DIVERSITY SPAWNS INNOVATION –BUT HOW CAN YOU MEASURE IT? P10
JANE FRANKLAND - FROM FREELANCE DESIGNER TO A WELL KNOWN FIGURE HEAD IN CYBERSECURITY P16
SEVEN METHODS TO USE DIVERSITY AND INCLUSION TO FUEL INNOVATION P70
Why are we letting petty rivalries compromise our work for the greater good? Growing up, I was bullied throughout my entire high school life. I wasn’t one of the ‘cool kids’, or one of the ‘rich kids’. I was more the chess buff, much too geeky, and a tough competitor on the hockey team – which did not put me in good standing with the cliques.
It took me years to overcome the backstabbing, gossiping, and purposeful exclusion. Years to find the confidence to be able to ignore the noise, and let everything wash over my head.
When I was young, I assumed adults would grow out of this sort of behaviour – and most do, becoming the amazing and supportive women in our community who I have been lucky enough to call my friends and colleagues.
These women are not threatened by each other, and go above and beyond to help others succeed. They are true role models.
That’s why it is devastating to see that in many other circles, the same bullying and attack tactics are still in play – with saboteurs who will do anything to go against everything we are trying to achieve.
This sort of behaviour crops up in the most surprising of places – even around the Australian Women in Security Awards, which I have been running for the past five years as a passion project to celebrate people’s contributions to the industry.
The awards are not, and never have been, a money making initiative – in fact, it could have ultimately been my downfall and cost me my company. Events like this take a massive amount of time and money to put together, and it was only last year – after four years of awards – that we just broke even. That’s why these awards cannot run without the support of the industry and sponsors.
In the midst of all this, I have found myself in the very same position as back in high school – encountering more bullies, backed into corners by industry ‘mean girls’, and wondering why I have become a target just for trying to elevate and applaud the amazing women and men of our industry.
You will have heard the mantra that women in security need to “see what they want to be”. These awards are meant to be a major initiative that allows the industry to motivate newcomers and veterans alike to see what they can become within this dynamic and amazing industry.
Incredibly, they also seem to have put a target on my back.
There are deceptive attacks, passive aggression, and unkindness. The bullying I receive before, during, and after the event would crush most people and cause them to give up. There are complaints about nominees, companies, finalists, winners, sponsors, judging processes, awareness, transparency.
There are complaints about who won, and who didn’t. There are whispers, gossip, and complaints to others
This issue’s theme is all about fostering innovation through diversity and inclusion, but I would like to address something that is ultimately stopping us from doing this.
Mean girls’ don’t disappear just because you finish high school
but nobody ever says anything to me personally –until I hear about it afterwards, then commit time to address the whisper campaigns and deal with the hurt.
There is a right way to raise concerns about process, and a wrong way. We have formal mechanisms for handling complaints, which are taken seriously and reviewed externally for resolution. Yet so many people feel the best way to raise concerns is character assassination in the shadows.
This ‘Regina George’ mentality has been present in one form or another during much of my 22 years in the IT security industry – for me and so many other women who are constantly having hurdles thrown in their way.
We struggle enough as women trying to push into a male dominated industry; to bring one more woman into the boardroom; to speak up and be heard during meetings; to gain confidence at conferences. We fight to add more STEM education to our sons’ and daughters’ schools, without having to deal with the ‘mean girls’ or lift ourselves up after our confidence is shattered.
And while these obstinate people comprise a small minority of the people out there, their constant harping and interference consume a disproportionate amount of time and energy that could be better spent elsewhere.
Aren’t we all here to be better to each other, and to support the greater good? If so, I’m unsure why we continue to hurl abuse at each other when we could be using that energy to work together trying to move the needle for women, non-binary and other underrepresented minorities in the industry.
The silver lining, I suppose, is that every year teaches me to become stronger, more confident, and more resilient. All of this pushes me out of my safe zone and into the unknown – where I will keep doing my damnedest to stay positive and supportive for the many amazing people in this industry who do the same.
One day, when I give this all up maybe, I might name and shame the bullies and their advocates, whose identities would surprise you. But in the meantime, I will focus on what I can control – my own actions. I will:
• Kill them with kindness
• Take the high road
• Avoid engaging
• Problem solve
• Find real and true advocates
• Support and uplift others
• Try not to take it personally
• Never stop being me
And I will never allow these negative, toxic individuals to define me. They should not have the power to affect me, or you, or anybody else. Focus on the positivity, and let the negativity of the ‘mean girls’ fall on deaf ears. We can achieve so much success if we just work together and focus on our common strengths, rather than creating problems to divide us.
