WOMEN IN SECURITY MAGAZINE
ISSUE 13
MARCH • APRIL 2023
SAY IT • THINK IT • BE IT • DO IT • VALUE IT
YOUR 2023 RESOLUTION: COMMIT TO EMBRACING EQUITY
SOCIAL IDENTITY SHAPES THE EQUITY IN YOUR WORKPLACE – SO EMBRACE IT TO DRIVE REAL CHANGE P2
IT TAKES A GUIDING LIGHT TO FIND A WAY THROUGH THE DARKNESS P58
IN TIMES OF CONFLICT, WOMEN ARE STEPPING UP FOR THE CYBER FIGHT P80
WWW.WOMENINSECURITYMAGAZINE.COM

FROM THE PUBLISHER
Don’t Just Say It. Think It. Be It. Do It. Value It. Truly Embrace It.
Social identity shapes the equity in your workplace – so embrace it to drive real change

I have to be honest: when I first started out with this magazine two years ago, I thought ‘Equality’ and ‘Equity’ were the same, so I created content based predominantly around Equality.

And then the penny dropped. I realised that everyone needs to be on the same playing field – with the same rules, but adapted based on circumstances. And if one person needs more resources to create the same opportunity to create an equal outcome? Then that’s what needs to be done so they can both be successful.

I understand that some individuals may see this as unfair for a variety of reasons – but with the industry, economy, and skills shortage the way they are at the moment, how can it not be fair, or beneficial to all of us, to help those that need it the most?

Many communities presently suffer from inequity, including individuals living with disabilities; individuals from the LGBTQ+ community; women of colour; graduates; and those that are economically disadvantaged.

For us to embrace equity – and to truly make this the 2023 resolution for businesses – we need to allow all to thrive, removing all of the barriers that might hold them back. You might not see it now, but in the long run taking proactive steps will solve the skills shortage problems across industries – making us a stronger community on the whole.

This can only be accomplished by offering targeted support to disadvantaged demographic groups within the organisation, and during hiring and recruiting processes so that we can bridge the opportunity gaps that exist between minority and majority groups.

SO, YOU WANT TO TAKE ACTION AND EMBRACE EQUITY?
If we all lead and advocate for better equity, we will create a better shared future for our industry and others.

The issue here is that equity and inclusion need to come from the top down, with equity as more of a focus than diversity and inclusion. To help all employees improve their skills and grow, CSOs and HR departments must ensure that they do the following:

• Implement clear metrics for tracking progress.
• Equip managers with the necessary training and knowledge for evaluating employees during reviews and promotions processes without bias.
• Create an inclusive workplace where all employees have a fair chance to advance their professional skills and rise through the ranks.
• Hold managers accountable.
• Evaluate and create pathways for professionals to transition successfully into mainstream security roles.
• Encourage leaders to express their motivation, as well as acknowledge any barriers, for countering inequity; set clear goals toward greater equity; and then to take action. By doing this, they signal a commitment that becomes the foundation of the organisation’s diversity and inclusion efforts.
• Develop your employees’ coaching skills by implementing a coaching culture around a network of champions who enable the development, contributions, and career growth of all employees.
• Ask the hard questions when you are hiring or internally running talent programs. Ensure everyone has access to on the job training. Don’t make assumptions about individuals’ current capabilities or potential to do other jobs or tasks in the future. And triple check that no specific workgroups have different standards attributed to them.
• Rethink and improve your policies, as well as employees’ networking and work arrangements – eliminating bias and improving inclusivity across work groups or divisions.

GET TO KNOW YOUR SOCIAL IDENTITY
Our social identities are shaped by age, ethnicity, religion, gender, sexual orientation, education, physical ability, race and socioeconomic status. They deliver unique perspectives, and far too often they define what privileges of power we perceive as being deserved.

Generally, inequity is fuelled by unconscious assumptions and experiences that are tied to social identity. So, once we teach individuals to identify their own social identities, we can use communication and conversation to shape others’ experiences while removing unconsciously held biases.

Your workplace is representative of the world around you, and needs to be supportive of all employees, regardless of background. By defining diversity through a lens of social identity, all employees have a way to put themselves into a discussion of diversity, equity, and inclusion.

If you are looking at this list of action items and thinking ‘wow, this is way above my head / paygrade or just too hard’, think again! It’s not easy – but positive change never is.

Just take one item – any item – from this list, and do it well with structure and process. Talk about it, ask for help, discuss in best practice forums – and that will take your company one step further in the right direction.

At its core, workplace equity is all about empowering employees to be their best, and ensuring that everyone within the organisation is treated fairly. Everyone expects and receives the same treatment in terms of opportunity, consequences, and rewards.

To borrow from this year’s theme for International Women’s Day: Don’t Just Say It. Think It. Be It. Do It. Value It. Truly Embrace It. We need to be doing this every day, celebrating and working towards a greater more balanced equity in this world.

And that starts with you. So let’s get to it – and march into 2023 embracing equity for a better, brighter future.

Abigail Swabey
PUBLISHER, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312
aby@source2create.com.au

CONTENTS

FROM THE PUBLISHER 2
DESPITE AMBITIONS FOR EQUALITY, SECURITY’S GENDER SPLIT IS STILL FALLING SHORT OF EXPECTATIONS 10
IT TAKES A GUIDING LIGHT TO FIND A WAY THROUGH THE DARKNESS 58
IN TIMES OF CONFLICT, WOMEN ARE STEPPING UP FOR THE CYBER FIGHT 80

COLUMN
All cybercrime victims are equal, but… 14
Let’s make 2023 a year to remember! 44
“From little things big things grow” 66
Agreeing with your partner about how your child uses tech 84

WHAT’S HER JOURNEY?
Lydia Kretschmer 16
Mandeep Kaur 18
Jacinta Hayward 20
Cairo Malet 22
Jelena Zelenovic Matone 24
Amy Dehner 28
Isabel María Gómez 32
Victoria Allee 36
Tithirat Siripattanalert 42

TALENT BOARD 38

CAREER PERSPECTIVES
Mentoring in 2023: Creating the ‘Perfect Pair’ 48
Five high performing habits to help you reach the next level of best self 52
The nonlinear road to CISO 56

JOB BOARD 62

INDUSTRY PERSPECTIVES
Is it time for a personal C-I-A triad? 70
APAC nations offered free training to counter quantum computing threats 73
The weight of authority 74
Spotting and reporting a scam 76
Leading early: Identifying leadership qualities in yourself for a more fulfilling career in security 78

TECHNOLOGY PERSPECTIVES
Are SOCs the new black? 86
Why Zero Trust needs Systems Engineering 88

STUDENT IN SECURITY SPOTLIGHT
Elizabeth Aidi Kamau 94
Solange Fecci 96
Hyesoo Cho 98
Sarah East 100

THE LEARNING HUB 106
TURN IT UP 110
OFF THE SHELF 112
SURFING THE NET 116

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Rachel Lee

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.

©Copyright 2023 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.

FEATURE

DESPITE AMBITIONS FOR EQUALITY, SECURITY’S GENDER SPLIT IS STILL FALLING SHORT OF EXPECTATIONS
by David Braue

Can new transparency laws and better data help reach the 2030 gender equality target?

The Commonwealth Government’s moves to mandate the disclosure of details about Australia’s gender pay gap may be a significant move towards the oft-stated goal of closing the gap by 2030, but the fact that such legislation is necessary highlights just how slow the push towards equality continues to be.

The Workplace Gender Equality Amendment (Closing the Gender Pay Gap) Bill 2023 — introduced into Parliament on 8 February — will tap data already provided by employers and will force companies with 100 or more workers to publish data on their gender pay gap on the website of the Workplace Gender Equality Agency (WGEA), the national body charged with promoting the cause of gender equality in Australia.

Announcing the new legislation, the Minister for Women, Katy Gallagher, said women in Australia were earning 14.1 percent less than their male counterparts. And she said that, at current rates, it would take 26 years to close the gender pay gap.

“Women have waited long enough for the pay gap to close,” Gallagher said. “Let’s not wait another quarter of a century.”

During fiscal 2021-22, WGEA figures show women earned, on average, $26,596 less than men. They also show that, despite 53 percent of employers having set some form of voluntary target for gender equality in the workplace, just one in five boards of directors were gender balanced and more than one in five boards had no women members.

The new law would see publication of gender pay gap data starting in 2024, improving transparency for a business community that has often talked the talk of gender equality without walking the walk.

It is the latest in a series of measures by the new government designed to shine a light on the business community’s ongoing challenges to deliver gender equality.

Following the lead of countries such as the UK, US, Canada, and Denmark, Australia recently banned employment contracts that include pay secrecy clauses, hoping to spur the kind of change that has already been observed in other countries.

Research has shown that allowing employees to share and publicly discuss their salaries has reduced Canada’s gender pay gap by more than 20 percent and increased the salaries of US women by between four and 12 percent.

Authorities hope better numbers and the sense of market competition they bring will do the same in Australia and other countries facing similar gender pay gaps.

“At a time when Australia is experiencing a critical skills and labour shortage, too many employers have failed to step up on gender equality leaving many women no better off than they were 12 months ago,” WGEA director Mary Wooldridge said. “This failure to improve needs to be a clarion call for all employers.”

EQUALITY IN 2030 – OR 2320?
Australia’s ongoing struggles to improve gender equality are echoed in every country. The United Nations — which has positioned gender equality as the fifth of its 17 core Sustainable Development Goals (SDG) for 2030 — recently warned that it could take nearly 300 years to achieve full gender equality worldwide.

Fewer than half of all women of working age are in the job market, according to the UN. Secretary-general António Guterres said only 7.4 percent of Fortune 500 companies had female CEOs, and “Progress towards equal power and equal rights for women remains elusive.”

Socially and economically disadvantaged women across the world face broad systemic and cultural challenges. However, the relatively well-educated and well-trained workforce of the security industry has the opportunity to help the world move towards broader gender equality.

It will be a long-term fight, and equality efforts continue to gather momentum slowly. That is why, as well as promoting equality-focused corporate cultures, businesses, schools and community groups need to continue promoting security and tech-related careers to girls early in their schooling.

According to Yolande Strengers, Professor of Digital Technology and Society in the Faculty of Information Technology at Monash University, “There is a ‘diversity crisis’ in computing disciplines where girls and women account for only 28 percent of enrolments globally in information and communications technology. Progress has been slow, and in some cases we are falling further behind.”

Women currently comprise around 25 percent of the cybersecurity workforce, a figure similar to those reported for advanced disciplines like artificial intelligence (AI). Strengers said this figure was concerning in light of the need to ensure women are equally involved in the cutting-edge fields that will shape technology during the rest of this decade.

“In order to develop an inclusive discipline that invites people in through multiple pathways we must reposition, redefine and recognise that AI and other advanced sciences are social sciences as well as technical ones,” she said.

Despite setbacks to date, Jen Easterly, director of the US Cyber Security and Infrastructure Agency (CISA), remains optimistic that it is still possible for the cybersecurity industry to get to 50 percent women by 2030.

The key, she told a panel discussion during the recent CES 2023 conference, is “really embracing corporate cyber responsibility as a matter of good governance and good corporate citizenship [and] fundamentally shifting the paradigm of how government and industry work together to ensure persistent collaboration.”

She said increased visibility of gender diversity would be important: by being more open about cybersecurity’s weak spots, it would become possible to reshape the “episodic, unidirectional, non-transparent, non-responsive relationship we have… [into] one that is much more focused on shared responsibility for cyber safety.”

ALL IN THIS TOGETHER
Nurturing a sense of shared responsibility necessarily requires including women more equally in decision-making and action around cybersecurity, and that means building an organisational culture that values the involvement of women from the top of the organisation to the bottom, as opposed to simply placing them in high-profile policymaking and enforcement positions.

“It shouldn’t be that [in 2023] we have to fight for women being in tech,” Jeetu Patel, a Cisco executive vice president and general manager who is also Cisco’s global executive sponsor for women, said at the recent Cisco Live! Conference.

“For every decision you make, if you actually have a combination of enough perspectives from women in that decision, you will just make a better decision, and we as a world will get better if everyone has an equal opportunity to participate in the global economy.”

And while this may seem common sense to many, Patel said the ongoing need for new laws and policies shows just how stuck in the old ways the world continues to be.

“[Equal opportunity] should just be assumed,” he said. “I hope that, in the next few years, it becomes assumed, so this is not something we have to fight to have. Every leader is accountable to make sure that 50 percent of the team, over time, becomes women so that we can have a better team of leaders in the organisation.”

However, to reach these goals it is necessary to have the means to track them, which goes back to the objectives of new pay transparency legislation being introduced around the globe.

You cannot change what you cannot measure, which is why improved data collection and transparency can make all the difference for companies that have, despite long-winded corporate mission statements espousing their commitments to diversity, so far failed to build the momentum necessary for real change.

“It’s all about knowing what’s happening in society, being a part of it, and being collaborative,” Gartner senior director analyst Donna Medeiros said at the company’s recent Gartner Data & Analytics Summit, where she highlighted the value of better data in driving corporate decision-making around areas such as social justice and diversity.

In many scenarios, Medeiros explained, “companies are waiting and deciding if they should be in on an issue or not. There are a lot of social issues going around, polarising employees, companies and societies right now, and maybe nobody wants to be the first person.

“But this scenario doesn’t mean you can’t do anything; it means you should be collecting information on what’s going on so you can inform your leadership and your board on what should happen if they really want to move out of the gate. … Consider yourselves agents of change for good for society, and think about the greater implications of all your planning.”

WGEA’s Wooldridge said, ultimately, “lasting change requires employers to make bold, creative choices that send a signal to all employees that gender equality is a core part of their business strategy and a priority for those in leadership and managerial roles.”

Better data “is a chance to measure how your organisation’s workforce composition and policies — and strategies for recruitment, promotion and retention — shape up against the competition,” she continued, “Because if you’re not making progress on these things, your employees will realise there are others who are.”

COLUMN

AMANDA-JANE TURNER
Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities. This regular column will explore various aspects of cybercrime in an easy-to-understand manner to help everyone become more cyber safe.

All cybercrime victims are equal, but…

Equity refers to being impartial and fair, treating all people the same regardless of any real or imagined differences. How do we apply this concept of equity to victims of cybercrime?

Have you ever read about the victim of a get-rich-quick fraud and thought “serves them right for being greedy”? How many times have you heard about the victim of a romance scam and thought, “serves them right for being gullible, or desperate”? How about when a large agency is impacted by ransomware or online fraud? How many of us have read about companies blaming the person who unknowingly let the malware in or fell victim to a business email compromise fraud? What about when an elderly person is scammed by a cybercriminal? Do we feel empathy for the victim that would be lacking if a younger person had been scammed?

A very insightful peer-reviewed article by Dr Cassandra Cross, Associate Professor in the School of Justice at QUT, No laughing matter, blaming the victim of online fraud (2015), found that, despite an increase in awareness of cybercrime, there is still an “overwhelming sense of blame and responsibility levelled at [the victims.”

Take a moment to think about this. In reality, the only person, or persons, to blame for cybercrime are the criminals. Regardless of what bait was used to successfully trick a victim, whatever unpatched exploit a criminal wormed their way through to impact a network, the blame for cybercrime should fall solely on the criminal. Yes, everyone needs to ensure they operate with cybersecurity in mind whether they be a large organisation or an individual, and we need to mitigate the risk of cyber threats as much as practicable. We also need to react to cybercrime effectively. That being said, the blame for cybercrime should be laid solely at the feet of the criminals.

I say this at conferences. I said it in a keynote last year. I say it in lectures, and I say it frequently in everyday conversations: anyone can become a victim of cybercrime, none of us is immune. Knowing that to be true, we need to ensure we treat victims of cybercrime impartially and fairly. The exponential growth of cybercrime means it is only a matter of time before we, someone we know or somewhere we work will be impacted.

Unconscious bias can make us feel that a victim of cybercrime somehow brought it on themselves. Instead, let’s have a New Year with new, healthier thought patterns. Let us all model treating all victims of cybercrime equally.

www.linkedin.com/in/amandajane1
www.demystifycyber.com.au

WHAT’S HER JOURNEY?

Lydia Kretschmer
Expert Security Operations Manager at European Commodity Clearing AG

Lydia Kretschmer is a security operations manager and blue teamer with European Commodity Clearing (ECC), the leading clearing house for energy and commodity products in Europe. It is a role far removed from those she held earlier in her career: in the fashion industry.

“I was actively looking for a profession in which I would never get bored or stuck,” she says, adding “That’s why I try to become comfortable with feeling uncomfortable because without struggle there is no progress.”

Her interest in cybersecurity was first piqued when studying for a bachelor of science in Wirtschaftsinformatik (business information systems) at Leipzig University in Germany.

“I read a lot of articles and books about digitalisation and the impact it has on society,” she says. “I was particularly interested in privacy and its limitations in the digital world. Eventually I decided I wanted to make an impact in society’s digital transformation by protecting human rights in the digital space.”

A MULTIPOTENTIALITE
Her first steps to a career in cybersecurity were through self-learning. She read a lot of research papers, books and articles, followed NGOs that focused on human rights in the digital space and trained herself in information technology with self-paced learning courses, mostly Udemy.

Although Kretschmer knew she wanted a career in cybersecurity she had no clear vision of the roles she wanted to play and describes herself as a multipotentialite: someone with many interests and creative pursuits. She arrived at her current role serendipitously: she was contacted by a recruiter and “thought it might be a good opportunity to grow my skillset.”

She says she is still trying “to better understand what working conditions fit me best and how to benefit from previously gained knowledge in my current position.”

Kretschmer describes herself as a well-organised person who needs a clear structure in her work environment. “Work visualisation is as important as team management. Additionally, I need a clear vision and guidance on how being successful at my job is defined by the company.”

Her preference is to work remotely with social get-togethers on rare occasions, but she says “having the opportunity to work in an office from time to time would be awesome.”

THE CHALLENGE OF MOTIVATION
She finds the most challenging aspect of her role to be not its technical aspects but “motivating all stakeholders to participate in cybersecurity instead of developing security-averse behaviour, because better security often comes with a downside in usability and practicability, eg getting things done quickly, especially in a highly regulated environment like the banking industry.”

She aims to overcome these challenges by “always trying to enact a smart and inclusive work environment to create win-win situations while improving the overall security posture,” and adds “I make an impact by improving the overall security posture of the company. That is making me proud.”

For anyone contemplating a radical career shift into cybersecurity, Kretschmer’s advice is that success is a state of mind. “If you want success, start thinking of yourself as a success. Love yourself, know your worth and accept growth. Appreciate life. These things will help you through any situation.”

She says, in cybersecurity, success depends also on persistent learning and a can-do attitude. “Every expert was once a beginner, so the best time to start is now. Apply for the roles you want while constantly improving yourself.”

Aspects of cybersecurity that Kretschmer sees coming to the fore in the near future include the use of artificial intelligence (or more precisely machine learning) to detect threats and anomalies. “In SIEM/SOC, it is called predictive maintenance. In automated security assessment, it is called breach and attack simulation.”

For her own role as a blue teamer, Kretschmer says she needs a profound understanding of attack types and methods and wants to enhance her offensive security skills. “If I’m able to analyse an asset like an attacker, I can provide better security recommendations as well.”

www.linkedin.com/in/lydia-kretschmer-4b3090132

Mandeep Kaur
Consultant - Cyber Security Architect at EY

Mandeep Kaur gained a bachelor’s degree in information technology from Guru Tegh Bahadur Institute Of Technology in New Delhi in 2018. She soon realised coding was not for her but became fascinated by communication networks and how businesses are dependent on routers, switches, etc.

However, she was unable to secure a role in communications and instead joined EY GDS (India) as a consultant data analyst in the audit department. She was responsible for financial year data transformation solutions for various big firms, using the Alteryx data science and analytics software.

She held that role for only six months before following her passion for networking by signing up for a master’s degree in information technology in networking from Macquarie University. It was there she discovered cybersecurity.

“I had a few units related to cybersecurity that took my interest and I started reading more about them,” she recalls. Each semester, when presented with a choice of study units, she opted for those focussed on network security.

CYBERSECURITY CONSULTANT WITH EY
After graduation, in mid 2022, she joined EY in Sydney as a consultant cybersecurity architect. “As this is my very first job in cybersecurity, the most challenging aspect was to understand the practicality of any process and implement what I had learnt in my postgraduate studies,” she says.

“I am enjoying what interests me – learning the roots of cybersecurity and how it is applied to architecture frameworks. Everything I do in my current role is rewarding. Anyone choosing this path will continually be learning new skills and working to understand new technologies.”

Looking forward a few years, Kaur wants to gain security certifications such as CompTIA A+ and experience different areas of cybersecurity. “No matter what your end goal or the job title you desire in cybersecurity, the well-rounded practitioner has to spend time in general security areas such as InfoSec, CyberSec and AppSec or DevSecOps,” she says.

She is also keen to develop skill in penetration testing and sees people who have come to cyber from other specialisations as providing valuable role models. “In my experience they teach us the value of a career goal and how this can be found after experiencing different roles and learning from them.”

www.linkedin.com/in/mandeep-kaur29
Jacinta Hayward Customer support consultant and aspiring cybersecurity professional
disability sector she started her cybersecurity journey with some TryHackMe exercises. These teach cybersecurity and pentesting fundamentals. She also took some online courses and began watching YouTube videos and listening to podcasts such as The Darknet Diaries.
J
She is now undertaking Security Blue Team’s level 1 course and aims to pass its 24 hour exam. Students acinta Hayward is today a customer
have access to a cloud lab via an in-browser session
support consultant and aspiring cybersecurity professional in Perth with a healthcare tech company. She hopes to gain a cybersecurity role within a year after being turned on to the discipline by watching a TV program, Mr. Robot. The main character, Mr Robot, was an insurrectionary anarchist who joined a group of hacktivists that set out to destroy all debt records by encrypting the financial data of E Corp, the world’s largest conglomerate.

The program struck a chord with Hayward. “There is a scene where someone comes home from work and essentially all of the common devices in their home have been hacked: the temperature of the shower, the lights, the television and security system,” she recalls.

“It was a very uncomfortable scene to watch, but even more so when I found out that every hack in that TV show was realistic and something that could be accomplished today. I’ve always had a lot of smart home devices, so I began to learn about what kind of measures could be put in place to secure them.”

FROM DISABILITY SUPPORT TO CYBERSECURITY
After a number of years in various roles in the

for up to 24 hours and must answer 20 task-based questions by using different tools, investigating different systems, and identifying activity across multiple tactics in MITRE ATT&CK, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

“The course and exercises are teaching me practical skills in subjects such as phishing, digital forensics, incident response and using SIEMs, which I feel are the most important subjects to enable me to pursue a technical role,” Hayward says.

