-day, hands-on incident response training course for 45 women in partnership with Retrospect Labs.
For the competition, teams of up to five participants with mixed skill sets were formed to work through a scenario that simulated a real-world cyber incident impacting a fictitious organisation. Thirty-one teams completed the competition and the three highest ranked teams received some great prizes (see the Incident Response Competition article elsewhere in this issue).
GENDER DIMENSIONS STUDY
In August we launched our new survey on gender dimensions in the Australian cybersecurity sector, a joint project with RMIT Centre for Cyber Security Research and Innovation, sponsored by the Australian Signals Directorate.
Participation was open to security professionals living and working in Australia of all genders and in all domains of security. We also encouraged those who have left the sector to complete the anonymous survey questionnaire.
We had a fantastic response. All responses were analysed to gain a better understanding of the barriers that potentially impede careers and the factors that have helped individuals progress their careers in the security industry.
We expect to reveal the results of the survey early in 2023.
WOMEN IN SECURITY MENTORING PROGRAM
2022 was also the year in which—after five years of visioning, planning, programming and piloting—the public beta version of the Australian Women in Security Mentoring Program was launched, through Government/ASD sponsorship and OK RDY’s match-making tool for mentors and mentees. It is Australia’s first mentoring program with an associated app-based platform for women in security.
The initial intake has seen more than 108 mentors and 143 mentees join the program and platform to participate in more than 165 mentoring sessions and 120 hours of mentoring. The next intake will join the program early in 2023.
Thank you to all our sponsors, coaching and training partners, members, volunteers, staff and community supporters for an incredible year. Without you all we at AWSN would not have been able to accomplish everything we have achieved this year.
It has been a big year of learning and growth for us at AWSN. We continue to reflect and expand and take those learnings with us to an even bigger and more exciting year in 2023. We have listened to, and taken on board, the feedback from our members and community and our events and programs are growing and evolving to support even greater diversity and inclusivity in the industry.
www.linkedin.com/in/megankoufos
Connecting - Supporting - Inspiring
AS A FORMAL MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD AND SUSTAIN A STRONGER FUTURE FOR OUR INDUSTRY
Memberships are now a 12-month cycle. Corporate packages available.
Learn more at awsn.org.au/members/join/
DEPARTMENT OF REGIONAL NSW DEPLOYS PARENTAL LEAVE SUPPORT PLATFORM by Stuart Corner
Being pregnant and in paid employment is never going to be easy, but with the wrong workplace culture, it can be nigh on impossible.
That was the experience of recruitment consultant Rebecca Grainger who migrated to Australia from the UK in 2010 and took on a role with a boutique consultancy. In 2014 she resigned after a miscarriage. “My focus was looking after my health and stress levels. Sadly, it became evident I didn’t have the support of management, so I felt the only option was to move on,” she recalls.
She began career coaching and discovered the scale of the challenge working women face when pregnant or trying to return to work after parental leave.
“The people who came to me were all women, either on maternity leave, or had returned to work post‑parental leave. In all scenarios, they were professional and ambitious women who were feeling disengaged and disconnected from their employer,” she says.
A TOOL TO INCREASE EMPLOYEE ENGAGEMENT
Those experiences led Grainger to found triiyo, described as a “human-centred connectivity tool that increases employee engagement and retention during workplace transitions. … [a] simple, automated tool [that] guides managers through every step associated with complex workplace transitions [removing] the guesswork, ensuring each employee has a consistently positive experience.”
triiyo has just received a significant boost: the Department of Regional NSW has chosen it as the basis of a customised, online platform to support its employees on parental leave.
The department says the goal is to give employees an all-in-one tool “where they can access information, communicate with their colleagues, get paired with a buddy on their team, and stay on track in their career – all at their own pace.” Donna McLeod, Director Workforce Capability and Talent at the Department of Regional NSW, says the aim was to ensure open communication between managers and their employees at every stage of parental leave: becoming pregnant, putting together a communications plan while on leave, career planning for their return to work.
SUPPORTING THE PARENTAL JOURNEY
“We really want to make sure our teams have support and that they’ve got a means of staying connected at a cadence that suits them,” she explains. “Being able to access information on the triiyo platform, regardless of gender, will help all parents on their journey.
“In the early days, it’s about creating a safe space for employees and managers to have an open conversation. Because in the early stages there are a number of scans, blood works and doctor’s appointments that need to happen, and a number of women feel unwell through the first trimester. So, it’s about talking to employees and asking, ‘How can we support you? What can we put in place?’ and being really adaptive.”
triiyo says its platform offers a safe and confidential place for employees to access the information they need to prepare themselves for the first conversation about pregnancy and navigate the other stages of their parental leave journey with their manager when they are ready.
“Companies can upload their policies and procedures and create community channels where employees can connect with colleagues also on leave to share experiences and seek advice.
“Employees also have access to a resource hub curated by experts to support them in all aspects of pregnancy and parenting: from miscarriage and infertility to balancing work with parenthood.”
Grainger says triiyo had been designed to be outside company HR systems, “so employees can access a safe and confidential space that ensures people get support early on in what many employees fear are career-limiting life phases.”
A CUSTOMISABLE PLATFORM
McLeod says the department chose triiyo after evaluating several similar platforms. “It had to be customisable, and it had to have a journey. … It needed to support people from the time they find out they are going to be parents, and have a keeping in touch mechanism that could be driven by the employee. … The level of customisation you can have within triiyo, the level of information it contains and the number of partnerships: we felt it was exactly what we wanted for our people.
“Also professionally, we want them to feel they’ve got colleagues and friends they can check in with [to make sure] everything’s okay. It gives our employees access to drive how they want that communication to be. And it gives them a peer network with other parents and carers for when they come back to work.”
NATALIE PEREZ
ENGAGEMENT WITH AN IMPERSONATOR by Natalie Perez, Senior Internal Auditor - Enabling Functions, Medibank Private Ltd
Narrator: It was 28 December 2021 when I received a Facebook message at 6:24am from my sister’s account.
Sis: Hi Nats! Good morning.
Me: Good morning. Hey, it’s only 3:30am there. Why are you awake this early?
Sis: I woke up early today. Hehehehe. Can I ask a favour?
Me: Yes, what is it?
Sis: Can I borrow some cash for funding? I will return it before the New Year.
Me: Sure. How much do you need?
Sis: P 40,000, keri?
Narrator: Keri is a Philippine slang word to ask “if you can do something”.
Me: I can, but I will ask hubby before I take the cash out. Can I ask you what is it for? P40,000 is a large amount. That is around $1200.
Sis: I plan to expand a business.
Me: No worries. Okay, I will ask hubby. I just paid our credit card bills.
Sis: Really? If possible, I need it now.
Narrator: I checked the online remittance service that I use to send money overseas. The earliest date that the cash would be credited to my sister’s bank account is 4 January 2022.
Me: Sis, the online remitter can only credit the cash on 4 January. You cannot have the cash earlier than that date.
Sis: Why? I have iPera. Can you not send via iPera? Here is my cellphone number: 091NNNNNNNN.
Narrator: I noticed that the mobile number given to me is not my sister’s usual mobile number. iPera is a remittance facility of a major telecommunications company in the Philippines. The recipient is notified via SMS that the cash is available for collection from different agencies such as pawnshops, supermarkets or department stores. iPera can also be set up to link to a bank account for fast and seamless crediting of remittances. It is a very popular and well-accepted remittance tool because it is very convenient, and remittances can come from within and outside the Philippines.
Me: Did you change your mobile number?
Sis: Yes, I did. I am using a prepaid SIM card.
Me: Ah okay. The fastest I can do is to remit via credit card. It will be a cash advance, and I will be charged 22 percent interest.
Sis: That should be fine. Just go for it because I really need the funds now. And don’t worry, I am expecting a large return on investment from this business.
Narrator: That is when I became suspicious. I knew my sister would not let me have a cash advance from my credit card. I decided to engage with the person whom I thought was impersonating my sister.
Me: Which business are you getting into?
Sis: I am investing in cryptocurrency. I will place P50,000, which will give us a 50 percent or P25,000 return in three days, which is December 31, 2021. I will return your P40,000 on January 1, plus your P20,000 interest. It will be a happy new year in 2022 for both of us.
Me: Sis, be careful with crypto. The industry is unregulated, especially in the Philippines.
Sis: Don’t worry! I know someone who plays Axie Infinity. The cash being invested by him is what he uses to buy his teams, this enables him to fund his scholars for the online gaming platform. I have my bank account details. The Bank name is “X Bank”, and the account number is ‘NNNNNNNNNNNN’. My account name is: Xxxx Xxx.
Narrator: I can confirm that my gut feeling was that the person I was engaging with was impersonating my sister. The name given is my sister’s alias, which is also her Facebook account name. I know my sister does not use her alias with banks. My sister is a busy person who would not have time to get into online gaming. Axie Infinity is a token-based online video game which uses Ethereum based crypto currencies. The person pretending to be my sister is advising that they will be investing in crypto currency to someone who funds players on the online gaming platform.
Me: I need the bank address so I can send you P40,000.
Sis: Wait. I will give you a bank address: NN XXXXX Street, XXXXXX City, Zip Code NNNN. You got everything you need to send the money, okay?
Me: Thanks, but please wait! Let me ask hubby. We are just having dinner.
Sis: Nice, enjoy your dinner. If I were you, just go and send the money! You don’t always need to ask your husband for permission. He doesn’t have to know everything you do.
Narrator: Our FB messaging initially ended at 7:33am in Melbourne. It was 4:33am in Manila.
On another messaging platform, I alerted my family that I suspected my sister’s Facebook account had been hacked and someone else was impersonating her. My sister confirmed she had never asked for money. She was asleep between 3:30 to 4:30am Manila time (6:30 to 7:30am in Melbourne), which was when I was exchanging messages with her Facebook account. She was worried that the hacker/impersonator might have contacted someone else.
My sister checked her Facebook Messenger for the history of messages in her account. She could not find the exchange of messages we had from the screenshots I shared. She checked the messages with our family members, and there were no messages of her asking for money. She also checked if there were messages to her Facebook friends whom she hardly contacts, and there were no messages sent from her account.
Two hours later, I got a follow up message from the impersonator using my sister’s Facebook account:
Sis: Have you asked your husband? Have you sent the money? I really need it. Axie has a cut-off in 30 minutes. I need the cash ASAP. I will not bother you again when I receive the P40,000 because I get notified by text as soon as you send it.
Narrator: My sister changed her account name and password on Facebook. I did not receive further messages from the person impersonating my sister.
Five people have reached out to my sister to check on how she was going and if she received the money they had sent via iPera. They were dismayed and heartbroken when my sister told them that someone had hacked into her Facebook account and it was not her who was asking for money.
We could not find the messages from my sister’s Facebook account that were sent to the five people who remitted money to the person impersonating my sister. The five people captured and sent screenshots of the messages with the impersonator from their Facebook accounts. They asked my sister how they could get their money back. My sister had no answer for them but advised them to call their banks and tell them not to release the funds sent.
The impersonator’s iPera account and mobile number were linked to his bank account; therefore, the remittances were automatically credited. From the five people who reached out to my sister, it was a total of P150,000 (around $A3500) that was remitted into the impersonator’s bank account.
In the Philippines, complaints of online scammers, impersonators or hackers are reported to a local government agency called National Bureau of Investigation (NBI). With COVID-19 and lockdowns many people have become vulnerable to online scammers and impersonators, and the process to report scams and hackers has been complicated.
I investigated the bank account given to me. It was a valid online banking account. Because of lockdowns many banks introduced online banking products, accepted account applications online and opened new accounts after personal details were entered. The bank’s marketing pitch was that the banking product is virtual, easy and seamless to open, even in a pandemic lockdown. I did walk through the process of opening an online bank account, and I learned that it did not require me to provide evidence to verify my identity and address.
I rang the bank’s cyber customer care to report the bank account details the impersonator had used to scam my sister’s friends via Facebook. The cyber customer care person advised that I should call NBI and report the incident. The bank could do nothing further to investigate the account because of the Philippines’ Bank Secrecy Act.
I have three questions from this scenario:
• Whilst we love automation with the speed and convenience it features, how can we ensure it is ethically implemented and protects our customers?
• How can we make legislation not become a roadblock against countering threats that were unknown or unheard of at the time the legislation was written?
• How can we make it easy for ordinary people to report or complain when they become victims of scammers or impersonators?
www.linkedin.com/in/natalie-hingco-perez-74298436
THANK YOU TO OUR 2022 NEW ZEALAND WOMEN IN SECURITY AWARDS SPONSORS
SUPPORTING PARTNER
BRONZE SPONSOR
NETWORKING SPONSOR
SUPPORTING SPONSOR
GOLD SPONSOR
EMERALD SPONSORS
SILVER SPONSOR
MERCHANDISE PARTNER
INDUSTRY PERSPECTIVES

JANINE SEEBECK
HOW TO HAVE A CAREER THAT IS RICH IN EXPERIENCE AND PROFESSIONAL FULFILLMENT
By Janine Seebeck, CEO at BeyondTrust

Seeking out opportunities to extend yourself will help you amass a wealth of knowledge and the confidence to tackle whatever challenges are tossed your way, writes BeyondTrust CEO Janine Seebeck.

Did I embark on my professional career two decades ago with the express object of pulling in the biggest possible pay cheque in the shortest possible time, in other words, getting rich quick?

In a word: no. What drove me back then, and still does today, was a deep desire to learn and grow, both professionally and personally. I am an intensely curious person and also a hard-working one (my husband would say a workaholic!). Those traits and a healthy dollop of good luck—being in the right place at the right time is undoubtedly a gift—have helped generate opportunities that have enriched my CV and allowed me to rise up the ranks into the executive team of a security company that is a recognised leader in identity management.

TAKING RISKS
A willingness to take risks has also helped me. In professional terms that means being ok with the unknown. It means being prepared to put your hand up and say that you do not know certain things and that you need help. And, sometimes, it can mean being willing to throw caution to the winds and have a crack at something that is daunting, exciting and was not in your life plan.

For me, one of those ‘do or die’ moments came in 2008 when my then employer, a publicly listed US company, tossed out the suggestion that I swap my comfortable vice-presidential role for an equivalent gig in an emerging territory, Australia. I had a husband, dogs, a life. Six weeks later the four of us were living that life in Sydney, a city that will always hold a special place in my heart, courtesy of the fact it is where my first son was born.

BACKING YOURSELF
Taking the leap, rather than playing it safe, can be particularly challenging for women, more so than men. We are inclined to feel responsible—for things, people, everything—and to put others first. Making career choices that focus first and foremost on ourselves may not come naturally if there are other competing priorities. And there is also the dread that things might not work out. Then what?

My approach has always been to think, ‘what’s the worst that can happen?’. The answer is usually going to be: I will be fired. Is that a big enough issue to hold me back? Probably not. If things do not pan out as planned, there are other businesses, other jobs. Chances are, I will be able to get one of those jobs. Squaring that up in my head has helped me feel ok—better than ok, excited and invigorated!—about taking chances. As the saying goes, if you do not do something, you will never know what you missed.

FINDING SUPPORT
While personal motivation and hard work are important, career progress is so much easier with the right support. That is why it is critical to work for organisations prepared to invest in you and your growth by offering well-defined career paths and opportunities for advancement. Typically, they will have strong, healthy cultures and values compatible with your own, and you will be actively encouraged to develop the skills and capabilities that will help you take the next step.

Work hard, show the leadership team what you are made of, and do not be afraid to advocate for yourself and the opportunities you want to see come your way.

Also, it is impossible to overstate the importance of mentoring, particularly in the (still male-dominated) ICT and security spheres. Participate in professional networks that bring you into contact with other women at various stages of their careers, as Sheryl Sandberg famously advocated in her book, Lean In.

It can be daunting approaching senior leaders if you have only a couple of years of experience under your belt, but the reality is, those leaders are simply people. And, if you are genuine, motivated and hard-working, chances are they will be people who are happy to share information and insights that can help you get where you want to go.

WEALTHY IN WAYS THAT COUNT
For me, career development boils down to this: invest continually in yourself and your career and the riches—tangible and otherwise—will surely follow. Perhaps not quickly, but if you are up for a challenge, it is a journey you are guaranteed to enjoy.

www.linkedin.com/in/janine-s-b6a7165
ALYSSA BLACKBURN
BALANCING RISK AND PRODUCTIVITY IN A HYBRID WORLD
By Alyssa Blackburn, Director of Information Management, AvePoint

With Australia leading its global counterparts in the shift to hybrid working, local business leaders have been faced with the challenge of not ‘if’ but ‘how’ to make hybrid teams, environments and project management work as effectively as possible. Many executives are still concerned about optimising the productivity of hybrid workplaces while others are deterred by the cyber risks that come with a digital-first workforce.

However, focusing solely on either of these business challenges will lead organisations to miss finding the balance between risk and productivity that ensures teams are collaborating safely while staying engaged.

Cybercrime continues to rise and many employees are likely to leave a company if flexibility and hybrid ways of working are not available. Consequently, understanding the implications of hybrid working on the business’s risk and productivity, and then implementing strategies to minimise risk and maximise productivity, need to be front and centre in boardroom discussions.

TAKING A PROACTIVE APPROACH TO MANAGING HYBRID WORKPLACE RISK
Recent data breaches and cybersecurity attacks on high-profile companies across a range of industries have highlighted the reality that today’s workplaces face constant and significant security risks. Whether these are well-funded international crime syndicates using email scams, human error by local teams over-reliant on manual processes, or data management plans (or lack thereof) that involve storing data for longer than needed, every business has risks that are unique to its operations and industry.

In fact, any business that has information carries risk. For years, businesses have competed and innovated to get as much customer and prospect data as possible. Data was seen as the end-goal. Today, as has been proven by data breaches in some of Australia’s largest organisations, businesses are starting to recognise data is an asset, but also a liability.

Consumers have been quick to recognise this and are holding businesses accountable. It is no longer acceptable for businesses to treat data security and management as a secondary business priority. There are effective steps every business can take in the short and long term to prevent cybersecurity threats and mitigate the risks of data breaches. These start with treating data protection as one of the most important business issues an organisation faces today. A top-down and end-to-end approach to data management is necessary to ensure appropriate resources and investments are allocated for sustainable success, and to ensure loopholes or gaps in security processes do not invite greater risks.

COLLABORATION LOOKS DIFFERENT TO EVERY GENERATION, INTRODUCING NEW RISKS
For the first time we have up to five generations in the workplace simultaneously. When working with hybrid teams in the modern workplace, it is common for some team members to prefer collaborating via different platforms and channels to others. Younger generations may prefer collaboration tools that resemble social media platforms, enabling immediate commenting, sharing and reactions. Meanwhile, older generations may prefer phone calls, legacy applications or even in-person meetings.

Shadow IT is another business challenge that has evolved with the acceleration of hybrid working. Certain company-approved tools and SaaS applications might be available, yet employees still opt for non-approved tools that may appear easier to use or more accessible. This introduces another level of risk. Employees could be sharing data, clicking on links or connecting to technologies their employer has not assessed or perhaps not previously encountered.

Every organisation will have ‘collaboration champions’ and ‘collaboration refusers’. Again, when assessing how to get the most out of teams with varied ways of working, the priority needs to be educating and enabling staff to work and collaborate securely, rather than determining which channels or styles of working should be encouraged over others.

KNOW YOUR BUSINESS, KNOW YOUR RISK
It is impossible to effectively prevent a problem you barely understand, and it is impossible to fix problems you cannot see. Just as the members of the C-suite are familiar with financials, sales figures, staff capacity ratios and other insights about their teams’ operations, it is important to invest the resources and time in tools that help leaders understand how their teams are working, communicating and collaborating.

With insights into, for example, how data is being shared internally, an organisation can invest in appropriate solutions that reduce the time spent finding commonly shared documents, streamline processes for updating important and broadly used presentations, or make immediate changes to how data is stored to mitigate the risk of a data breach.

In addition, organisations should not be holding onto data that is not required for business purposes. Data and information should be subject to a lifecycle. Remember, if you do not have something, your risk of it being exposed is zero!

Any business operating today needs to be embracing, not debating, the various pros and cons of a hybrid workplace. Taking a proactive and preventative approach to secure data collection, management and collaboration will ensure employees can work in ways and via channels they are most confident with, and that the productivity benefits of hybrid working will not be hindered by security risks and concerns.

www.linkedin.com/in/alyssa-blackburn-62344226
www.avepoint.com
SIMON CARABETTA
IN CYBERSECURITY, IT’S BELLUM ROMANUM, OR NOTHING
By Simon Carabetta, Business Operations Lead at ES2

Picture this. It is the second century BCE. You have been conscripted via a lottery to fight in a land war for the Republic of Rome. Instead of being issued with standard weaponry and equipment, you must provide your own. You will have to undergo extensive training along with a number of other inexperienced young men to fight an army from a place you have likely never heard of nor would ever travel to. If you are lucky, you survive and return home victorious, only to be told to return to your daily life after receiving your (quite insubstantial) pay.

This was the way the early Republic raised an army each time a battle or war needed to be fought. There was little professionalism, and the concept of a standing army was unknown. It emerged only when a general by the name of Gaius Marius made a number of sweeping changes to the practices and procedures of the army, known as the Marian Reforms.

While some historians (don’t worry, this isn’t a history paper, I will get to my point) dispute that Gaius Marius deserves all the credit for these reforms, because they simply formalised practices already in place, the reforms transformed the army from a force composed of casual conscripts into one of professional soldiers.

I do not really need to tell you the rest of the story. We all know how powerful the Roman military became and how it was partially responsible for the Roman Republic becoming the Roman Empire. However, you do need to take two key concepts from this article:

1. The Marian Reforms formalised professional standards
2. Bellum Romanum

What is Bellum Romanum? Translated from the Latin, it simply means Roman War. Why am I giving a history lesson on the way the Romans conducted warfare? The answer is relevant to Australia in the context of cyber warfare and our own security industry. We need to wage Bellum Romanum.

In a way, we have already begun to do so. The Australian Federal Police was recently reported to have teamed up with the Australian Signals Directorate to create our first offensive cyber unit. We now have foot soldiers provided with the best equipment, tools and weaponry by the Commonwealth Government and charged to take down the bad guys.

That statement is much more sobering when you recognise who the bad guys are. We know how the completely unjustified invasion of Ukraine by Russia was the trigger for a massive increase in cyber criminal activity. However, it was when Ukraine’s minister for digital transformation, Mykhailo Fedorov (the country’s youngest ever minister), called on the international cybersecurity and hacktivist community to attack Russian networks and infrastructure that I started thinking about national cyber warfare readiness. I started to realise how switched on Fedorov is, but also how destructive his call might eventually be. Cyber criminals have no honour, so a message that it is suddenly open season on an entire nation is definitely not one anyone should be sending. It creates a very dangerous precedent.

Back to Bellum Romanum. How does this fit with Australia’s current position? Are we cyber warfare ready? Have we begun making our own version of the Marian Reforms to train and equip the best of the best in our federal cybersecurity command?

I think one of the best recent examples of such a reform of our cyber defences is the ADF Cyber Gap program. This has certainly been a monumental move in the right direction, and has been very timely given the rising tensions in our region, the rise of information warfare and disinformation campaigns, and the increasingly well-armed and well-equipped advanced persistent threat actors across the world.

Australia has begun to develop a ‘standing army’ of cybersecurity foot soldiers. We still have much work to do and not much time to do it. However, I feel fairly confident our cybersecurity defence is in the right hands. We shall see how things play out over the next 12 months. More reforms? Increases in budgets? Recruitment campaigns? We must realise, as a nation, how important our cyber defences are. It is now a matter of all or nothing. Bellum Romanum, or cyber devastation.

www.linkedin.com/in/simoncarabetta
TRAVIS QUINN
THE VALUE OF HIGHER EDUCATION IN CYBERSECURITY
By Travis Quinn, State Director at Trustwave

There is a scene in the first season of the Silicon Valley TV series where billionaire Peter Gregory is delivering a TED Talk that is, basically, an anti-university rant. A professorial type in the audience protests. “The true value of a college education is intangible!” to which Gregory replies, “The true value of snake oil is intangible as well.”

At this point the professor storms off and the crowd laughs. This is comedy, but it reflects a popular anti-intellectual meme in tech: the idea that degrees have dubious value (Peter Gregory’s own words). This meme surfaces frequently on LinkedIn, and if you put “Do you need a degree in cybersecurity?” into any search engine, you will be confronted with articles and threads all confirming you do not need a degree to get into the industry. This is true: you do not need one. We are fortunate in 2022 that you can get by with a mixture of experience, certifications and skills in your chosen area. However, in this article I will argue that anti-intellectualism in cybersecurity is short-sighted, disadvantages young people in STEM and is counterproductive for the industry as a whole.

A useful place to start is with the contribution of higher education to the history of IT and cybersecurity. We owe the current technologies we use to communicate and the technologies we use to secure our communications to academia and the people who chose to pursue a higher education. Early pioneers of packet switching—the basis for modern computer networks—were career engineers and computer scientists like Paul Baran and Donald Davies.

The Internet itself emerged from research at the United States Advanced Research Projects Agency (ARPA) in the 1960s and 1970s (now known as the Defense Advanced Research Projects Agency (DARPA)). ARPA was a US government R&D agency that focused on innovative technologies with national security applications. It was staffed largely by engineers and research scientists, often leading experts in their respective academic fields.

Moving on to cybersecurity, we owe many modern security technologies and techniques to innovative university and industry researchers. In the case of the Internet, the most powerful example is cryptography, particularly public-key cryptography. The history of modern cryptography is long and complex, but pioneers in the field like Alan Turing and Elizebeth Smith Friedman are widely lauded (and rightfully so). The pioneers of public-key cryptography are less widely known, but their commitment to advancing human knowledge through technology benefits us daily, whether we realise it or not.

Regardless of what device you are reading this article on, you are currently benefiting from public-key cryptography. It is at the heart of security for the Internet and telecommunications generally (see Diffie-Hellman and RSA). It is difficult to imagine how different the history of computing and security would be without dedicated academic and industry researchers, but it is clear we owe them a great deal.

Returning to the present, why is anti-intellectualism in cybersecurity a problem? There are several reasons, but the most pertinent to women in, or aspiring to careers in, cybersecurity is that it actively discourages young women from pursuing degrees in STEM. Women are already underrepresented in STEM degree courses globally, and this is a major contributing factor to the underrepresentation of women in IT and cybersecurity. If there is a question of how to get more women into IT and cybersecurity, the answer is to not discourage them from higher education.

Anti-intellectualism also hampers innovation by undermining research programs, directly and indirectly. Relatively few businesses are willing to pay you to be a security researcher, to critically analyse the current thinking around a particular technology or method and develop some new approach that advances the state of the art. Such research takes time, diligence and discipline. It remains principally the domain of academic institutions.

Anti-intellectualism also poses a risk to university enrolment generally, which reduces the pipeline of candidates going into postgraduate programs like doctorates and which has implications for specific sectors of our economy (eg, technology and medicine). If our most talented young people do not view higher education as a valid pathway to, or a component of, a rewarding career, then it is a lose-lose outcome for the individuals and for cybersecurity, because we reduce opportunities for new entrants into our industry, and hamstring innovation.

What does higher education give you that industry experience, a certification or a short training course does not? Most people would point to the ability to exercise critical thinking and to produce stronger written and oral communication. These are all valid benefits, but in IT and cybersecurity higher education confers some unique advantages. Firstly, higher education provides the opportunity to develop strong fundamental skills and knowledge across your chosen subject areas. In an IT context these might include core computer science concepts, networking, databases, programming and more.

Normally, training in each of these subject areas comprises months of research, effort and self-improvement through cycles of feedback. This leads conveniently into the second advantage of higher education in IT and cybersecurity: the opportunity to focus on subject matter. Higher education is one of the best opportunities you will have in your life to achieve expertise in a specific subject area of your discipline. Once you enter the industry, the objectives of your employer tend to dominate, and your capabilities in your role are usually measured in terms of minimum requirements, ie, a floor rather than a ceiling.

The obvious example of this is to be found in how advertisements for roles focus on a set of criteria (eg, years of experience, a specific certification). In this respect, most organisations seek capable generalists rather than genuine specialists. Strong evidence for this is to be found in the array of vague multipurpose titles we have (eg, advisor, officer, consultant).

The third advantage of higher education is that it fosters the willingness and capability to question commonly held beliefs. Specifically, it encourages students to ask ‘Why?’ and to challenge the way things are done. It is axiomatic that, left to their own devices, people tend to do things the same way repeatedly, because they are naturally averse to change. People in cybersecurity are no different, and this behaviour runs counter to good security outcomes.

The final advantage of higher education in IT and cybersecurity is not necessarily unique to these fields but is nonetheless important: the power to pivot careers. Through higher education, whether full-time or part-time, we can completely change the directions of our professional lives. Through education we achieve new knowledge and skills and engage in mentorship with educators and our fellow students. In these respects, education is transformative. It rewards experience and is not something to be viewed with cynicism.

To conclude, it is clear that anti-intellectualism in IT and cybersecurity is detrimental. It fails to recognise the debt we owe to pioneering researchers of the past and the positive impacts they have had on our lives. It is also counterproductive because it limits opportunities for young people in our industry, and constrains innovation.

That being said, it should be recognised that university and TAFE are not for everyone, and that is ok. We are fortunate to have many paths to success in our industry, and we should recognise that all paths are valid where they meet the needs of the individual. For many people, higher education is empowering and creates impetus for professional and personal success. It should be supported and not carelessly undermined.

www.linkedin.com/in/travis-quinn1
NEW TO 2023: THE WOMEN IN SECURITY AWARDS ALUMNI SERIES
70 Australian Ambassadors representing a breadth of Australian states
We are bringing you together to expand your networks, gain critical insights into the field, grow professionally, hone your leadership skills and empower the next generation of security experts. The Alumni series will run from March through to June across states.
Watch this space
REUT WEITZMAN
TAKING A PROACTIVE APPROACH TO CYBERSECURITY
By Reut Weitzman, Manager, Cyber Security Services at Sygnia

In today’s digital world, data security is crucial regardless of what type of business you are in. Data is what businesses rely on to make decisions, stay competitive and grow. But as our dependence on data has increased, so has the risk of data being compromised by cyber breaches, especially with the accelerated transition to remote work. That is why it is more important than ever for CISOs to be better prepared to respond should an incident occur. Here is a close look at how organizations can take a proactive approach to cybersecurity.

Cyberattacks take many forms, but they share the goal of compromising data over networks. With the rise of remote working in many businesses, there has been a surge in ransomware attacks. Ransomware is a type of malware that encrypts a victim’s files, enabling the attacker to demand a ransom payment to decrypt them. This cyber-extortion attack can have a devastating impact on a business, producing financial loss, reputation damage, operational disruption and compliance failures. In severe cases where sensitive data or mission-critical systems were impacted, businesses have had to shut down completely due to a ransomware attack.

Ransomware readiness is a state that must be continually maintained. It is not a one-time event. Therefore, a cybersecurity plan should be a living document that is regularly updated as new threats emerge and new technologies become available. Businesses must keep abreast of the latest cybersecurity news to be familiar with threat actors’ tactics, techniques and procedures (TTPs) and modify their incident response plan to stay ahead of the curve. Identify the measures needed to enhance resilience across the entire attacker kill chain: from penetration through lateral movement to execution.

Make sure to allocate the resources and budget necessary to enhance the organization’s ability to prevent, detect, respond to and recover from all phases of the attack, and keep your up-to-date plan effective. Many organizations fail to execute their cybersecurity plan, usually due to a lack of the oversight necessary to ensure proper implementation. Set up an assurance process to measure the controls’ effectiveness, and track and test the plan to ensure it meets key performance indicators (KPIs) and key risk indicators (KRIs) that correlate with the business strategy.

The question organizations face is no longer ‘if’ a cyberattack will happen, but ‘when’. That is why engaging with a strong, dedicated incident response team, armed and ready to go before an actual incident occurs, would be a smart move. This approach would reduce the response time, minimize the impact on the business and enable faster recovery.

A strong incident response team should be proficient in dealing with a variety of threats and have a deep understanding of how attackers operate. During a cyberattack the team would:
• coordinate and align the key resources within the organization to conduct digital forensic investigations across various operating systems, networks and environments;
• support technical teams to contain and defeat threats, including hands-on remediation;
• advise the executive leadership on managing the crisis and on the strategic dimensions of cyberattacks.

When onboarding an external incident response team, ensure seamless integration with the organizational IT and security teams. The onboarding process should include obtaining a basic understanding of the general network architecture and critical systems, ensuring familiarity with current visibility capabilities and contingency plans, and establishing secure data sharing and access processes that can be leveraged during an incident.

Finally, it is important to have a recovery plan in place. This plan should include steps for how to ensure systems are clean and can be securely restored, how to communicate with customers and employees, and how to prevent future attacks.

To stay ahead of adversaries, start by identifying your crown jewels—the most valuable assets—and understanding your vulnerabilities, knowing the many ways your defense could be breached and your data compromised. Put in place the protections needed to keep the attack surface as small as possible, maintain a resilient cybersecurity posture, and be prepared to respond to incidents. It is not a question of IF, but a question of WHEN.

www.linkedin.com/in/reutweitzman
NANCY PAVLOVIC
THE MANY CHALLENGES OF MANAGING RISK AND RESILIENCE By Nancy Pavlovic, Director at PAVLOV GROUP We are part of a global ecosystem in which cyber risk is a complex issue embracing data access, storage, usage and more. Data can reveal a lot about every individual. We live in a knowledge economy. Many of us are becoming digital natives while others remain innocent novices. Yet we are only now waking up to the value of our data, value long recognised by those in marketing and sales. They have been analysing our data for years, using it to understand our motivations and influence our buying patterns. Data comes in many forms and can be used for many different purposes. It can be used to change lives. Data is empowering. We all need to know who has our data, what it is used for and for how long it will be retained. More importantly, we need to be notified when our data is breached. Cyber risk has many facets and can impact us in different ways. The World Economic Forum’s (WEF) 2022 Global Risk Report ranked cybersecurity as one of the top five risks. Risk is a universal issue, defined and described by a common language, but one with many industry-specific dialects, all seeking
116
W O M E N I N S E C U R I T Y M A G A Z I N E
J A N U A RY • F E B R U A RY 2023
I N D U S T R Y
P E R S P E C T I V E S
to convey similar messages and achieve similar
processes, assets and objectives. Therefore, we must
outcomes. To achieve these outcomes our systems,
prioritise the risks associated with cyber.
processes and people need to be recognised as our most important assets, and the data connected to
The Harvard Business Review article Is Your Board
them must be protected with vigilant governance and
Prepared for New Regulations? by Perlson and
effective risk management.
Hetner (2022), says, “Resiliency is more than just protection; it’s a plan for recovery and business
Data can reveal much about us, and put us at risk
continuation. Being resilient means that you’ve done as much as you can to protect and detect a cyber incident, and you’ve also done as much as you can to make sure you can continue to operate when an incident occurs. A company [that] invests only in protection is not managing the risk associated with getting up and running again in the event of a cyber incident.”

According to the WEF’s Global Risks Report 2022 (Insight Report) “in the context of widespread dependency on increasingly complex digital systems, growing cyber threats are outpacing societies’ ability to effectively prevent and manage them.” This is hardly reassuring. Specifically, ransomware has increased by 435 percent, and there is a worldwide shortage of three million cyber professionals. Most interesting is the fact that 95 percent of cybersecurity issues can be traced to human error.

The WEF says there are “systemic challenges” to “improving digital trust” and that “unprecedented security risks threaten to undermine economic growth and public trust.”

Cyber is still seen by many as a technical risk, yet it should be seen as a fundamental risk to the viability and sustainability of a business because it is a business enabler. Business leaders and decision-makers have a fiduciary responsibility to make informed decisions to mitigate strategic, tactical and operational risks. The threat landscape is changing. Our risk posture and—dare I say, our appetite for risk—are also changing.

Risk is inherent in every input, process, action and output of a system. Risk management needs to be factored into every aspect of a business: its

if used with malicious intent. When yet another data breach is announced, we feel powerless. Risk management related to data and cybersecurity is everyone’s concern, especially as we move towards cashless societies and mobile, digital devices that wake us up in the morning, tell us what roads to take, when to pay our bills, when to go to the dentist. These devices enable us to shop by tapping. They monitor unauthorised transactions on our credit cards. They monitor our blood pressure.

How many of us were affected by the Optus data breach? How many Australians were poleaxed when they heard Medibank had been hacked? The list of large organisations we rely on that have lost our data keeps growing. But we cannot put the genie back in the bottle. Reputational damage has a long-term impact on consumer confidence, and a reputation built up over decades can be lost overnight.

To meet the global and domestic cybersecurity workforce needs of today and tomorrow we need to increase the diversity of professionals working in cybersecurity. In September 2022 the Australian Computer Society chief executive Chris Vein said in an ACS Digital Pulse report: “Australia faces a shortage of 30,000 cybersecurity professionals … [and] our annual Digital Pulse report forecasts the nation faces an annual shortage of 60,000 technology workers across all disciplines … This demand is a great opportunity for Australia. If we can meet this demand, we are going to get more Australians into high-paying technology roles and give industry and government the ability to protect our nation’s IT systems.”

At present 17 percent of the cybersecurity workforce nationally is female, according to the Australian Bureau of Statistics. To meet demand for
cybersecurity professionals we need to increase the percentage of women in the cybersecurity workforce well beyond this level.

IT Brief reported, in October 2022, “searches online for cybersecurity training for employees have risen 114 percent over the past four years.” Australia’s Cyber Security Sector Competitiveness Plan, chapter 3 - The challenge, said Australia needs to close the workforce gap, remove startup barriers and strengthen research and development. It highlighted the four major challenges detracting from the growth outlook for Australia’s cybersecurity sector:

I was one of 4000+ delegates who attended the AISA Conference in Melbourne in October 2022 and amongst the hundreds of presenters and scores of exhibitors and sponsors, the standout for me by far was Erin Brockovich. (A big shout out also to Steve Wozniak and Captain ‘Sully’ Sullenberger).

Brockovich said, “Superman is not coming. No one is coming to save you.” Wow! That packed a punch and it truly resonated. Allow me to share and eNANCiate that for you. Cybersecurity has become the hottest global and national topic of conversation because it is no longer only an IT problem. Cybersecurity should be everybody’s concern and everybody’s problem. What that means is that we need to become informed about how our data is captured, stored and used; about who has access to it and, more importantly, what we can do to protect ourselves through awareness and education. We need to increase our ability to anticipate, detect, react to and mitigate cyber threats, and build cyber posture and resilience.

When we think of our border defence, we might think of the Departments of Defence and Home Affairs or the Australian Defence Force. When we think of our communications infrastructure and networks we might think of NBN. For each of these organisations, who comes to mind: the CISO, the CIO, or the IT helpdesk? Well, I defer back to Erin Brockovich. Superheroes are great on a screen in comics and cartoons, but they are not coming to save you. Now we have new actors to watch out for, specifically threat actors and threat agents, organisations or individuals with malicious intent. Threat actors can be internal or external.

Another event I attended recently was the launch of Cyber Week where the Minister for Home Affairs and Minister for Cyber Security, Clare O’Neil, said: “Cybersecurity is no longer just a boardroom table conversation, it is also a kitchen table conversation.” She is right. We need to be having constructive and candid conversations about cybersecurity.

And in case you missed it, the Australian Government has just passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Businesses that suffer repeated or major data breaches will now have to pay.
Attorney-General Mark Dreyfus said “the new, larger penalties send a clear message to large companies that they must do better to protect the data they collect.” Time will tell if the stick approach, without the carrot, will produce increased accountability from big business. The industry stakeholders driving our economy include multinationals, nationals, employers, small businesses, peak bodies, unions, employer groups and, most importantly, our workforce, taxpayers and ordinary Australian consumers of products and services.

The Productivity Commission’s interim report on Australia’s data and digital dividend (August 2022) said: “Productivity growth is vital for Australia’s future, particularly as the Australian and global economies emerge and begin to recover from the economic impacts of COVID-19. … Given the scale and nature of the economic shock caused by the COVID-19 pandemic, it is expected to have an enduring impact on Australia’s productivity challenge. … The acceleration in the uptake of technology by businesses and individuals has stimulated growth in remote work, online commerce, businesses’ digital presence and innovative delivery of public services like health and education. The pandemic has affected business models in some key sectors and underscored the need for labour mobility across the economy.”

According to the Australian Cyber Security Centre’s Essential Eight security measures, while “no set of mitigation strategies [is] guaranteed to protect against all cyber threats,” organisations are recommended to implement eight essential mitigation strategies that make it much harder for adversaries to compromise systems. The mitigation strategies that constitute the Essential Eight are listed below.

The WEF’s Cyber Resilience Index: Advancing Organizational Cyber Resilience (July 2022) said “Cyber resilience is the ability of an organisation to transcend any stresses, failures, hazards, and threats to its cyber resources within the organisation and its ecosystem, such that the organisation can confidently pursue its mission, enable its culture and maintain its desired way of operating.”

Prioritising cyber risk is an imperative. Organisations irrespective of size, industry, geography, product, or service must commit to implementing specific strategies to demonstrate they will not compromise their consumers’ and customers’ trust through inactivity.

Boardrooms can no longer be ‘bored rooms’. They need informed decision-makers with diverse skills and experiences. We as a nation need to maximise the diversity of our workforce so we can aspire to greatness, reclaim our digital sovereignty and develop a world-leading workforce.

www.linkedin.com/in/nancypavlovicmaipm
JOANNE COOPER

WORLD DATA EXCHANGE (WDX): EMPOWERING THE VOICES OF ITS FEMALE TEAM TO ENCOURAGE OTHERS

By Joanne Cooper, CEO & Founder of World Data Exchange

As the female founder and CEO of Sydney-based World Data Exchange (WDX) I recently led and completed the acquisition of digi.me, catapulting the company onto the world stage with operations spanning the globe. I visited our offices in Sarajevo, Bosnia where I admired the diversity and skills of our software engineering team. I sat down with some female team leaders and asked them to give me their perspectives on what technology means to them during rapid digital transformation. Below is what they had to say.

A FEMALE PERSPECTIVE ON TECHNOLOGY: A DRIVER OF CHANGE

The growing prevalence of ICT has strongly impacted our everyday life. As the fastest-growing industry, ICT has transformed how individuals and businesses work and interact. There is a massive demand for skilled ICT professionals to maximise its benefits.

Unfortunately, the ICT sector is still heavily male-dominated. In 2021 only 15.9 percent of the EU’s workforce with an ICT background were women. This percentage has grown little over the past few decades, which raises serious concerns. ICT is essential for women’s empowerment, and they should be equal participants in shaping the digital future.

Society links interest in, and success with, computers to boys while women carry most household responsibilities and are often challenged to balance work and home life. Additionally, women’s accomplishments are often not recognised, and their careers progress at a slower pace. Researchers believe gender stereotypes hold women back. Girls are less likely to be interested in STEM subjects and
less likely to pursue a career in STEM because it is perceived to be male-oriented. This suggests inequality begins in school. However, women were among the pioneers of computing science. The first computer programmer was Ada Lovelace who wrote an algorithm for computing Bernoulli numbers. During the 20th century many women made significant contributions to technology. The 80s brought computers to people’s homes, often as boys’ toys. Most likely, this created the foundation for the digital gender gap we are witnessing today, because it marked the beginning of the decline of women’s participation in computer science.

For too long, women’s perspectives have been overlooked. If we look around, we find today’s world to be still primarily a man’s world. During the Covid-19 pandemic it was difficult for women to find face masks of a suitable size: they were often available only in men’s sizes. Another example: female crash dummies are rarely used in crash safety tests. The lack of female representation affects women’s everyday life: from irritating inconveniences to life-threatening situations.

Technological progress has opened almost endless career possibilities, and it is time for women to take roles in technology with confidence and courage. A female software developer has many challenges to overcome on her career path. First, she must deal with more criticism than her male colleagues. Women are naturally more analytical and detail-oriented than men, and if gender stereotypes can be overcome, they can make outstanding software developers.

Skilful coding is one of many ways in which girls and women can contribute to building a digital future. There are several successful female data scientists, project/product managers, QA engineers, DevOps engineers, UX/UI designers, customer service agents and technology sales agents. Closing the digital gender gap would bring many benefits to the economy. Without equality in the workplace, there is not only less talent, but fewer perspectives and fewer visions. Innovation is fundamental for success, and a diverse team is essential for innovation. Male-dominated teams tend to design products for men. Such thinking cannot satisfy the needs and expectations of the other half of the population. Such products often cannot find a market. Women think differently and bring fresh viewpoints that can help products succeed.

Today, many women remain invisible in the ICT sector, often underestimating their capabilities and the value of their experience. Promoting female role models in the ICT sector is a great way to inspire young girls to get out of their comfort zone and believe they have a place in the future of technology. By making the ICT sector more inclusive, girls will be encouraged to take leadership positions and shape the future of the digital world.
A SNAPSHOT OF THE FEMALE TALENT AT WORLD DATA EXCHANGE

Lejla Bećirspahić – backend team lead

I come from a family of engineers, so a career in ICT was a natural choice. My family always offered great support and always encouraged my problem-solving attitude. My interest in cryptography, discovered in high school, motivated me to start a career in software development. To become a software developer, I followed the traditional path by graduating first with a master’s degree in electrical engineering from the University of Sarajevo. A passion for data security brought me to an industry first mover in Personal Inc as a developer and part of a team building emerging platform technologies that first sought to enable individuals to securely manage, control and reuse their personal data. Personal Inc later merged with digi.me in 2017 which has now been acquired by WDX.

At WDX I am working to unlock the full potential of personal data. It fills me with great joy and satisfaction to be part of an elite engineering team with now a decade of experience building a product that will positively impact human-centric data protection globally. I spend much time writing code, which requires creativity. This is what I like most about my job. The fun part is when the team gathers to solve a complex problem and when ideas about design, architecture and optimisation are thrown around. These sessions are always full of enthusiasm and excitement, and it feels like nothing is impossible with good teamwork.

Melisa Ramčilović – Android team lead

I was always interested in science, which came naturally to me (although not so much to the people around me). I planned to study medicine, but in the last 15 days of high school I changed my mind. To the surprise of many I started studying electrical engineering at the University of Sarajevo, primarily because of my love for mathematics and physics. I finished my studies in the Department of Automation and Electronics, but unfortunately the opportunities and conditions for working in my profession were poor in Bosnia and Herzegovina. So, after two years of work as an embedded software engineer, I decided to change my career and move into Android development, which was not too difficult with the knowledge I had acquired during my studies. That decision brought me to digi.me, where I started as an Android developer and where I am still improving my technical skills. Constant growth is one thing I like about this job; I always have to learn, improve and keep up with its fast-paced and innovative nature. As for what it is like to be a woman in IT, nowadays, it is the same as being a man.

Amila Mujak – QA automation engineer

I chose this profession because I am a person who likes to build new things, solve problems, understand how specific segments work and how they fit together. I saw technology as a way to express myself, which motivated me to become a student in the Faculty of Electrical Engineering at the University of Sarajevo. After receiving my bachelor’s degree, I started working as a quality assurance automation engineer at digi.me. For me, being a woman in IT is a pleasant experience. The industry provides excellent opportunities for women to take on roles and careers in ways that best suit them. My colleagues always treat me the same as anyone else, so I do not experience discrimination.

Aida Adilović – general manager

My background, my previous work experience and my formal education were unrelated to the IT industry, but did not prevent me from joining the company following the merger of Personal with digi.me in 2016, staying in the industry and enjoying the many advantages the IT industry brings. This industry is developing very quickly. It is always dynamic, which has undoubtedly contributed to my personal and professional development over the past six years. Although the IT industry brought a new dimension to my life and broadened my horizons, I have remained faithful to my initial career path in finance, organisation and human resources now within WDX, working with a phenomenal team of enthusiastic and great engineers.
www.linkedin.com/in/joanne-cooper-50369734
TECHNOLOGY PERSPECTIVES

SAI HONIG

BISO – NO THAT IS NOT A TYPO

by Sai Honig, Engagement Security Consultant at Amazon Web Services

You have probably heard the title CISO or chief information security officer. Many companies have someone in this role. In some industries, such as finance or banking, the role is mandatory. According to ZDNet, a CISO is responsible for establishing security strategy and ensuring data assets are protected. CISOs traditionally work alongside the chief information officer (CIO) to achieve these aims.

The CISO works with the CIO and technology teams to design, build, test, deploy, maintain and upgrade technology systems. The CISO is responsible for implementing and maintaining the security of these systems.

The fact is, our world is exponentially increasing its use of technology. With that comes an expectation that everyone—including all our non-technical teams—knows how to use these technologies in a safe and secure manner. Within many organisations there are a large number of non-technical staff: finance, accounting, marketing, supply chain, human resources, education, healthcare, legal, machinists and so on.

BRIDGING THE TECH/NON-TECH GAP

So, how do we bridge the gap between those in non-technical teams and those in technology teams? How do we communicate safe and secure use of technology? How do we prepare entire organisations when new technologies are rolled out? This is where a business information security officer (BISO) may be useful.

A BISO is generally a senior cybersecurity leader whose duty it is to bridge the gap between security and the interests of the business. A BISO typically acts as the CISO’s deputy to oversee strategy at a granular level. In large organisations there may be multiple BISOs embedded in major business units or regional teams. For large scale technology rollouts there may be a BISO who acts as the focal point for business teams.

If security is to function as a strategic business enabler there needs to be alignment between business priorities and information security priorities. If security and business teams are not collaborating, security incidents become more likely as technology use increases. Even with the best monitoring and the strongest security teams, incidents may still go unnoticed and unresolved.

A good BISO needs to be:

• A good listener, to learn about the challenges from both the technical teams and business functions.
• A good translator, to translate technology terminology and jargon for non-technical teams in both written and oral communications.
• A good educator, to help both technical teams and business functions to understand each other’s requirements.
• A good risk manager, to understand that not all risks can be avoided and to know when avoidance, prevention or detection is necessary.
• Able to function between disparate teams: teams work differently, so flexibility is key.

It would be helpful for a BISO to be someone with experience in both the technology world and the business world, and there are several aspects of cybersecurity it would be appropriate for a BISO to oversee. A BISO could serve as a first point of contact for some cybersecurity incidents. They could help de-escalate an issue before it becomes a serious problem requiring resources from other teams. A BISO could work with partners or third parties on behalf of the security team to streamline onboarding of security services. A BISO could also educate staff on new services or functions as they are rolled out.

A BISO IN ACTION

Here is a real-world example. I worked directly with a contracts team developing a process to evaluate and onboard SaaS providers. This required understanding how current requirements needed to be included before signing contracts and completing security reviews prior to onboarding new vendors.

Another example: I evaluated a current SaaS vendor for the legal team before its contract extension was signed. The legal team was not aware of certain vendor processes or of their own responsibilities as the customer. This evaluation also entailed updating internal processes to meet increased security requirements.

In another instance I worked with DevOps and engineering teams helping to drive security into the design of new applications and infrastructure.

In many of my roles I have had to work with privacy, compliance and audit functions to address requests quickly and provide resolution to findings.

According to Brandon Wales, director of the Cybersecurity and Infrastructure Security Agency (CISA), cybersecurity threats should be treated as business risks. So why not have the business involved with cybersecurity? Each year, Cybersecurity Awareness Month (October)—initiated by the US President and Congress in 2004—presents a great opportunity to evaluate the need for a BISO to serve as a conduit between business and security. Because, at the end of the day, when there is a breach—large or small—the (whole) business is at risk.

www.linkedin.com/in/saihonig
ATSE ISSUES DIRE WARNING ON STEM SKILLS SHORTAGE

by Stuart Corner

The Australian Academy of Technological Sciences and Engineering (ATSE) has issued a strident warning about the low number of people with STEM skills coming out of Australia’s education system, saying an urgent rethink is needed to tackle this growing national skills crisis.

According to ATSE, Australia “lacks the capacity and critical capabilities to be able to deliver on our technology-powered, human-driven potential both now and into the future.”

It says steps must be taken urgently “to ensure we have enough science, technology, engineering and mathematics (STEM) workers in the roles where they are needed most … to prevent us from becoming a global digital and technological laggard.”

The conclusions come from a new ATSE report: Our STEM Skilled Future: An Education Roadmap for an Innovative Workforce. Its findings and recommendations are the result of a series of roundtables held during 2022 led by ATSE fellows and attended by more than 120 individuals from industry, academia and government.

Launching the report, science writer and presenter Bernie Hobbs said the report called for a serious rethinking of Australia’s approach to encouraging careers in STEM, and provided a roadmap for building an innovative workforce.

“Australia will need an extra 100,000 digitally skilled workers and another 40,000 engineers. Right now we won’t come anywhere near to making up that shortfall. So the message is clear: all our efforts to get more people into STEM and keep them there have not worked.”
TECHNOLOGY SELF-SUFFICIENCY ESSENTIAL

A more dire warning came from ATSE president, Hugh Bradlow, talking about what he described as “the elephant in the room.”

“If there is one thing the last few years has taught us it should be that we cannot rely on autocratic regimes for our energy and manufactured goods,” Bradlow said. “We have to accept that, if Australia’s future is going to be secured, we have to be able to make our own goods, power our own systems and defend ourselves. We have got to accept that as a new reality, which is a big change from the last 50 years.”

Cynthia Nolan, an education consultant specialising in STEM, blamed universities, in part, for the shortage of people gaining engineering and digital skills. She said universities’ lack of emphasis on these subjects as prerequisites for entry discouraged young people, particularly girls, from studying them at school.

“I’ve spoken to many parents, and I’ve run a lot of events with parents around this, especially with girls,” she said. “One of the biggest issues is that a lot of the universities do not encourage—or do not acknowledge—learning of digital skills or engineering as an assumed knowledge or a prerequisite to go into university.

“So parents advise their children, rightfully, to not necessarily study these in secondary school and to study the more traditional maths and sciences, which is great. However, it does not engender that passion for engineering and digital solutions. And so, inevitably, the pipeline keeps reducing.”
FOUR RECOMMENDATIONS

The report makes four recommendations.

• Establish a National Skills Taxonomy to streamline consistent communication about needs and pathways among Australia’s organisations and individuals.
• Prioritise and invest in evidence-based approaches to STEM program development and assessment to ensure education and training is fit-for-purpose and provides value for money.
• Promote and support a culture of lifelong STEM learning in the workforce to ensure Australia has the skills it needs now and into the future.
• Raise the profile of STEM careers in Australia to showcase their accessibility and attractiveness.

STEM SKILLS TAXONOMY SOUGHT

It says the lack of a comprehensive skills taxonomy “introduces challenges for individuals and organisations to communicate the skills they have – and need – in a shared common language … [and] results in a lack of clarity around pathways for upskilling, reskilling, or transferring skills between comparable roles across sectors.”

It argues that a comprehensive skills vocabulary and taxonomy could help solve this challenge and enable rapid mobility into areas where capacity and capability are needed most.

The onus for doing this would fall on the federal government. The report says the government should:

• Continue to expand and define its skills vocabulary, prioritising STEM skills in urgent demand.
• Use the skills vocabulary to map a taxonomy of roles and highlight adjacent job families.
• Provide industry-specific skill demand forecast information to all Australians.

EVIDENCE-BASED APPROACHES NEEDED

The report also argues that there is little curation and evaluation of the quality and effectiveness of the many STEM learning resources and training programs, saying “this raises challenges for businesses seeking to find appropriate, value-for-money learning pathways to up-skill and re-skill their workforces, and for would-be students to make informed choices about the training they select.”

It calls for a number of federal government initiatives to address the issue:

• Establish a self-assessment and quality framework for evaluating STEM training skills (based on its proposed skills taxonomy), assessing skills imparted and competency levels.
• Establish a centralised directory of quality-assessed STEM training programs to support the selection of appropriate training pathways and programs.
• Support education providers to establish priority STEM training programs, quality assessed against the framework.
• Establish a centralised resource of self-serve STEM resources, quality assessed against the framework.

The report also calls for industry peak bodies to work with the federal government to establish simple industry standards for digital skills such as those in cybersecurity, artificial intelligence and data analysis “to enable the acknowledgement of skills acquired through diverse educational mechanisms such as micro-credentialling, on-the-job training and vendor-provided training.”

MORE SUPPORT FOR DIVERSITY AND PARENTING WANTED

In addition, digital employers should “showcase their willingness to attract, retain and promote candidates from diverse educational, experiential and cultural backgrounds, and embrace continuous workplace learning via diverse educational mechanisms.”

They should also “develop flexible work arrangements and robust parental leave policies to improve retention for people with caring responsibilities in engineering careers,” and “conduct genuine and regular audits of their structural and cultural impediments to genuine diversity at all levels.”
CAROL CHRIS

IDENTITY PROOFING, IDENTITY VERIFICATION AND FRAUD PREVENTION

by Carol Chris, Regional General Manager for Australia and New Zealand, GBG

Identity theft and fraud cause some of the biggest business challenges and financial losses in Australia. According to the Australian Cyber Security Centre (ACSC), cybercrime is now so commonplace that Australians are being targeted by cybercriminals every seven minutes. Fraud was the most frequently reported online crime, accounting for 27 percent of incidents.

Online fraud is often the result of a stolen online or digital identity being used to illegitimately access funds, purchase products, open accounts, connect with someone’s network, conduct scams and more. Identity proofing and identity verification are critical parts of any digital onboarding process—particularly for financial institutions—to help prevent fraud and mitigate the risk of fraud.

However, with technology and fraud evolving rapidly, it can be difficult to keep up with the latest solutions and prevention methods. Business leaders need to ensure they are getting the foundations of their fraud prevention approaches right, and this process starts with understanding the importance and role of each step in the process.

IDENTITY PROOFING VERSUS IDENTITY VERIFICATION

Identity verification is the entire process of confirming an identity genuinely matches the person claiming to be linked to that identity. This process can involve taking and verifying personal information such as a name, date of birth, addresses and other relevant factors specific to the individual. This is also referred to as ‘know your customer’. It comprises a range of compliance and regulatory requirements in certain industries, particularly the financial services industry.

Identity proofing is one part of the identity verification process. While it was once common for a customer
to bring their passport or driver’s license for in-person verification to start the process of opening a bank account or taking out a home loan, the increasing digital nature of consumer and business interactions has led to digital identity proofing now becoming the more common and trusted form of verifying someone’s identity.

This trend, rapidly accelerated by the pandemic, has also caught the attention of identity thieves and fraudsters around the world. Consequently, it is now critical for businesses, particularly those handling personal information and data, to take proactive measures to ensure digital identity documents are thoroughly examined for potential fakes or fraudulent behaviour and securely collected, managed and stored.

DIGITAL IDENTITY PROOFING AND THE SECURITY BENEFITS OF BIOMETRICS

Take the example of a customer needing to remotely prove their identity to open a new bank account via their mobile app. The most secure and reliable ways of verifying this customer’s identity will use multiple steps and the latest technology to make this process as smooth and fast for the customer as possible. In fact, identity verification processes that are too lengthy and complex could deter customers from applying for a product or service in favour of one offered by a competitor.

The first step is to share a document scan. Optical character recognition (OCR) technology that can automatically analyse a document against a range of anti-tampering checks and ensure it has not been altered will ensure this process is fast and accurate.

In the second step a simple selfie, which consumers today are all too familiar and comfortable with taking, will help the organisation conduct a face match. This uses biometric technology to match someone’s physical characteristics with their digital information. Face matches are critical to ensuring the person providing the documents is the person presented in the digital documents. This online form of face matching has also been proven to be more accurate than human beings conducting cross checks at, for example, an in-branch bank counter.

The third step is a liveness check using biometric technology. Until this point, a fraudster could submit an identity document of someone else, followed by sharing someone else’s photo or recently taken selfie, without necessarily being caught out. A liveness check requires the individual to physically prove they are the person they are claiming to be, in front of the screen or phone.

Some liveness checks require the customer to make extravagant—and sometimes embarrassing—movements. These can deter customers looking for something fast, simple and non-invasive. The less demanding this stage of the liveness check is for customers, the more likely they are to swiftly move through it, enabling a business to quickly and accurately confirm someone is who they say they are.

Last, but not least, while the above three-step process is a best practice approach for identity proofing, every organisation will have different requirements. Some businesses, for example, may have compliance or regulatory constraints while others may prioritise certain aspects of the customer experience and incorporate technologies to ensure the overall verification process fits with the flow of their product or service. Consequently, it is important to recognise that businesses looking to design or implement their own digital proofing processes will need to take a customer-centric view and implement something that keeps customers secure during the customer journey without deter them. Also, consumers need to be forewarned—and invested in completing the identity proofing and overall identity verification process—by it being made clear to them that the process is needed to protect their own data.
COMBATTING FINANCIAL FRAUD Taking measured steps towards ensuring a customer, partner or business is who they say they are will produce a trusted record of every person and organisation being interacted with. If criminal behaviour takes place down the track it can be traced back to the person involved based on the verified identity data at hand. Simultaneously, certain products and services can be kept out of reach of known criminals. For example, banks can ensure known money launderers are not allowed to open new accounts or make certain types of transactions. This is one of the most important steps towards proactively preventing fraud. Just as criminals often hide behind masks when conducting a crime, fraudsters regularly hide behind someone else’s stolen digital identity to conduct an online crime, such as money laundering or a scam. With Australian businesses losing millions of dollars to fraud every year the best action they can take to mitigate these losses is to implement proactive measures such as investing in digital identity proofing and verification processes. www.linkedin.com/in/carol-chris-80a4772
TECHNICAL SECURITY RESEARCH – A REWARDING PROFESSION
by Marise Alphonso, Information Security Professional

Cybersecurity incidents and data breaches typically result in bad actors getting rich—or aiming to do so—by requesting ransomware payments, conducting scams or selling data on the Dark Web. For the good people working to stop them getting rich a number of—rather more modest—rewards are available, particularly in technical security research.

Software development is an expensive exercise and, despite rigorous and agile approaches to software development, security vulnerabilities are frequently uncovered. Security researchers play a pivotal role in discovering zero-day vulnerabilities in the infrastructure, technology and applications that power systems around the world.

Google’s Project Zero is an example of a security research program that provides details on vulnerabilities discovered in proprietary or open-source software. It gives developers 90 days to address an issue before making the vulnerability public. Many software companies run bug bounty programs offering a reward or recognition to encourage security researchers to find vulnerabilities in their products.

Bugcrowd and HackerOne are platforms that pool the skills of the world’s ethical hackers and security researchers to enable organisations and governments around the world to benefit from their skills in finding software vulnerabilities. According to the June 2022 Australian Cyber Security Centre (ACSC) Cyber Threat Report, rapid exploitation of critical security vulnerabilities was widespread in the 2022 financial year with attackers targeting various technical systems. These findings highlight the need for more cybersecurity professionals skilled in identifying vulnerabilities.

IMPROVING SECURITY RESEARCH SKILLS

Numerous resources can be used to improve knowledge and skills in security research. HackerOne offers Hacker101, a free educational resource to empower the hacker community. While some knowledge of programming or networking may be useful, Hacker101 caters for the beginner, introducing platform and programming requirements. Another reference is Mossé Cyber Security Institute’s vulnerability research training resources which include certifications individuals can earn.

Capture The Flag (CTF) competitions provide a great environment and opportunity for hackers or security researchers of various skill levels to solve challenges and improve their understanding of security vulnerabilities ranging from cryptography and programming to process exploitation and reverse engineering. These competitions are typically run at security conferences or via online portals. Competitors can be individuals or teams who solve challenges to uncover software vulnerabilities.

CTF101 provides introductions to each challenge area typically covered in a CTF competition, and CTF Time has a listing of worldwide CTF events that individuals or teams can sign up for. Every December, SANS holds a Holiday Hack Challenge which is a festive-season-based CTF that is a lot of fun.

Knowledge of threat modelling techniques such as STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege), developed by Microsoft, can assist a researcher to understand how to target a system. By performing reconnaissance, a researcher can build a picture of a technical system or environment and target certain parts based on attack techniques in line with STRIDE.

Use of STRIDE together with the Open Web Application Security Project’s (OWASP) list of the top 10 vulnerabilities facilitates a structured approach to discovering software vulnerabilities. Threat modelling by software development teams is powerful because it enables security to be built-in not bolted-on. However, for security researchers, penetration testers or red teamers, these techniques are equally useful for finding weaknesses in the design, implementation and operation of a system.

As technology continues to power our lives, security research will continue to require skillsets and capabilities able to discover weaknesses in technical systems used by individuals, organisations and governments worldwide. The Common Vulnerabilities and Exposures (CVE) system used to rate technical vulnerabilities will live on for years to come as the basis for remediation activity. The world needs more people focused on the good side of technical security research. Kudos to today’s security researchers and those aspiring to the profession.

www.linkedin.com/in/marisealphonso
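The STRIDE and OWASP Top 10 passage above describes a structured way of deciding where to look for weaknesses; the standard mechanical form of that structure is STRIDE-per-element, which applies a fixed subset of the six categories to each kind of element in a data-flow diagram. The following is an added illustration, not code from the magazine or its authors: it models the three-step remote identity proofing flow described earlier on this page (document scan, face match, liveness check) as a small data-flow diagram and enumerates the STRIDE threats for every element. The diagram, the element names and the pairing of each STRIDE category with an OWASP Top 10 (2021) entry are assumptions chosen for this example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not code from the magazine or its authors. The DFD below is a
constructed model of a remote identity-proofing flow; the element names and
the OWASP Top 10 (2021) pairings are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# STRIDE-per-element chart: which threat categories apply to which element kind.
# Letters: S spoofing, T tampering, R repudiation, I information disclosure,
# D denial of service, E elevation of privilege.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external": "SR",     # external entity (a person or third-party system)
    "process": "STRIDE",  # running code: every category applies
    "datastore": "TRID",  # files, databases, queues
    "dataflow": "TID",    # data in transit between two elements
}

STRIDE_NAMES: Dict[str, str] = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Illustrative pairing of each STRIDE category with an OWASP Top 10 (2021) entry.
# This mapping is an assumption for the example; the two lists overlap but are
# not one-to-one, so treat the hint as a starting point for review, not a rule.
OWASP_HINT: Dict[str, str] = {
    "S": "A07:2021 Identification and Authentication Failures",
    "T": "A08:2021 Software and Data Integrity Failures",
    "R": "A09:2021 Security Logging and Monitoring Failures",
    "I": "A02:2021 Cryptographic Failures",
    "D": "(availability; no single Top 10 entry)",
    "E": "A01:2021 Broken Access Control",
}


@dataclass(frozen=True)
class Element:
    """One node or edge of the DFD."""
    name: str
    kind: str  # key of STRIDE_PER_ELEMENT


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # full STRIDE name
    owasp_hint: str


def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """Apply the STRIDE-per-element chart to each element, in diagram order."""
    threats: List[Threat] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {el.kind!r} for {el.name!r}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append(Threat(el.name, STRIDE_NAMES[letter], OWASP_HINT[letter]))
    return threats


def categories_for(threats: List[Threat], element_name: str) -> List[str]:
    """STRIDE categories raised against one named element."""
    return [t.category for t in threats if t.element == element_name]


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    """How many elements each STRIDE category applies to."""
    counts: Dict[str, int] = {name: 0 for name in STRIDE_NAMES.values()}
    for t in threats:
        counts[t.category] += 1
    return counts


# Constructed DFD of the remote identity-proofing flow (assumption for this example).
IDENTITY_PROOFING_DFD: List[Element] = [
    Element("Customer", "external"),
    Element("Mobile banking app", "process"),
    Element("Identity verification service", "process"),
    Element("Identity document and biometric store", "datastore"),
    Element("Document scan: app -> verification service", "dataflow"),
    Element("Selfie for face match: app -> verification service", "dataflow"),
    Element("Liveness challenge and response: service <-> app", "dataflow"),
    Element("Verified identity record: service -> store", "dataflow"),
]


def render(threats: List[Threat]) -> str:
    """Plain-text threat table for a reviewer to work through element by element."""
    width = max(len(t.element) for t in threats)
    lines = [f"{'Element':<{width}}  {'STRIDE':<24}  OWASP hint"]
    for t in threats:
        lines.append(f"{t.element:<{width}}  {t.category:<24}  {t.owasp_hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = enumerate_threats(IDENTITY_PROOFING_DFD)
    print(render(found))
    print()
    print("Threats per category:", count_by_category(found))
```

Running the script prints one row per (element, category) pair: the customer gets only spoofing and repudiation, each data flow gets tampering, disclosure and denial of service, and the two processes get all six. Thirty rows for eight elements is the point of the exercise: the chart turns "where should I look?" into a checklist a researcher or a development team can work through, and each row is a prompt to ask which control (document anti-tampering checks, liveness, logging, access control) answers it.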
DIFFERENT PERSPECTIVES
by Emily Goodman, Cyber Security Consultant at EY; Jay Hira, Director of Cyber Transformation at EY; Sarah Box, CyBox101 (consultancy); Baby Lyn Nagayo, Cyber Security Manager at EY; Kavika Singhal, Cyber Security Consultant at EY

INTRODUCTION

Emily Goodman

As an adolescent I had no idea about paying bills or mortgages, the tough real estate market, the process of getting a bank to grant a loan, or the determination and hard work needed to save sufficient money for a deposit. I simply wanted something, and I wanted it quick.

When I was growing up there was a house for sale in the next suburb. My family and I went to the open house where the real estate agent selling it put on a grand display to show the house’s best aspects.

I remember walking through the wide front door and seeing a pianist playing on a white grand piano. As we walked through the house we saw modern, spacious rooms and living areas with chandeliers shining brightly. Outside, the garden was filled with greenery, the pool’s water fountain flowed and glistened on that hot summer’s day. It was the perfect house. My dream house. It was all a mere twelve-year-old could ever want. At the time this house was worth a few million Australian dollars, and I wished my parents would buy it. I even asked my mother if she could purchase it using her credit card!

Thinking back, seeing that dream house I wanted so much to live in was a picture-perfect moment.

As human beings the notion of ‘get-rich-quick’ is appealing. The wealth we seek may not always be financial. It could be a new bike, the latest fashion item, or perhaps a new phone we have had our eye on. This theme also runs through the evolution of the cybersecurity industry. I got together with some of my cybersecurity mentors and friends to explore and share our different perspectives around this theme.

STORY 1: WANT OR NEED

Jay Hira

I was thirteen and the only one of my group of friends without a bike. I wanted one so I could join all the bike rides. For months I begged my parents for a new bike. I did lots of research, found the perfect bike and presented its details to my parents. Unfortunately, the model I was after was INR300 (300 Indian Rupees, equivalent to $A5) more than the standard price of a new bike. “Please, Mum and Dad, I need this one!”

As my fourteenth birthday approached my father posed a challenge: if I could earn INR150 in a week he would cover the rest. I could not believe it. My research and pleading had worked! Or so I thought. I usually walked past a construction site on my way to and from school, and I sprinted to this construction site hoping to find paid work. I succeeded.

On the first day I was tasked with unloading bricks from a truck for INR20. I was out of shape and this labour was tough. The next day was even more challenging. It was boiling hot and the work was more physically demanding. For INR35, I was tasked with digging and ploughing. Determined to get my bike, I got to work. I was exhausted from the previous day but pushed on. As the morning went on, I started to feel light-headed. Halfway through the job, I blacked out.

When I returned to my senses, I was at home and saw my worried mother above me. I was glad to be home and out of the hot sun, but I was devastated. I knew I would not be getting the bike and awaited a stern lecture from my old man. However, to my great surprise he embraced me (my father was not much of a hugger). He told me he was very proud of my hard work and determination. He agreed to buy me a bike, but it would not be THE bike.

While I was disappointed, this experience taught me a valuable lesson about wants versus needs. What I wanted was a fancy bike with all the bells and whistles. This would get lots of attention from my friends. What I NEEDED was a bike. A bike would give me the autonomy to see my friends and the ability to participate in the community.

STORY 2: CASH OR KIND

Sarah Box

Growing up I thought I was hard done by because there was never a great deal of cash floating around my household. My friends always had the latest clothing and shoes, and spare cash to spend at the corner store. I became frustrated and did not understand why my parents were always working, yet I always had cheap shoes and a lunch order only once per fortnight.

Fast forward to when I was fifteen and had the opportunity to go to work with my mother who worked at a nursing home. She would say hello to everyone who passed her by: the cleaners, the delivery staff, even those who were unkind to her. I remember asking why she always said hello to everyone. Her reply was simple: “Treat everyone how you wish to be treated. We do not know what others are going through and it might just help someone smile.”

Her words inspired me, and ever since I have followed her example. This could be challenging at times, especially when colleagues questioned my kindness, asking “Why do you say hello to them?” Like my mother, I simply said “Why shouldn’t I?”

Christmas could be a hard time of the year for some, including my mother and grandmother. Together, they would make treats for those who had helped them during the year. These treats were not expensive, they were simply chocolate-coated sultanas or macadamias piled into a coffee jar and decorated with tinsel and a card. The recipients of these handmade Christmas gifts included the garbage collector, the postman and even the hairdresser or local corner store owner. I fondly remember their gratitude, because of the thoughtfulness put into making those gifts.

Now I am older and have gone through my own financial hardships I reflect on times when I had little cash. I continued to show kindness to those around me with zero expectations of anything in return. As Christmas is now around the corner, my children and I have begun thinking about Christmas gifts for our friends and family.

We could easily order products online from large companies. However for me, it is about making something with thought and love, even if we are time poor. Things we have made over the years include small potted succulents taken from our garden and topped with Christmas decorations recycled from the previous year, reinbeers (bottles of beer topped with ‘antlers’, an idea plucked from Pinterest) and bath salts with essential oils in recycled salsa jars.

These are our gifts. I could go on about the day‑to‑day interactions helping people, but I won’t. I will note that my children are often commended for their kindness, which is so important to me as a parent. I know parents and teachers who say kindness shown means more than cash. Do not get me wrong, cash is amazing, and can make life very easy. But if you have the cash to splash and do not have a kind heart then the cash means absolutely nothing, in my opinion.

I will finish with this quote from Harold S Kushner—author of the best-selling book When Bad Things Happen to Good People—“Do things for people not because of who they are or what they do in return, but because of who you are.”

STORY 3: SCAM OR SHAM

Baby Lyn Nagayo

A decade ago, in November 2012, I was riding a public bus in Manila on my way to a cafe to meet my now husband, Patrick. During the bus ride, I sat beside a male teenager who started talking to me about a mobile phone he was selling cheaply for Php500 (approximately $A15). Immediately, I assumed he had stolen the phone and was trying to make money from his illegal act. This was quite normal behaviour, especially in Manila.

At the time I owned an old Nokia phone which I was hoping to replace with a Samsung incorporating a camera. The Samsung model I wanted just happened to be the model the teenager on the bus was trying to sell me. “What are the odds?” I thought to myself. I was a student back then, working three to four jobs at a time to finance my studies and did not have enough money to buy a new phone. So, this was perfect timing. I had just received pay from one of my part-time jobs. It would not hurt if I was to buy a cheap phone with the specifications I wanted. So why not consider the new phone this teenager was selling? Ignoring my gut feeling that this was a stolen phone, I agreed to buy it because I really wanted this new Samsung phone.

I asked the teenager to help me put my sim card into the new phone, but he refused and said we should not be exchanging the phone and my payment inside the bus, because he would get caught. At this point, I was certain I was about to buy a stolen phone. Yet, I did not care and continued with the transaction. I was happy. I had been wanting a new phone for quite a while.

The teenager and I got off the bus and started walking towards the café, as was my intention. He handed me the phone and I gave him a Php500 bill. He disappeared into the busy streets of Manila and I went into the cafe. I went directly to the washroom to check the phone. To my dismay, it would not turn on. I could not click any of the side buttons and there was no way to open the back cover to check the battery and the sim card slot. It took me a minute or so to realise it was a fake phone! It was one of those display phones they use in shopping centres. I was devastated to realise I had given my hard-earned money to a scammer in exchange for a sham. Was it a scam or a sham? I would say both.

The lesson I learnt from that incident was to always do the right thing and trust my gut.

STORY 4: BLACK, WHITE OR GREY? RIGHT OR WRONG?

Kavika Singhal

Cyber-attacks are costing more each day. Is being a Black Hat hacker a ‘get rich quick’ scheme? This question led me to delve deeper into the basic concepts of the black, white and grey areas of cybersecurity. Black Hat hackers are motivated primarily by financial gain, revenge or publicity. A renowned black-turned-white hacker has a different take on that. With a controversial past, he found himself on the FBI’s most wanted list. His antics had cost organisations millions of dollars. However, after spending several years in prison he now consults to organisations and helps protect them against such attacks. His addiction to hacking grew out of curiosity and the intellectual challenge, but he soon succumbed to the temptation of money and fame.

Another controversial group, the grey hackers, is motivated to change the world with ‘Robin Hood’ hacking tactics. Its members wage war against terrorism, fight for LGBTQ rights, shut down child pornography websites and much more. Making money is not a motive for this group, so should they be recognised for their talent and hard work? Not necessarily.

What differentiates black, grey and white hackers is a strong sense of right and wrong, their moral compass. The definition of this varies according to a person’s value system and background. Surprisingly, it is quite similar to how money is viewed, spent and pursued: it is subjective.

CONCLUSION

Emily Goodman

Reflecting over our shared stories, it is clear we all had experiences where we rushed into something head-first without taking time to assess the merits of our decisions. Perhaps this is the underlying factor that drives a cyber-attack, or the motivation for a hacker to act unethically.

We are all on a journey of learning from our mistakes. The experiences of our different ‘get-rich-quick’ scenarios have shaped our personal growth and taught us gratitude. Now, when I drive past what I once thought was my dream house, it no longer invokes the same desire. I would rather work hard, set my goals and earn my achievements. I will leave you with one last quote from Harold S Kushner: “If you concentrate on finding whatever is good in every situation, you will discover that your life will suddenly be filled with gratitude, a feeling that nurtures the soul.”

www.linkedin.com/in/emily-goodman-b9a023144
www.linkedin.com/in/jayhira
www.linkedin.com/in/sarah-b-25670667
www.linkedin.com/in/baby-lyn-nagayo-09821210b
www.linkedin.com/in/kavika-singhal
INCIDENT RESPONSE COMPETITION
by Megan Koufos, Program Manager at AWSN

For the second year running the Australian Women in Security Network (AWSN) and Retrospect Labs partnered to provide a competition-style incident response exercise for women across Australia working, studying or interested in the sector. Forty-eight teams each with up to five members participated in the competition. It started on 7 November 2022 and ran for one week.

The competition was very timely, coming as it did in the wake of recent high-profile data breaches suffered by major Australian organisations. These incidents highlighted the importance of end-to-end incident response processes. They showed there is more to incident response than its technical aspects, and they demonstrated the importance of having people with diverse skills working together to respond effectively to an incident.

AWSN Founder and Executive Director, Jacqui Loustau, said the competition had given women in cybersecurity from different backgrounds an opportunity to gain hands-on experience of the end-to-end incident response process.

“They get to experience the technical side, management of the media, dealing with the legal implications and communicating with executives. It’s also a chance for them to meet and work with others in the industry who they may not know. We hope they come away with an appreciation of the incident response process, and of other areas they could potentially move into.”

The 2022 competition was based on the success of the 2021 competition, which saw 100 women participate, but had 250 spots available. AWSN had also offered, prior to the competition, a two-day, hands-on incident response training course in partnership with Retrospect Labs and with sponsorship from ASD. It enabled 45 women to make sure they had the right foundational knowledge and skills.

For the competition, teams of up to five participants with mixed skill sets were formed to work through a scenario that simulated a real-world cyber incident impacting a fictitious organisation.

The scenario was designed to test participants’ incident response skills. It incorporated a number of common aspects of incident response. These included forensic artefacts that participants had to analyse to identify various indicators of compromise, understand what malicious activities had occurred and the tactics, techniques and procedures adversaries had used to execute their attacks.

Participants were also required to perform tasks related to managing the media, providing communications to senior leadership, and dealing with the legal and privacy implications of the incident.

Experienced mentors were available on call to support participating teams when they got stuck. Teams also had access to a case management platform on which to track tasks and progress and coordinate their efforts (essential to any incident response operation, and particularly useful when managing an incident remotely).

Teams were required to complete a number of tasks and submit a number of artefacts to a panel of judges—experts in their respective fields—who assessed their performance against key criteria.

Retrospect Labs Co-Founder, Ryan Janosevic, said preparation for a cybersecurity incident was crucial to enabling an effective response.

“We need diverse teams with diverse skill sets in incident response if we are going to achieve good outcomes. Exercises are a great way to help train our incident response teams and help get them ready for an incident. Partnering with amazing organisations like AWSN means we help to get more women involved and interested in incident response. We love these events. We love enabling them, and we think it is important to give back to the community whilst also making the community stronger through the addition of even more awesome incident responders.”

WINNERS

All teams made us proud. Congratulations to everyone who took part in the competition, and big congratulations to the 31 teams that completed every task and every aspect of the competition. We were impressed to see how dedicated every single team was, how much perseverance they displayed, and their desire to learn and improve. But it was a competition, so there had to be a winning team! Apart from striving for the glory of being crowned the winning team, everyone competed to test their incident response skills, to gain hands-on experience in responding to a malicious incident and for prizes that went above and beyond the norm for events like these.

HUGE CONGRATULATIONS TO THE FOLLOWING TEAMS:

OUR WINNING TEAM

Simone Van Nieuwenhuizen, Imogen Turner, Amy Nightingale earned the title Winners of the 2022 AWSN Incident Response Competition.

Each team member received:

• An opportunity to meet security leaders at either the Australian Signals Directorate or the Commonwealth Bank.
• Their choice of a SANS training voucher or a Cyber Leadership Institute training voucher.
• Competition merchandise.

SECOND PLACED TEAM

Nidhi Singla, Kristy Reid, Rebecca Barnett, Della Susan Jose.

Each team member received:

• An opportunity to meet security leaders at either the Australian Signals Directorate or the Commonwealth Bank.
• Their choice of either a Retrospect Labs Ransomware Live Fire training voucher, a Cyber Leadership Institute training voucher or a DDLS training voucher.
• Competition merchandise.

THIRD PLACED TEAM

Samira Shaikh, Vannessa Van Beek, Qianyi Li.

Each team member received:

• AWSN membership.
• Competition merchandise.

This initiative was a huge effort by the community. Thank you to:

• The Retrospect Labs team – Ryan Janosevic, Connor Shannon and Jason Pang for all of their hard work creating the new scenario, managing the logistical aspects of the competition and enabling it to be successfully (and seamlessly) delivered to participants through their cybersecurity exercise platform, Gauntlet.
• The Australian Signals Directorate (ASD) and the Commonwealth Bank of Australia (CBA) for generously sponsoring the competition.
• The Cydarm team for generously providing their case management system for participating teams to use.
• Helen Hendersen from Board Impact for providing guidance, tips and tricks on what to include in an executive briefing and Carl Woerndle from MyEmpire for his presentation on how a cyber incident can affect an organisation, and what to consider during an incident.
• Mentors - CJ Fairhead, Laurie Tonks, Daniel Hood, Jayme B and Phoebe Whelan who generously gave their time to support the competition and its participants.
• Judges - Kevin O’Sullivan (from Kinetic IT) evaluated the teams’ ability to produce an effective executive briefing. Karen Croughan (privacy legend) looked at the legal and compliance considerations produced by each team. Shanna Daly (incident response guru at Cohesive) examined teams’ forensic skills. Christine Eikenhout (from the Australian Cyber Security Centre) assessed teams on the effectiveness of their media statements and ability to communicate.
• SANS Institute, Cyber Leadership Institute, DDLS, Australian Signals Directorate (ASD), and Commonwealth Bank of Australia (CBA) for their generous donation of the incredible prizes.

We love being involved in providing these learning and networking events in collaboration with government, private sector, startups and industry groups. They provide women with the opportunity to try out incident response, get hands-on experience and build confidence. They also demystify some of the technical parts of cybersecurity and contribute to increased diversity in security. These events are also important to help Australian security startups. By providing opportunities for practical application of their services and tools they support learning experiences, help them grow, stress-test their offerings and gain exposure in the industry.

Watch out for upcoming Incident Response Training starting in 2023.

www.linkedin.com/in/megankoufos
STUDENT IN SECURITY SPOTLIGHT

Savannah Dockerty grew up in Queensland and is in the first year of study for a Bachelor of Information Technology degree at CQ University.

SAVANNAH DOCKERTY Bachelor of Information Technology Student, CQ University

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?

With all the coverage of the Optus data breach, cybersecurity is being discussed more on a basic level. Whenever people have wanted to discuss this breach I explain I hope to pursue a career fighting cyber crimes such as this and being involved in the teams tasked to track down those responsible for such breaches.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?

I believe it is important for information on technology to be as up to date as possible. However, I recognise this is difficult to accomplish because of how fast cybersecurity is evolving. I think my course is doing a good job of being as current as possible. I believe we will always be learning new techniques, but this is more likely to be in a job or a placement. There is only so much content that can be covered in a general bachelor’s degree course.

What cybersecurity role would you most like to be hired into when you graduate, and why?

I hope to secure a role more focussed on cybercrime and cyber criminals than other aspects of cybersecurity. Given how technology is changing, it is not farfetched to expect most criminal activity to soon be online. This would mean cybersecurity being prioritised and more people who can help track down such activity online being needed.

What aspect do you find least interesting or useful?

Workforce specialised units are not too interesting, in my opinion. Most of them discuss topics that I understand and have practiced in my previous work (such as teamwork and communication skills). Although these units are easy to pass, I do understand there is a reason for them being present. People who undertake study are often considered ‘introverted’ (lacking effective communication skills), meaning it is important they understand how to work in a team environment. Hence these units are included.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?

Reactions were all very positive. Because IT is so heavily embedded into every workforce, everyone recognised how secure jobs would be.

Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?

A high percentage of people undertaking this course are online students—on-campus students are practically non-existent—so it has been a bit isolating. I have moved to study on-campus and have struggled to form friendships in a new place while studying a course that has only three other students present, on a good day.

Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?

In high school we had a guest speaker discuss their job in cybercrime (specifically regarding cyberbullying cases). After this talk I thought about getting a job in IT.

Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so please provide details?

Although I have no workforce experience—only study—there have been challenges to being a woman in this field. I do not believe I have felt discriminated against as such, but I do find myself making sure I am not being taken advantage of. There have been a couple of occasions in my first year where male classmates have asked for a substantial amount of assistance from me. Although I have been happy to help with easy questions, I’ve had to terminate these conversations, for example telling them they should ask the lecturer themselves, or that all their questions were answered in the recorded lecture, etc.
ROSHNI BEDI
Bachelor of Information Technology Student at Monash University
Roshni Bedi was born in India but spent most of her childhood in Kuwait and Dubai. She now lives in Melbourne and is about to start her third year studying for a bachelor’s degree in information technology at Monash University.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Cybersecurity is so much more than the stereotype movies have constructed in our brains. A career in cyber is basically the same as being in forensics or the police. We work as the ‘cyber police’ protecting the digital world from cybercriminals and tracing any malicious activity or attacks. We are always developing ways to defend systems, data and computers from being compromised by attackers in the most effective and simple manner.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
Cybersecurity for me included hours of coding and trying to break into systems and being something of a ‘tech-god’. However, being able to study it at university has helped me understand the technical and non-technical side of this profession.

I have learnt how easy it is to be attacked and have your data stolen by someone who is simply a script kiddie, and seen the detrimental impacts that can have. Studying in this field has equipped me with the knowledge and skills to protect personal information and to understand what measures can be taken to defend myself from cyberattacks.

Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
My decision to choose cybersecurity as a career was guided by my father, himself a cybersecurity professional. In high school I was a science student with a passion for biology and chemistry and did not particularly enjoy computing or IT. Because I did not enjoy coding, I avoided any technical or computer-based subjects, but my perspective slowly changed when I opened my mind to cybersecurity and its possibilities. My father and I always had conversations about his job, what it entailed and what he enjoyed about it. Listening to him speak with such passion for the field inspired me to choose IT as my degree.

After some research, and speaking to people working in cyber, I decided to enrol in my current course. It has changed my perspective of technology and its benefits. I enjoy studying, researching and testing the tools and technologies cybersecurity offers, and am proud of my decision to become a second-generation cyber professional.

Furthermore, I love being engrossed and having intellectual conversations about current cybersecurity news, data breaches and attacks, or talking with my father about cybersecurity concepts and how things work. I would attribute all my achievements to him.

In addition to your studies, what employment experience do you have in cybersecurity?
I am in my second year and have applied for several internships with Big Four banks and consulting firms so I can expose myself to the industry and experience corporate culture alongside university culture. I will be starting as an EY Consulting summer intern in the banking and financial sector, and I have also secured a 12-month internship with National Australia Bank as a security analyst next year. I am looking forward to starting at both organisations so I can learn from a team of supportive and talented professionals and advance my skills as a cybersecurity professional.

What aspect of your studies excites you the most?
For me, hands-on learning is the most exciting part of university. More than memorising content and watching lectures, I enjoy workshops and tutorials where I am taught how to work with tools and where I experience cyber technologies in action in real time. I have loved working with technologies like Wireshark, GNS3, Burp Suite, etc and I have enjoyed the opportunity to simulate cyber attacks against machines to see their impacts in real life.

What aspect do you find least interesting or useful?
In addition to hands-on learning my studies involve watching lectures, reading textbooks and doing research. These studies are more passive and self-paced and do not excite me as much. Having said this, it is still very important to understand underlying fundamental concepts and learn the theory side of things.

Is there any aspect of cybersecurity you think should be given greater focus in your course, or any aspect you think should be given less focus?
Having studied cybersecurity for two years now, I think it is important to move the focus onto training students for industry and what to expect in the corporate world. I have faced these challenges, and university has not really shed light on building non-technical skills like networking, public speaking or confidence in the workplace. Although it is crucial for students to understand cybersecurity concepts and learn how to use technologies, it is equally important to train students on topics such as how to apply for internships or jobs, how and what to expect in interviews, how to build a professional network in the workplace, etc. I think such training would greatly benefit students when they graduate and have to look for their first jobs.

Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I am an active member of AWSN, and being a part of a community of exceptionally talented and inspiring women has helped me gain confidence and inspired me to grow and flourish as they have. AWSN has been a crucial part of my journey in cybersecurity because it has helped me develop interpersonal skills such as networking, public speaking and working as a team with new people. Attending several networking events, gatherings and workshops has helped me build a professional network I can depend on for guidance and support whenever I need.

I am involved in several exciting events like Incident Response and CTF, which encourage women to work in teams and challenge us to push each other to learn and apply new skills.

Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
Cybersecurity and IT are quite male-dominated industries. Personally, I have found it daunting at times because most of my peers and my teachers have been men. Whenever I have walked into a class for any of the subjects I have taken at university, I have always been surrounded by more men than women. However, my feelings of being disadvantaged and scared changed when I noticed all my peers as well as the teachers were supportive and wanted me to excel.

I have made long-lasting friendships with several people at my university, and also become part of a close-knit group of women who support each other throughout all our classes. Furthermore, organisations like AWSN have helped me feel more confident and secure in being a woman in a male-dominated industry and I feel proud to be in this field.

Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interviews?
As mentioned above, I have been interviewed by both EY and NAB for their internship positions. Both companies required an initial written application with some questions as well as a resumé and academic transcripts. After being accepted by both, the second stage included interviews with the appropriate team members. Because I am quite an extrovert and love talking to new people, I found the interviews quite fun and exciting. I also had to participate in group interviews with other interviewees in which we worked on a case study while being assessed by interviewers. I loved having the opportunity to express my views as well as listen to a variety of opinions on the same topic, because it gave me a more holistic perspective on problems and how people approach them. Furthermore, the one-on-one interviews with panellists were quite enjoyable and comfortable because they played out more like conversations in which we were getting to know each other.

www.linkedin.com/in/roshni-bedi-4a5089215
SHEIDA SABETI
Bachelor of Science Student at Edith Cowan University
Sheida Sabeti was born in Perth and has lived there all her life. She is in the final year of a Bachelor of Science course at Edith Cowan University, majoring in cybersecurity.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Cybersecurity is evolving and we are becoming more technologically advanced every day. As we continue to advance, new vulnerabilities and threats are emerging. There are many areas one can explore in cybersecurity: governance, penetration testing, programming, security consulting and many more. Cybersecurity gives people the freedom to explore different areas whilst still gaining experience in a field they love.

What cybersecurity role would you most like to be hired into when you graduate, and why?
I enjoy a variety of fields, so whilst I do not have a specific role in mind, I would enjoy gaining experience in a vast range of fields including data analysis, security consultancy and governance.

Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
My initial interest in computing grew out of an interest in gaming I have had since I was a child. However, I never considered cybersecurity as a career until my mother suggested it. She knew it was a good field to enter and a course I could undertake at university. So I chose computer science ATAR during my final two years of high school. I enjoyed the topics discussed because of the way my teacher taught the subject and made it very enjoyable. I also sought advice from him regarding which university would be best, as well as if it were a good course to take.

What aspect of your studies excites you the most?
The ability to learn a multitude of topics. However, my personal favourite topic is coding, in various languages.

Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
I find the networking aspect particularly challenging because it is the most difficult for me to understand and not a topic on which I want to undertake further research.

What is your favourite source of general information about cybersecurity?
My favourite source of cybersecurity information would be the Australian Cyber Security Centre (ACSC). I find it to be the most reliable because it is an Australian Government body and anybody can understand the information it provides.

What measures do you have in place for your personal cybersecurity?
I follow various cyber safety practices. One is following password security rules. I ensure I use a minimum of 15 characters including uppercase and lowercase letters, numbers and symbols. I use multifactor authentication. I do not give out personal information unnecessarily and never click on unknown links I receive. I also perform daily antivirus scans on my desktop computer.

With the benefit of hindsight, would you change your career trajectory to date, and if so, how?
Honestly, I would not. When I was younger I would deliberate on what courses I should study and whether I would like them, but I fell in love with computing and I would not change what I learnt, the people I met and the experiences I gained in any way. It has shaped me into the person I am today.

www.linkedin.com/in/sheida-sabeti-b7659420b
TSHERING WANGMO
Master in Cybersecurity Student at Edith Cowan University
Tshering Wangmo was born and grew up in Bhutan. She has lived in Perth since 2016 where she is studying for a master’s in cybersecurity at Edith Cowan University’s Joondalup Campus. She has completed the third semester of her final year and is looking for internship opportunities to enable her to meet course requirements.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Whenever I get asked by my friends and other people around me about what I am studying I respond with: “I am studying for a master’s in cybersecurity.” The comment I most often get is, “Wow! That sounds heavy, but you must be good at information technology (IT).” I often tell them “Firstly, I am not that tech savvy and, yes, it is tough and challenging, but it is doable, if you are interested to learn it.”

Often, I get asked how a non-IT person can learn cybersecurity because you need to know how to hack a computer. My usual response is that cybersecurity is not only about hacking, in fact hacking is the reason why there is the need to learn cybersecurity, and it all begins with yourself. If you are using your phone, computer, WiFi at home for yourself, or for children to play online games, you will need to know the basics of being safe online.

It is not difficult to make people understand why it is important to be safe online. In my personal experience with my own family, if I explain about the need to have strong passwords and update software regularly, they do not take me seriously.

I notice there are others who do not bother about being safe online. To make them understand why they need to bother, I explain that, just as we would secure our house to protect our family from thieves or intruders, we build walls or fences to protect ourselves in the online world. Further, we use strong doors with locks and keys which are analogous to strong passwords in the online world. And, just as people’s houses can be made safer with digital smart products, we can make ourselves safer online with technologies like multifactor authentication. The bottom line is: people need to be cautious and maintain privacy online, just as they do in real life. People who understand the logic of this and see the recent news on data breaches become interested and ask me more about my course.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
I applied for the course because there was no requirement to have an IT background. I obtained a bachelor’s degree in computer applications a long time ago, but my work experience for the past six years has been in projects and administration. I enrolled in my course knowing it would be challenging.

The course started well but became increasingly challenging with each semester, because there were so many aspects of cybersecurity to learn, from networks to communication skills, coding to data science, project management to ethical hacking. By the time I was in my third semester I felt somewhat lost having many career options in cybersecurity and not knowing where my skills could take me.

What cybersecurity role would you most like to be hired into when you graduate, and why?
When I graduate, I would most like to be hired as a red team ethical hacker, because in 2020 when the pandemic started, I knew I needed to get into a career where I could leverage my current skills. After two semesters I was on pregnancy leave, during which I realised how important our time is and how we as women always have to make compromises between personal life and career. This realisation gave me the opportunity to take the leap into a career where I could balance family life by working from home, or from anywhere in the world.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
The most significant event on my career journey was learning about information warfare. We had a group presentation and each person got only two minutes to present. My presentation was about offensive security, and I had only two slides, one for an introduction and one on a funny meme that made everyone in the room laugh. All I did was stage a live demonstration on Twitter showing how information can be rapidly amplified, whether it is true or false. Our group got the best mark and, to my surprise, I earned an extra mark for that presentation.

In addition to your studies, what employment experience do you have in cybersecurity?
I worked for six months in an IT company as a project support coordinator and was fortunate to be working with project managers developing and standardising all IT operations manuals and assisting in cybersecurity policy drafting.

Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
To be honest, this course is difficult and challenging. There are no easy units. In particular, the cybersecurity unit in the first semester was difficult for me as a mid-career student with a new education learning system, juggling work and family, while also being totally new to cybersecurity.

Is there any aspect of cybersecurity that you think should be given greater focus in your course, or any aspect you think should be given less focus?
I think there should have been more on building presentation and communication skills.

Are you involved in the wider cybersecurity community, eg AWSN, if so how and what has been your experience?
I have been an associate of the Australian Computer Society as a student ambassador and a member of the Australian Information Security Association (AISA), which is free for students. I attended the first Student of Cyber event in Perth in 2021 where it was great to see so many new faces, learn about other people’s aspirations and what local cybersecurity businesses are coming up with. I attended the CyberCX annual event in 2020 where it was great to meet prospective employers in cybersecurity. I participated in the EC-Council’s online Mega Cyber Challenge 2020 where I won a $200 voucher towards any online EC-Council course. I participated in CyberCX’s annual AppSec hackathon in 2020 and received a certificate and a one-month free subscription to Pentester Lab. I have volunteered in Coder Dojo assisting awesome kids.

What is your favourite source of general information about cybersecurity?
I have subscribed to the Australian Cyber Security Centre (ACSC) for data breach updates and mitigation strategies. I get the latest news on information security and much information from AISA events and from the ACS. Its website has an online learning portal that is helpful. While driving I listen to podcasts like Darknet Diaries. I follow the Hackers Academy and other cybersecurity service providers on LinkedIn.

What measures do you have in place for your personal cybersecurity?
During my first semester I changed the passwords for our WiFi network, my son’s iPad, email services and started cleaning up my social media profiles by taking out all personal information, deleting lots of unknown people on my friends list and I stopped uploading details of every moment in my life.

www.linkedin.com/in/tsheringwangmo
SAMAN FATIMA
Master of Science Course Student at Georgia State University
Saman Fatima was born in Lucknow, India and now lives in the US, in Atlanta, where she is in the first semester of a master of science course in information systems – cybersecurity at Georgia State University.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Having spent five years in cybersecurity and having seen what happens on social media, I would show my friend the dark world of security, not to scare them but to make them understand how putting information about yourself on social media—saying “Hey I am at the WTC”—can be dangerous because it creates data that can be harvested for open-source intelligence (OSINT), etc. I would try to impress upon them the importance of putting ‘security first’ in both their physical and digital lives.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
I was a beginner in cybersecurity studies five years ago with little exposure, but now it has become a BEAST! I have been introduced to multifactor authentication. I have learnt that no browser is safe. I have learnt to love cookies, but that cookies can steal a lot of data. I have learnt that social media exposure can be a bane, and to be careful with every detail exposed.

What cybersecurity role would you most like to be hired into when you graduate, and why?
I really want to become a cloud engineer. I am strongly inclined toward the usage and benefits of the cloud: putting data there, deciding which deployment and service model best suits the organisation, and safeguarding the data with appropriate controls.

Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
My family members are supporting my enthusiasm and passion for cybersecurity. They supported me to move to the US to study for my master’s degree after five years working in industry (Yes, it is tough). A host of friends in my cyber community have helped and contributed to my journey tremendously.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
There have been many memorable moments:
• Starting a new community (non-profit) with my colleague/friend/sister Aastha Sahni in 2021.
• Being nominated for cyber awards.
• Coming to the US for my master’s.
• Learning about attacks and gaining knowledge about different domains, getting my work published, presenting it and being acknowledged.
• Starting a student chapter of WiCyS at my university.
• Being a community leader, having people learn from me, and vice-versa.

My biggest achievements have been when I have been able to help others with cybersecurity.

In addition to your studies, what employment experience do you have in cybersecurity?
I have been trained in identity and access management. I have long been a cybersecurity enthusiast and I am an active member of cyber communities.
• I am the cofounder and vice-chair of the Breaking Barriers Women in Cybersecurity (BBWIC) Foundation.
• I am a volunteer instructor at CyberPreserve.
• I am a global member, mentor and mentee at Women in Cybersecurity (WiCyS).
• I am an ambassador for Snyk, a Boston-based cybersecurity company specialising in cloud computing.
• I am an ambassador and advisor at Women in Cloud (WIC), a community-led economic development organisation for women entrepreneurs and professionals.

I started my career in early 2017 with Tata Consultancy Services working with SailPoint’s identity and access management technology and entered the world of cybersecurity when I became a data engineer with Macquarie Group. I am now a graduate student at Georgia State University studying security analysis, application architectures and business analysis. I have five years’ experience as a DevOps engineer. I have obtained two industry certifications—CyberArk Trustee and Microsoft AZ 900—and I aim to collect more in coming years.

I love to learn and grow in cybersecurity. I have been a speaker at conferences including OWASP Appsec 2021, Day of Security 2022, SANS New2Cyber Summit 2022, GDG DevFest UK & Ireland 2022, DevSecCon 2021, c0c0n 2021, Rainbow Secure Cyber Symposium 2021, Tech(k)now Day 2021 & 2022, the Hackers Meetup and various local and virtual meetups.

We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
Cybersecurity is changing every day. I feel being part of it, learning about it and implementing it in real life is my thing, and I am quite happy with my role.

What aspect of your studies excites you the most?
I got to mount a few attacks in a controlled environment as part of my curriculum. I would not otherwise have had this opportunity.

What is your favourite source of general information about cybersecurity?
These are the sources I follow:
• Cyberpreserve Weekly News.
• BleepingComputer for the latest technology news.
• SANS Training.
• Women in Security Magazine.
• Podcasts by ITSP Magazine, Snyk, Philip Wylie, Human Factor, Security Metrics, etc.

What measures do you have in place for your personal cybersecurity?
I change passwords for all my major accounts monthly and for my low-priority accounts I change the passwords quarterly.
• My passwords are passphrases, no one can crack them.
• I check what permissions all my mobile apps have.
• I use multifactor authentication on all applications that support it.
• I ensure I install all software updates and patches in a timely manner.
• I run antivirus scans weekly or monthly, depending on device usage levels.

www.linkedin.com/in/saman-fatima-30
Eleni Lykopandis grew up, and lives, in Melbourne. She has just completed the second year of a bachelor’s degree course in cybersecurity and criminology at La Trobe University. ELENI LYKOPANDIS Bachelor in Cybersecurity and Criminology Student at La Trobe University
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
internship but was extended into further employment,
I feel it is pretty similar. At the very start, I thought I
many areas of cybersecurity and the work different
would be doing computer work only, but interpersonal
cyber teams do. I’ve worked on security assessments
communication and soft skills are needed to succeed
and reporting but the bulk of my work to date has
in cybersecurity. Other than that, I have always
been within the PAM and IAM landscape. I am being
been aware of the wide breadth of fields available in
rotated next into the cloud security team, and I can’t
cybersecurity. That was something that drew me to
wait to start working on some projects there.
and I absolutely love the work I do. I have been rotated into different roles, which has exposed me to
this career in the first place.
What cybersecurity role would you most like to be hired into when you graduate, and why?
What aspect of your studies excites you the most? I still have a while to go before my studies are
I’m not completely sure, but I am super interested
finished. So my answer to this question will change
in digital forensics. I am studying a cybersecurity/
as I learn more. Currently, I really enjoy studying
criminology double degree so digital forensics seems
the evolving threat landscape and looking into the
like the perfect choice because it spans both. I have
future of cyber attacks, especially cyber warfare and
attended a few workshops and CTF competitions run
disinformation. Historically, we’ve seen disinformation
by my university or by external agencies and I have
spread through espionage and propaganda, but it
always performed best in the digital forensics stream,
has been confined mainly to the country of origin.
when there is one. It is definitely something I want to
Now that disinformation can be spread over the
explore further.
internet, it can reach a much larger audience. With the development of deep fakes and AI we’ve already
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
seen disinformation spread through fake press
I had a very positive reaction from everybody when
especially to the untrained eye, and has set a very
I said I wanted to study cybersecurity (at least
dangerous precedent for the future.
conferences in which Ukrainian President Volodymyr Zelenskyy was telling Ukrainian troops to stand down and stop fighting. The video is very believable,
from those who knew what cybersecurity was).
have a support system around me. My mum was a
Are you involved in the wider cybersecurity community, eg AWSN if so, how and what has been your experience?
bit apprehensive at first because I “already spend too
I currently belong to the Australian Information
much time in front of a computer,” but she definitely
Security Association (AISA), the Australian Women in
warmed to me studying cybersecurity.
Security Network (AWSN), Women in Cybersecurity
Everybody commented on the job prospects and the futureproofing of employment, and it was nice to
(WiCyS) and the Australian Computing Society (ACS).
156
In addition to your studies, what employment experience do you have in cybersecurity?
I get deeply immersed in the cyber and tech industries
I was really lucky to get a position as an information
range of events that have helped build on the skills I
security officer in the Australian Bureau of Statistics
have learnt at university. Additionally, a lot of the talks
at the end of my first year. It was originally an
and presentations I have attended have illustrated
W O M E N I N S E C U R I T Y M A G A Z I N E
through these organisations. I have attended a wide
J A N U A RY • F E B R U A RY 2023
S T U D E N T
I N
S E C U R I T Y
S P O T L I G H T
the different areas of cybersecurity I could get a job in. These organisations have been instrumental in getting me involved in the cybersecurity industry, keeping me up to date on current events, and even making new connections in the industry.
What’s your favourite source of general information about cybersecurity? I keep up to date mainly from various Slack workspaces that have specific news channels. I open these daily, so it’s easy to scroll through and click on an article that interests me. Additionally, I have newsletters focused on tech/cyber news, such as the ACS’s Information Age, sent to my email. If I want to do further research into a topic I generally start from various cyber-based twitter accounts and see what articles they have linked to, or I go onto other news/information websites such as IT News, Krebs on Security and many others. I also listen to the occasional cyber podcast when I’m going for a walk or making my way to the office. Another great way I have found to stay up to date is to simply talk to my friends studying cybersecurity at university and seeing what has interested them recently.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber? If so, please provide details. Despite all the progress to encourage women into cybersecurity, and more broadly into STEM, there has still been some discrimination. I experienced it only from certain classmates at university. I would say it was very subtle, but definitely still noticeable. Much of the discrimination has devalued my input and opinions and made me feel as if I had to do twice as much just to be on the same playing field as men. One time a man I had just met challenged me to show my grades to prove I was worthy of studying cybersecurity (of course, he never offered to show me his grades). Luckily, this behaviour is no longer tolerated, so the instances of discrimination are now very limited.
www.linkedin.com/in/elenilykopandis
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
No technology rules at Camp Sunshine!

Olivia and Jack are very much looking forward to going to summer camp in the upcoming school holidays. Camp Sunshine will be so much fun! They are excited about going canoeing, horse riding, tree surfing, fishing, and having lots of fun with the other children. Lots of their friends from school and their basketball team are going, and they are also excited about making new friends. They have been on school camps before, but this one will be different, because it will be with children they have not met previously.

Their mother and father went to the information evening to learn about Camp Sunshine, including the rules and what they would need to pack. They were told children would be allowed to take their devices to Camp Sunshine and keep these in their rooms. Olivia and Jack’s parents were very worried after hearing this. At school there are rules governing the use of devices. For example, mobile phones, tablets and wearables need to be handed to the teacher at the beginning of the day and then collected at the end of the day. At home, Olivia and Jack’s parents make sure all devices have parental controls and are kept on the kitchen bench overnight. They also have a house rule that no devices are allowed in bedrooms, especially at night.

Olivia and Jack’s mother spoke to the camp supervisor, Penny, to learn more about the tech rules at camp. Penny said Camp Sunshine did not have any tech rules, but the organisers were discussing what rules they should implement. Olivia and Jack’s mother said: “We would feel more comfortable sending Olivia and Jack to camp if there were tech rules to keep all the kids safe online.” Penny spoke to the other camp leaders who agreed keeping the kids safe online was very important. At Camp Sunshine they had sun safety rules, water safety policies and rules around respectful behaviour. Penny said she would speak to the other camp organisers about the importance of having tech rules. She also said some of the children had brought devices to the previous year’s camp and sent rude messages to each other.

After some careful planning Penny sent a letter to all parents setting out Camp Sunshine’s tech rules.

• Devices can be brought to camp by older children. However, they are not allowed to be kept in the dorm rooms. They must be handed to the camp leaders at the start of the camp and the children can use them to call their parents after breakfast if necessary.
• Younger children are not permitted to bring devices to camp. However, anyone needing to call home can ask the camp leaders to use the camp phone after dinner.
• Any devices found will be removed and stored in the camp office and handed back to parents at the end of camp.

This way the children can still keep in touch with their families if they feel anxious or miss home, but the chances of them viewing inappropriate content, or being a victim of cyberbullying, are reduced. The parents thought this was a great idea. Olivia and Jack were excited to go to camp and knew that, unlike last year, they would not need to take their devices. However, they were just as excited to go canoeing, horse riding, tree surfing, fishing and having lots of fun with the other children.

www.linkedin.com/company/how-we-got-cyber-smart
facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
NZWIS: THESE ARE YOUR 2022 FINALISTS

NEW ZEALAND’S MOST OUTSTANDING WOMAN IN IT SECURITY
WINNER: Erica Anderson, COO and Director, Safestack and SafeAdvisory
FINALISTS:
• Erica Anderson, COO and Director, Safestack and SafeAdvisory
• Hilary Walton, CISO, Kordia
• Aimee Lin, Chief Product Officer & Technical co-founder, DataMasque
• Kate Pearce, Head of Security, Trade Me
NOMINEES: Erica Anderson, Hilary Walton, Aimee Lin, Kate Pearce, Kat Lennox-Steele, Ngaire Kelaher, Rudo Tagwireyi, Melonie Cole, Denise Carter-Bennett, Ankita Dhakar, Tarryn Roth, Kandice Mclean, Yael Lord, Cherry Liwag, Jenny Botton
BEST FEMALE SECURE CODER (SPONSORED BY Atlassian)
WINNER: Justina Koh, Security Consultant, ZX Security
FINALISTS:
• Justina Koh, Security Consultant, ZX Security
• Grace Lee, Senior Security Consultant, CyberCX
• Darya Kokovikhina, Software Developer, Best Practice Software
NOMINEES: Justina Koh, Grace Lee, Darya Kokovikhina
BEST INDUSTRY INITIATIVE THAT SUPPORTS DIVERSITY, INCLUSION AND EQUALITY (SPONSORED BY Spark NZ)
WINNER: She# (She Sharp)
FINALISTS:
• She# (She Sharp)
• Spark NZ Blue Heart Program, Spark NZ Ltd
• #10KWāhine initiative, Microsoft
NOMINEES: She#, Spark NZ Blue Heart Program, #10KWāhine initiative, OMGTech, AWS She Builds
BEST INNOVATIVE BUSINESS “RESHAPING THE FUTURE” OF THE SECURITY INDUSTRY
WINNER: DataMasque Limited
FINALISTS:
• DataMasque Limited
• Cyber Tribe
• Mindshift
NOMINEES: DataMasque Limited, Cyber Tribe, Mindshift, Hacking for Heroes, Security Lit NZ, KPMG
BEST PLACE FOR WOMEN TO WORK IN SECURITY (SPONSORED BY Spark NZ)
WINNER: Xero
FINALISTS:
• Xero
• Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice
• Spark New Zealand Limited
NOMINEES: Xero, Price Waterhouse Coopers New Zealand - Cyber and Digital Identity Practice, Spark New Zealand Limited, ZX Security, Tauranga City Council, Trade Me, Netsafe
BEST SECURITY MENTOR
WINNER: Ivy Macapagal, Security Analyst, ESR - Science and Research
HIGHLY COMMENDED: Robyn Campbell, Partner, Cyber & Privacy, PwC
FINALISTS:
• Ivy Macapagal, Security Analyst, ESR - Science and Research
• Amina Aggarwal, Security Design Consultant, Spark NZ
• Robyn Campbell, Partner, Cyber & Privacy, PwC
• Jan Thornborough, Founder & Director, Intelligensia
NOMINEES: Ivy Macapagal, Amina Aggarwal, Robyn Campbell, Jan Thornborough, Laura Bell, Hilary Walton, Katherine Pearce, Michelle Crowe, Jaimee Pasig, Scotland Symons, Laura Smith
BEST SECURITY STUDENT
WINNER: Caitlin Mojica, Graduate Security Analyst, Xero
FINALISTS:
• Caitlin Mojica, Graduate Security Analyst, Xero
• Malahat Rehan, DevSecOps Engineer, Snapper Services
• Ayla Narciso, Student, Developers Institute
NOMINEES: Caitlin Mojica, Malahat Rehan, Rachel Grimwood, Ayla Narciso, Danielle Domingo, Daphne Gumban, Elle Wright
BEST VOLUNTEER
WINNER: Abby Zhang, Security Analyst, Kordia SecOps and Chapter Lead - NZNWS and SheLeadsTech Liaison - ISACA Auckland Chapter
FINALISTS:
• Abby Zhang, Security Analyst, Kordia SecOps and Chapter Lead - NZNWS and SheLeadsTech Liaison - ISACA Auckland Chapter
• Toni James, Security Engineer, Salesforce
• Katherine Lennox-Steele, Founder of Cyber Tribe, Customer Success Manager and Security Consultant, Unisphere, Cyber Tribe
NOMINEES: Abby Zhang, Toni James, Katherine Lennox-Steele
IT SECURITY CHAMPION
WINNER: Amina Aggarwal, Security Design Consultant, Spark NZ
HIGHLY COMMENDED: Anupurna Kaw, Cyber and Cloud Security professional, Microsoft
FINALISTS:
• Amina Aggarwal, Security Design Consultant, Spark NZ
• Anupurna Kaw, Cyber and Cloud Security professional, Microsoft
• Sarah Burgess, Head of Corporate Information Security, CCL
• Jenny Botton, Product Owner - Security, Xero
• Mikala Jane Anstis Easte, Manager Security Assurance and Governance, Reserve Bank of New Zealand
NOMINEES: Amina Aggarwal, Diana Yang, Anupurna Kaw, Aastha Sharma, Jenny Botton, Kyla Butcher, Sarah Burgess, Coco Liu, Mikala Jane Anstis Easte, Tiffany Chu, Megan Young, Cherry Liwag, Teodora Bear, Vanessa Piper, Mae Koh, Yolanda Wilke, Vivien Hii, Akarsha Palle, Jaimee Pasig, Nadia Yousef, Ivy Macapagal
MALE CHAMPION OF CHANGE
WINNER: Paul Platen, Chief Information Officer, SSS - IT Security Specialists
HIGHLY COMMENDED: Andrew Thorburn, Enterprise Security & Risk Manager, Atlas Gentech NZ
FINALISTS:
• Paul Platen, Chief Information Officer, SSS - IT Security Specialists
• Andrew Thorburn, Enterprise Security & Risk Manager, Atlas Gentech NZ
• Andy Crawford, Professional Services Delivery Lead, Spark NZ
• Nyuk Loong Kiw, Head of Security, Spark NZ
• Rob Lonie, Sales Leader in Cybersecurity, Microsoft
NOMINEES: Paul Platen, Andrew Thorburn, Andy Crawford, Nyuk Loong Kiw, Rob Lonie, Adwin Singh, Bill Moses, Craig Maskell, Eugene Gibney, John Martin, David Higgins, Dan Richardson, James Dickinson, Simon Howard
MOST INNOVATIVE EDUCATOR IN CYBERSECURITY
WINNER: Te Pūkenga - New Zealand Institute of Skills & Technology, Unitec
FINALISTS:
• Te Pūkenga - New Zealand Institute of Skills & Technology, Unitec
• Education Arcade, Founder, Education Arcade
• Dr Mahsa Mohaghegh, Director of Women in Technology, Auckland University of Technology
NOMINEES: Te Pūkenga - New Zealand Institute of Skills & Technology, Education Arcade, Dr Mahsa Mohaghegh, Jennie Vickers, Melonie Cole, Mindshift
THE ONE TO WATCH IN IT SECURITY (SPONSORED BY Westpac NZ)
WINNER: Justina Koh, Security Consultant, ZX Security
HIGHLY COMMENDED: Meaghan Bradshaw, Senior Consultant - Security, Microsoft
FINALISTS:
• Meaghan Bradshaw, Senior Consultant - Security, Microsoft
• Justina Koh, Security Consultant, ZX Security
• Amaryah Halo, Information Security Analyst, Kiwibank
• Lauren O’Sullivan, Senior Consultant, CyberCX
• Megan Young, Security GRA Specialist, Spark NZ
NOMINEES: Meaghan Bradshaw, Justina Koh, Amaryah (Ama) Halo, Lauren O’Sullivan, Megan Young, Amina Aggarwal, Aleisha Hoult, Ann Babuji, Denise Carter-Bennett, Dimpal Tailor, Keerthana (Kiya) Kumar, Emma Harrison, Jenna Whitman, Ila Vala, Jennie Vickers, Rajbir Kaur, Katja Feldtmann, Prinka Rana, Narmada Kohli, Hazel Schapel, Marnie McLeod, Remya Kumar, Tahira Begum, Tessa Anton, Sheree Fleming, Tina Bautista, Jamie McClymont, Richa Sharma, Chloe Ashford, Isabella Riddell-Garner, Olivia Uhrle, Patience Mitchell, Vanessa La Luna
UNSUNG HERO (SPONSORED BY Atlassian)
WINNER: Tandi McCarthy, Lead Security Consultant, ZX Security
HIGHLY COMMENDED: Sai Honig, Engagement Security Consultant, Amazon Web Services
FINALISTS:
• Sai Honig, Engagement Security Consultant, Amazon Web Services
• Tandi McCarthy, Lead Security Consultant, ZX Security
• Duo, a division of Sektor - 1stTuesday and Project Wednesday (Duo Team Members, Duo, a division of Sektor)
• Georgia Kitt-Lobo, Cybersecurity Consultant - Governance, Risk and Compliance, Datacom
NOMINEES: Sai Honig; Tandi McCarthy; Antionette Murray; Robyn Campbell; Duo, a division of Sektor - 1stTuesday and Project Wednesday; Janice Lecias; Lesley Maguire; Georgia Kitt-Lobo; Tina Bautista; Liz (Elizabeth) Schoff; Kathleen Aparte; Melonie Cole; Sarah McMaster; Eva Knotkova; Beth Jackson; Phoebe Soon; Chloe Ashford
Don’t Miss Out: 2023 NEW ZEALAND WOMEN IN SECURITY AWARDS, 9TH NOVEMBER
GET NOTIFIED: Join our distribution list to be the first to know when tickets go on sale
SUZY CLARKE
HOW WE INCREASED GENDER DIVERSITY IN SECURITY @ XERO
by Suzy Clarke, Executive GM - Security (CISO) at Xero

In November 2022 my team at Xero won the Best Place for Women to Work in Security award at the inaugural NZ Women in Security Awards. In our submission we said 33 percent of the Xero security team, globally, were female and that the percentage of junior team members identifying as non-male was much higher. These figures contrast starkly with the industry average for non-male cybersecurity professionals of less than 20 percent.

Afterwards a few people asked me how we had created such a gender diverse global team. Gender is only one facet of our diversity and inclusion effort, but an important one. Security, like so much of the tech industry, has historically been male-dominated, so providing opportunities for all genders at every experience level (and in particular cis-women, trans and/or non-binary individuals) is critical to our work.

At first I was hesitant to reveal our approach, because, from my perspective, there is still more we need to do. I did not want to hold up Xero as having ‘solved’ the diversity problem, because that is not true. However, when I reframed my answer to one that sowed the seeds for a discussion on how we can improve diversity in security across the industry—and how I could contribute—I was more motivated to write down my approach.

So here it is. While still very much a work in progress, hopefully you will be able to take something useful and actionable from my approach and apply it in your own context.

THE XERO CONTEXT

We are particularly fortunate at Xero to have an environment and culture that supports diversity and inclusion in multiple ways. Fundamentally, Xero champions diversity and inclusion to create better outcomes for our people and our customers, and this approach starts at the top. For example, in our FY22 annual report we published our commitment to diversity. It states that Xero directors are responsible for ensuring our business is “increasingly representative of the communities in which we live and work” and that a work environment where everyone feels they “belong and can thrive” is important. In line with this commitment the Xero board has set an ambitious gender diversity target of having 45 percent of employees at all levels of Xero identifying as female by 2025 (an increase from 40 percent in 2020).

At the time of our nomination for the Best Place for Women to Work in Security award the Xero board was 43 percent female and our executive leadership team was 40 percent female—a number that has since risen with the announcement of Xero’s first female CEO.

As my team said in our award submission: “By having women represented through all layers of leadership, women here at Xero know three things: women are valued, women can lead and women are critical to the future of security.”

Looking more broadly, we also have a number of workplace policies at Xero that are supportive of diversity. We offer a generous primary carer parental leave package to all Xero employees, regardless of gender, as well as a referral program under which employees of Xero can refer their friends to open roles with us for a cash bonus. We often gain diverse candidates through this process.

One of our core values at Xero is #human and we have a number of initiatives to support that being a reality every day. Most important to our drive for greater diversity is our Ally Skills training designed to ensure all our team members understand what it means to be an ally for diverse communities across the organisation. Psychological safety is another fundamental part of the Xero culture, and everyone is supported to reach their full potential knowing they can be exactly who they are and get the roles they deserve.

In the technology function we have a comprehensive and a focus on bringing onboard diverse engineering talent. This program aims to increase female engineering promotions by 10 percent. In security we have made good use of both initiatives by taking in a large number of graduates every year, converting at least half of them to permanent employees in security, and then committing to helping them grow their careers with us.

If you want to read more about a specific example, check out this post about one of our security analysts Ana Ramirez who started with us as a graduate. Or read about how one of our existing security graduates Caitlin Mojica (pictured with me above) won Best Security Student at the NZ Women in Security Awards.

THE SPECIFIC CHOICES WE MADE IN SECURITY @ XERO

Given all those initiatives around gender diversity at Xero, you might think all I had to do was turn up in my role as executive general manager of security and just watch my team magically become more diverse as it grew. If only!

As simple as that would have been for me, a much more intentional approach was required. When I joined Xero 3.5 years ago in 2019, the security team was significantly smaller and our gender diversity was around 20 percent, a number in line with the industry average.

Having worked in security for more than 20 years I had seen firsthand the power of bringing more diverse people into the team. I knew the lived experience of being the only female team member for years at a time, so I felt an obligation to increase diversity. Also, as a gay woman, I knew the difference between having a diverse team and truly having inclusion.

One of the first things I did was tell people I wanted to see more diversity in the security function. That might seem obvious, but we often overlook the obvious: simple things that can have a big impact.

When it came time to hire a new general manager layer reporting to me, I worked closely with our talent team to proactively identify and approach female security leaders. Xero’s global presence gave us the advantage of being able to hire in multiple markets. This helped increase the pool of candidates. Once I had hired two general managers I set them the task of increasing diversity within our leadership team by giving each specific objectives. At the time of our award submission the wider security leadership team reporting to me was predominantly female. So I think setting specific objectives was effective.

We also took a creative approach to bringing people into security. Rather than being narrowly focused on requiring specific security experience or certifications, we looked for candidates who could bring curiosity, culture fit and a ‘hacker mindset’ to their roles. By taking that approach we hired many new team members from adjacent roles within Xero, including from our customer experience team. Another big move we made in 2021 was to introduce a product management function within security to effectively ‘productise’ our approach to security engineering. That journey merits a dedicated article. It enabled us to advertise more roles, such as people leads and product owners, where security-specific experience was not required. As a result, we saw a pipeline with more diverse candidates.

Additionally, when we have open roles at any level within security, I ask our talent team for diversity statistics on the candidate pipeline. We consistently see fewer diverse candidates applying for our security engineering roles. To change this, I have asked the talent team to be more proactive in approaching external candidates. I have also promoted our open security roles internally on our Women in Tech Slack channels.

Finally, of course, I report regularly on our diversity statistics and share these with the team, following Peter Drucker’s advice: “What gets measured gets managed.”

WHAT’S NEXT?

While it feels strange to type this, an award-winning level of diversity is not the end goal for us at Xero. Maintaining and increasing diversity is not a one-off, it needs ongoing laser focus.

I can see from our current statistics that staff at senior and lead levels in engineering within the security function are mostly male. Knowing our junior and associate levels in engineering roles are more than half non-male, I could relax and think we will eventually increase diversity as people progress in their careers.

However, I do not believe this approach will suffice, and I do not want to simply wait for that to happen. I am also well aware that gender diversity is only one of many aspects of diversity. This is just the start of our journey.

www.linkedin.com/in/suzy-clarke-46a3624
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist
2. KAO HANSELL
Cyber Security Advisor at Digital Resilience
3. MELANIE TRUSCOTT
Executive Director, Engagement & Communication at CyberCX
4. BELINDA STEWART
Business Engagement Manager at Paypac Payroll Services Pty Ltd
5. KYLIE WATSON
Lead Client Partner, National Security and Defence with IBM
6. LENA SMART
Chief Information Security Officer at MongoDB
7. LISA VENTURA
Founder – Cyber Security Unity
8. JENNA SALVESEN
Manager - Advanced Security Centre at EY
9. RACHAEL GREAVES
Chief Executive Officer at Castlepoint Systems
10. CATHERINE DAWSON
Associate Solutions Engineer at Cloudflare
11. DR FAUZIA IDREES ABRO
Director MSc Information Security and Director of Distance Learning Programme at Royal Holloway, University of London
12. JOHANNA WILLIAMSON
Senior Manager - Security Strategy and Governance at nbn™ Australia
13. HOLLY WRIGHT
Security Architect at IBM Development Labs
14. MARTINA SALDI
Go To Market Manager - Cyber Security, Data Security and Privacy ANZ at Microsoft
15. FARAH CHAMSEDDINE
Cyber Security Architect at Microsoft
16. RESHMI HARIHARAN
Governance, Risk and Compliance Technology Specialist at Microsoft
17. ORLY SCHEJTER
Cybersecurity and Privacy Intern at Grant Thornton LLP (US)
18. CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
19. CHARLOTTE BEATTY
Technology Consultant at EY and Army Reservist
20. MAKSYM SZEWCZUK
Safety and Security Design Manager at Western Sydney Airport
21. BURCU YARAR
Application Security Team Lead at VakıfBank
22. MALINI MISTRY
Manager-Cloud Security/Cyber Defense at KPMG Australia and Senior Security Consultant at Capgemini
23. KARINE TOBIN
Consultant at The Network
24. NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum
25. KAREN STEPHENS
CEO and co-founder of BCyber
26. JO STEWART-RATTRAY
Information Security Advisory Group, ISACA
27. MEGAN KOUFOS
Program Manager at AWSN
28. NATALIE PEREZ
Senior Internal Auditor - Enabling Functions, Medibank Private Ltd
29. JANINE SEEBECK
CEO at BeyondTrust
30. ALYSSA BLACKBURN
Director of Information Management, AvePoint
31. SIMON CARABETTA
Business Operations Lead at ES2
32. TRAVIS QUINN
State Director at Trustwave
33. REUT WEITZMAN
Manager, Cyber Security Services at Sygnia
34. NANCY PAVLOVIC
Director at PAVLOV GROUP
35. JOANNE COOPER
CEO & Founder of World Data Exchange
36. SAI HONIG
Engagement Security Consultant at Amazon Web Services
37. CAROL CHRIS
Regional General Manager for Australia and New Zealand, GBG
38. MARISE ALPHONSO
Information Security Professional
39. EMILY GOODMAN
Cyber Security Consultant at EY
40. JAY HIRA
Director of Cyber Transformation at EY
41. SARAH BOX
CyBox101 (consultancy)
42. BABY LYN NAGAYO
Cyber Security Manager at EY
43. KAVIKA SINGHAL
Cyber Security Consultant at EY
44. SAVANNAH DOCKERTY
Bachelor of Information Technology Student
45. ROSHNI BEDI
Bachelor of Information Technology Student
46. SHEIDA SABETI
Bachelor of Science Student
47. TSHERING WANGMO
Master in Cybersecurity Student
48. SAMAN FATIMA
Master of Science Course Student
49. ELENI LYKOPANDIS
Bachelor in Cybersecurity and Criminology Student
50. LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller
51. SUZY CLARKE
Executive GM - Security (CISO) at Xero
THE LEARNING HUB
FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.

AWS SECURITY ONRAMP WORKSHOPS
Security Onramp is a free, in-person security health-check workshop for IT professionals. You will baseline your business to align with security best practice and: (i) learn how to create a culture of security within your organisation, (ii) assess your security posture across 8 foundational controls, (iii) walk away with a prioritised improvement plan to build a healthy security posture.

ANALYZE AND VISUALIZE DATA WITH POWER BI
Microsoft Power BI Certification Training Course (Online): Power BI is quickly becoming the world’s most powerful self-service business intelligence platform, and an absolutely essential tool for data professionals and beginners alike. With Power BI you can connect to hundreds of data sources, build complex relational models using simple and intuitive tools, and design stunning, interactive dashboards from scratch.

THINK CYBERSECURITY FOR GOVERNMENT
Cybersecurity threats against local and central government continue to test both resources and stamina. Now, more than ever, there is a need for vendors and government to come together to find the best way to tackle sophisticated and complex cybercrime. The Cybersecurity for Government conference program is designed to build bridges across this government-vendor ecosystem.

SOEBIT TRAINING - LEVEL 1 EXTREME HACKING
The Rocheston RCCE Level 1 course will delve into the basics of cybersecurity along with hands-on labs. This RCCE1 course covers the foundation of hacking technologies. It looks at web application attacks, Trojans and malware, denial of service attacks, Metasploit, firewalls, cryptography, cracking passwords, hacking the cloud, etc. This course is 100% Linux based.

CYBERSECURITY FUNDAMENTALS FOR THE ECC
Emergency communications centers (ECCs) have been battling cyberattacks for years. The frequency and intensity of cyberattacks will continue to grow. Taught in real time by a cybersecurity expert in the APCO Virtual Classroom, Cybersecurity Fundamentals for the ECC is an interactive one-day course addressing the critical pieces of information that all ECC employees should know.

CYBER SECURITY RISK ASSESSMENT
The course is based around a practical case study that will be developed across the three days of the course, taking the delegate through the SRA process. The course has a modular structure of classroom tuition followed by a practical case study, which will take the participant through the SRA process as identified in IEC 62443-3-2.

SOEBIT TRAINING - ROCHESTON CERTIFIED CYBERSECURITY SPECIALIST (RCCS), JAN 2023
SOEBIT - Rocheston Certified Cybersecurity Specialist (RCCS) will primarily provide you with a working knowledge of all the fundamental threats to cybersecurity in our everyday life. (i) Identify the challenges, (ii) safeguard a company’s/individual’s privacy, (iii) save time, energy and money, (iv) be less anxious, (v) defeat a threat.

SECUREYES CYBERSECURITY CERTIFICATION PROGRAM, BATCH #8, CLASS OF 2022
To fill the skill gap in this job market, SecurEyes, a leading Bengaluru-based cybersecurity firm, has been running an online skill development course: the SecurEyes Cybersecurity Certification Program. Candidates who are passionate about cybersecurity and have completed their graduation or are in the final year/semester can apply for this course. Gender, age, and physical/social/financial challenges are no bar if you are interested in applying.

RIT CYBERSECURITY FUNDAMENTALS
An introduction to and an extensive overview of the various branches of computing security. You will learn cybersecurity concepts, issues, and tools that are critical in solving problems in the computing security domain, with opportunities to learn essential techniques in protecting systems and network infrastructures; analyzing and monitoring potential threats and attacks; and devising and implementing security solutions for organizations large or small.

RIT NETWORK SECURITY
You will learn the principles and concepts of wired and wireless data network security. You will be guided through a series of laboratories and experiments in order to explore various mechanisms for securing data networks, including physical layer mechanisms, filters, applications and encryption. The issues and facilities available to both the intruder and the data network administrator will also be examined to illustrate their effect.

NETWORK SECURITY ADVANCED TOPICS
This is the 6th course in the intermediate, undergraduate-level offering that makes up the larger Cybersecurity Fundamentals MicroBachelors Program. We recommend taking them in order, unless you have a background in these areas already and feel comfortable skipping ahead.

PEN TESTING SHORT COURSE
This 4-week free short course will help you gain an in-depth understanding of the security posture of your IT environment: a penetration test highlights those areas that need fixing and which areas can withstand a concerted hacking attempt. A well-written report detailing the findings of a penetration test can be invaluable to an organisation looking to protect itself from cyber risks.
TURN IT UP
WORK HARD, BE KIND & AMAZING THINGS WILL HAPPEN By Dominic Vogel & Christian Redshaw featuring Dina Atwell Dina has spent the majority of her career at the State Department, but for the last three years, she has called Capital One home. The motto that Dina lives by is: “Work hard, be kind, & amazing things will happen!”
CLICK TO LISTEN
STORIES OF INFOSEC JOURNEYS With Aditi Bhatnagar Aditi Bhatnagar is an Independent Security Researcher focusing on Android security, cloud, web apps, and wireless network attacks. She is currently a Product Security Engineer at Atlassian and has previously worked as a Core Engineer building features for endpoint security products at Microsoft. Through her initiative, Infinite Hacks, she is spreading cyber awareness.
CLICK TO LISTEN 188
W O M E N I N S E C U R I T Y M A G A Z I N E
WHO IS FORESIGHT? With Craig Ford and The Security Collective We welcome back author Craig Ford as he and Claire dive a little deeper into his latest book ‘Foresight’ which has been nominated for an Aurelis Award in the young reader category. Aside from the book, Craig and Claire discuss the ongoing challenges of the cyber skill shortage and the state of cyber in Australia over the past 12 months.
THE CYBER SIBLINGS With Anu and Sumeet Ever heard of rug pulls and pig butchering? Be smarter than the scammers and learn how common crypto scams work in detail. The US Federal Bureau of Investigation (FBI) estimates that, between January and March 2022, more than US$1.3 billion in cryptocurrencies was stolen by cybercriminals.
SIMPLY SECURITY: ES2 With Simon Carabetta, Eduardo Gallardo, Aaron Kelder, Frederic Drouin In this episode we discuss Digital Identity and the problem Australia faces in finally implementing a single, secure digital ID for people. We also discuss the latest cyber headlines and of course our cyber security tip of the week.
THE CHIRAG D JOSHI SHOW With Chirag Joshi With things moving at a frantic pace in the world of cyber security and their real impact on people and businesses, the importance of quality journalism in this area has never been greater. From understanding cyber warfare and large-scale ransomware attacks to massive data breaches, we need reliable, authentic reporting to separate the noise from what matters.
RECOVERING HACKER TURNED AWARD-WINNING FILMMAKER With Alissa Knight, Erika McDuffie and Jax Scott Movie producer, award-winning filmmaker, and viral sensation, Alissa Knight joins 2 Cyber Chicks for an authentic chat about her career from hacker to producer and her accolades in between. Alissa is a pioneer in the industry and revolutionises cybersecurity content while paving the way for future generations.
THE MONICA TALKS CYBER SHOW With Monica Verma In this episode Monica Verma, CEO & CISO, talks with Debbie Reynolds “The Data Diva”, on the myths around privacy as human rights, privacy challenges related to social media, artificial intelligence and emerging technology, as well as how it’s disrupting our private and business worlds. Support the show.
RISKY BUSINESS With Patrick Gray On this week’s show Patrick Gray and Adam Boileau discuss the week’s security news, including: Twitter’s wheels haven’t fallen off yet, but they sure are wobbling; hundreds of millions stolen from FTX mid-implosion; security researchers looking at Mastodon; and much more…
SMASHING SECURITY With Graham Cluley and Carole Theriault A couple unexpectedly find $10.5 million in their cryptocurrency account, and in Cambodia people are being forced to commit scams. All this and more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are flying solo again this week. Warning: This podcast may contain nuts, adult themes, and rude language.
CRYPTO-GRAM SECURITY With Bruce Schneier (read by Dan Henage) As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news. This is the audio version of the Crypto-Gram Newsletter, and is read by Dan Henage.
CYBERSIDE CHATS BY EPIQ With Jerich Beason Privacy & compliance expert from Microsoft, Ingrid Rodriguez, joins hosts Jerich Beason & Whitney McCollum to discuss taking risk out of silos. They talk about how the entire organisation needs to have an understanding of the enterprise risks.
OFF THE SHELF
THE WEAKEST LINK Author // Arun Vishwanath
An expert in cybersecurity lays out an evidence-based approach for assessing user cyber risk and achieving organizational cyber resilience. Phishing is the single biggest threat to cybersecurity, persuading even experienced users to click on hyperlinks and attachments in emails that conceal malware. Phishing has been responsible for every major cyber breach, from the infamous Sony hack in 2014 to the 2017 hack of the Democratic National Committee and the more recent Colonial Pipeline breach. The cybersecurity community’s response has been intensive user training (often followed by user blaming), which has proven completely ineffective: the hacks keep coming. In The Weakest Link, cybersecurity expert Arun Vishwanath offers a new, evidence-based approach for detecting and defending against phishing—an approach that doesn’t rely on continual training and retraining but provides a way to diagnose user vulnerability. The Weakest Link will revolutionize the way managers approach cybersecurity, replacing the current one-size-fits-all methodology with a strategy that targets specific user vulnerabilities.
CYBERSECURITY FOR SMALL NETWORKS Author // Seth Enoka
This book is a straightforward series of projects that will teach you how to secure different facets of household or small-business networks from cyber attacks. Through guided, hands-on exercises, you’ll quickly progress through several levels of security—from building a defensible network architecture to protecting your network from adversaries and monitoring for suspicious activity. The first section will teach you how to segment a network into protected zones, set up a firewall, and mitigate wireless network security risks. Then, you’ll configure a VPN (virtual private network) to hide and encrypt network traffic and communications, set up proxies to speed up network performance and hide the source of traffic, and configure an antivirus. From there, you’ll implement back-up storage strategies, monitor and capture network activity using a variety of open-source tools, and learn tips to efficiently manage your security. By the end of this book, you’ll be armed with the skills necessary to effectively secure your small network with whatever resources you have available.
THE ART OF MAC MALWARE: THE GUIDE TO ANALYZING MALICIOUS SOFTWARE Author // Patrick Wardle
Defenders must fully understand how malicious software works if they hope to stay ahead of the increasingly sophisticated threats facing Apple products today. The Art of Mac Malware: The Guide to Analyzing Malicious Software is a comprehensive handbook to cracking open these malicious programs and seeing what’s inside. Discover the secrets of nation state backdoors, destructive ransomware, and subversive cryptocurrency miners as you uncover their infection methods, persistence strategies, and insidious capabilities. Then work with and extend foundational reverse-engineering tools to extract and decrypt embedded strings, unpack protected Mach-O malware, and even reconstruct binary code. Next, using a debugger, you’ll execute the malware, instruction by instruction, to discover exactly how it operates. In the book’s final section, you’ll put these lessons into practice by analyzing a complex Mac malware specimen on your own.
GRAY HAT C# Author // Brandon Perry
Learn to use C#’s powerful set of core libraries to automate tedious yet important tasks like fuzzing, performing vulnerability scans, and analyzing malware. With some help from Mono, you’ll write your own practical security tools that will run on Windows, OS X, Linux, and even mobile devices. After a crash course in C# and some of its advanced features, you’ll learn how to:
• Generate shellcode in Metasploit to create cross-platform and cross-architecture payloads
• Automate Nessus, OpenVAS, and sqlmap to scan for vulnerabilities and exploit SQL injections
• Write a .NET decompiler for OS X and Linux
• Parse and read offline registry hives to dump system information
• Automate the security tools Arachni and Metasploit using their MSGPACK RPCs
Streamline and simplify your workday by making the most of C#’s extensive repertoire of powerful tools and libraries with Gray Hat C#.
CRYPTO DICTIONARY: 500 TASTY TIDBITS FOR THE CURIOUS CRYPTOGRAPHER Author // Jean-Philippe Aumasson
Expand your mind—and your crypto knowledge—with the ultimate desktop dictionary for all things cryptography. Written by a globally recognized cryptographer for fellow experts and novices to the field alike, Crypto Dictionary is rigorous in its definitions, yet easy to read and laced with humor. You’ll find:
• A survey of crypto algorithms both widespread and niche, from RSA and DES to the USSR’s GOST cipher
• Trivia from the history of cryptography, such as the MINERVA backdoor in Crypto AG’s encryption algorithms, which may have let the US read the secret communications of foreign governments
• An explanation of why the reference to the Blowfish cipher in the TV show 24 makes absolutely no sense
• Discussions of numerous cryptographic attacks, like the slide attack and biclique attack (and the meaning of a crypto “attack”)
• Types of cryptographic proofs, such as zero-knowledge proofs of spacetime
• A polemic against referring to cryptocurrency as “crypto”
• A look toward the future of cryptography, with discussions of the threat that quantum computing poses to our current cryptosystems and a nod to post-quantum algorithms, such as lattice-based cryptographic schemes
THE SMART GIRL’S GUIDE TO PRIVACY Author // Violet Blue
The whirlwind of social media, online dating, and mobile apps can make life a dream—or a nightmare. For every trustworthy website, there are countless jerks, bullies, and scam artists who want to harvest your personal information for their own purposes. But you can fight back, right now. In The Smart Girl’s Guide to Privacy, award-winning author and investigative journalist Violet Blue shows you how women are targeted online and how to keep yourself safe. Blue’s practical, user-friendly advice will teach you how to:
• Delete personal content from websites
• Use website and browser privacy controls effectively
• Recover from and prevent identity theft
• Figure out where the law protects you—and where it doesn’t
• Set up safe online profiles
• Remove yourself from peoplefinder websites
Even if your privacy has already been compromised, don’t panic. It’s not too late to take control. Let The Smart Girl’s Guide to Privacy help you cut through the confusion and start protecting your online life.
THE 2023 WOMEN IN SECURITY AWARDS
Don’t miss the largest security awards of the year!
2023 WOMEN IN SECURITY AWARDS
12 OCTOBER
womeninsecurityawards.com.au
NEW ZEALAND WOMEN IN SECURITY AWARDS
9 NOVEMBER
womeninsecurityawards.co.nz
WANT TO BE PART OF IT? Register your interest today by contacting aby@source2create.com.au