No job is too big or too small.
We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY!
A W S N i s p l e a s e d t o l a u n c h t h e 2 0 2 3
A u s t r a l i a n W o m e n i n S e c u r i t y
N e t w o r k M e n t o r i n g P r o g r a m
L o o k i n g f o r w a y s t o g i v e b a c k ? W e n e e d y o u
L e a r n m o r e a t a w s n . o r g . a u / i n i t i a t i v e s / m e n t o r i n g /
Sponsored by Powered by
Three years into its state-wide Plan for Gender Equality, there are already signs the Australian state of Western Australia’s decadal plan is paying dividends.
The project’s performance metrics have shown representation of women in key industries to be up across the board, including in traditionally maledominated sectors such as firefighting. And this year’s addition of Certificate IV in Information Technology (Cyber Security) training for women will build upon the success of the state’s Try a Trade program that gives school students a taste for careers in the building industry
By launching a wide range of initiatives to improve gender diversity across key areas of training, service delivery and career development, the state program –which will be repeated throughout the decade across four different action plans – shows how effective a broad commitment to equality can be.
At least, that’s what the numbers say.
Measuring the actual innovation that diversity enables, however, requires much more than simply counting the number of women: diversity, after all, is a multifaceted issue and companies have historically faced challenges in extending its benefits across the entire business.
It’s a challenge of which Roozan Zarifan, chief information officer with the Los Angeles County Department of Human Resources, was well aware when the county – the most populous in the United States, and the single largest employer in southern California – undertook a major data analytics project to improve the efficiency of hiring practices, of which ensuring diversity had long been a key goal.
Zarifan told the Data+AI Summit 2022 those practices were showing signs of strain. With nearly 353,000 job applications received for the more than 13,000 positions filled during the 2018/2019 fiscal year alone,
it was taking an average of 327 days for applicants to secure their jobs, she said.
Working with Accenture, county data specialists began digging into applicants’ details and conducting high-level data analysis to produce quarterly hiring-related metrics that were fed back to the board of directors.
The project was also envisioned as a key tool to track the county’s progress towards diversity objectives by creating executive dashboards that would improve understanding of the broad spectrum of demographic, gender, cultural, educational, skills and other characteristics of the more than 100,000 workers holding roles across more than 1200 job classifications within its workforce.
“Hiring is a complex activity with many complicated factors,” Zarifan explained, “from the type of examination to number of exam hurdles, to job classifications and much more.”
“The business wanted to know which sourcing channel brought the best eligible candidates, and we wanted to gain insights about the candidates so that we can continue to attract and retain a diverse, talented workforce.”
After two months of data modelling and a five-month implementation, she said, “we’re able to see how efficient we are at each step of the process, where the candidates are coming from, which source yields the best candidates, and where we’re actually losing candidates.”
The dashboards also maintain the results of regular satisfaction surveys through which hiring managers and hired candidates can air their concerns or make suggestions about the work environment, diversity issues, or anything else that concerns them.
“Understanding or identifying hiring trends is pivotal to developing a hiring strategy,” she said, “and we now have access to this wealth of information through these dashboards.”
Quantifying people’s intrinsic attributes is always a fraught process, but as ever more progressive diversity, equity and inclusion (DEI) initiatives tie diversity to conventional business metrics it has become a necessary challenge – if only so that the progress of diversity initiatives can be correlated with other business metrics like profit and productivity and, by extension, the less tangible metrics of innovation.
Yet, in large organisations focused on keeping the wheels turning, tracking gender diversity can be extremely complex – and difficult to correlate with innovation metrics.
Efforts to normalise this process have increasingly borne fruit, with the Washington DC-based Aspen Institute’s Tech Accountability Coalition (TAC) recently launching a comprehensive framework for defining, collecting and reporting on the performance of DEI initiatives.
Designed with input from over 100 tech leaders, experts and community advocates, the Institute’s new Equity Framework lays out a shared set of standards for businesses that Aspen Digital calls “a practical roadmap for industry-wide improvement [built on] common sense standards for how the industry defines terms, collects data and
shares progress.”