She also participated in an Incident Response Challenge in November 2022 organised by the Australian Women in Security Network (AWSN) and Retrospect Labs that gave her cybersecurity aspirations a significant boost: her team came in sixth.

“This was a one-week practical exercise where I worked with a team of four other women. It required skills in digital forensics, communication/PR and governance/risk,” Hayward says.

“This was so important to me because I would have described myself as non-technical when I went into
this challenge and after teaching myself how to use various tools, I left the challenge feeling very accomplished and excited about digital forensics. Through this challenge I also met some incredible women on my team and ended up forming another team with some of them to compete in the WA Capture the Flag challenge later the next month.”

In addition to being a member of AWSN, Hayward has joined the Australian Information Security Association (AISA). “Both these organisations provide the opportunities to meet like-minded people within the cybersecurity space and there are many events where I can learn new things,” she says. “I am thrilled to have attended some of the AWSN events.”

FUTURE CHALLENGES
Looking forward, Hayward sees plenty of challenges for her future cybersecurity career. “I am really interested to see how biometrics will advance and be used for authentication, particularly as we see that it is becoming quicker to crack passwords. There is a lot of research into keystroke dynamics and how they could be used to identify a user based upon how they type.

“I’ve also been reading about ChatGPT and although it sounds like there will be some incredible opportunities for good with this, I am concerned that this interface could be used to create malware or assist scammers in creating better phishing campaigns. My main concern is it is so accessible and easy to use that news outlets are already reporting it being used in malicious attacks by people with minimal technical skills.”

(ChatGPT is a large language model developed by OpenAI. One of its key features is its ability to generate human-like text responses to prompts, making it useful for a wide range of applications, such as creating chatbots for customer service, generating responses to questions in online forums and personalised content for social media posts.)
www.linkedin.com/in/jacintah5155a5a9
Cairo Malet
Trust Leader

It was an accident. This is the usual answer I give when asked how I ended up working in cybersecurity. And while that answer is somewhat accurate, it does not really tell the whole story.

The truth is, I never actually intended to work in cybersecurity. I had never heard of it, and I did not study anything remotely related to security or technology. So, you may be asking - how did I end up here?

THE DREAM
My dream job was to be a diplomat. I loved politics and international relations. I believed in collaboration and social justice, and I had visions of traveling the world, meeting people and making the world a better place. To turn this dream into reality, I embarked on a degree in politics and international relations at university.

THE REALITY
While studying, I was also working in hospitality to support myself. Unexpectedly, this experience transformed me from a shy, anxious kid who hated talking to strangers into a confident, extrovert adult (or, at least, a very close approximation). The people skills I learnt there landed me my first job in technology.

BABY STEPS INTO TECH
Driven initially by a desire to stop working on weekends, I quit hospitality and found a tech support job with a company that valued people skills and was willing to teach the tech. This was where I first learnt how the internet actually worked, and applied my natural problem-solving skills to troubleshooting networking issues. I learned to support all kinds of internet access technologies from dialup to NBN, as well as a bunch of related services like mobile and IPTV. I do not think I am being dramatic when I say the first six months were a baptism of fire, given I once had to handle hardware that was actually on fire.

And while I did not love being yelled at by customers, which happened often, I definitely loved learning how all the pieces of the technology puzzle fitted together. And being able to fix things was a little exhilarating. I also had a lot of opportunities to fix processes and policies and provide training to my fellow customer service reps; activities I strongly believe solved a variety of problems before they even occurred.
CYBER WHAT?
It was there I had my first opportunity to move into a cybersecurity role. To be honest, the job description was a little intimidating. “What in the world is vulnerability scanning?” I remember asking myself. But once I got past the strange new terms, I recognised the role had a strong focus on policy, process and people. I knew I could do about 80 percent of it and learn the rest. Fortunately, the security manager agreed with me, and I landed my first cybersecurity role. For two years I learnt everything I could, performed my first vulnerability scans, figured out how to do risk assessments, worked on security policy and rolled with the changes that a PCI-DSS audit, an ISO27001 audit and new mandatory data retention regulations brought to our company.

I learnt a lot in that first role and, since then, I have made job choices driven by the desire to keep learning. This is why I have switched between internal roles and consulting roles and worked in security teams across telecommunications, software vendors and mining companies. I will not lie, it can be difficult adjusting to the changes, because everyone does security differently. But for me that is part of the interest, whether I am implementing ISO27001 for a software vendor or doing a deep dive risk assessment of a copper mine in Mongolia, the most important part is understanding why they do things differently and then figuring out how to make security actually work in that context.

BACK TO THAT DREAM
Unsurprisingly, I still have not made it into the Department of Foreign Affairs and Trade and I have never been on any kind of diplomatic mission. But when I look at my career so far, the main things that stick out for me are the intelligent and often weird people I have had the privilege of working with, and the positive changes I have managed to make to the security of the companies I have worked for and (I hope) the industry overall. That really is what I dreamt of doing.

If I have learnt anything it is that most careers are not meticulously planned and mapped out. Nor should they be. People are constantly changing, and so is the world around us. Our career trajectories should be similarly fluid. Who knows, we may actually find ourselves doing the things we always wanted to do all along (just with a few more computers than expected).
www.linkedin.com/in/cairo-m-137590b9
Jelena Zelenovic Matone
CISO, EU Institution

Jelena Zelenovic Matone’s day job is as CISO for an EU Institution in Luxembourg, but on the side she plays roles championing the cause of women in cybersecurity. She is president of Women Cyber Force, a Luxembourg organisation that brings together cybersecurity professionals with different nationalities, education and backgrounds who want to inspire and help future generations to better understand the importance of women in the sector.

Women Cyber Force, Matone says, has set an ambitious yet urgent goal to leverage the role of girls and women in the sector and support them in choosing a career in ICT that aligns with their interests. “We aim to create long-lasting career opportunities for women through mentoring and empowerment, as well as maintaining a network for future work opportunities within the field and helping each other,” she says.

She is also president of the Luxembourg chapter of Women4Cyber, a non-profit private European foundation that aims to promote, encourage and support the participation of women in cybersecurity. Women Cyber Force is supported by the Luxembourg Government and Women4Cyber by the European Cyber Security Organisation (ECSO).

“I firmly believe that women are gifted with a natural ability to plan, prepare and deliver in times of crisis or significant events,” Matone says. “We have the innate ability to ‘roll with the punches’ while maintaining our credibility and integrity, no matter what work or life throws our way. I am a strong proponent of the idea that ‘an ounce of prevention is worth a pound of cure’ and it is crucial for us as women to recognise the strengths that we possess beyond our intelligence.”

WANTING MORE WOMEN IN CYBERSECURITY
She is very keen to get more women into cybersecurity. “It is crucial for us as women to recognise the strengths that we possess beyond our intelligence. With the right opportunities and support, we can achieve great things.

“I believe in the potential of future generations, in their diversity, newly acquired skills, capacities, abilities and competencies. I believe that, if new generations of women believe in themselves and acquire self-confidence then the sky is the limit and the gender gap in the cybersecurity world will be a thing of
the past. Only by working together can we make a difference.”

Matone has spent her entire career in cybersecurity. “It really came naturally to me, and I went into it from day one. I have spent my studies and my whole career in this field, and having a passion for what you do is the key to drive you forward to success,” she says.

“I find that the good, the bad and the ugly aspects of the job are all worth it if you truly love what you do. I am constantly challenged and learning in this field, which I find extremely rewarding. I enjoy working with both technology and people to solve problems while also educating others about potential risks.

“The field of information security is constantly evolving and presents new challenges, but the sense of accomplishment and satisfaction it brings is unparalleled. I believe having a sense of purpose and being challenged in one’s work is essential for job satisfaction. As Steve Jobs once said, ‘Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do’.”

CAREER DOUBTS ARE NORMAL
However, she says it is normal for individuals to have doubts about their career choices, and for these and for others with less clarity of career vision: “It is important to continuously evaluate and reassess one’s career path and goals to ensure they align with one’s values, interests and aspirations. If someone is considering a career in cybersecurity and has doubts, they may want to speak with individuals already working in the field or gain more experience through internships or other opportunities to gain a better understanding of the field before making a decision.”

Matone started as a consultant in the early stages of the US Sarbanes-Oxley Act, passed by Congress in 2002. “I was fortunate enough to have the much-needed experience at that time. I was then supported by excellent managers who helped me pursue it further and obtain my CISA [ISACA Certified Information Systems Auditor] certification,” she says.

“From then on, I continued in the field, advancing as time passed. From one global organisation to another. I kept acquiring more knowledge and skills, which was (and still is) crucial to continue in this fast-paced environment where things change almost daily.”

For a CISO role such as hers, Matone says no specific degree or field of study is required, but having a background in computer science, engineering, information technology or a related field can be beneficial.

“Many CISOs have a combination of education and experience in both technology and business. There is no specific degree or field of study that is required to become a CISO, but having a background in computer science, engineering, information technology, or a related field can be beneficial. Many CISOs have a combination of education and experience in both technology and business. In addition to formal education, many CISOs also have relevant industry certifications such as CISSP, CISM, CISA and others.”

THE MULTISKILLED CISO
However, she says a successful CISO needs many
skills other than those demonstrated by cybersecurity certifications. “Roughly half of the skills needed are technical in nature, while the others are related to people and business. As a CISO, our role is very cross-functional and requires collaboration with all areas of the organisation, regardless of the projects or initiatives that come our way.”

She offers a very good summary of what a CISO role entails. “We must understand the business and its needs as well as the security requirements. We must also maintain good relationships with all stakeholders, including DPOs, IT security, various business units, CFOs, CEOs and senior management. Our recommendations may not always be well-received, so we must be able to effectively communicate the reasons for our actions.

“At the same time, we must be understanding of others and their priorities. This is where the challenge lies, because we must know how to efficiently identify areas of critical importance, establish partnerships with key stakeholders, identify the organisation’s ‘crown jewels’, map business risks to technology risks and develop a sound information security strategy that enables the business rather than hindering it. The role of a CISO is not just about managing technology, but also managing the risks that could prevent the organisation and its people from getting value out of information, which is the true ‘crown jewel’.”

Hers is a challenging role and Matone says achieving a good life balance can also be challenging. Her strategy is to maintain clear boundaries between work and personal life, such as by not checking work emails after a certain time, or not working on weekends unless it is essential, and setting and maintaining a schedule that allocates time for regular social activities.

However, she says it is also important to not be too rigid. “I am open to change, and I am adaptable in my lifestyle as I go through different phases of my life. It is important to be flexible and adjust work-life balance as needs change.”

She adds, “Remember that work-life balance is different for everyone and what works for one person may not work for another. It is important to find a balance that works for you and your lifestyle.”
www.linkedin.com/in/jelenazelenovic
Amy Dehner
CSO and Director of Global Corporate Security with Steelcase

In mid-2022 Amy Dehner took on the role of CSO and Director of Global Corporate Security with Steelcase, the leading manufacturer of furniture for offices, hospitals, and classrooms, based in Michigan, USA. The move marked her transition to the private sector after 18 years with Michigan State Police in multiple roles and, before that, eight years in the Michigan National Guard.

She says, as a law enforcement executive in a state-level agency, “it seemed a natural transition to seek opportunities in global settings where my skillset would best support operations across a diverse enterprise.”

Dehner knew she wanted to work in physical security and executive protection and says an important aspect of finding the right role was to work with a company to assist her to put together a resumé and LinkedIn profile that translated her public sector experience into private sector language.

“I didn’t place a great deal of focus on my exact role and how it might unfold in my new seat. Instead, I looked for a company that matched my professional values and placed a strong emphasis on employee engagement and development,” she says. “I knew the rest would fall into place if I found an opportunity that met those needs.”

In any career move Dehner says the primary factors she would consider would be a company’s values, as manifested through its words, products and the behaviours of its employees. “If those core components don’t match what I want to be a part of it’s probably not a position I would ultimately accept.”

THE IMPORTANCE OF COMPANY VALUES
For Dehner the ‘life’ part of work/life balance is not something that can be achieved entirely separate from the ‘work’ part. She says a good work/life balance is best achieved when “working for a company that truly values those same things,” adding: “having an employer set that tone makes replicating those things on a personal level incredibly easy to implement and embrace.”

At Steelcase she says, “the most rewarding part of my work is to be part of a company that understands the importance of governance, employee engagement and being at the leading edge of product innovation.”

These criteria are very similar to those she would advise any school leaver aspiring to a corporate security career to seek out. “Find the right company, one that values professional development, and the rest will take care of itself.”
And to prepare themselves for a corporate security career through university study, Dehner recommends aspiring corporate security professionals to “diversify your learning portfolio with cyber, digital forensics and intelligence analysis courses that allow you to cast a very wide net of academic experience.”

She did find the move into the private sector challenging because the policies and processes in a global private sector company were new. “But I’ve quickly found the organisational dynamics with culture, progress and employee engagement are nearly identical to the experiences I had in my public sector work.”

CHALLENGES AHEAD
However she sees no shortage of external challenges for all security professionals in the months and years ahead. “I think both cyber and corporate security will be challenged by geopolitical unrest and the associated ripple effects those events can cause. And continued widespread misinformation campaigns being waged across social media platforms and their impact to radicalisation (both domestically and foreign) will continue to dominate cyber and corporate strategies.”
www.linkedin.com/in/amydehner46
Isabel María Gómez
Global Chief Information Security Officer at Atento

Isabel María Gómez, Global CISO and senior advisor, has long-tested experience in security and information technologies, and in the course of her career has specialized in several areas related to security. Some of them are Risk Management, Cybersecurity, Continuity and Resilience IT, Privacy, Compliance and Digital Transformation.

She also has a wide-ranging legal, regulatory, technical, and financial background that lets her manage and coordinate different legal and technical areas efficiently. Previously, Isabel has held various executive roles in information security, reporting directly to the CEO, at leading companies in their respective lines of business, such as Atento, SegurCaixa, Bankia, and Medtronic.

Atento operates 100 contact centres in 14 countries with more than 90,000 workstations: a potentially massive attack surface.

Working for companies that operate all around the world, Gómez sees the limitations of technology, rather than people issues, as the biggest security challenge.

“We often hear that one of the main challenges is the lack of qualified personnel for some security disciplines. However, I think some security designs within technology (including software and hardware) are more challenging,” she says.

“Much progress has been made in the last decade, but the underlying problem remains that architectures that have not been cemented with security parameters will remain vulnerable. These small cracks in protection are a clear target for increasingly imaginative and innovative cyber attacks.

“Cybercriminals have at least the same tools as companies and far fewer obligations. Companies must understand that these threats are real, and those of us responsible for cybersecurity must train resilience and responsiveness to stop attacks as quickly as possible.”

NEW CHALLENGES AHEAD
She sees the cybersecurity challenge likely to get worse as new technologies such as artificial intelligence and quantum computing emerge that can be employed by cyber criminals as fast as, or faster than, they can be leveraged for protection.
“This is one of the key issues in cybersecurity today: these advances are already within the reach of everyone, not just companies. Cybercriminals are already using these advances to reduce the cost and time of each attack, making them an ever-greater threat.

“One example, without trying to give anyone any ideas: the use of ChatGPT for the optimisation of language models to compose messages in a more effective and credible way in phishing attacks is already one of the factors that increase the risk of property loss for the company.”

Gómez’s first professional project was to manage the UCA networks of the airports of Madrid, Barcelona and Palma de Mallorca. It was, she says, a defining event in her career.

“It was an unforgettable baptism in cybersecurity. Limited resources, cutting-edge technology and, above all, a demanding reaction capacity to solve problems in an agile way and at night, when the planes were not taking off or landing.

“Since then, many events and people have influenced my cybersecurity career, both intellectually and personally. I certainly feel fortunate to have discovered my professional purpose so early.”

IKIGAI: A DEFINITION OF PURPOSE
This experience led her to an understanding of the Japanese concept of ikigai, the process of defining one’s purpose in one’s working life.

The Westernised version of ikigai says you have found your dream career when your career includes what you love, what you are good at, what you can be paid for, what the world needs.

“In Spain, we say that the path is made by walking,” Gómez says. “At first I was not clear about the specific position I wanted to take. The only thing I was able to define was the direction I wanted to take, with the belief I would make the decisions that would bring me closer to that destination.

“I tried to articulate the kind of leadership I would like to develop in the cybersecurity field and over time I found some guidelines that helped me move forward: the pursuit of excellence in all security disciplines; projecting onto others the kind of leadership I would like to find; and marrying my personal values with my professional development. It is my deep conviction that integrity, loyalty and adaptability are the best catalysts in the worst crises.”

As Gómez’s cybersecurity career progressed she realised she needed to develop other skills. “As you move up the management ladder you need a broader field of vision. I understood it was essential to have a more global perspective, one that encompasses the entire company. So last year I took a General Management Program at the IESE Business School.

THE IMPORTANCE OF BUSINESS TRAINING
“Training at such a prestigious business school allows you to discover the levers that drive business management today, perfect your analytical and leadership skills, develop the ability to resolve strategic dilemmas, manage complex negotiations and align different stakeholders around a common vision. In short, after this training, I think better and with a broader perspective.”

She adds: “The message I would give to anyone interested in the world of cybersecurity is to never lose the curiosity to learn. The ability to adapt and overcome is key.

“While it is important to have a good mathematical foundation, you should not lose sight of other broader knowledge: philosophy, geopolitics, literature. You should keep on reading a lot and about many things. University is the end of the first stage of regulated knowledge that gives you access to a life full of other training that we do not even know today. As I said before, the path is made by walking.”

For Gómez that means walking with others. “What I enjoy the most and feel I make progress with is inspiring conversations. I like to surround myself with brilliant people who, each in their own field,
bring new approaches and ideas, not only in those related to security, but also in fields more distant from my day-to-day life, such as philosophy, sociology or macroeconomics.”

A SOURCE OF PERSONAL GROWTH
“These readings and conversations are an inexhaustible source of personal and professional development and offer extensive room for growth. My last conversation related to cybersecurity helped me to further deepen my understanding of the monetisation of risk impacts for companies.

“Working with people with expertise in other environments outside security enriches the teams and provides complementary visions that favour excellence in the response, both internally and externally.”
As an example she cites the recent addition to her team of a lawyer specialising in personal data protection. “Although cybersecurity is not his strong point, he has other skills and qualities that make him a great asset to the organisation, providing a regulatory and legal point of view that has allowed us to improve our response in the areas of legal and data protection.

“I believe that heterogeneous teams with different and cohesive profiles bring positive points of view for everyone. The challenge is to get them to function as a neural network. Once you discover the synapses between all the components, the benefits are palpable, both personally and professionally.”

www.linkedin.com/in/ismgomez
Victoria Allee
Founder at LT Strategic Consulting; Director of Security for Corporate Intelligence and Insider Threat at Lam Research

As a teenage migrant to the US from the former Soviet Union with very little English, two family bags and not one friend to lean on in what was then a foreign land, I instinctively learnt early that survival and success required perseverance, hard work and a ton of grit. So I went to school, took simultaneous English classes and did homework with a dictionary in hand. Those teenage years sucked, very much. But they were a necessary evil to teach me that, if I wanted to achieve something, it was on me to do it. I do not believe life is here to hand me favours and I consider myself lucky to live in a place where opportunity exists.

I was determined to succeed in whatever I did and ended up in a security career by chance. I was not sure what I would do with my undergraduate double major. Then, one day I looked at my chosen coursework and had an epiphany. I realised 95 percent of my classes had something to do with security matters: military intelligence, geopolitics, conflict resolution, counterintelligence and the like, probably as a result of my life journey. That was when I knew security to be my passion. With that clarity I entered graduate school choosing to major in international security and looking for a way to serve the country that had given me the opportunity to make something of myself.

I joined the United States Intelligence Community where I worked for the next decade and a half. In my time with the US Government I put the mission first but never lost focus on my wider goals: to grow, to never stop learning and to influence others. I worked very hard to establish myself in my career. I took on difficult assignments. I was not satisfied sitting in a cushy medium-sized office and going home at five o’clock. I wanted, and needed, more. I always asked for temporary duty assignments in other domestic and overseas offices and positioned myself to work extensively outside my agency and build cross-agency rapport.

All these steps proved worthwhile. In my government career I worked in three different field offices as well as headquarters, led responses to multiple terrorist events across the globe, represented the US government in more than 30 countries and personally trained investigators and analysts across several
continents. When I resigned I was an executive responsible for intelligence activities and personnel across Africa, Americas, Europe and the Middle East.

LIFELONG LEARNING: A CAREER STRATEGY
My decision to leave the government was not the result of a mid-life crisis but rather part of my strategic long-term plan. I believed everyone should lean in as they set their goals, so I sought to broaden my experience into the wider security arena. That required me to move outside my crisis management, incident response and physical security comfort zones. It required a step into the unfamiliar: cybersecurity. I accepted a job with a cybersecurity company as an executive advisor, despite never having worked in cybersecurity.

My experience making this transition serves as the main lesson I share with my mentees, particularly with women who want to enter security. “Think outside the box. Look at the skillset you have and learn (which is also a skillset) how to reshape that experience into what you seek,” I tell them.

I was in the same position when I decided I needed to gain ground in cybersecurity. I had no technical certifications and no direct cyber experience, but I had what I quickly realised were skills that filled a gap for a lot of companies with a security workforce: global leadership skills, strategic initiative ability, business acumen, collaboration skills and strong written and oral communication skills.

The rest is history. Through my leadership and soft skill abilities the private sector saw me as someone who their clientele could relate to and as someone who could be put in front of a C-suite member and translate the complex speech surrounding cybersecurity.

CREATE WHAT DOES NOT EXIST
However, at this juncture I was missing a piece: the
the thing that drives us to show up, to do our best, to be our best. So, believing in myself, I started my own consulting firm. In 2021 I founded LT Strategic Consulting focused on non-cyber security matters: business strategic planning, risk assessments, global threat reports, analytical support and the like.

The move gave me the best of both worlds. I enjoyed educating my clients—companies large and small—on how to identify their cyber risk appetite and how to help their businesses work with security. Meanwhile, creating my own company served as an avenue for all things outside of cybersecurity that I held dear. It filled the ‘mission-void’ that came after leaving government service.

COMING FULL CIRCLE
Having gained cybersecurity expertise I took on a new challenge that became my dream career allowing me to pool everything I had learnt across my almost 20 years in security and use every aspect of it in one role.