“It’s about making sure that businesses and organisations recognise that by not being entirely inclusive – by being representative but not necessarily inclusive – their products are going to be weaker, their bottom line will be weaker, and their leadership will be weaker as a result of it. This is just about sound business decisions."
- CIO consultant Claire Priestley
The framework is structured to facilitate annual reports with actionable recommendations. It outlines five key actions for diversity advocates and business leaders to implement by July 1 – including establishing shared definitions, aligning equity standards for data collection, sharing anonymised aggregate data for benchmarking, determining opportunities for collective action, and shaping the TAC’s long-term vision and structure.
Data to be collected will include gender identity and racial representation of job applicants, interviews, hires, promotions, attrition, executive leadership, middle management, entry-level, and internship levels. 2022 workforce data will be used as the baseline.
Participating companies will also be expected to monitor the gender and racial makeup of tech, nontech, retail and manufacturing roles as well as fulltime, part-time and contingent workers.
Optional additional metrics may track individuals’ traits such as disability status, sexual orientation, gender identity, caregiver status, veteran status, socio-economic status and religion. Business metrics may also be tracked. These could be: the percentage of executives and managers with personal DEI objectives; supplier diversity; intern candidate diversity and conversion rate; product inclusion; and progression data around performance evaluation, compensation decisions, time to promotion, and succession planning.
In laying out a vocabulary for standardising the collection and reporting of demographic data, the TAC Equity Framework promises a standardised way of tying recruitment, employment and other metrics to DEI initiatives – enabling companies to track the actual performance of their DEI initiatives and tweak them to address lingering inequities.
By all accounts the persistence of those inequities continues to compromise companies’ ability to turn diversity into innovation, but many businesses do not fully understand the magnitude of their problems until they have a way to measure them.
The need for better metrics around gender diversity was a key recommendation of a recent RMIT University-Australian Women in Security Network (AWSN) collaborative report that found just 17 percent of Australia’s cybersecurity workers to be women. It suggested a range of remedies for businesses to lift women’s participation.
Many of the report’s 40 recommendations relate to measurable performance metrics. These included: conducting an internal gender pay gap audit to ensure equitable salary and benefits; collecting and analysing data on gender equity, diversity and inclusion; benchmarking the effectiveness of specific initiatives; including gender equity outcomes in the KPIs of executives and managers; and more.
Ultimately, it is hoped better monitoring of DEI initiatives will help businesses structure their operations to maximise innovation.
Getting to this point has historically proven difficult, but worthwhile. A recent Notre Dame University-NYUMichigan State University-Northwestern University meta analysis of more than 6.6 million published papers found that mixed-gender teams produce more novel and innovative work than single-gender teams.
The key to realising these benefits, notes UK-based CIO consultant Claire Priestley – former chief digital and information officer with the Royal Borough of Kensington and Chelsea in London, and founder of diversity advocacy group CIO +1 – is to recognise the importance of “intersectionality and inclusion”.
“To me, that’s what it’s all about,” she said during a recent International Women’s Day event. “It’s about representation. It’s about inclusion.”
“It’s about making sure that businesses and organisations recognise that by not being entirely inclusive – by being representative but not necessarily inclusive – their products are going to be weaker, their bottom line will be weaker, and their leadership will be weaker as a result of it. This is just about sound business decisions.”
Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities. This regular column will explore various aspects of cybercrime in an easy-to-understand manner to help everyone become more cyber safe.
Social media users beware!
When a criminal wants information or access to an organisation but cannot infiltrate employees’ or the organisation’s systems directly they will find another way in. There is a criminal campaign targeting employees of governments, critical infrastructure organisations, manufacturers and defence industry players via their employees’ personal social media accounts.
Malware nicknamed Sys01Stealer is being distributed via social media account posts and comments such as those on YouTube, Facebook, Instagram, Twitter, Google adverts, and social media direct messages. It has been active since at least November 2022 it is still very much in use.
Sys01Stealer infected adverts, comments, posts and messages are targeted to specific individuals the criminals have used open source intelligence (OSINT) to identify as being attached to, or associated with, their targets.
Once on an employee’s computer the malware exfiltrates information such as credentials, browser cookies and any sensitive information associated with the person that will help the criminals gain access to the agency they are targeting.
To stay safe from this campaign:
• Be cautious what you share online about your place of work, role, security clearances and associates.