I am now Director of Security at Lam Research, a global company in the semiconductor industry, where I am responsible for building out enterprise-wide corporate intelligence and insider threat programs. I feel greatly honoured to be in these shoes. I get to combine in one role everything I know within the security umbrella: counterintelligence, behaviour analytics, intelligence analysis, cybersecurity and, most importantly, leading and managing people. My gratitude for being given this opportunity to continue my passion post-government is very deep. But most importantly, it is proof that you can do what you love. You can combine multiple skillsets into one great career, and you can (and will) succeed post-government service. I hope my experiences dissipate the fear in others that arises when leaving government service.

www.linkedin.com/in/victoriav3
passion we all want when we wake up every day,
I S S U E 13
WOMEN IN SECURITY MAGAZINE
37
TALENT BOARD
Ayla Narciso
WHAT POSITIONS ARE YOU LOOKING FOR? I am looking for an Internship or an Entry-level position in Cybersecurity.
PREFERRED STATE: New Zealand or any country that offers remote jobs.
WHAT KIND OF ROLE: As an intern or any entry-level positions in cybersecurity
WHAT’S YOUR EXPERTISE: I have knowledge in GRC, Ethical Hacking, and Networking, Coding using JavaScript and Python.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? I currently favour working remotely and in an environment where women are treated equally.
DM ON LINKED IN
Raelene Patiag
WHAT POSITIONS ARE YOU LOOKING FOR? Any Internship in the field of technology, ideally with elements of cybersecurity learnings, that would lead me into a more cybersecurity focused career.
PREFERRED STATE: NSW, Australia
WHAT KIND OF ROLE: I understand that due to my lack of experience I am not the most ideal candidate for most industries. However, I am willing to learn as much as I possibly can so being able to experience as many different roles would be ideal.
WHAT’S YOUR EXPERTISE: I recently completed my degree in Digital Forensics and I am currently studying to complete a few CompTIA certifications as well.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid work where I am able to work within a team, and with clients would be ideal.
DM ON LINKED IN
IN EACH ISSUE WE WILL PROFILE PEOPLE LOOKING FOR A NEW ROLE AND PROVIDE DETAILS OF THEIR EXPERTISE. IF ANY MEET YOUR REQUIREMENTS, YOU CAN CONTACT THEM VIA LINKEDIN.
Alison Correia
WHAT POSITIONS ARE YOU LOOKING FOR? Information Security Analyst/Penetration Tester
PREFERRED STATE: Massachusetts, United States
WHAT KIND OF ROLE: Information Security Analyst/Penetration Tester
WHAT’S YOUR EXPERTISE: I am a beginner in IT, I have my Google IT Support Specialist certificate and I am working towards my CompTIA A+. I have about 3 months of experience in IT due to my cohort that I completed with Generation USA.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? My ideal work environment is where I can work with a team, but also independently.
DM ON LINKED IN
Katherine Weissel
WHAT POSITIONS ARE YOU LOOKING FOR? Cybersecurity awareness training and consulting, cyber security policy development, crisis management training & consulting.
PREFERRED STATE: Queensland or NSW, Australia
WHAT KIND OF ROLE: Consultant, contract
WHAT’S YOUR EXPERTISE: Security, risk & threat management; security training & advisory; cybersecurity awareness training & advisory; counterterrorism; and, governance & investigations
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid/remote/flexible hours/WFH
DM ON LINKED IN
Sweta Bhattarai
WHAT POSITIONS ARE YOU LOOKING FOR? Security Operations Centre Analyst/Cyber Security Analyst
PREFERRED STATE: Western Australia, Australia
WHAT KIND OF ROLE: Entry level
WHAT’S YOUR EXPERTISE: My expertise is in the I.T Security field. After acquiring my Master Degree I have spent a year working at Capgemini, providing first and second level support to internal employees and contractors. This spans first level troubleshooting, priority incident resolution, vulnerability management and Windows server patching.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Ideally I would like to work in a corporate environment amongst other like minded individuals in my field. I am flexible with my work place and able to accommodate working from home or working in the office.
DM ON LINKED IN
Inna Sobol
WHAT POSITIONS ARE YOU LOOKING FOR? Security Awareness, Information Security or Helpdesk roles
PREFERRED STATE: Queensland, Australia
WHAT KIND OF ROLE: A team role
WHAT’S YOUR EXPERTISE: Have completed Cert IV in Cyber Security, Cisco routing, switches, documentation, AWS cloud (currently completing certifications)
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid/office/flexible hours
DM ON LINKED IN
Fatima Khan
WHAT POSITIONS ARE YOU LOOKING FOR? I’m interested in Cyber Threat Intelligence, Governance Risk and Compliance and Cyber Security Analyst related roles.
PREFERRED STATE: I’m primarily seeking a hybrid position in Sydney, Australia.
WHAT KIND OF ROLE: Individual and team based contributor – for nearly any kind of organisation.
WHAT’S YOUR EXPERTISE:
• Watchful professional offering comprehensive, hands-on experience identifying, investigating, and responding to information security alerts. Expertise in searching through data-sets to detect threats and anomalies and administering metrics to maintain security processes and controls. Focused on helping businesses safeguard sensitive data from hackers and cyber-criminals.
• Expertise in developing, implementing, and documenting security programs and policies while monitoring compliance across departments. Applying leading theories and concepts which contribute to the development, maintenance and implementation of information security standards, procedures, and guidelines.
• Developing plans to safeguard computer files against modification, destruction or disclosure while also maintaining the integrity of sensitive data.
• Performing risk analysis to identify appropriate security countermeasures.
WHAT’S YOUR IDEAL WORK ENVIRONMENT OR BENEFITS REQUIRED? Hybrid position in Sydney Metro area. Learning and development opportunities. Flexible work practices
DM ON LINKED IN
ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC? Contact us today and we can publish your details in the next issue of the magazine to help you find your next role.
aby@source2create.com.au
REACH OUT
Tithirat Siripattanalert
Group CISO and CDO at True Digital Group

Tithirat Siripattanalert is chief security officer and chief data officer at Thai telco, True Corporation. She has 23 years of leadership experience in the technical and operational aspects of cybersecurity, enterprise data management and risk management, and more than half a dozen industry certifications.

And what does she see as the most important quality for an aspiring cybersecurity professional? Passion. For people transitioning into cybersecurity from other roles, she says: “My only requirement is passion for cybersecurity, no matter which background they are from. I regularly arrange training, such as penetration testing, forensics investigation, purple team or security tool knowledge for all staff in any team who have passion for this knowledge.

“I support staff based on their personal goals and career development plans. I support job rotation and training across various cybersecurity domains for all staff. They are welcome to take on different roles in order to fulfill their career goals. I regularly have one-on-one meetings on career development plans with all staff to support them to be successful in the career goals.”

Similarly, when it comes to hiring staff, “We are looking for candidates with passion for cybersecurity. We have upskill training prepared for all new staff in various domains (pen testing, blue team, advisory, DevSecOps, cloud security, security tools implementation, etc). We support professional certificate training, on-the-job training and in-depth technical training. I would like to use coaching skill to groom my team members to meet the career goals.”

She adds: “In addition, soft skills such as change enablement, communication and influencing are important to being successful in a cybersecurity career, because we need to point out the importance of cybersecurity, change human behaviour and drive security improvement programs.”

A CAREER GOAL LONG SOUGHT
For Siripattanalert her current role is the fulfilment of long held ambitions. “I envisioned being a chief information security officer, managing all aspects of cybersecurity and using my skill and knowledge to help enterprises be protected from cyber attack,” she says.

“I was promoted to be chief data officer, fraud management and data protection officer. It has always been my great pleasure to have expanded responsibilities.”

She says the most challenging aspect of her role is “optimising investment to get the most effective cybersecurity solution. This requires asset classification, cyber risk assessment, threat modelling analysis, project prioritisation and keeping up with the state of art in cybersecurity technology.

“The objective is to get the greatest benefits for the organisation from the minimum security investment sufficient to protect critical assets against cyber attack, to detect any suspicious activities and stop breaches before there is any adverse impact to the organisation.”

In addition to the developments most see as having the biggest impact on cybersecurity in coming years — artificial intelligence, machine learning and quantum computing — Siripattanalert flags cybersecurity mesh as an important new technology for the protection of sensitive data. “It offers enhanced, more flexible and scalable protection beyond the existing physical boundaries,” she says. “It will be integrated and interoperable with various security tools in a holistic approach and provide a seamlessly integrated dashboard for the benefits of clients.”

CYBERSECURITY MESH: AN EMERGING TECHNOLOGY
According to Gartner, “Cybersecurity mesh, or cybersecurity mesh architecture (CSMA), is a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise. It builds on a strategy of integrating composable, distributed security tools by centralising the data and control planes to achieve more effective collaboration between tools. Outcomes include enhanced capabilities for detection, more efficient responses, consistent policy, posture and playbook management, and more adaptive and granular access control — all of which lead to better security.”

However, rather than cybersecurity mesh, Siripattanalert says her personal priority is to focus on AI. “At this stage, I would like to learn more on how to bring artificial intelligence into automated and accurate cyber detection.”

Siripattanalert cites two leading cybersecurity individuals as having been particularly significant in her career, FireEye founder Ashar Aziz and Vectra AI founder Hitesh Sheth.

“I met Ashar 10 years ago at a Financial Services Industry event in Singapore. His vision for cybersecurity is impressive. He is articulate and influential in the industry. And lately I met Vectra founder Hitesh Sheth. He is humble and puts a lot of effort into improving service capability and quality. He told me to treat him as ‘the first line support engineer’. That has been a critical influence to help me focus on customer satisfaction.”

www.linkedin.com/in/tithirat-siripattanalert-cisspgcih-cism-pcip-39ab2538
CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change, Special Recognition award winner at 2021 Australian Women in Security Awards

COLUMN

Let’s make 2023 a year to remember!

I don’t know about you, but 2022 was a big year for me. I had challenges. I had wins, accomplishments and a few failures. If I am to be completely honest, it was exhausting, but I feel it to have been rewarding on many levels. After three years locked up, isolating ourselves from each other, we came out in a big way. Conferences, events, business; all were thriving and alive with activity.

I am working with Baidam, a 100 percent Australian-owned and operated First Nations business delivering network and application security expertise. I can say with no doubt whatsoever, I love the organisation. It is not perfect. It is hard work, but we all have the same ambition to make a real difference so, when we move on, we will leave it better than when we came.

Making a difference; what does that mean really? In the context of Baidam it means helping to build and support Indigenous representation in ICT and in the cybersecurity industry in particular. The company is succeeding in that mission, but slowly. It is a marathon, not a 100 metre sprint. Some big plans for 2023 will help give this mission a huge shot in the arm. They are plans I am proud to be a part of, and I hope to truly make a difference, not just to Baidam and its development, not just to the clients who are our biggest supporters, but to aspirants trying to make their way into our sector. Things are going to change, and we will lead the way. Watch this space!

MAKING A SPLASH IN 2023
What about outside Baidam? My writing is going to make a splash in 2023 (maybe even a tsunami). Some of you may be aware of a co-authored project I worked on in 2022 with the amazing Caity Randall. Cyber awareness and education need some development. We have been trying hard as an industry to help increase individuals’ cyber knowledge, to help make everyone a little safer online. But, if we look closely, we see we are not making a great difference. Caity and I feel cyber education is being offered much too late in children’s schooling. So we have produced a book to educate mid-primary through to early high school students about the online world.

The book is called “The Shadow World” and will be available in May. Get ready. We believe if we can teach students along with their teachers or parents all will learn together and we will make a difference to the cyber education of the entire population, not only of young people. To this end we plan to give away 5,000 copies of the book to primary schools around the country.

That’s right, five thousand copies, for free! I will let that sink in for a second because it is huge, right?

Yes, it is huge, and it is only possible because of an amazing organisation that will fund the initial pilot, a proof of concept you might say. I will not reveal that organisation because I want it to have the opportunity to announce its support, and gain the kudos it deserves from this amazing initiative.

SCHOOL CYBER EDUCATION INITIATIVE
The idea is to find fifty primary schools that want to take part. Each school will receive approximately 100 copies to enable it to give one book to each student in either year five or year six. Teachers and students will be able to use the books to learn together. Students will be able to take their books home and talk to their parents about the contents. We hope giving every student in a particular year a copy of the book will produce wide educational benefits and kickstart generational change.

After the dust settles on this initial pilot we will be looking to bring in more sponsors to help us deliver the book to more schools. Our aim is to cover every primary school in Australia. We know that to be a big goal, a mammoth task. But if we do not aim high we will not produce the generational change and the real educational benefits we aim for.

MORE FORESIGHT BOOKS
My Foresight book series will also grow with two more instalments to be published in 2023: Shadow and Vulcan. Through them I will continue to encourage young women to see cybersecurity as a career option, to think “Hey, maybe I could do that. Maybe I could be like her.” Yes, you can, yes you should.

So, 2023 is not going to be easy. It will certainly be exhausting, but let us not waste time on pointless New Year resolutions. Let us stop talking about making a difference. Let us stand tall together, and put words into action. If you have something you wish to achieve, make a plan, put that plan into motion and do what you say you will do. Let us all make a real difference through education, support for equality and through actions rather than words.

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/AHackerIam
twitter.com/CraigFord_Cyber
Source2Create Spotlight
Events
Finding the right way to reach and approach your audience is key to success, that’s why we’re shining a light on our events. Our event services are readily available and used to deliver seamless experiences for both you and your audience. Our ‘Events-As-A-Service’ module allows you to break your event into modules and hand across the work you simply don’t have time to coordinate, or simply just want off your plate. S2C can do it all. We invest the time and energy into developing this strategy and plan, driven by data-based assumptions, to make your event a success. What are you waiting for?
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
CAREER PERSPECTIVES
LIZ PISNEY
MENTORING IN 2023: CREATING THE ‘PERFECT PAIR’
by Liz Pisney, Senior Director of Member Experience at ISACA

The spotlight on today’s cybersecurity professionals is blinding: the volume and variety of cyber attacks are increasing, placing them under extreme pressure to protect the reputation and wellbeing of the organisations that employ them. These challenges are exacerbated by the widespread shortage of security professionals and a drive to increase gender diversity in the profession.

No wonder it is critical to develop connectedness and mutual support among cybersecurity professionals.

REINVENTING MENTORING
At ISACA mentoring is making a comeback, and a newly designed program is geared towards finding the perfect pairing, or ‘mentor match’ as we like to call it. This program does much of the hard work by recommending pairings between participants who have complementary qualities and enabling mentees to filter potential mentors according to the criteria most meaningful for them. Mentees initiate matches by sending a connection request to a carefully selected mentor who will then accept the request if they have the experience and insight to support the mentee’s journey. Since the program’s launch in mid-2022 more than 1,800 participants representing 114 countries have joined.

For this article I have interviewed both a mentor and mentee to gain insights into their experiences and advice.

MEET AN ISACA MENTOR — SALESHNI SHARMA, DIRECTOR, REGIONAL INFORMATION SECURITY OFFICER – ASIA PACIFIC, WR BERKLEY CORPORATION.
Sharma is guiding five mentees so is well-qualified to reflect on the importance and benefits of a mentoring program.

A driving factor for Sharma becoming a mentor was her own experience as a migrant starting out in the information security sector. She says this would have been easier with a mentor. “But at that time there was no such program I was aware of, and staying in the information security industry was not easy. It requires continuous support, learning and development, combined with lots of commitment.”

While Sharma was not formally mentored, she did have the opportunity to work with outstanding leaders from whom she learnt, which aided her career development. These experiences are reflected in her own mentoring style, which she describes as attentive, role-modelling and motivating.

She says the most satisfying aspect of being a mentor is learning how the new generation thinks, reacts and responds. “It is a great environment to share learnings and experiences and is a way to give back to the industry and avoid someone making the same mistakes I made. I love meeting new people, building my network and working with someone to solve problems and achieve goals.

“On occasion, there are moments that challenge me, and it is always difficult to explain to a disheartened mentee when things do not seem fair that there may be something bigger and better.”

Sharma also has some advice for anyone considering becoming a mentor. “Start with someone you don’t know to avoid any bias. And, most importantly, listen to what your mentee is seeking and assist them as if you are mentoring your own team member. This will not only develop your skills but will have a profound impact on shaping someone’s career.”

She says mentoring is particularly valuable for developing the careers of female-identifying security professionals. “While the gender gap is closing there are still certain levels in the org chart where females are bypassed for promotions when they are more qualified, deliver better results and are far more experienced than their male counterparts.

“In my experience, mentoring programs provide the support they need to achieve their goals faster. My hope is that just knowing such programs exist will encourage more women to join and stay in the security industry.”

MEET AN ISACA MENTEE — EVA CHEN, GRC CONSULTANT, IONIZE PTY LTD.
Chen credits mentoring with giving her the courage to transition into cybersecurity from another industry and is a strong advocate for the wide-ranging benefits mentorship can provide.

“Not only was I transferring from another sector, but I was also entering the private sector for the first time, so I was feeling unsettled and started losing my confidence. I sought a mentor who had also transitioned from another industry so I could relate to their challenges and success stories. It was empowering for me to know I had someone in my corner encouraging me to stay in cybersecurity and helping me see things from a different perspective, outside my organisation.”

Mentoring provided the support Chen needed to reach her goals. “My mentor provided invaluable advice: focus on two or three streams to grow my cybersecurity skillsets, reflect regularly on what was going well and what could be improved, and keep a gratitude journal to help combat negative thoughts. These three pieces of advice guided me through the transition period and helped me to discover the paths I want to pursue.”

Chen completed her ISACA mentorship program profile which allowed the system to offer a list of prematched mentors. After narrowing the field to five potential mentors Chen initiated connection requests and was successful with her first connection.

To those considering seeking a mentor, Chen says it is okay not knowing initially what you want to achieve. “Do take time to think through what outcomes or long-term goals you hope to accomplish so the mentor can add value, and set a realistic timeframe with your mentor in which to achieve them.

“It’s also important to keep an open mind during communication and don’t be afraid to pivot and re-set your goals. You may discover a mentor’s fresh perspective opens up new areas to explore and develops your growth mindset and strategic thinking. While mentors may not have all the answers, they are there to enrich your knowledge and help you to get where you want to go. For me, a mentor provides a generous gift of their knowledge, time and perspectives.”

Chen believes there is still a long way to go to close the gender gap in cybersecurity, although there are many initiatives and support networks trying to do so. “It is not just about having more women entering the industry, it is also about fostering a culture of accepting women being in the security sector and giving them opportunities to grow so they will stay in the industry for longer.”

To find out more about ISACA’s new mentoring program, visit https://mentorship.isaca.org/

www.linkedin.com/in/lizpisney
2023 AUSTRALIAN WOMEN IN SECURITY AWARDS
12TH OCTOBER
Don’t Miss Out
VANNESSA MCCAMLEY

FIVE HIGH PERFORMING HABITS TO HELP YOU REACH THE NEXT LEVEL OF BEST SELF
by Vannessa McCamley, Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker

The wellbeing and mental stamina of many of us have been challenged over the past three years. The good news is that research into neuroplasticity (the brain’s ability to rewire and function differently) shows we never stop learning. When enabled to succeed our brains can build new and lasting behaviours that improve wellbeing and performance, regardless of age.

The key to enabling your brain is to carve out space for daily check-ins, even when you have a lot on. This allows you to better face known and unknown obstacles and let go of behaviours that no longer serve your purpose.

Good diet, movement, sleep, social connections, gratitude, relaxation and mindfulness are also important to provide the ‘fuel’ your brain needs.

Social connections are important regardless of whether we have introverted or extroverted personalities. We are emotionally and cognitively hardwired for connection and belonging.

Receiving affirmation is a powerful way for us to achieve personal growth and transformation, particularly if it comes in the form of stories describing moments when we are at our best. There are ways you can activate your best self at work every day. Here are five practices for noticing and capitalising on everyday opportunities for development based on your best self:

1. Noticing positive feedback
2. Reviewing your successes
3. Accepting gratitude
4. Organising your day based on when you do your best thinking
5. Practicing self-care

NOTICING POSITIVE FEEDBACK
Most people are well-attuned to critical feedback. It can be jarring, threatening and emotional and, as a result, quite memorable. In contrast, it is often easy to let positive feedback on your actions slip by. It might sometimes seem immodest to bask in the sunshine of praise. Therefore, it takes practice to savour moments of positivity and to hold them in your memory. Our brains are more sensitive to a threat or something bad than to a reward or something positive.

Tip 1: Capture these moments by creating a place (digital or written diary/folder) where you can preserve any good comments you receive. Thank you letters, social media testimonials and allusions to your work in email threads are all examples of such comments. Capturing this information over the year is useful for performance reviews, for sharing during team updates and/or in meetings with your manager.

Tip 2: Consciously identify a couple of key affirmation words you can use to give positive feedback to your inner self and help you focus on what is important to you. My key affirmation words in 2022 helped me focus on gratefulness, being in the present moment, letting go of the past and being in my precious now. They enhanced my listening skills and allowed me to make the most of precious moments. 2022 was one of the best years for my relationship with my husband, for helping our son successfully complete his HSC to get into his first-choice course at his preferred university, and for achieving my work goals.

What could you use as your key affirmation words to help you reach your intentions and goals?

REVIEWING YOUR SUCCESSES
Conduct after-action reviews of your own work to set benchmarks and identify best practices for future work based on key learnings.

If you receive positive feedback, take some time to write reflectively about the experience and to create a short narrative about what you did and the impact it achieved. Journaling is a powerful practice to help you see ways in which you can bring out your best self.

Tip 1: Reflect on how you can do more of this type of work, considering your business environment and the value and outcomes of your strengths.

Tip 2: Celebrate your wins and milestones along the journey. Identify who you want to celebrate with and how you want to celebrate. We are often so busy moving on to the next task that we do not take time to ‘smell the roses’, which is important for self-motivation and for motivating others we work with. What does your milestone for the next 30 days look like, and how would you like to celebrate it?

ACCEPTING GRATITUDE
Gratitude is strongly and consistently associated with greater happiness. Gratitude helps people experience positive emotions, relish good experiences, improve their health, deal with adversity and build strong connections. When we express gratitude and receive the same our brains release dopamine and serotonin, the two crucial neurotransmitters responsible for our emotions: they make us feel ‘good’.
They enhance our mood immediately. When you feel grateful, you experience synchronised activation of many parts of your brain, giving you positive effects.
Some of my clients and I have incorporated gratefulness into our way of life for a few key reasons. It allows us to reflect on what is important to us and it enables the good things in our lives to shine bright, regardless of how the day turned out.
Gratefulness allows us to be present and enjoy the positive things in our busy day rather than them being lost. Another benefit of sharing your gratitude with others is that it helps you connect with and appreciate others. You can stimulate the release of dopamine (the brain’s natural feel-good drug) in someone else.
During a recent online high-performance training program one of the attendees shared how grateful she was to be working and to have the option of working from home or the office, and how much she valued autonomy and choice.
Tip 1: Keep a journal in which to reflect on the three things you are grateful for each day. Share your gratefulness with others where and when possible. Research by Dr Joe Dispenza shows that four days of gratitude strengthen our immune system by almost 50 percent.
Tip 2: Personalised and handwritten thank you cards can really make a difference when showing gratitude. Such effort and thought can brighten and add value to those you work and collaborate with, and help take your connection to the next level.
ORGANISE YOUR DAY BASED ON WHEN YOU DO YOUR BEST THINKING
For decades, work was mostly undertaken in an office and between 9am and 5pm. But then COVID-19 forced us to work remotely, and many people discovered they could be more productive outside traditional work hours.
Others noticed they were most efficient working in small increments of time. There is an optimal way to work for everyone, but when and how they do their best work are different for every person.
Tip 1: Identify where and when you do your best thinking (morning, afternoon, evening or a combination). Protect this deep-thinking time from internal and external distractions to maximise your productive time and effort.
Tip 2: Allocate 5-15 minute brain breaks to increase your oxygen level between tasks and projects and help you reset, refocus and energise.
PRACTICING SELF-CARE
To optimise the workings of your brain it is vital to maximise energy throughout your day. The brain is a very hungry organ that can be likened to a mobile phone; if you have lots of apps and windows open, it slows down, shuts down or needs rebooting and charging. Your brain needs the right balance of fuel throughout the day and night to recharge. Back-to-back meetings, continual emails and multitasking are some of the things that drain its energy resources.
I liken self-care practices to the ‘plane oxygen mask’ rule. Every time I am on an aeroplane flight attendants explain the oxygen mask rule: put on your own mask before helping others. Prioritising your self-care is an important health tip. If you run out of fuel/energy you are not able to fully help and connect with those you serve.
Tip: Consider what activities you can do throughout your day and week to increase your oxygen level and refuel your brain, including activities like mindfulness brain breaks.
My self-care practices consist of yoga (In my experience having the right teacher makes a huge difference), paddle boarding in calm waters, taking a bath on the weekend with candles and relaxing music, using a five minute mindfulness app in the morning, stretching and reading a book before going to sleep.
Write down your self-care practice ideas and schedule the top three in your diary.
Your brain is your supercomputer and the biggest asset you own. How you set it up for success will have an impact not only on yourself but also on how you emotionally connect with and influence others. Ask yourself these questions every day: Who do I want to be? How do I want to show up for myself and for others? What fuels do I need and when do I operate at my best? Why is this important?
ABOUT VANNESSA MCCAMLEY
Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways. She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years of business experience to collaborating with individuals at all levels and from several industries. She is the author of Rewire for Success – an easy guide to using neuroscience to improve choices for work, life and wellbeing.
linksuccess.com.au/rewire-for-success
www.linkedin.com/in/vannessa-mccamley
linksuccess.com.au/contact-us
JENNA WHITMAN
THE NONLINEAR ROAD TO CISO by Jenna Whitman, CISO at Callaghan Innovation
As a 29-year old female CISO with Callaghan Innovation, I have seen firsthand the challenges that come with being a woman in the cybersecurity industry, and a professional. Thankfully, I have also seen and experienced the positive impact embracing equity can have.
Becoming the youngest CISO in the NZ public sector (I am accepting challenges on this!) has been nothing short of an interesting, yet unintentional, social experiment in how people respond to a young woman in charge. To me, demystifying the barriers to progressing into security leadership is essential to improving opportunity and achieving equity in a sector known for its antiquated model of what a leader looks and feels like (hint: not us).
To do this, I believe it is valuable to practice authenticity with my newfound platform, which includes sharing the self-doubt I had moving into this role. I was so doubting of my abilities that I tried to talk my own leaders out of offering me the opportunity (something I have only ever seen or heard women do). Thankfully, my leaders did not buy what I was selling at that moment. My doubts were likely fuelled by what I had seen and heard when other women were given opportunities. I hid my new appointment from nearly everyone in my personal and former professional circles for more than six months. I did not want to become the subject of criticism. Today, I am glad I took the leap and pushed through a barrier that many do not realise is there.
Rooted in Callaghan’s culture is a belief that people should experiment, ‘dive into the unknown’ and, reading between the lines, not be afraid to fail. The opportunity to experiment and create a rotational CISO position allowed me, and my counterpart at the time, to grow, learn and experience the C-suite as a safe space. That experience evolved into a full-time appointment.
I am human, and therefore very much afraid of failure: I am guaranteed to have failures ahead of me. And whilst I have industry-specific education and experience, my behaviour, mindset and aptitude are what carry the most weight and are most valued by my leaders, and now my industry peers.
This brings me to what I believe to be the most important aspects of success, equity and fulfilment: allies.
My allies are more than mere mentors. They have reached out to me, offered their wisdom, their tricks of the trade, openly discussed salaries, made introductions and given me their time and energy. This is what equity can look like.
When I reflect on my path to date, the allies in my professional life who helped me build momentum were themselves breakaways from the leadership stereotype I mentioned earlier. These powerhouse humans were women, they were rainbow community members, they were migrants, they were people with disabilities, and people who came from inequitable backgrounds. As someone who relates to many of those identifiers and who has often felt under-estimated because of them, this is not only about women helping other women break the glass ceiling. This is about demanding change in favour of openness and diversity in thought, lived experiences and values that align with the mission of a security professional.
Finally, I will share something more personal. From my early to mid 20s, I regularly met with a counsellor because I was struggling to navigate my path through life. I had lived in several countries and cities, tried various types of jobs and studied many different things. I was in my ‘workshop’ era. My counsellor made a brief statement that has stuck with me ever since. “Jenna, your path won’t be linear.” At the time, I was gutted by the fact that my paths through work and life looked random, but now I can see all the dabbling, variety and constant change I pursued have given me the depth, breadth and pace demanded of any CISO.
So, I am here to raise the flag and pass this message to others: a non-linear path is something you can be proud of, and I encourage everyone to see value in it. Equity and diversity go hand-in-hand; become an ally to others and make it a priority to have an ally in your corner. Go well.
ABOUT JENNA WHITMAN
Jenna Whitman (she/her) is the Chief Information Security Officer for New Zealand’s Innovation Agency, Callaghan Innovation. She has a Master of Strategic Studies from Victoria University, a Diploma of Intelligence from the Royal New Zealand Police College and is a qualified investigator. She also serves as a sitting member for the GovTech Security Community of Practice body. She is a keynote speaker who champions diversity, inclusion and authenticity in the security community. She lives in Wellington.
www.linkedin.com/in/jennawhitman
IT TAKES A GUIDING LIGHT TO FIND A WAY THROUGH THE DARKNESS by David Braue
Mentoring comes in many forms so make sure yours is working for you.
For all the talk about how to solve the diversity crisis in IT, it is easy to forget that the industry has suffered skills gaps before and, as Leonie Valentine remembers from her own experience, become stronger for it.
Valentine was one of many women who joined the tech industry in the late 1990s, and “sort of fell into technology” as the industry raced to recruit enough staff to address challenges such as the dot-com explosion and the Y2K Bug. She believes today’s skills-starved tech executives should learn from the strategies adopted by their counterparts two decades ago.
Valentine is a former Kaz, Telstra, CSL and Google executive. She was Australia Post’s executive general manager for customer experience and digital technology and now manages a tech-heavy team of more than 70 people. She told the recent ATSE Activate conference, “We had such a dire skills shortage that we were attracting a lot of women mid-career and retraining them.”
Her organisation had an influx of mid-career nurses, teachers and “people who just decided they wanted to be in tech.” It invested heavily in retraining those women to become testers, project managers, project co-ordinators and take on other roles.
“Over time, we actually got them into the higher-skilled positions,” said Valentine, adding that her current organisation maintains pathways from frontline roles “into what we would call the support office.”
She said a few technology team members had come from those frontline roles. “We’ve trained them up based on their desires. We can support their education, and help them through.”
This approach to hiring differs from many companies that evaluate technical candidates based on lists of security and other certifications. However, Valentine said, the flexibility of women and other diverse candidates to grow along with their employers will be crucial in helping today’s companies surmount the challenges of widespread skills shortages.
“Tech really needs a makeover,” she said, flagging the importance of constant vigilance by managers to ensure that diversity objectives are integrated into everyday practice.
“If we’re going to embrace the next generation of STEM leaders we also need to think and act very differently about how we embrace talent. I hold my team to account, to the hiring principles. If I’m seeing there are too many women and too many people from minorities being pushed out of our process too early, I ask questions.”
MENTORSHIP IS MOVING THE NEEDLE
Bringing more non-technical women into the industry will be crucial to addressing the lingering inequalities identified in the government’s recently updated STEM Equity Monitor, which found the number of women enrolling in STEM courses at university had increased by 24 percent between 2015 and 2020.
Despite the optimism such growth might engender, the cold, hard reality is that women make up just 36 percent of enrolments in university STEM courses and only 27 percent of the STEM workforce. And new graduates enter an industry where just 15 percent of women work in STEM-qualified occupations, and face an average gender pay gap of $26,784.
As Valentine and a myriad other leaders have found, helping women navigate these many challenges requires a commitment to diversity along with a mentor and a network to support their career development and their personal growth in what is often a foreign space.
Efforts to change recruitment strategies have helped CSIRO’s Data61 division dramatically improve the diversity of its new hires over the past 18 months, according to Stela Solar, director of CSIRO’s National Artificial Intelligence Centre (NAIC).
Women now comprise 55 percent of Data61’s new hires, Solar said, thanks to the success of initiatives that systematically retrained managers on the interviewing and hiring of new talent.
According to Solar, there is a lot of unconscious or conscious bias throughout the process, from how employers view resumés to how interviewers communicate with candidates in initial meetings.
“Contributing to our success in being able to attract 55 percent women was retraining managers and really focusing on manager capabilities,” she said. “So we cut through the differences and we find the talent.”
Mentorship has been game-changing for the skilled migrants who have been important in bolstering Australia’s inadequate pipeline of domestically produced workers, and for Engineers Australia CEO Romily Madew, close collaboration with such workers has made all the difference.
By engaging directly with skilled migrants working across a broad range of roles, Engineers Australia has been able to work closely with them to develop career pathways, internship programs and familiarisation programs and provide introductions and networks to help jump-start their careers.
“When you have industry working hand-in-hand with employers and connecting skilled migrants straight into opportunities we’re finding that, once they’ve finished these opportunities, they’re more likely to get a job, either within that organisation or another. There are pathways, but they need to be amplified,” Madew said.
MENTORING IS NOT JUST ABOUT MENTORING
Amplifying those pathways remains a highly individualised pursuit with each manager or industry veteran finding their own comfort zone when it comes to nurturing and supporting their mentees. However, mentees need more than simply having a mentor imparting advice if they are to succeed.
Corie Hawkins, London-based head of customer engineering with the UK/I retail team with Google Cloud said during a recent webinar that there was a wide gulf between mentorship and sponsorship: the latter entails actively helping promote the careers of the women being mentored, but many mentors still see their role as merely advisory.
“In a lot of these forums we focus a lot on mentoring and say, ‘it would be good if only women had someone in a role they could look up to, and see themselves in, and learn from’,” she said.
“However, it’s not everything. A mentor will talk with you, and impart their wisdom, but it’s a one-way relationship in some ways, where you get someone a little bit more senior and a little bit more experienced talking through things.”
According to Hawkins, the true value for women comes when mentors take the relationship a little further.
“Sponsorship is where that magic happens. It is where you have someone senior saying ‘I have an opportunity, and I know someone who’s really well suited for this opportunity. Let’s line them up for it’.
“I do think women are over mentored and under sponsored. If you think about it critically, who’s talking about you when you’re not in the room? Who’s thinking about the next opportunities for you, and opening those doors? It’s something I don’t think we’ve unlocked yet.”
For all their good intentions, many managers fall into the trap of having white males mentoring women, simply because those males comprise the majority of management. But it is valuable for companies to also consider ‘reverse mentoring’ in which those managers become the mentees to people from diverse backgrounds who can provide important perspectives on the challenges other employees may be facing.
“The mentors who are senior executives in an organisation need reverse mentoring to see what it feels like to be an employee there, and what else they can change to encourage people from diverse backgrounds,” explained Dr Edwin Joseph, president of the Multicultural Council of the Northern Territory, during a recent Australian Computer Society panel discussion.
“We need to see a good many more people from culturally diverse backgrounds in managerial roles,” he continued. “Because that will really change the actual organisational culture.”
Whichever way the mentor-mentee relationship is structured, keeping it mutually beneficial is not always easy, admits Geetha Gopal, Singapore-based head of infrastructure projects delivery and digital transformation with Panasonic Asia Pacific.
As a self-confessed ‘bossy’ woman who found herself the only female in a team of 150 people, and earning half as much as the men “because that’s how it is supposed to be,” Gopal was regularly told to tone down her opinions and apologise to customers “for no mistake of mine.”
She told the recent FutureCIO conference, “There were mentors for me among those men who saw my potential and saw how consistent I was in my delivery, and saw how I was made to apologise when I was not wrong.
“They were my allies, and over a period of time they handed me the biggest projects, and now I’ve handled the biggest data centre migrations in Singapore. It’s about how consistent you are, how you take feedback seriously, and how you continue to prove you can continue to break down these barriers.”
JOB BOARD
MANAGER - NATIONAL SECURITY AND EMERGENCY MANAGEMENT | NEW ZEALAND CUSTOMS SERVICE
WELLINGTON | NEW ZEALAND | ON-SITE
ABOUT THIS ROLE
You will lead a team that
• supports Customs participation in the National Security System
• ensures Customs has a highly effective readiness and response capability to major incidents and emergencies
• coordinates the Customs response to major incidents and emergencies of national security significance ensuring Customs’ actions are fully coordinated, both across the organisation and with the AoG response
• coordinates Customs participation in All-of-Government efforts to enhance New Zealand’s national security (including major event planning, readiness/preparedness exercises, providing advice on Security and Intelligence Board and Hazard Risk Board related matters)
• provides general support to the Group Manager II&E by managing assigned projects.
You will also be responsible for leading implementation of the II&E Strategy in terms of building resilience and readiness for the future and contributing to the National Security System more broadly. In addition to supporting the Group Manager II&E you will also provide assurance and support to the Chief Executive and Customs Executive Board on strategic-level national security issues. It requires effectively working across the sector, forming and managing key partnerships and building a strong and capable specialist workforce within team.
HOW TO APPLY
Please apply online. You will be asked to outline your relevant skills and experience and a few competency based questions along with why you are interested in the role. The online application process takes a bit of time and requires you to provide examples of previous work - specific questions are asked in the online process. It’s best to set aside some time when you won’t be interrupted. If shortlisted, you will be asked to complete online psychometric testing which includes a personality and leadership growth profile that will be used to aid your career development.
CYBER THREAT INTELLIGENCE SPECIALIST | MACQUARIE TELECOM GROUP
SYDNEY | NEW SOUTH WALES | AUSTRALIA | ON-SITE | FULL TIME | MID-SENIOR LEVEL
ABOUT THE ROLE
As a member of our growing team, you will perform analysis on new and emerging threats to Macquarie Government, our Products, and our customers. This is a hands-on role that requires an inquisitive, critical thinking individual who is capable of collecting and analysing data and understanding and articulating those threats to Detection Engineers, SOC Analysts, customers and Senior Management. A deep understanding of the Dark Web and an awareness of the tactics techniques and procedures (TTPs) of advanced persistent threats play a fundamental part of the role.
YOU LOVE
• Being part of something big.
• Keeping up to date with the latest in security tech and cyber security.
• Continually innovating and improving existing solutions
YOU MUST
• You have experience and knowledge of tracking attackers through network and endpoint artifacts.
• Hands-on experience with at least one major SIEM or SOAR technology Splunk preference.
• Experience with OSINT tools such as Shodan
• Have an understanding of existing and an interest in emerging threats that may impact Macquarie Government and its customers in the future.
This role requires someone eligible for security clearance so you will need to be an Australian Citizen to apply.
INFORMATION SECURITY EXPERT, VP | DEUTSCHE BANK
PUNE | MAHARASHTRA | INDIA | FULL TIME | MID-SENIOR LEVEL
ROLE DESCRIPTION
CSO Business Information Security tribe is responsible to conduct proactive Information Security (IS) Risk Assessment, controls assess ability and applicability reviews for the emerging technologies to design adaptable IS assessment framework to appropriately assess the security requirement for relevant Business Software, Infrastructures, and End-user developed applications. This role is for Product Owner, who would be engaging Senior stakeholders from Business and technology sides to assess IS requirements. The role holder would be responsible to deliver end to end support for assessments and remediation across the globe to ensure that the Information Security requirements for various assets within the Bank are safeguarded and mitigated from any potential risks.
YOUR KEY RESPONSIBILITIES
• Partner with senior stakeholders from business and technology to cover Information Security (IS) Risk Assessment, Assurance, Control remediation, and End-user developed applications (EUDA) Governance.
• Build strong relationships with various stakeholders, including but not limited to: ITAO / ITAO Delegates, ISO / TISO / Risk Managers/ EUDA Coordinators to complete Assessments and Remediation management
• Product owner for squad, to deliver end to end support for assessments and remediation across the globe to ensure that the Information Security requirements for various assets within the Bank.
• SME knowledge of Information Security and Risk Management as per IS policy and ISO 27001
• Proactively seek ways to improve upon existing practices and processes. Display insight and ability in identifying issues and develop successful solutions
• Focus on utilizing the capacity in an efficient and effective manner. Monthly tracker to be maintained
• Represent the process and provide inputs for the Monthly and Quarterly dashboards with performance and with any challenges faced or suggestions to improve the quality
CYBER SECURITY SPECIALIST | VODAFONE
ACCRA | GREATER ACCRA REGION | GHANA | HYBRID | FULL TIME
ROLE PURPOSE
The purpose of the role is to manage the Technology Security Governance, Risk, Compliance and Assurance needs across Vodafone Ghana. To further provide security assurance, guidance and support to high profile projects according to company defined policies and requirements, best practice and local/international standards (PCI, SOX, ISO27001, GDPR, POPIA and Cyber Crime Bill of 2015) relevant to the technology security area.
JOB RESPONSIBILITY
• Provide accurate and timely reporting of technology security risks identified during project engagement and propose remediation and mitigation options
• Participate in creation and execution of technology security strategy
• Ensure alignment of information security governance with the Vodafone Ghana’s business objectives, the information security strategy, plans and controls
• Ensure compliance with the applicable legislative and regulatory interpretation and corporate risk appetite;
• Lead, develop, manage, and maintain the network-wide information security governance deliverables lifecycle including compliance measurement, deviations, and exemptions
• Engage with the stakeholders on compliance to control effectiveness and deficiencies in the design and operating effectiveness of information security controls, design and recommend opportunities for continuous improvement
• Interpret and manage the controls and capabilities required for Vodafone Ghana to establish and comply with an information security management system in alignment with information security international best practice and/or industry standard(s)
• Develop, manage, and implement the Vodafone Ghana information security audit and assurance plans and schedules, including any specific business needs and requirements (including PCI, ISO27001, GDPR, POPIA, Cyber Crime Bill)
GLOBAL CYBER SECURITY PRACTICE LEADER | INTELLIAS
CROATIA | REMOTE | FULL TIME | MID-SENIOR LEVEL
ABOUT THE JOB
Intellias is looking for a seasoned leader with a strong technology background, who will shape Intellias Cyber Security technology practice as a part of Intellias technology strategy, in line with a company ambition to become a leading global technology partner. The position will drive Cyber Security technology area with a mission to set up and run special-purpose offerings, such as those around the creative, niche, and trendy technology: Cyber Security Consulting, Penetration Testing, Threat Modeling, Application Security Testing, Cloud Security, Secure SDLC, Manage Detection and Response, Security Operation Center.
RESPONSIBILITIES
• Setting up and running global Cyber Security Technology Practice;
• Design, lead, and manage with the respective team the Cyber Security practice;
• Build Cyber Security technology practice around Intellias existing expertise and drive the creation of new services and offering with respective Center of Excellences;
• Guide core Cyber Security Center of Excellence team and technology leaders;
• Alignment of our Cyber Security services and offerings across key verticals and domains: Automotive, FinTech, Telecom, Digital, Retail;
• Cooperation with sales enablement on measurement, operational framework and tracking of Cyber Security technology practice pre-sales and business development efforts;
• Lead the effective collaboration with sales and account management at both new and existing customers to drive new logos and influence revenue;
• Extend Cyber Security services and offerings portfolio;
• Shaping and executing technology practices strategy in close collaboration with the company’s functional leaders;
• Provide leadership and support to the Cyber Security technology practice to ensure revenue contribution, and overall cyber security team success;
• The external and internal representation of Intellias vision and roadmap for our Cyber Security technology practices strategy.
SENIOR SECURITY OPERATIONS ENGINEER (SOC) | BINANCE
MONTREAL, QC | REMOTE | FULL TIME | MID-SENIOR LEVEL
ABOUT THE JOB
Binance is the global blockchain company behind the world’s largest digital asset exchange by trading volume and users, serving a greater mission to accelerate cryptocurrency adoption and increase the freedom of money. Are you looking to be a part of the most influential company in the blockchain industry and contribute to the crypto-currency revolution that is changing the world?
RESPONSIBILITIES:
• Handle 7 × 24 hour security incident response.
• Formulation and implementation of security response plan and security assurance for the whole life cycle of the company system.
• Lead the team to enhance the ability of security situation perception.
REQUIREMENTS:
• 3 years+ security emergency response experience.
• Experienced in intrusion detection, event tracing and log analysis. Familiar with common attack and protection methods, deep understanding of the principles, utilization methods and solutions of common security vulnerabilities.
• Experienced in malicious feature extraction ability, familiar with Yara rules, have TTP analysis.
• Strong security techniques research ability to lead teams quickly iterate to new technology means or solutions.
• Familiar with EDR, HIDS solutions.
• Big data development foundation, familiar with Hadoop, Splunk, Elasticsearch, etc.
• Deep understanding of security operations: border defense, internal threats, risk management, etc.
• Team management experience.
• High stress handling ability, adapt to high-intensity work, have good communication ability.
RISK ENGINEER | SUNCORP GROUP
GREATER MELBOURNE AREA | ON-SITE | FULL TIME | GREAT BENEFITS
ABOUT THE JOB
• Permanent full-time opportunity
• Spend time in a variety of industries insured by Vero, learn and share your knowledge of property loss control supported by experts in the team
• A customer focused culture that delivers on excellence and provides a flexible work environment
• Melbourne based
• Hybrid role (home/city office/site) - control your day and workload
The purpose of this fantastic role is to provide a Risk Management service with a focus on providing property and asset protection. This role also involves the preparation of quality and timely reports on existing or new business for our property underwriting team. These reports are designed to provide an assessment of property exposures for underwriters to assist them in effectively underwriting the business. As well as providing the underwriting team with a clear and accurate assessment of potential loss scenarios arising from major risk exposures across a variety of industries.
KEY RESPONSIBILITIES INCLUDE
• Adopt a customer first approach in the promotion and delivery of our Risk Management proposition.
• Drafting of risk improvement recommendations to policyholders, designed to minimise the potential and/or consequence of a loss
• Undertake site based and desk top technical risk assessments at the request of Underwriting Staff
• Provide guidance and advice to underwriters upon request regarding property related risk exposures and their mitigation
• Represent Suncorp, and in particular Vero to brokers and customers
• Deliver property related risk management service, guidance and advice to customers and demonstrate Vero’s point of differentiation.
• Initiate, facilitate and enhance stakeholder relationships at all levels internally.
FTS CONSULTANT - EDISCOVERY (ENTRY LEVEL) | CLAYTON UTZ CANBERRA
ACT
AUSTRALIA
HYBRID
FULL TIME
THE FORENSICS AND TECHNOLOGY SERVICES TEAM
Clayton Utz is a leading Australian top tier law firm. Our Forensic & Technology Services (FTS) practice group is one of Australia’s fastest growing forensic practices and is an integral and thriving part of the firm. Rapid success and growth enables us to engage individuals who are seeking an opportunity to further drive the FTS practice, and be a part of our market leading projects working alongside a group of exceptional people.

KEY RESPONSIBILITIES
• Develop your skills in eDiscovery, digital forensic collection and analysis supported by appropriate training
• Working with Nuix and Relativity to prepare relevant workflows for all phases of review and analysis from collection and processing through to production
• Responsible for managing all phases of projects and communicating the status of tasks to team members to ensure tasks are completed in an accurate and efficient manner (within strict deadlines)
• Assisting the team in the coordination of resources for specific components of large projects or the overall coordination of smaller projects including instructing and assessing the work of Analysts and Paralegals
• Proactively manage own workload, meet set KPIs and accurately record time spent on tasks

SKILLS & EXPERIENCE
• Unrestricted working rights for Australia
• A drive to learn and contribute to a high performing technical team
• Tertiary qualifications in Law, Computer Science, IT, Software Engineering or similar
• Up to 2 years’ experience working in data analytics and/or IT (not essential)
• Demonstrated your ability to clearly and concisely present data, conclusions, and recommendations that are easily understandable to a variety of audiences
• Experience working in a team with strong time and project management skills

APPLY HERE
KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.
COLUMN

“From little things big things grow”

Diversity and equality: small words with big meanings, sometimes so very big you do not know where to start or what to do. I would like to start with a true story about how one person’s ‘small’ actions made a big difference to the people involved.

Back in the days of WW2 a young country lass knitted over 500 pairs of socks for the troops overseas and with each gift included a small note of support for the boys. So, in their darkest hours they were reminded that, while far away, they were never far from the thoughts of those back home. It was a small action that made a big impact.

Sometimes the small actions of a single person can make a big impact. So right here, right now, let us look at two things everyone can do to grow diversity and support equality in our industry.

Look beyond the CV.
When you are inundated with CVs for a job vacancy, work experience placement, internship or whatever, it is tempting to take a ’tick-the-box approach’ to cull the numbers. I get it. Time is money, but it might be well worth your while to choose a few candidates that stand out for qualities that cannot necessarily be taught: problem solving, lateral thinking, relationship building. Technical skills can (on the whole) be taught, but those other skills, not necessarily.

Diversity, equality and inclusion need to be more than buzzwords.
Actions speak louder than words. Make yourself approachable and available. Informal coffees (virtual and real) can provide a ‘real leg-up’ to those breaking into the industry. I know we are all busy, but spending a little time with a ‘newbie’ providing practical guidance is priceless. You could even invite them to an industry function as your guest!

And for those who are wondering about the story: it is true. The country lass was Jean Stephens and she was my grandmother.
www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
INDUSTRY PERSPECTIVES
A PROGRAM THAT CONNECTS, SUPPORTS AND INSPIRES FEMALE TERTIARY STUDENTS AND EARLY CAREER PROFESSIONALS EXPLORE A CAREER IN SECURITY. EXPLORERS WILL BE ABLE TO ACCESS MONTHLY WORKSHOPS, MENTORING OPPORTUNITIES AND INDUSTRY CONNECTIONS
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Explorers program today!" - Liz B, Co-Founder
Studying or an Early Career Professional in information security? Learn more at .awsn.org.au/initiatives/awsnexplorers/
ARE YOU INTERESTED?
Global Contributors WANTED

OUR NEXT ISSUE'S THEME:
Issue 14: Fostering innovation in cybersecurity through diversity and inclusion

WAYS YOU CAN CONTRIBUTE:

Contribute to one of our editorial sections
• What's Her Journey
• Career Perspectives
• Industry Perspectives
• Technology Perspectives
• Student in Security Spotlight

Run a listing for any of the following
• Have a book?
• Have a podcast?
• Have a blog?
• Have free training and learning opportunities available?

Submission Deadline: March 24th
REACH OUT TO ABY@SOURCE2CREATE.COM.AU TODAY
www.womeninsecuritymagazine.com
SAI HONIG
IS IT TIME FOR A PERSONAL C-I-A TRIAD? by Sai Honig, Engagement Security Consultant at Amazon Web Services
According to the Merriam-Webster dictionary accountability is “an obligation or willingness to accept responsibility or to account for one’s actions.”

As information security professionals we naturally hold ourselves accountable for ensuring the systems and data under our care are kept secure. We are constantly reminded of the C-I-A triad (see diagram on the next page).

How are we doing with our accountability to each other in information security? I have had reason to ask that question for myself. I have read comments where individuals and organisations have been publicly abused. This goes above sharing information about doing better. It is outright abuse. Our profession is stressful enough without the additional stress that results from personal attacks.

I suggest creating your own personal C-I-A triad, as I have done and as I will explain later in this article.

Recently, I had a conversation with a woman who reached out to me about setting up a network for women in information security in her country. She had just started getting a group of similar professional women together. She expressed frustration about one woman to whom she had given a ticket to a capture the flag (CTF) event. The woman did not show up and did not respond after the event. I suggested to my contact that, instead of complaining to me about someone I did not know, she should dedicate no further time or thought to the no-show and not invite her to any future events.

This woman who reached out to me had been inspired by what she had read about New Zealand Network for Women in Security (NZNWS). I told her that, over the last three years, my fellow co-founder Tash Bettridge and I had heard from many women, and men, who had said they wanted to assist with NZNWS. However, when we asked them to join us, we were met with silence. We have even been recipients of negative comments. Rather than complain about those who would ignore us, or even try to thwart us, the two of us moved forward with our own limited resources.

Eventually others saw what we were trying to do and joined us. We now have an active crew of ambassadors who have taken personal responsibility and accountability for preparing and presenting events in line with our mission. We are also fortunate to have international partners such as Women in Security magazine join us in our efforts.

[Diagram: the C-I-A triad of Confidentiality, Integrity and Availability]

ACCOUNTABILITY TO SELF
As women we are expected to give more readily of ourselves in our many roles. We are also expected to more readily forgive others. In doing so, where is the accountability to ourselves? Do we continue to drag others along who reap the benefit of our hard work with no effort on their part? Do we sit in silence while others take credit for our hard work? It can be a tough decision. As women, we are expected to be kind, forgiving and to serve everyone.

I once offered friendship and connections to someone I knew. She would come to me only when she needed something from me. During the years of our ‘friendship’ I only asked her to do one thing for me, at an event, and I expressed how important it was to me. She committed to do as I asked but when the event occurred, she failed to fulfil her commitment. She did not even express any remorse.

I reflected on the many times she had received support from me, which I had given without question, and I gave myself permission to speak my truth to her. I told her, politely and privately, that I could no longer continue the friendship. This may sound harsh, but in doing so I relieved myself of continuing to help someone who did not demonstrate accountability to me, my time or the connections I had built through my reputation.

EMPLOYER ACCOUNTABILITY
Employers should show accountability towards all their employees. How do they show respect for your hard work, experience, knowledge, teamwork and mentoring? This can be done in many ways including, but not limited to, offering paid educational opportunities, mentoring and leadership opportunities and, of course, promotions.

In addition, does the enterprise’s environment accept our many faceted selves? Does the enterprise hold itself accountable for helping us grow or when we face workplace challenges? I have left an employer because of racist statements made by others. I received no support from management, and I grew to distrust my colleagues.
The need for information security professionals is growing as are their responsibilities and workloads in line with the number and types of cyberattacks. So, why is accountability of employers to information security professionals falling? We see this in the number of reasons for the ‘great resignation’.

Our profession is seen only when something negative occurs. The general public does not see what it takes to keep systems and data safe. Staying on top of new technologies and the threats they bring is stressful. Sometimes we take that stress out on each other.

In looking back at the C-I-A triad, I can share my personal triad:
• Confidentiality – I have kept conversations between myself, other individuals and organisations confidential. I could have shouted to the world about the negative things said or done to me. I could have shared names of those who have tried to thwart our efforts to create NZNWS and make it a viable entity.
• Integrity – I maintain integrity by keeping my commitments. I also maintain integrity by sharing any difficulties I may have in keeping commitments to others. I expect the same level of integrity from others. If you make a commitment to me and are not able to keep it, just tell me. Otherwise, you lose my trust which is awfully hard to gain back.
• Availability – I allow myself to offer my precious time and network to those who will benefit. However, that availability may increase or decrease based on the type of interactions we have.

So, as women and as information security professionals, should we adopt one of the core tenets of our profession for the conduct of our personal interactions? Is it time for you to create your personal C-I-A triad?
www.linkedin.com/in/saihonig
APAC NATIONS OFFERED FREE TRAINING TO COUNTER QUANTUM COMPUTING THREATS

Monash University has teamed up with the Oceania Cyber Security Centre (OCSC) — an organisation established in 2016 by eight Victorian Universities and the Victorian Government to advance cybersecurity education and research in Australia and the Indo-Pacific — to train organisations across Asia Pacific how to protect information from the threats posed by quantum computing.

They have launched the Post-Quantum Cryptography in the Indo-Pacific Program (PQCIP) through which they will work with organisations and government bodies in Malaysia, Indonesia, Samoa, Tonga, Vanuatu, Papua New Guinea, Kiribati, Federated States of Micronesia, Tuvalu, the Cook Islands and Nauru.

OCSC head of research and capacity building, Dr James Boorman, said the program aimed to give participants advanced understanding of post-quantum cryptography, comprehensive knowledge of related tools, and the ability to develop their own transition plan to secure their organisations from quantum computing threats.

“The training will be adapted to fit the local needs, be available online for reference after the course and free for anyone managing or working in IT or cybersecurity within most government entities and organisations in any of the 11 countries, excluding military, intelligence or law-enforcement,” he said.

“Collaboratively standardising and enhancing cybersecurity within these countries will result in stronger relationships and data protection across the entire region.”

Specifically, the program will train cybersecurity and information technology professionals from participating organisations to understand and develop the capability to deploy NIST Post-Quantum Cryptography standards.

PQCIP is being funded by the US Department of State and all components will be available to identified participants free of charge. It will run from 2023 to 2025.

Cybersecurity experts from Monash and OCSC will provide participants with an assessment of their current post-quantum cybersecurity capabilities, tailored education, planning and cyber threat evaluation.

According to the program website, “Participants will finish the program with an advanced understanding of post-quantum cryptography challenges, knowledge of the tools to meet them, and [will] develop their own evaluated transition plan for their organisation … Through the course of the program, participants will learn to identify their knowledge gaps and what vulnerabilities against quantum computing attacks already exist in their systems.”

Organisations interested in participating in the program are requested to email their name, the name of the organisation they work for and their nationality to pqcip@monash.edu.
SIMON CARABETTA
THE WEIGHT OF AUTHORITY by Simon Carabetta, Business Operations Lead at ES2
Back in 2020 I was kindly invited by a friend of mine from the security industry to share some time with him during his regular weekly guest spot on AM radio at the prime time of 9pm on a Wednesday night. I was pretty excited at the chance to talk about the upcoming Cyber Week events I was organising through the job I held at the time.

However, it did not take long for me to be caught entirely off guard when the DJ introduced me as a cybersecurity expert.

Expert? Surely he had gathered some open-source intelligence and vetted me online? A quick look at my LinkedIn profile would have shown him otherwise. Or maybe he just took my then job title as justification for the expert moniker. Either way, I was completely thrown. The only thoughts sprinting through my mind in the nanoseconds I had to reply were on how I could come up with a polite way to inform him, and the audience, that I was certainly no expert.

Why would I make this correction such a priority? Because words matter. When a trusted radio personality with a decent audience and following introduces a guest as an expert, the audience will take everything that guest says as advice and pass that information on to others. It was not about saving face, and it certainly was not down to ego. It was because I did not want my words to carry the weight of authority.

Every event I present at, every interview I participate in and every chat I have with friends, family and colleagues, I preface my statements by saying I am not an expert, but an observer with a passion for what I do and the industry I work in.

Looking back at that radio interview, I think I saved it from becoming messier than it could have been, because a lot of the expected technical questions did not come. Instead, I was asked about the future of careers in security, what some of my top tips were, and I got the chance to plug my events, which made for a lot of fun in the end. Some light-hearted jokes were thrown around. The interview ended with a firm handshake and a “We’ll need to get you back on the show again, mate” from the DJ. He was a nice fellow. I had a good time with my mate on the show, and it was something I will remember fondly as being the time I saved myself from some real trouble.

These days, I still feel very uncomfortable being referred to as a cybersecurity expert, purely because I am not. There are very many real experts in this industry and I am sure they will not mind being called out: the likes of local West Australian experts such as Rachel Mahncke, Vanessa van Beek, and my amazing colleagues Andy Battle and Steve Simpson. These are all experts, and I am extremely proud to say I have worked with them all or collaborated with them in some way.

When I began formulating the main content for this article, I really started thinking about what makes an expert. Do experts recognise themselves as such? Do they also try their hardest not to be referred to as such? (Even though all the aforementioned legends certainly are). Does expert status require acronyms in front of and at the back of a person’s name (I have no idea what many of these mean) along with the coveted PhD? Does it require a long list of formal qualifications, certifications and dissertations? Does it simply require experience in a field and an extensive knowledge of all the subtle nuances of different avenues within security? Is expert status all of the above, or am I completely off the mark?

However, of one thing I am certain: the weight of authority is definitely something I do not want to bear in my career right now. Yet, if I want to progress further, I will certainly have to accept it. At the time of writing, I am in two distinct fields: project management and cyber/information security. It is at their intersection that I enjoy managing projects because they are security projects. And I enjoy the security projects because I do not have to deliver them personally (you are meant to laugh out loud at that!)

I am in no way an expert on project or program management, and I am certainly nowhere near being a security expert, but my passion for both is evidently there (more so for security) and I am learning more each day about both areas through the work I do, mostly thanks to the informative and helpful colleagues I am surrounded by. It is the latter who allow me to understand that an expert does not become an expert inside a bubble. Experts become experts because of their peers, their mentors and even their own students.

I do not have sufficient fingers to count the number of times I learnt more from my students in my teaching days than I learnt at university or through my teacher mentors. My experience in security has been similar. I am excited to begin my formal security education this year through the awesome Charles Sturt University. However, I also know, when the course finishes in October this year, I will still have so much more to learn, and a lot of that learning is going to come from colleagues, peers, mentors and mentees, for years to come.

So, maybe one day I will consider myself comfortable with the term ‘expert’… sometimes. I will probably still not like people referring to me as such, but at least I will be able to carry the weight of authority, sometimes. Why? Because words matter.

www.linkedin.com/in/simoncarabetta
SPOTTING AND REPORTING A SCAM
by Jay Hira, Director of Cyber Transformation at EY; Kavika Singhal, Cyber Security Consultant at EY; Sarah Box, Willyama Services - Project Manager

INTRODUCTION
Jay Hira

On New Year’s Eve as I was sipping a cuppa, getting ready to bring in the New Year with the family, my phone rang. It was a dear friend, and their voice was shaking. They told me they had fallen for a scam and needed me to lend a hand. I could hear the fear in their voice and the noise of fireworks in the background, which made it clear they were calling from a crowded public place, probably trying to escape the chaos of the celebration.

My friend had received a call from someone claiming to be from the tax office informing them they had an outstanding debt. The caller had used convincing lingo and official-sounding jargon, and my friend was so worried about the consequences of not paying the debt that they transferred the money as requested.

I could feel their fear, and knew we had to act swiftly. The rest of the New Year’s Eve celebration was a little subdued, but we went through a series of steps to control the damage and report what had happened through appropriate channels.

In early January when Australian Women in Security magazine editor Abigail Swabey reached out to check if our team was planning to contribute to Issue 13, we thought we would share this story to remind everybody to stay vigilant and be aware of the tactics used by scammers, and remind them of the channels they can use to report a scam.

SPOT A SCAM
Kavika Singhal

Scammers are becoming increasingly sophisticated, but their ultimate goal is to steal your money or personal information. To guard against these attempts, familiarise yourself with the following three steps.

1. Psychological awareness: protecting yourself from psychological manipulation.
• Be vigilant. Stay vigilant and think critically before responding to any requests for money or personal information.
• Identify red flags. Look out for red flags such as unrealistic offers, impersonation of authority figures, and false senses of urgency. These are common tactics used by scammers to trick their victims.
• Trust your instincts. If something seems too good to be true, it probably is. Do not be afraid to say no if you feel uncomfortable or unsure.

2. Technical measures: safeguarding your devices and online identity.
• Strong passwords. Use strong passwords or passphrases that are at least 12 characters long and include a combination of uppercase and lowercase letters, symbols, and numbers.
• Multifactor authentication. Enable multifactor authentication for extra security on your social media and email accounts.
• Regular security checks. Regularly check the security and privacy settings on your social media and email accounts to ensure they are up to date.
• Report unrecognised payments. Report any unauthorised transactions to your bank immediately.
• Avoid suspicious links or messages. Do not open suspicious links or messages from unknown sources.

3. Social awareness: spreading awareness and preventing others from becoming victims.
• Share your stories. If you are a victim of a scam or know about one, share your story with your friends and family to help prevent others from becoming victims.
• Educate others. Spread awareness and educate those around you about the dangers of scams and how to protect themselves.
• Create a safer community. Every small action can help create a safer and more informed community. By spreading awareness and sharing your experiences you can help protect others from falling victim to scams.

REPORT A SCAM
Sarah Box

Spotting a scam is crucial in the fight against fraudulent activities. However, scammers are constantly evolving their tactics, making it essential for individuals, businesses and organisations to stay vigilant and informed. To help you protect yourself and others from scams, here are three important channels you can turn to for support and resources, and for reporting when you have fallen prey to a scam.

1. Australian Cyber Security Centre (ACSC). If you have been the victim of a scam or security breach that involved the loss of personal information or funds, the ACSC is the place to go. You can log your report on their website at https://www.cyber.gov.au/acsc/report and track the progress of your case. In addition to reporting scams, the ACSC also offers valuable resources for small and medium businesses to help them educate their staff and team members on cybersecurity best practices.

2. Scam Watch. The Australian Competition and Consumer Commission (ACCC) runs Scam Watch, a website dedicated to tracking and reporting scams in Australia. You can find information on the latest scams and threats as well as real-life stories and advice on protecting yourself and your business. To report a scam, head to https://www.scamwatch.gov.au/.

3. Western Centre for Cybersecurity Aid & Community Engagement (Western CACE). If you have been the victim of a cyber incident, the Western CACE provides free services to help you respond and recover. They specialise in data breaches, ransomware, payment fraud, security controls and activations and offer a range of toolkits designed for small to medium-sized organisations. To access their resources, visit https://mycace.org/.

SUMMARY
Jay Hira

To protect ourselves and our loved ones from scams we must educate ourselves about common scams and how to prevent them. Reporting a scam helps bring scammers to justice and prevents others from falling victim. Let us all resolve to keep our community safe by educating ourselves and reporting scams.

www.linkedin.com/in/jayhira
www.linkedin.com/in/kavika-singhal
www.linkedin.com/in/sarah-b-25670667
STEPHANIE ROBINSON
LEADING EARLY: IDENTIFYING LEADERSHIP QUALITIES IN YOURSELF FOR A MORE FULFILLING CAREER IN SECURITY by Stephanie Robinson, Head of Partnerships at AWSN
It is more than twenty years since I started working
challenges. It was not until I stumbled into security
in security to establish the first cybersecurity centre
that I really felt I was not merely doing a job but
in a UK University. Looking back I now realise how
was part of something massive for society, and I
much confidence I showed in taking forward an idea
ran with it. I look back and remember how I was
considered a little (if not a lot!) off piste, academically.
constantly nervous, expecting someone to brand me an imposter, who ‘doesn’t belong here’. I still have
Twenty years ago there was little interest in
to catch myself occasionally apologising for not
generating investment in what were perceived as
being ‘technical’.
geeky or niche projects. However, this was a project that would shape my career and open up many new,
I felt out of my depth when I think of my younger
exciting and innovative opportunities, and one that
self sitting at the table at our first pitch meeting to
would eventually lead me to becoming the first female
industry with people who had done extraordinary,
director of advancement in engineering in one of
exciting things. I was out of my depth, but I did not
Australia’s top universities.
really care. I just wanted to be a part of it for as long as I could, take notes and try to fly under the radar.
In my early career I worked mainly in fundraising
78
roles. I loved the idea of knowing ‘what’s next’ in the
After studying law I had worked briefly in a legal
world. I worked with industry and philanthropists
practice, making coffee, becoming a pro with the
to fund new buildings, develop new medical
photocopier, preparing the mail. I could see it would
interventions and support the next generation
be a long route to partner and at that time, of the 12
of academics so they could solve our big global
partners in my practice only one was a woman.
W O M E N I N S E C U R I T Y M A G A Z I N E
M A R C H • A P R I L 2023
I N D U S T R Y
P E R S P E C T I V E S
She had built her career ‘the hard way’ and, getting
Because I was not the academic or the funder of
ready to retire, she was not going to make it easier for
the original concept I minimised my contribution for
women entering the profession. She was aggressive
years. I downplayed my role and modestly refused
and rude at times, disrespectful and loud. I could
to take credit for any success. However, with the
not relate to her style, but she was assigned as my
benefits of hindsight and greater experience, I can see
mentor regardless. I remember asking her in my first
there was more value in the part I played. I brought
week after being given particular instructions on
energy. I brought the ‘can do attitude’ and the follow
how to make a cup of tea (I am from Yorkshire so
through. I wrote a business plan for the first time in
those familiar with the culture will see the offence!)
my life, blatantly ignored polite professional barriers
“How do I get to where you are?” Her response was
that slowed me down, and I annoyed my boss by
that I would work it out for myself if I were good
committing time disproportionately to this project
enough. I left not long after.
when I had a whole portfolio of projects to fund.
When I took a job in development at a university in
I believed 100 percent in the ability of my academic
Leicester, I was tasked with asking the academic
group and partners to make the cybersecurity
department heads for development projects. Most people I met gave me standard and uninspiring answers or suggested they did not have time for anything new. Then I met the head of technology.

At that time more than 90 percent of students in all subjects were male. It was the smallest faculty on campus and in the past there had been minimal engagement with flashy people in development.

I asked my question “If money was no object, what would you be doing?” The answer I got changed my perspective, compelling me to find a way to realise the vision described to me: a cybersecurity centre, a telescope looking into the vastness of the internet universe.

Just over five years after that initial pitch conversation, the centre, including its industry research partners and academics, was relocated to a world top ten university where it now contributes to generating hundreds of millions of dollars in income from partnerships. In addition to its academic contribution, the centre has been at the forefront of gender equity action and, today, attracts an equal split of genders as well as backgrounds, ethnicity and cultures. The application process for its world-leading courses remains creative and accessible to those who can demonstrate their passion for security.

centre happen. They were my security rockstars. I saw myself in a supporting role and felt lucky to be working in such a fascinating, emerging field.

Looking back, I have only one regret: that I did not recognise the leadership I showed or allow myself the confidence to own my contribution. My advice to anyone in a similar position is to take regular time out to reflect on what you have achieved and keep a running list of lessons learned.

In those early years I exhausted myself at times trying to live up to misconceptions about what leadership should look like, but I have learned to embrace my female (and other) labels and celebrate them.

Learning to recognise my own leadership qualities has not only helped to advance my career, it has given me the freedom to celebrate my successes and, most importantly, recognise that self-leadership is vital for a fulfilling career and for helping others to become more fulfilled in theirs.

To find out more about AWSN programs, networks, and leadership, visit www.AWSN.org.au

www.linkedin.com/in/stephrobinson1
IN TIMES OF CONFLICT, WOMEN ARE STEPPING UP FOR THE CYBER FIGHT
by David Braue

Women are spearheading Ukraine’s response to Russian cyber aggression – and winning

As Russia’s invasion of Ukraine drags into its second year, its seismic effects are still being felt around the globe – not the least because of the heart-rending vision as families were separated, men under 60 years of age were sent to the front lines, and millions of women and children fled the country for safety.

For Natalia Tkachuk and myriad other women who stayed to fight a very different kind of war, however, the past year has been one of fighting back – and, she argues, “we’re not losing [but] winning in the cyber war.”

“In Ukraine, we have a totally different cyber threat landscape” in which typical concerns about ransomware have been eclipsed by “sophisticated, well-planned… state-sponsored cyber attacks against our critical infrastructure,” Tkachuk told the recent Council of Europe International Conference on Promoting the Role of Women in Preventing, Investigating and Prosecuting Cybercrime.

“Because of our women in this sphere, we are fighting really hard to protect our cyber space,” she continued. “We have an IT army, and there are lots of volunteers. Girls joined this army, and we are hitting the aggressor back. And we are doing good.”

“We are doing good, but of course it’s still not enough for women in this sphere,” said Tkachuk, a 20-year veteran of law enforcement and national security. “All this time I was talking about equal rights, and opportunities, and obligations for men and women. But when this war came, I understood that still there are differences [due to the conscription of men and the evacuation of so many women].”

Yet the choice is there for women who want to stay and fight – and on the front lines, or on the cyber
lines. In Ukraine, she said, “there are thousands and thousands of girls fighting shoulder to shoulder with men – and I think that we need to have the same in cybersecurity.”

“There are many talented, intelligent young girls who want to obtain an IT education, who want to do their career in combatting cybercrime,” she continued, “and we need to share this message that nobody can take this right from them.”

The role of women in Ukraine’s cyber defences is far from the first time women have resolved to fight for their country in times of conflict – even when they were not allowed to fight in combat, during previous wars women played significant roles in support, logistics, code-breaking, manufacturing war materiel, and more – yet amidst the carnage in Ukraine their determination and success on the cyber battlefield has been significant.

Despite Russian government cybersecurity teams and affiliated groups launching volley after volley of cyber attacks on Ukraine’s critical infrastructure – a strategy that spawned disastrous outcomes for the entire world when NotPetya escaped its Ukrainian target – it was kinetic attacks with missiles and tanks that left the country cold and without power through the winter.

FIGHTING TOGETHER IN NEW WAYS

With national critical infrastructure under more pressure from cyber attackers than ever, the empowerment of the women cybersecurity specialists fighting in Ukraine is a lesson for every country – and a look back at the last year of global cyber conflict highlights just how incessant the attacks have become.

In January alone, for example, Russia-linked hackers targeted Latvia’s Ministry of Defense with a phishing
campaign, while Serbian cyber specialists blocked attacks on the country’s Ministry of Internal Affairs; Malaysia’s national defence networks were attacked and successfully defended; Albanian government servers were targeted in ongoing campaigns; Nepalese government websites were hit with denial of service (DoS) attacks; and the UK’s Royal Mail was seriously disrupted after a significant attack by Russia-linked hackers.

Unlike Ukraine, most of those countries are not currently fighting a simultaneous kinetic war – but the damage that cyber attacks can cause is no less problematic.

That’s why, even as governments bolster their cyber teams to better defend against cyber attackers – and to directly take them on in recognition of significantly escalated mission statements – there have never been more opportunities for women to rise to the call by supporting national cyber defence efforts.

Women are playing a significant role in the cyber defence organisations in Australia, Minister for Cyber Security and Home Affairs Clare O’Neil recently told Cybercrime Magazine, with an “unbelievably diverse workforce – more so than any other part of the Australian Government that I can think of.”

Increasing the diversity of cyber incident management teams will be crucial to ensuring that cybersecurity teams not only come together in times of crisis, but that they maintain a baseline defence on an ongoing basis – and this, O’Neil said, requires a mindset shift on the part of government and business leaders alike.

“We cannot reduce cyber risk to zero,” she explained, “[because] the Internet is porous and in everything. Even if we take all the essential precautions, and we do all of the things to fortify our countries, cyber attacks will continue to occur.”

That means building diverse and effective cyber response forces is intimately tied to national defence: “part of our resilience for the future,” O’Neil said, “is how quickly we can get back off the mat and start punching back at these people.”

With a range of women working in cyber investigations and intelligence support – as well as what Australian Federal Police (AFP) Cybercrime Operations leading senior constable Jessica Neilsen called “a huge leadership team of females” – there are signs that the call for diversity is bearing fruit in many countries.

“One of the things that I’m really proud of being a woman and a police officer is the impact that women are having not only within cyber crime, but across all crime types,” said Neilsen, who was among the AFP cybersecurity specialists called to investigate what she only described as “a significant ransomware incident” late last year.

“Being able to work effectively and harmoniously with our male counterparts is really key to our success,” she added. “We have a lot of support from our male counterparts in the AFP, and I’m really proud of that because we can’t do this all by ourselves. It takes a great team to achieve results.”
Yet in many countries, efforts to engage women in cybercrime operations are still in very early days.

Having begun working in law enforcement at the age of 25, Shqipe Salihu – an IT forensic expert who is just one of two people conducting forensic cyber investigations within the Kosovo Police Unit for Examination of IT Equipment – found that “it was very hard for me to be respected as a professional.”

But with the support of both male and female peers, she said, she was able to engross herself in a field that she came to love.

“The challenge of learning something completely new, that is very complex but also very useful, dragged me into forensics,” she explained. “It took me a couple of years to settle into everything and to be respected, but I’m very thankful for the people that I had around who helped me and supported me to go through all obstacles.”

ALL HANDS ON DECK

As women embrace their potential in the context of national cyber teams, other countries are beginning to see the same call to arms – building new cyber capabilities, empowering women to participate, and passing new laws that give cyber teams more agency – that has helped Ukraine’s cyber defence to be so effective.

Cyber teams are increasingly finding that “being a woman is an advantage,” Ukraine’s Tkachuk said. “Women are smart, intelligent, and empathic – and sometimes that’s very important to solve some very difficult criminal and cyber crime cases.”

Yet as government cyber agencies recruit women and men alike, the realities of limited resources mean they are also looking to step up their engagement with private-sector organisations – which are becoming collateral damage in a time of major conflict, online and off.

“We live in a world where the critical infrastructure that Americans rely on every hour of every day to get our water, our communications, our transportation, our healthcare, and our education, is underpinned by a technology base that was created, effectively, in an insecure way,” said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), during the recent CES 2023 conference.

That insecurity had become a liability during the Russian invasion of Ukraine, with CISA launching its Shields Up! campaign to rally global businesses after it became clear the conflict would have repercussions far outside of Eastern Europe.

In Ukraine and outside of it, Easterly said, stiff resistance to cyber attacks had confounded Russia’s perceived cyber advantage – and helped limit the blast radius to ensure that the war didn’t spawn another NotPetya.

Russia “thought it was going to be a quick and easy drive down to Kyiv,” she explained, “but they found themselves in a gruelling ground war… and are fighting against a force that have shown themselves to be incredibly resilient and courageous.”

In Ukraine and elsewhere, that defence force has staved off cyber disaster for now – but that does not mean, Easterly warned, that the world can be complacent in staffing the cyber teams defending them.

“It’s not the asymmetry of capability” that is the problem, she said. “It’s the asymmetry of ethics.”

“It’s because these countries – and we’re seeing it kinetically with Russia and Ukraine – will do things to critical infrastructure that we won’t do. And so I worry more about these capabilities being used in really bad ways, by people who don’t have the democracy and values that we have.”
NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum

COLUMN

Agreeing with your partner about how your child uses tech

It is normal for parents to occasionally have different views on how they should parent their children. It is therefore understandable that tech usage rules for children can be difficult for parents to agree on.

One parent may enjoy playing online games and see no reason to restrict the children from doing the same. The other parent may have experienced sleep issues and noticed a difference when they stopped using their screen an hour before going to bed. What about children using phones in their bedroom? This issue can cause enormous tension. So how can you come up with guidelines and boundaries for tech use in your home when you and your partner do not see eye-to-eye? Try these tips.

See if you have any similar views around screen time and try to agree on those. For example, your partner might be all for allowing the children to watch TV before bed, but maybe you can both agree that they should not use their screens as soon as they get up in the morning.

Try to understand, and respect, each other’s differences. For example, your partner may believe they are bonding with the children by sharing screen time. They may like to relax by using their screen, and so let the children do the same. You may believe the children are not getting sufficient exercise or not socialising enough. If you can each understand the other’s views, compromise might be easier to achieve. It can often help to work out how a normal day should look for your children. Your partner may then be able to see there are other activities your children should be engaged in rather than spending time on their screens.

Loosely planning their day will allow you to include time for getting ready for school, meals, homework, out of school commitments and chores. You will then gain an idea of the times of day your children have ‘free-time’ and this can help with deciding when they can use their screens.

In some situations, it could be helpful to map out what is currently happening over a few days so you can compare this with your new, loosely planned, day. If you have ever viewed the reports from Apple Screen Time on your own screen usage, you may have been shocked at how much time you spent on your device. The same could happen here by comparing ‘today’ to your new plan.

You cannot change your partner’s behaviour, but you can continue to model the behaviour with technology you desire in your home. It only needs one parent to start taking small actions to make a difference to how tech is used in the home. Children see and hear more than we realise sometimes! Continue to model how you would like tech to be used in your home so your children have an example to follow.

Continue to offer up screen-free activities to your kids. Take a few moments to note down the off-screen activities your children enjoy. You can even include them in this activity. They may suggest things you did not realise they enjoyed! Create a list you can pop onto the fridge/wall or, even better, near your central charging station. This can offer alternative activities when your children go to pick up their devices.

www.linkedin.com/in/nicolle-embra-804259122
www.linkedin.com/company/the-cyber-safety-tech-mum
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
TECHNOLOGY PERSPECTIVES

NIGEL PHAIR

ARE SOCS THE NEW BLACK?
by Nigel Phair, Chair, Australasian Council, at CREST International

In cybersecurity, a security operations centre (SOC) is still a relatively new concept with multiple definitions and scope. What a SOC should and should not do is a matter for debate, but working in one—particularly for aspiring cyber professionals—is becoming a specific career path.

A quick search on Seek and LinkedIn reveals a multitude of SOC jobs ranging in seniority and technical ability. At face value, working in a SOC would seem a solid career path.

A SOC is staffed by a team created to protect organisations from cybersecurity breaches by identifying, analysing and responding to threats. SOC teams comprise managers, security analysts and security engineers. The best SOC team members have an enquiring mind, use a broad range of tools and observations to make assessments and enjoy the team environment. Like all cybersecurity environments, having team members with diversity in background and thinking will boost the team’s capabilities and produce better decisions that will ultimately make an organisation more resilient. To create such an environment SOC managers should liaise closely with an organisation’s business and IT operations teams.

AN SOC IS CRUCIAL

A SOC is responsible for an organisation’s overarching cybersecurity practices, which can include prevention and incident response. By its very nature, a SOC forms a crucial part of an organisation’s compliance and risk management strategy. It is focused on people, processes and technology and on managing and enhancing an organisation’s security posture.

Organisations may consider setting up a SOC when: they start handling more sensitive data; the threat landscape has changed, or become more concerning and requires improved security; when the organisation (and therefore the attack surface) has grown larger.

Ideally a SOC should have a holistic view of the organisational threat landscape, of the endpoints, servers and software used, and of any third-party services and traffic flowing between assets. To increase agility and ensure peak efficiency a SOC should keep detailed records and maintain full understanding of the cybersecurity measures currently enabled, along with all the workflows used.

A SOC is usually overseen by a SOC manager, but may also contain security analysts as the first line of defence, and security engineers who may be software
or hardware specialists charged with maintaining and updating the SOC’s tools and systems. A set of tiered roles is needed to provide the range of skills and qualifications required. Individuals are placed in the appropriate tier based on their skills, qualifications and experience.

It is at this point that various Seek and LinkedIn job advertisements often become a little confusing. Depending on where you are in your cybersecurity career, spending time in a SOC would be a worthwhile endeavour.

SOC VARIANTS

Some organisations create their own SOC. Some outsource those functions to a dedicated provider whilst some adopt a hybrid model (often using a tiered approach). Each of these models has different benefits, but it is important for organisations, and for aspiring job candidates, to fully understand the scope, role and positioning of a SOC.

Similarly, organisations must measure SOC team performance to continuously improve their processes and demonstrate return on investment. It is important to have metrics on the scale of activity in the SOC and how effectively analysts are handling the workload.

A quick internet search reveals many SOC providers with different service offerings, pricing models and management policies. For organisations dipping their toe into the SOC water, outsourcing to a trusted external provider should result in cost saving, access to experienced professionals and fast response times.

SOC GUIDANCE

Choosing the right level and style of managed SOC is crucial, and it is worth taking the time to do your due diligence. Look for recognised, reputable industry players that offer high levels of customer service, certified technicians and round-the-clock support.

CREST, the global not-for-profit community of cybersecurity businesses and professionals working to keep information safe in a digital world, has recently released guidance on SOCs. It covers: what a SOC is and why you need one; when and how to create one; the functions, activities and advantages of a SOC; the different types of SOC; the types of people required to work in a SOC.

It is important not only to understand what a SOC is, but, when choosing an outsourced provider to know they have been independently evaluated. CREST accredits, certifies and quality assures 300 member companies worldwide, some of which have attained SOC accreditation.
www.linkedin.com/in/nigelphair
GINA MIHAJLOVSKA

WHY ZERO TRUST NEEDS SYSTEMS ENGINEERING
by Gina Mihajlovska, Cyber Security Manager at EY

The release of NIST publication 800-207 on Zero Trust Architecture (ZTA) gave the cybersecurity community the preliminary systems engineered processes to deliver ZTA. These processes leverage know-how, developed over decades, on the design, integration and management of complex systems over their lifecycle.

At its core, systems engineering uses systems thinking principles to organise this body of knowledge. The outcome of such efforts is an engineered system which combines components that work cooperatively to collectively perform a useful function.

Systems engineering enables organisations to successfully perform the many functions needed for successful system design, implementation and, ultimately, decommissioning: engineering, reliability assessment, logistics, team coordination, testing and evaluation, designing for maintainability, and many others.

Systems engineering also permits the complexities and difficulties associated with the delivery of large and/or complex projects to be managed successfully. Systems engineering uses work process optimisation methods to deal with the, often significant, overlaps between technical and human-centred processes that have been developed to support the management of engineering disciplines. It ensures all likely aspects of a project or system are considered and integrated into a whole.

NIST Special Publication 800-207 defines ZTA as a new way of developing a security enterprise architecture. NIST white paper CSWP 20, Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators, focusses on the implementation of the cybersecurity principles to be applied to services and data flows. In 2020 NIST introduced an approach for the implementation of ZTA to assist organisations with the complexity of moving their technology and operational environment from a security model based on protecting the perimeter to a zero-trust model. Implementation of this model requires systems engineering thinking. It enables organisations to thoughtfully and intelligently undertake the definition, information capture and risk management of the complexities and difficulties encountered as they transform their technology, resources and processes from perimeter protection security to zero‑trust security.
However, the successful use of the NIST model is dependent on an organisation’s ability to articulate its zero-trust security architecture strategy and delivery programs. A well-articulated strategy is a prerequisite for the introduction of the security architectures that underpin a zero-trust security organisation. It necessitates an acknowledgment that the objective of a model based on zero-trust is to support a lifecycle that combines existing security processes with any processes developed to establish zero-trust.

There are numerous historical examples showing how systems thinking has been instrumental in creating the focus necessary to enable the change management needed for a business model update in an area critical to an organisation’s business and commercial health.

The interdisciplinary nature of systems engineering is well-suited to organisational change management and to regenerating any lifecycles underpinning the business strategies essential to creating market differentiation and growth. Therefore, how well an organisation protects confidential customer information and responds to exposures and threats is quickly becoming a market differentiator that is reinforced through the introduction of fit-for-purpose architectures for zero-trust.

The diagram below demonstrates the NIST proposed logical flows which emphasise the interactions between policy and operational controls needed to achieve a zero-trust environment. Publication 800-207 says a zero-trust deployment in an enterprise is made up of numerous logical components. These components may be delivered through an on-premises service or through a cloud-based service. The conceptual model shows the basic relationship between the components and their interactions. NIST has presented this as an ideal model showing logical components to demonstrate how their interactions are broken down across the policy engine and policy administrator. These logical components use a separate control plane to communicate while application data is communicated on a data plane.

NIST SP 800-207, ZERO TRUST ARCHITECTURE
3 Logical Components of Zero Trust Architecture
There are numerous logical components that make up a ZTA deployment in an enterprise. These components may be operated as an on-premises service or through a cloud-based service. The conceptual framework model in Figure 2 shows the basic relationship between the components and their interactions. Note that this is an ideal model showing logical components and their interactions. From Figure 1, the policy decision point (PDP) is broken down into two logical components: the policy engine and policy administrator (defined below). The ZTA logical components use a separate control plane to communicate, while application data is communicated on a data plane (see Section 3.4).
This publication is available free of charge from: https://doi.org/10.6028
Figure 2: Core Zero Trust Logical Components
Image source: NIST Special Publication 800-207
The component descriptions:
• Policy engine (PE): This component is responsible for the ultimate decision to grant access to a resource for a given subject. The PE uses enterprise policy as well as input from external sources (e.g., CDM systems, threat intelligence services described below)

The model aims to bring together the strategic architectural focus, the organisational thinking and the decision making necessary for transitioning to zero-trust security.

NIST has produced and communicated a set of systems engineered model flows that can be used with the ZTA Maturity Model to support the transition to a zero-trust architecture. The Maturity Model has four phases and is reminiscent of waterfall project delivery models that map each phase to a path to assist the
identification of associated delivery tasks during the transition. Ideally, the model should be used to implement the automated processes and systems, and the architectures and designs that enforce policy decisions and gradually evolve an organisation to a zero-trust security posture.

The model offers significant guidance to practitioners of systems engineering on how to approach an undertaking that continues to baffle and confuse many in the security community. Organisations would struggle to implement zero-trust without this model. The holistic nature of the model guides organisations in the planning needed to achieve a successful deployment of the solutions essential to implementing zero-trust security.

Finally, it is beyond the scope of this article to fully explore the depth and importance of the relationship between security and systems engineering. Rather, the article has tried to provide a brief analysis of the important connections and dependencies between ZTA, systems engineering thinking and the need for further discussions on approaches to its implementation.

Systems thinking allows organisations to successfully manage the difficulties and complexities encountered during the transition from perimeter-based to zero-trust security. Systems engineering can also generate organisational knowledge that can be used to inform business thinking in regard to what/where/when/how to invest in security to ensure customer data continues to be protected in the future.

This article is part 1 of a 6-part series on ‘Using the NIST Zero Trust Maturity Model to create the no-trust security organisation.’

www.linkedin.com/in/ginamihajlo
STUDENT IN SECURITY SPOTLIGHT

ELIZABETH AIDI KAMAU
Bachelor of Cybersecurity Student, Edith Cowan University

Elizabeth Aidi Kamau was born and grew up in Nairobi, Kenya. Today she lives in Perth where she is in the second year of study for a bachelor’s degree in cybersecurity at Edith Cowan University.

Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
I am studying cybersecurity whose role I believe is to protect individuals’ and organisations’ data, networks, systems and devices. I am an ‘online police officer’ who finds and catches bad guys on the internet in a fun and exciting way. It’s like being Batman in Gotham city where the city is the internet in which we find and catch the bad guys to protect the city.

How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
I thought it would be more technical and difficult to study. My experience now is that it requires much greater attention to detail than simply being good at maths. You need to keep up with the latest technology as well as learn advanced persistent threat patterns.

What cybersecurity role would you most like to be hired into when you graduate, and why?
I would love to join a blue team as either a security analyst or security system administrator. I also find being a security consultant interesting. However, that is something I would have to work towards. This is mainly because I love working one-on-one with people and working in teams rather than the normal stereotype of a tech guru working individually. I understand and enjoy working with the tools we use to analyse data and I have been having an exciting time learning to use them.

What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
So far, I think only my high school principal has been against my decision, because it is not a common career choice back home. My parents have been my biggest supporters all along, and my mentors have been very encouraging and supportive as well.

Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?
One of my early mentors who I met while in my second year of high school.

What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
Working with Dr Michelle Ellis [Outreach and engagement co-ordinator in the School of Science at ECU] on various workshops, and having an amazing interaction with some high school students. Also taking part in competitions such as the incident response competitions hosted by Woodside and Retrospect Labs was quite memorable.

What aspect of your studies excites you the most?
What excites me most is when I think I know something only to discover I do not. There are so many changes in this dynamic industry. There is always something new to learn.

Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
My initial challenge, which I am sure many international students experience, was a change of environment and trying to quickly adapt to a different system. I was previously accustomed to sitting exams and finals at the end of the semester, which has not been the case here. However, my university has been extremely understanding and supportive throughout my whole learning experience.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
Oh yes, I do see a need for, and I want to gain, non‑cyber skills. I previously completed a green-tech program with the Future Females Business School [an accelerator for female entrepreneurs and aspiring business owners] on how to run a sustainable and environment-friendly business. This gave me an understanding of how to start and run a business and a perspective on why it is important to keep that business cyber-safe. I am also taking a short online course on project management with Coursera. I also took part in public speaking and interpersonal communications training offered by Strathmore University back in 2018.

Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
Yes, I am. I love to network and listen to other people’s views and experiences. I am part of Australian Women in Security as well as Second Thursday of the Month, to which I was introduced by Raymond Schippers [Perth based blue team lead at Canva]. I also take part in the Girls Programming Network with Dr Michelle Ellis’ help and guidance. With every chance I get, I attend the Student of Cyber events, which enable me to learn from and get to know people outside my university cohort.

Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interviews?
I have been applying but I have yet to be offered an interview. I am looking forward to volunteering in any institution to gain some experience.

www.linkedin.com/in/beth-kamau
SOLANGE FECCI
Software Engineering Student at 42 Adelaide
Solange Fecci grew up in Chile and now lives in Adelaide where she is studying to be a software engineer at 42 Adelaide and studying cybersecurity program development at La Trobe University. 42 Adelaide is a not-for-profit programming school that opened in 2021 to provide tuition-free coding in a self-driven and peer-dependent environment. It is backed by funding from the SA Government, SA business LoftusIT and multiple industry partners.
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
I would explain to them that cybersecurity is an exciting and rapidly growing field that is essential to protecting businesses and individuals from cyber attacks. I would tell them that cybersecurity professionals are in high demand as the number of cyber threats continues to increase. I would also mention that a career in cybersecurity offers a variety of opportunities such as incident response, penetration testing or threat intelligence and that it allows people to specialise in different areas that interest them. Additionally, I would highlight the potential for professional growth and development, and for high earning levels.
What cybersecurity role would you most like to be hired into when you graduate, and why?
I am most interested in an incident response role that allows me to use my technical skills to quickly identify and mitigate cyber threats, as well as to develop incident response plans to prevent future incidents. I am particularly drawn to roles that focus on forensic analysis because I believe understanding the full extent of a cyber attack is crucial for developing effective incident response plans.
I am also interested in roles that involve working with a team of incident response experts because I believe collaboration and knowledge sharing to be essential for quickly identifying and mitigating cyber threats. Additionally, I would like to work in a company that encourages continuous learning and professional development because I believe staying up-to-date with the latest tools, techniques and best practices is essential for success in this field.
Overall, I am eager to be part of a team that makes a real impact in protecting organisations and individuals from cyber threats and I am confident my technical skills and passion for incident response will make me an asset in any role I pursue.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
When I first decided to pursue a career in cybersecurity I was met with a positive reaction from my family members and I am thrilled to have found like-minded individuals at 42 Adelaide who share my interest in cybersecurity. Building a community and connecting with others in the field are crucial when pursuing a career in cybersecurity, because they enable the exchange of valuable information and resources.
Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
I have been greatly influenced by the leadership and accomplishments of women like Wye Ping Lee [Skilled Service Hub Cybersecurity lead at PwC Australia]. Having the opportunity to meet her at a conference at PwC and learn from her experiences was a truly enlightening experience. She is a shining example of the impact that one person can have in the field of cybersecurity.
Furthermore, I have been greatly inspired by the work of outstanding women in cybersecurity in Australia, particularly by Teresa Janowski [founder and CEO of STEM Fast Track]. Her dedication to encouraging female students to enter the STEM professions through STEM Fast Track is truly admirable. Overall, I am grateful to have had the opportunity to meet and learn from Teresa and hope to follow her in making a positive impact in cybersecurity.
What do you see as having been the most memorable and/or significant event in your cybersecurity journey to date, and why?
The most memorable cybersecurity event I have attended so far was the cyber conference organised by AISA in Adelaide in August 2022. It was an amazing experience, filled with important and interesting speakers, and I had the opportunity to learn about various Australia and South Australia-based cybersecurity companies and the focus of their work.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?
As a student with an interest in cybersecurity I understand the importance of gaining certifications in the field. In addition to my studies at 42 Adelaide, I have completed cybersecurity certifications from Cisco and from La Trobe University. The certification I gained from La Trobe was in cybersecurity program development. That course taught me how to develop a roadmap for effective security management practices and controls.
In terms of future certifications, I am planning to start a course related to cybersecurity incident management at the Australian Cyber Collaboration Centre. I believe this course will be beneficial because it will provide me with the knowledge and skills required to effectively respond to and manage cyber incidents, which is a critical aspect of cybersecurity.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
Yes. Specifically, I have been a member of both AISA and AWSN since 2022. My experience with these organisations has been amazing. Through attending AISA branch meetings and conferences in Adelaide I have had the opportunity to network and connect with a diverse group of cybersecurity professionals. These events have been great opportunities for me to learn about the latest trends, technologies and best practices in the field, as well as to share my own knowledge and experiences. My experiences with AISA and AWSN have been very positive, and I believe being an active member of the community has greatly contributed to my professional development.
What is your favourite source of general information about cybersecurity?
I have several. One of my go-to sources is Cybercrime Magazine from Cybersecurity Ventures, which provides a wealth of information on the latest trends, threats and best practices in the cybersecurity industry. It also provides various research reports that can be quite informative.
I also follow several prominent cybersecurity experts and thought leaders on social media platforms such as LinkedIn, Twitter and YouTube. They offer valuable insights and perspectives on various cybersecurity topics and keep me informed of the latest developments in the field.
www.linkedin.com/in/solange-fecci-78a43723a
HYESOO CHO
Bachelor of Information Communication Student at University of Tasmania
Hyesoo “Lauren” Cho was born in Seoul, South Korea and completed her primary school education there. She moved to Melbourne with her family but now lives in Hobart where she is in the third year of study for a Bachelor of Information Communication with a major in cybersecurity at the University of Tasmania.
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
Cybersecurity is all about protecting the things that help you exist in the cyber world. In other words, it’s protecting the connection between the ‘real world you’ and the ‘cyber world you’ so it can do things through the network for you.
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
Before I began my study, I thought cybersecurity was another boring job where you sit at a desk locked in a room full of machines staring at a monitor all day. But it turns out to be a cool job. It’s like fighting on the front line of the battlefield protecting the world where another you, a cyber you, exists.
What cybersecurity role would you most like to be hired into when you graduate, and why?
There are many possibilities and options once I finish my major which I am considering. But I am very eager to spread awareness of how important it is to protect people in the cyber world as much as in the real world.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
No opposition. We all agreed how cool cybersecurity is.
Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
The devastating news we hear every day about people being targeted and losing their property because of malicious attackers breaks my heart. Knowing that my friends, family and I could also be victims has influenced me the most to choose this path and to be able to protect myself and others.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
Yes! For example, in one of the units I took as part of the course we were told to find and share with the class some interesting cybersecurity related news from the past few weeks. I found it a very interesting and clever way to learn how to stay on top of current cybersecurity trends.
What aspect of your studies excites you the most?
It’s always exciting when you do the hands-on exercises such as penetration testing of virtual machines. It is also exciting to accomplish protection against mock attacks.
What aspect do you find least interesting or useful?
I hate to say this, but I still hate writing long reports.
Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
It’s always very challenging to accept the fact that people are out there always searching for new ways and new targets to attack.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
I am always open to learn new things but I have not thought about undertaking any non-cyber related training yet. But as I study my course I am discovering how important it is to learn and understand the minds of the malicious attackers and how victims fall for their ploys. Perhaps learning about social engineering would be a great help to understand and prevent these attacks.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
It’s always interesting and helpful to stay connected with others and learn about what they do and how they do it. Also, knowing that there are so many women like me in this field helps me stay motivated.
What is your favourite source of general information about cybersecurity?
Reading the cybersecurity related articles on ZDNet is always interesting. It helps me to stay on top of current cybersecurity issues and sometimes it is fun. I also found it very entertaining when I read the story about how a certain song by Janet Jackson became a threat to some old laptops.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
Not at all. However, I always wish to see more women like me in the field.
What measures do you have in place for your personal cybersecurity?
I like the phrase ‘zero trust security’. It’s my strategy. I believe no one exposes themselves to attacks because they want to. So I always double check on my security and remind myself I can always become one of the victims.
Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interview?
Unfortunately, not yet. I am still too busy learning new things.
www.linkedin.com/in/hyesoo-cho-8a25a623a
SARAH EAST
Bachelor of Politics and International Relations Graduate at the University of Canberra
Sarah Jayne East grew up in Newcastle, NSW and now lives in Northern Canberra where she has just completed a Bachelor of Politics and International Relations at the University of Canberra. She specialised in national security with a major in law, policy and culture. She will shortly take up a role with the Australian Signals Directorate as a cybersecurity analyst.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
My family felt disbelief at the prospect of me entering the cyber sphere. Having minimal cyber skills or outward enthusiasm led family members to react with suspicion. I felt hurt that they did not believe I would be capable of this career path. However, this will not impact my performance and they are still supportive, and a little bewildered.
What aspect of your studies excites you the most?
Within my studies, I focused on international relations and national security. The ability to plan for unknown and unlikely scenarios and the capacity, knowhow and resources to both respond and adapt are exciting. The skills these courses taught empowered me to be confident in how I approach time-sensitive situations and my planning.
Studying national security excited me because of its power to protect people. I think this is part of the reason I went into cybersecurity. The digital realm can cause harm. Protecting individuals from threats, identifying these threats and responding correctly can change lives.
Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
Within my studies the most difficult course I undertook was economics. However, transitioning to virtual learning created a significant hurdle in my learning trajectory. This challenge was prominent throughout my entire career due to COVID-19.
Learning how to adjust to this challenge engendered great character growth, but also shaped how I approach tertiary education. Whilst economics was my hardest course, the pandemic ensured I had to redefine my entire learning process. It severed most of my connections with the security and defence industries.
I had to learn how to motivate myself and to stop comparing myself to peers whilst managing my time and personal life better. The pandemic was a challenge and a significant hindrance to my studies, but it enabled me to become a stronger person and a better student.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
I have worked in various roles in my career. These include roles in retail and hospitality and roles at a university, embassy, medical centre and lobbyist firm. Throughout my career, I have used transferrable skills like interpersonal communications and management. I believe my role in cybersecurity is to connect data to users, translating for individuals what is ‘going on’ digitally.
In my view, communication is a fundamental skill in every job because employers are looking for friendly people to work with, not just efficient employees. I am not currently motivated to complete additional non-cyber skills training because I feel qualified by previous experience in these areas. However, the importance of interpersonal relations and connectivity cannot be understated.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I have had amazing experiences with the wider cybersecurity community. These include Women In ICT, the Australian Women in Security Network and various cyber conferences. These experiences have brought me closer to the industry and to emerging technologies. They have also given me the opportunity to network with amazing leaders and female role models. Women in STEM at the University of Canberra provides a great entry into cybersecurity for students.
Having a supportive community, and especially vocal female support, can be career-changing. It is good knowing other industry individuals have your back, and when you have access to the knowledge, connections and experience of expert leaders, you leave every conversation wiser. The wider cybersecurity community outside your workplace and immediate circle can offer a safe place to network.
What measures do you have in place for your personal cybersecurity?
Personally, I ensure I have multifactor authentication on everything. I do not autosave passwords. I try to avoid personalised ads, saved preferences and sites that are known for mining data. I frequently check to ensure my passwords and accounts have not been hacked and I block apps from using camera, audio and GPS tracking when not open.
I am constantly attempting to improve my cybersecurity awareness and hygiene. Most individuals will already screen spam mail, block potential fraudulent numbers and try to keep their data safe. Whilst I have not perfected my own cybersecurity protection, I will usually refer to the Australian Cyber Security Centre for advice on ransomware, email security and other issues.
With the benefit of hindsight would you change your career trajectory to date, and if so how?
In hindsight, I would not change much. I would take more interest in coding languages and people with interests in cybersecurity. I would have attended more cybersecurity events and conferences at the beginning of my degree and I would also have looked into cybersecurity-focused companies and clubs.
Having a like-minded support network such as Women in STEM on campus changed my outlook on cybersecurity. I would be more involved in the industry because you never know who you will meet and what great advice they will have to offer you.
Have you already sought employment in cybersecurity, if so, what has been your experience of applications/interviews?
I applied for a cybersecurity position by chance. I felt underqualified and never believed I would get the position. After applying, I attended the interview with the goal of making the most out of the experience. The application itself was not too difficult but required well-written answers. However, in the interview, I was pleasantly surprised by how passionate and welcoming the interview panel was. It was by far one of the best interview experiences I have had, and I got the role.
www.linkedin.com/in/sarah-j-east
LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller
Olivia and Jack’s learnings about AI
Olivia and Jack were both fascinated by the world of artificial intelligence (AI) and had recently spent some of their free time researching and learning about it. One day, while discussing their new interest with their parents, they noticed a worried look on their parents’ faces. They immediately knew their parents were concerned about the potential negative impacts of AI on society.
Olivia and Jack wanted to ease their parents’ worries and decided to take action. They began by educating themselves even more about AI and its capabilities, as well as its limitations. They also read about the various ethical concerns surrounding the technology and the efforts being made to address them. As they learnt more, Olivia and Jack realised their parents’ concerns were not unfounded.
OLIVIA’S AND JACK’S LEARNINGS ABOUT AI
• They understood that one of the biggest threats is the potential for AI to be used to manipulate or exploit children. For example, some AI-powered chatbots have been found to use manipulative tactics to trick children into giving away personal information or sending money. This can put children at risk of identity theft, cyberbullying, or even physical harm.
• Another threat is the potential for AI to be used to spread misinformation or propaganda. With the rise of social media, it is becoming increasingly easy for bad actors to spread false information or extremist ideologies to children. This can be particularly dangerous for children who are already vulnerable, such as those with mental health issues or those who are experiencing bullying or social isolation.
• Finally, there is the risk that AI will be used to create more immersive and addictive digital experiences that can take children away from the real world and negatively impact their development. Studies have shown that excessive use of digital devices can lead to problems such as addiction, depression, and anxiety.
However, they also saw that the benefits of AI could be enormous, such as the ability to diagnose diseases more accurately and the potential to reduce human error in critical industries.
Their parents appreciated that Olivia and Jack had educated themselves and were aware of these threats. They already had limits on screen time and were monitoring the apps and websites Olivia and Jack used. At school the teachers were also discussing the need for their pupils to be critical consumers of information.
Olivia’s and Jack’s parents knew it was important to stay informed about the latest developments to ensure that Olivia and Jack would stay safe and healthy in the digital age. Navigating the many benefits and challenges of AI will hopefully build a brighter future for Olivia and Jack and the wider community.
Author’s note: This story was written with the assistance of ChatGPT
www.linkedin.com/company/how-we-got-cyber-smart
facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist
2. LYDIA KRETSCHMER
Expert Security Operations Manager at European Commodity Clearing AG
3. MANDEEP KAUR
Consultant - Cyber Security Architect at EY
4. JACINTA HAYWARD
Customer support consultant and aspiring cybersecurity professional
5. CAIRO MALET
Trust Leader
6. JELENA ZELENOVIC MATONE
CISO, EU Institution
7. AMY DEHNER
CSO and Director of Global Corporate Security with Steelcase
8. ISABEL MARÍA GÓMEZ
Global Chief Information Security Officer at Atento
9. VICTORIA ALLEE
Founder at LT Strategic Consulting; Director of Security for Corporate Intelligence and Insider Threat at Lam Research
10. TITHIRAT SIRIPATTANALERT
Group CISO and CDO at True Digital Group
11. CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A Hacker I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
12. LIZ PISNEY
Senior Director of Member Experience at ISACA
13. VANNESSA MCCAMLEY
Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
14. JENNA WHITMAN
CISO at Callaghan Innovation
15. KAREN STEPHENS
CEO and co-founder of BCyber
16. SAI HONIG
Engagement Security Consultant at Amazon Web Services
17. SIMON CARABETTA
Business Operations Lead at ES2
18. JAY HIRA
Director of Cyber Transformation at EY
19. KAVIKA SINGHAL
Cyber Security Consultant at EY
20. SARAH BOX
Willyama Services - Project Manager
21. STEPHANIE ROBINSON
Head of Partnerships at AWSN
22. NICOLLE EMBRA
Cyber Safety Expert, The Cyber Safety Tech Mum
23. NIGEL PHAIR
Chair, Australasian Council, at CREST International
24. GINA MIHAJLOVSKA
Cyber Security Manager at EY
25. ELIZABETH AIDI KAMAU
Bachelor of Cybersecurity Student
26. SOLANGE FECCI
Software Engineering Student
27. HYESOO CHO
Bachelor of Information Communication Student
28. SARAH EAST
Bachelor of Politics and International Relations Graduate
29. LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller
THE LEARNING HUB
FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.
CYBERACES: CYBER SECURITY TRAINING COURSE
We live in a networked world. Keeping in touch with friends, paying bills, operating a city’s energy grid, strengthening national security: it happens online. The need to secure our networks has never been greater. The number of cyber-attacks is increasing dramatically and there aren’t enough people with the right skills to fill mission-critical jobs needed to ensure our security online. Developed from our library of professional development curriculum, SANS Cyber Aces Online is an online course that teaches the core concepts needed to assess and protect information security systems. And it’s free!
The course material is updated regularly to keep pace with changes in technology and threat landscape. It is an engaging, self-paced, easy-to-use combination of tutorials and videos where learners will come away with a solid foundation for building a career in cybersecurity or just strengthening their own home network.
It’s available as open courseware so learners can take it anytime and anywhere.
VMWARE LEARNING: VMWARE TRAINING
Internet security is one of many free online courses that are offered by VMware Training, which offers a suite of courses having to do with computers and a business environment. VMware Learning provides training and certification programs to grow your skills and leverage opportunities available with VMware solutions. It helps grow your career and advance your credibility with employers, colleagues, and clients. VMware Learning Paths are designed to help you identify course needs based on your VMware product focus, your role and skill level.
SAYLOR.ORG: CS406: INFORMATION SECURITY
This course covers information security principles, an area of study that engages in protecting the confidentiality, integrity, and availability of information. Information security continues to grow with advancements in technology – as technology advances, so do threats, attacks, and our efforts to mitigate them. In this course, we discuss the modes of threats and attacks on information systems. We also discuss an important area of threat mitigation that saw rapid development in the twentieth century: cryptography. Information security is concerned with user identification and authentication and access control based on individual or group privileges. The basic access control models and the fundamentals of identification and authentication methods are included in this course.
EIT DIGITAL: SECURITY AND PRIVACY FOR BIG DATA
For learners who are interested in cybersecurity, EIT Digital’s free online security courses, including Security and Privacy for Big Data – Part 1, are a great way to start learning about security in the digital world. This course teaches students the basics of cryptography, including how to manage security access within their network systems. EIT Digital is a leading education provider in the digital security world. They work to make technical education available to professionals around the world. The organization works to make content public on a regular basis, allowing people to access their content for free in an effort to make the digital world a safer place for all.
ERASMUS UNIVERSITY ROTTERDAM: INTERNATIONAL SECURITY MANAGEMENT
The International Security Management course at Erasmus University Rotterdam is one of the many free security courses online that can teach students how to stay safe and secure in today’s ever-changing world. In this course, students learn about organized crime and illicit trade, and how these activities run rampant in the digital world. Students also learn about current efforts being made to take down people who participate in these activities online. Erasmus University believes in providing students with an education that’s engaging and fun, while also providing a deep understanding of the subject at hand. The University films its digital courses at several locations throughout Europe, allowing students to see their instructors in their home environment.
GEORGIA INSTITUTE OF TECHNOLOGY: INFORMATION SECURITY
Georgia Institute of Technology’s Network Security course is one of several free online security courses that can teach students how to keep themselves safe when sharing their information online. This course is applicable both on a personal and business level and can be useful for professionals who want to learn how to keep their work information safe. Students in this course learn the basics of systems security, cryptanalysis, and cryptography. It’s recommended that students already have an intermediate understanding of technology before entering this course. This 15-week course requires 10 to 15 hours of study per week, or more if students are lacking in the understanding of basic cybersecurity concepts.
THE LEARNING HUB
GOOGLE: IT SECURITY: DEFENSE AGAINST THE DIGITAL DARK ARTS Technology giant Google is no stranger to IT security issues, and the company is providing free online security courses to people who are interested in learning more about how to protect themselves in cyberspace. Google’s free course, IT Security: Defense against the digital dark arts, teaches students how to identify and protect themselves against nefarious agents online. While this course delves deep into complicated online security concepts, it also teaches students how to break down those concepts and explain them to others who may not have technical expertise. Google is one of the top technology research facilities in the world, and learning from the tech giant is a fantastic addition to a resume. Google asks the hard questions when it comes to technology, and isn’t afraid to look at what isn’t working and how it needs to change. From firewalls to encryption, this course tackles the hard aspects of technology and breaks them down in a way that students can understand.
VISIT HERE
108
W O M E N I N S E C U R I T Y M A G A Z I N E
HONG KONG UNIVERSITY OF SCIENCE AND TECHNOLOGY: INFORMATION SYSTEMS AUDITING, CONTROLS, AND ASSURANCE Hong Kong University’s Information Systems Auditing, Controls, and Assurance is one of many available free online security courses that teach students how to understand the information they’re putting online, and how to control who does and does not have access to that information. This teaches students how to manage information in the workplace as well, and how to place controls on information to choose who does and does not have access. This course is taught by Garvin Percy Dias, an associate professor of business at Hong Kong University. Students who have taken the course state that Dias is a fantastic instructor who explains things in a way that is clear and concise, and students feel that he truly cares about them as individuals.
LEIDEN UNIVERSITY: SECURITY & SAFETY CHALLENGES IN A GLOBALIZED WORLD In today’s digital world, staying safe is more important than ever. Leiden University’s Security & Safety Challenges in a Globalized World is one of many free security courses online that teach students how to protect themselves against global security threats. In this class, students learn about global security threats, and why digital security is such a vital part of keeping individual countries safe. Professors at Leiden believe in studying both practical applications of knowledge and theoretical applications. In this course, students will bring in several disciplines as they learn about network security, including crisis management, medicine, and terrorism studies. Students will also have the opportunity to study and analyze real-life cases that allow them to think about how they would handle a security crisis.
FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.
OPEN SUNY: INTERNATIONAL CYBER CONFLICTS For students who want to learn more about cyber war, International Cyber Conflicts at Open SUNY is one of many great free online security courses offered by the school. Students in this course leave understanding the characteristics of cyber conflicts and threats, and what is currently being done around the world to improve cybersecurity. Taught by Sanjay Goel, students speak highly of this course, stating that Goel’s description of the psychology behind certain cyber behaviors is fascinating. This course digs deep into not only how people use cyberspace to facilitate conflict, but also why they choose this medium. Students walk away from this class with a deeper understanding of the threats of today’s digital world.
AMNESTY INTERNATIONAL: DIGITAL SECURITY AND HUMAN RIGHTS Amnesty International’s Digital Security and Human Rights course is one of many free online security courses that can give students peace of mind in today’s ever-changing world. For students who have ever been concerned about protecting their online identity, this course is the perfect way to delve into exactly how dangerous the online world can be, and exactly who has access to personal information. Staying safe online is a human rights issue, and this course teaches students not only how to protect their own rights, but how to protect the rights of others. Amnesty International has a long‑standing history of fighting for the rights of people who cannot fight for themselves. This free course allows the organization to reach an audience around the world with information that can help them to stay strong in the fight for human rights. Students in this course get the opportunity to connect with others around the world who share the same commitment to protecting others from injustice.
NEW YORK UNIVERSITY: INTRODUCTION TO CYBER SECURITY SPECIALIZATION New York University’s Introduction to Cyber Security Specialization is one of several free online courses designed to help students understand the complexities of staying safe in an increasingly online world. In this class, students will learn how to develop a plan to stay up to date on the latest in cybersecurity, learn about the latest security techniques (as well as what techniques are now out of date), be able to summarize why security matters, and discuss the basics of cybersecurity. NYU works hard to develop students into lifelong learners and prioritizes helping students make plans that keep them coming back to get more from their education. This mindset is key in staying at the top of an ever‑changing digital world.
TURN IT UP
GET SMARTER ABOUT CYBERSECURITY & SUSTAINABILITY With Sarah Wieskus With reports suggesting the earth has only 27 years left before it runs out of food, and that 1.7 planets are needed for man’s increasing consumption and waste, it’s vital that IT decision makers and cybersecurity leaders consider how they can be less wasteful and more impactful in terms of our planet...
OWNER DO IT / CYBER PROFESSIONAL PODCAST With Alan Brinker Alan talks about the crossover from physically picking a lock and how that can help build the right mindset to do it in the cyber world. Alan makes some good points on how abilities from outside IT and cyber can really help and transition to this field, if applied appropriately.
THE CYBER CRIME LAB PODCAST With Andrew Anderson The Cyber Crime Lab Podcast is a show about cybercrime and cybersecurity. We explore the changes coming for the cyber security space, what threats they bring, and what businesses can do when prevention isn’t enough. Host Andy Anderson interviews experts in the field of cyber security and victims of cyberattacks, providing practical examples and solutions.
SECURITY SIMPLIFIED With The 443 Get inside the minds of leading white-hat hackers and security researchers. Each week, we’ll educate and entertain you by breaking down and simplifying the latest cybersecurity headlines and trends. Using our special blend of expertise, wit, and cynicism, we’ll turn complex security concepts into easily understood and actionable insights.
THINK LIKE AN INTELLIGENCE ANALYST – DECIDING WHAT MATTERS AND HOW TO SHARE IT With WOMEN WHO PROTECT Sandy Perez joins host Dr. Marisa Randazzo to discuss what the work of an intelligence analyst really entails, the purpose of fusion centers and why they vary from state to state, and more...
FRAUD BUSTING With Traci Brown Traci Brown has spent the last 20 years reading people and uncovering secrets hidden in plain sight in crimes, politics and billion dollar business deals. This podcast reveals the real and unpolished truth about fraud and threats to your bottom line. From jaw-dropping stories, you’ll learn what to do to spot fraud and protect yourself from personal and business losses.
THE WOMEN IN TECH SHOW With Edaena Salinas ‘The Women in Tech Show’ has a vast coverage of topics for women in IT. Examples of discussion areas are AI, software design, engineering, developing, design and general career advice. Host Edaena Salinas is a Software Engineer who recognizes the need to promote awareness of the many women currently shaping the future of technology.
THE WOMEN WHO CODE PODCAST With Women Who Code Women Who Code’s mission is to inspire diverse women to excel in technology careers. In this podcast, we talk with technology leaders from around the world about their journeys in the industry, their love of technology, trending innovations, the future of work, and ways that we can improve diversity, equality, and inclusion.
TECH SISTERS STORIES With Fatimah Akanbi Tech Sisters is a community that supports Muslim Women in Tech through storytelling, mentorship, and collaboration. We know how important it is to have role models who look like us. These interviews are how we put the focus on our incredible sisters, the work they’re doing, the challenges they faced, and the lessons they learned.
STELLAR WOMEN ON THE POWER OF PERSISTENCE, PERFECTIONISM, AND AI With Kelly Friedman Stellar Women celebrates female leaders making their mark in technology. These women share their stories and practical tips to inspire emerging leaders, build a supportive community of allies, and promote gender equity and empowerment.
DEEPER THAN TECH With Deeper Than Tech Hey everyone! Deeper Than Tech was created with the beginner in mind. Here, we will talk about advancing your tech career, our experiences being black women in tech, along with various tech topics to give you the confidence to succeed in your new role and so much more!! Join us as we go beneath the surface of an ever-changing industry.
ARE WE DOING ENOUGH With Sheryl Sandberg “We need women at all levels, including the top, to change the dynamic, reshape the conversation, to make sure women’s voices are heard and heeded, not overlooked and ignored.”
OFF THE SHELF
WOMEN IN THE SECURITY PROFESSION Author // Sandi Davies Women in the Security Profession: A Practical Guide for Career Development is a resource for women considering a career in security, or for those seeking to advance to its highest levels of management. It provides a historical perspective on how women have evolved in the industry, as well as providing real-world tips and insights on how they can help shape its future. The comprehensive text helps women navigate their security careers, providing information on the educational requirements necessary to secure the wide-ranging positions in today’s security field. Women in the Security Profession describes available development opportunities, offering guidance from experienced women professionals who have risen through the ranks of different security sectors.
CONFIDENT CYBER SECURITY: HOW TO GET STARTED IN CYBER SECURITY AND FUTURE-PROOF YOUR CAREER Author // Jessica Barker The world is more digitally connected than ever before, and with this connectivity, comes vulnerability. It is therefore vital that all professionals understand cyber risk and how to minimize it. This means that cyber security skills are in huge demand, and there are vast career opportunities to be taken. Confident Cyber Security is here to help. This jargon-busting guide will give you a clear overview of the world of cyber security. Exploring everything from the human side to the technical and physical implications, this book takes you through the fundamentals: how to keep secrets safe, how to stop people being manipulated and how to protect people, businesses and countries from those who wish to do harm. Featuring real-world case studies from Disney, the NHS, Taylor Swift and Frank Abagnale, as well as social media influencers and the entertainment and other industries, this book is packed with clear explanations, sound advice and practical exercises to help you understand and apply the principles of cyber security.
REAL-WORLD BUG HUNTING Author // Peter Yaworski The latest addition to this guide. If you have been following me on social media or in general at all in the past few months, you know that I am mostly doing Bug Bounty Hunting and educating myself in this area at the moment. This book is very new (it was released in 2019) and up-to-date. Peter is a seasoned security professional who tries to give people with zero knowledge in this area an entry point – and I think he achieved this. This book easily makes it in my Top 3 of my favorite Hacking Books of all time. This book is very well written and goes in-depth into all the important topics regarding Web Application Security / Bug Hunting. After covering Bug Bounty Basics, it takes you through all of the most common Web Vulnerability.
KINGDOM OF LIES: UNNERVING ADVENTURES IN THE WORLD OF CYBERCRIME Author // Kate Fazzini “Kingdom of Lies is a brilliant and bold debut, as full of suspense as the best crime thrillers.” --Linda Fairstein, New York Times bestselling author of Blood Oath In the tradition of Michael Lewis and Tom Wolfe, a fascinating and frightening behind-the-scenes look at the interconnected cultures of hackers, security specialists, and law enforcement. Kingdom of Lies follows the intertwined stories of cybercriminals and ethical hackers as they jump from criminal trend to criminal trend, crisis to crisis. A cybersecurity professional turned journalist, Kate Fazzini illuminates the many lies companies and governments tell us about our security, the lies criminals tell to get ahead, and the lies security leaders tell to make us think they are better at their jobs than they are.
THE THRILLING ADVENTURES OF LOVELACE AND BABBAGE Author // Sydney Padua Meet Victorian London’s most dynamic duo: Charles Babbage, the unrealized inventor of the computer, and his accomplice, Ada, Countess of Lovelace, the peculiar protoprogrammer and daughter of Lord Byron. When Lovelace translated a description of Babbage’s plans for an enormous mechanical calculating machine in 1842, she added annotations three times longer than the original work. Her footnotes contained the first appearance of the general computing theory, a hundred years before an actual computer was built. Sadly, Lovelace died of cancer a decade after publishing the paper, and Babbage never built any of his machines. But do not despair! The Thrilling Adventures of Lovelace and Babbage presents a rollicking alternate reality in which Lovelace and Babbage do build the Difference Engine and then use it to build runaway economic models, battle the scourge of spelling errors, explore the wilder realms of mathematics, and, of course, fight crime--for the sake of both London and science. The Thrilling Adventures of Lovelace and Babbage is wonderfully whimsical, utterly unusual, and, above all, entirely irresistible.
CULT OF THE DEAD COW: HOW THE ORIGINAL HACKING SUPERGROUP MIGHT JUST SAVE THE WORLD Author // Joseph Menn The Cult of the Dead Cow book refers to one of the oldest and most revered hacking groups that the United States has ever produced. You may have heard about it recently when presidential hopeful Beto O’Rourke announced that he was part of the group. Well, this book puts them back at the center of attention and explores their many exploits. It is mostly concerned with how the group was responsible for the development of TOR, and how they compelled many US Corporations to up their security protocols to the next level. The book is all about the history of ‘Cult of the Dead Cow’ and their subsequent impact on America.
THE CODE BOOK: THE SCIENCE OF SECRECY FROM ANCIENT EGYPT TO QUANTUM CRYPTOGRAPHY Author // Simon Singh Simon Singh brings his readers a fascinating book that details the entire history of encryption sprawling back to Ancient Egypt. Yes, you heard it right. According to Simon, the foundations for cyber security protocols that we cherish today could be traced back to the scriptures and antiquated espionage tactics associated with ancient Egyptian culture. The book spares no detail in depicting how encryption has shaped the world we know today. From the inception of the e-commerce industry to ending the invasive Nazi regime, encryption can be credited for them all. ‘The Code Book’ puts historical context to the word encryption and affiliates it with many famous historical events and personalities. You will be amazed and left awestruck by the time you’ve turned its last page. No book looks into such a modern aspect of our world like encryption through a historical lens like Simon Singh does in this book.
THE LOUDEST DUCK: MOVING BEYOND DIVERSITY WHILE EMBRACING DIFFERENCES TO ACHIEVE SUCCESS AT WORK Author // Laura A. Liswood The Loudest Duck is one of the most popular workplace diversity books on the market. The book advocates for a meaningful approach to diversity, for example by urging leaders not only to hire distinctive candidates, but to recognize and appreciate the strengths in those differences. Laura Liswood illustrates the scope of diversity in the workplace and suggests actionable steps to build inclusive organizations. The Loudest Duck offers a set of practical tools to help managers and colleagues understand and respect different viewpoints. The author challenges readers to notice subtle inequities and overturn ingrained ways of thinking. Notable Quote: “Companies are ultimately looking for increased creativity, better ideas, and multiple perspectives, so they will in fact benefit from diversity. However, we will see that achieving this takes much more effort than merely assembling a workplace that looks like Noah’s ark.”
BLINDSPOT: HIDDEN BIASES OF GOOD PEOPLE Author // Mahzarin R. Banaji and Anthony G. Greenwald Blindspot is one of the best-selling diversity books in recent years. Psychologists Mahzarin R. Banaji and Anthony G. Greenwald explore the subject of unconscious biases, examining how experiences and ideas subtly shape ways of thinking. Relying on scientific methods such as the Implicit Association Test, the authors show how to spot and confront preconceptions. The book frames bias as a human characteristic rather than an individual character flaw, making it easier for readers to accept the truth of their own prejudice. Blindspot argues that not only “bad people” hold secret biases. Rather, every person must analyze their assumptions, stop hiding behind good intentions, and aim to be more open and supportive of those unlike themselves. Notable Quote: “Blindspots hide both discriminations and privileges, so neither the discriminators nor the targets of discrimination, neither those who do the privileging nor the privileged, are aware. No small wonder that any attempt to consciously level the playing field meets with such resistance.”
SHADOW Author // Craig Ford In this thrilling second instalment to the Foresight series, Shadow offers a fresh insight into the opposing hacker of the series – Shadow. Shadow must make choices that will lead him down many paths that were never expected in the outset. Find out what makes Shadow tick and experience the thrilling events from Foresight with a completely new perspective. Shadow is fun, dangerous and dives further into the hacking world which Foresight first exposed.
FORESIGHT Author // Craig Ford HAVE YOU EVER DREAMED OF BEING A HACKER? To anyone who meets her, Samantha is just a good-hearted teenager who wants to finish school and go to college. Yet she has a secret life... She has spent years living two lives, one as Sam which the world sees most and one as Foresight, who Sam feels is her true self where she is a passionate and gifted hacker. She has never found a system she could not bend to her will. She is the essence of a true magician within the dark recesses of the web which many dare not enter. Foresight and Sam never mix. This is something that Sam goes to extreme lengths to ensure...
PROTECTING OUR FUTURE Author // Jane Leclair Protecting Our Future, Volume 1, brings together cybersecurity experts to assess operational challenges and workforce needs in a range of Critical Infrastructure Sectors and Subsectors. Contributors examine the very real threats faced by each sector, and suggest best practices. Sectors discussed in Volume 1 include: military, healthcare, telecommunications, finance, education, utilities/nuclear, government, small businesses/nonprofits, and the international arena. This book is an excellent foundational resource for students, practitioners, and employers who not only want to develop a clearer understanding of what is required when building a cybersecurity workforce, but who need to develop top-of-mind awareness in the areas most directly impacting the future of our nation’s security.
THIS IS HOW THEY TELL ME THE WORLD ENDS Author // Nicole Perlroth Zero-day: a software bug that allows a hacker to break into your devices and move around undetected. One of the most coveted tools in a spy’s arsenal, a zero-day has the power to silently spy on your iPhone, dismantle the safety controls at a chemical plant, alter an election, and shut down the electric grid (just ask Ukraine). For decades, under cover of classification levels and nondisclosure agreements, the United States government became the world’s dominant hoarder of zero-days. U.S. government agents paid top dollar, first thousands and later millions of dollars, to hackers willing to sell their lock-picking code and their silence. Then the United States lost control of its hoard and the market. Now those zero-days are in the hands of hostile nations and mercenaries who do not care if your vote goes missing, your clean water is contaminated, or our nuclear plants melt down. Filled with spies, hackers, arms dealers, and a few unsung heroes, written like a thriller and a reference, This Is How They Tell Me the World Ends is an astonishing feat of journalism. Based on years of reporting and hundreds of interviews, New York Times reporter Nicole Perlroth lifts the curtain on a market in shadow, revealing the urgent threat faced by us all if we cannot bring the global cyberarms race to heel.
SURFING THE NET
WOMEN IN CLOUD By Marisa Pecoraro Stay up to date with the latest from Women in Cloud news and insights from industry thought leaders and women tech entrepreneurs. Women in Cloud celebrates the female entrepreneurs in the tech world.
MODELEXPAND DIVERSITY, EQUITY AND INCLUSION CONSULTING By Michelle Pleitez As the year comes to an end, it is a great time to review your current DEI initiatives and make sure they are still aligned with your strategic business goals. This is an opportunity to take a step back and think about what’s working well, what needs some improvement, and how to make DEI initiatives more effective for the new year. In this Culture + Diversity event series, panelists from Gitlab, Stanford’s Children’s Hospital, and Western Digital shared their experiences and insights on how to plan your 2023 DEI strategies.
2023 IDENTITY SECURITY TRENDS AND SOLUTIONS FROM MICROSOFT By Alex Weinert I wanted to kick this year off by having a quick look at the trends in identity security, what you can do about it, and what Microsoft is doing to help you. One of the things we talk about on the team is “shiny object syndrome”—there are a ton of innovative and scary attacks and research out there. Unfortunately, each one tends to pull us into “but what about…” where we’re being asked how we will handle the nascent headline grabber. This approach can whipsaw teams and prevent the completion of our defense projects, leaving us exposed to old and new ones.
MITIGATE RISK BY INTEGRATING THREAT MODELING AND DEVOPS PROCESSES By Simone Curzi Agile and DevOps are without any doubt two of the biggest security trends of recent years. The rapid rise of the cloud has only fueled the need for flexibility and dynamicity. Therefore, it’s natural for developers and organizations to seek methodologies and tools for addressing new requirements faster and innovating more efficiently. One of the main principles of Agile and DevOps is “shift-left.” By this term, we mean the ability to anticipate some activities, make them more effective, and reduce their cost. For example, shifting-left quality means that you should anticipate testing to identify and fix bugs as early as possible. If we look at it through the lens of Microsoft Security Development Lifecycle, threat modeling is one of the best candidates for shifting left security. But how to do that? Threat modeling has traditionally been somewhat separate from DevOps automation processes. Therefore, we need new ways to make it an integral part of Agile and DevOps.
ENCOURAGING WOMEN TO EMBRACE THEIR CYBERSECURITY SUPERPOWERS By Lauren Buitta How do girls identify their superpowers in cybersecurity while women continue to make gains? To explore this key question, Microsoft Security in partnership with Girl Security, a nonpartisan, nonprofit organization preparing girls, women, and gender minorities for careers in national security, co-hosted an event on April 27, 2021, alongside thirty or more girls and women in high school and university from across the United States and globally. Joining the Girl Security participants was an extraordinary panel of women in cybersecurity from Microsoft Security, including Amy Hogan-Burney, General Manager of the Digital Crimes Unit, Associate General Counsel, Microsoft; Vasu Jakkal, Corporate Vice President, Microsoft Security, Compliance, and Identity; Ann Johnson, Corporate Vice President of Security, Compliance, and Identity, Business Development; Edna Conway, Vice President, Chief Security and Risk Officer, Azure Microsoft Corporation; and Valecia Maclin, General Manager Engineering, Customer Security and Trust, Microsoft Corporation.
WOMEN LOVE TECH / ARE YOU REALLY WHO YOU SAY YOU ARE? By Robyn Foyster Tehani Legeay was on track towards a career as a dentist, but when her life suddenly changed course, so did her plans. A committed learner, Tehani rebuilt her skill base and today finds herself at the forefront of the fight to protect Australians against identity fraud. As General Manager of ID, Fraud and AML at leading data, analytics and technology company Equifax, Tehani is focussed on stopping sophisticated fraud rings in their tracks and allowing businesses and customers to establish that someone is who they say they are. “I look after a portfolio of fraud and identity services,” explains Tehani. “The whole purpose of that is helping Australian businesses grow safely. We do that by helping them verify identity and prevent fraud through a range of solutions. Every business is different, and they get to choose what identity verification means to them. I feel a great sense of responsibility and privilege to be able to deliver that safety to Australian businesses and really help the Australian economy.”
ACCIDENTALLY IN CODE By Cate When I talk about Diversity, Equity and Inclusion (DEI), I’m typically coming at it from an angle of systematic change. The purpose of DEI, as I see it, is to dismantle a rigged system and move to something more equitable. This is why the concept of “no politics at work” is seen as antithetical to effective DEI, because what does a person do when their entire existence has been politicised? The frustrating thing about DEI, is that often when organisations talk about DEI what they mean is the performative type of DEI. The appearance of progress, without the challenge of systematic change. The percentage points that can be shared externally, like there’s been progress, when the balance of power remains the same. The updates that start and end at the company website, and leave out the hiring process, the promotion process, and anything else that might threaten the status quo.
OVERCOMING IMPOSTER SYNDROME By Anita Ihuman Imposter syndrome is a very common phenomenon among individuals, both in the workplace and outside of it. It is characterized by self-doubt and the fear of being exposed as a fraud or as not good enough. I had my struggles with imposter syndrome, and I would love to share this experience with you. This article is a recap of how I won, failed, and experienced 2022. In this article, I will share the goals I had for 2022 and the challenges I encountered. I will share how I dealt with imposter syndrome and avoided self-sabotage. What is Imposter syndrome? Imposter syndrome is an internal psychological experience that causes individuals to think they are frauds. It often makes people unable to internalize their accomplishments and instead attribute them to other factors. It’s so common that it affects up to 70% of the population. The term was coined by clinical psychologists Dr. Pauline Clance and Dr. Suzanne Imes in 1978, but the phenomenon has been around for centuries.
5 REASONS TO CELEBRATE INTERNATIONAL WOMEN’S DAY/ INSPIRED HUMAN By Perrine Farque International Women’s Day, which takes place on 8th March each year, is an annual event that celebrates women around the globe and all the inspiring achievements women have made both historically and in today’s world. Having begun in 1910, International Women’s Day is a tribute to the amazing women who successfully campaigned for women’s rights. In addition to being a celebration of women, it is also a great opportunity to reflect on and raise awareness of issues that women have faced historically and are still facing today such as inequality in education, lack of women in decision-making positions, gender inequality, sexism, racism, navigating careers and motherhood and many more. This year’s theme for International Women’s Day is Embrace Equity. Equity can be defined as giving everyone what they need to be successful - providing equal opportunities for all - that’s very different from giving everyone the same thing to make them equal, which assumes that we all started out at the same place. Wrong! Equity is also not just a term thrown around as a ‘nice to have’, it’s a must-have and we need to shout out about that.
Source2Create Spotlight
Content Content allows you to establish, share, and strengthen your brand. It helps build relationships which is why we are shining the light on our content service. Content strategies don’t just define the goals your content is intended to achieve, but also the procedure, processes and governance required to get there. We can show you how to manage your content effectively. We can then use that content to attract, acquire and engage your customer and new prospects, deepening your relationships. What are you waiting for?
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
THE 2023 WOMEN IN SECURITY AWARDS
Don’t miss the largest security awards of the year!
12 OCTOBER: womeninsecurityawards.com.au
NEW ZEALAND WOMEN IN SECURITY AWARDS
9 NOVEMBER: womeninsecurityawards.co.nz
WANT TO BE PART OF IT? Register your interest today by contacting aby@source2create.com.au