• Do not respond to unsolicited messages or comments from people you do not know.
• Double check any direct message that appears to be from a friend to make sure they sent it.
• Do not click links or download applications from social media posts.
• Use a reputable up to date anti-virus solution where appropriate.
• Stay vigilant.
www.linkedin.com/in/amandajane1
www.demystifycyber.com.au
Jane Frankland
Award-Winning Cybersecurity Leader
It would be fascinating to know exactly how Jane Frankland went from being a freelance designer in the UK—and a nominated Young British Designer who sold her designs and paintings around the world—to become the author of a bestselling book, IN Security, and, in her words “a well-known figure in cybersecurity, travelling the world, speaking, writing and being a voice for the voiceless through the IN Security Movement.”
She offers two answers: “James Bond” and divine intervention! It was James Bond, she says, first piqued her interest in cybersecurity.
“I knew I wanted my own business from being a young child, but I never thought I’d end up doing what I do. Having graduated in art and design, and with a focus on fashion, I never thought I’d end up working in technology, specifically cybersecurity.”
Her entry in the industry was through Corsaire, a business that started in her home in 1997 and grew into a global penetration testing and cybersecurity consultancy sold to Mettlesome Holdings in July 2012. Starting Corsaire, she says, was intentional. “I knew exactly what I wanted to achieve and by when. Growing and
selling it though was down to divine intervention. The journey I’ve had with KnewStart has been very different though.”
KnewStart is Frankland’s London-based consultancy that provides advisory, brand elevation, and women leadership services.
As to other career influences, Frankland invokes the translation of an old Yiddish proverb, “Mann Tracht, Un Gott Lacht.” It translates as “man plans, and God laughs.”
Frankland explains, “As ‘man plans, and God laughs’ I’ve always found I’ve been steered by God, source, my higher self, intuition, in the direction I’m supposed to go in and my roles have developed in ways I never would have imagined.”
In addition to being the CEO and owner of KnewStart, Frankland also runs The Source Platform for women in cyber, which she founded in 2021 to make women in cybersecurity the standard not the exception. It exists to help women and businesses who value them and offers career development and talent acquisition services.
However it is none of these entrepreneurial endeavours that Frankland cites as the biggest influence on her cybersecurity career but the writing of her book, IN Security, published in 2017. From that came her IN Security movement. “It’s where I use my leadership and influencer skills to act as a voice for the voiceless, campaign for change, research and offer scholarships,” she says. There is an IN Security Tribe manifesto
“Never in my wildest dreams would I have imagined I’d become a well-known figure in cybersecurity, travelling the world, speaking, writing and being a voice for the voiceless through the IN Security Movement. I’m humbled by the effect the book and the movement have had on so many people in the world, especially at a time when so many women have felt alone in cybersecurity.
“I love the people aspect of my role and anything that enables me to impact a person positively. That could be solving a problem for them and taking away some workplace pain. It could be inspiring someone when I’m speaking at an event, mentoring, coaching and training individuals or groups so they develop skills and advance in their career.”
In addition to her roles at IN Security, The Source and KnewStart, Frankland’s LinkedIn profile lists no fewer than six roles as current. So it is hardly surprising she cites time management as a massive consideration when trying to maintain a good work/life balance.
“Making time for daily activities outside of work like walking my dog, high intensity training, journaling, meditating, reading, and then having monthly Reiki, regular catch ups with friends and family and occasional trips to the theatre, horse riding and swimming help me stay energised and motivated, as well as reducing stress.
“Planning ahead and making prioritised lists help me manage my workload more efficiently and set aside time to relax. Additionally, clear communication with my team, family and friends makes all the difference in striking the right balance between work and life.”
And working on her work/life balance has spawned yet another Frankland project. “I’ve actually developed a methodology for this,” she says. “It’s called IN Focus and anyone can get it now (from my website). It helps you focus amidst so much distraction and build the habits, rituals and behaviours you want at work and at home, so you can achieve better work-life integration, health and joy.
“I start by looking back - daily, monthly, quarterly, bi-annually and yearly, and I document as much data as I can so I can pull out the wisdom. By looking at eleven areas of my life, it gives me a truer, more accurate, whole picture of what’s gone on and what to expect going forward. Reflection is key for setting meaningful goals and managing work life balance.”
And of course, with her many cybersecurity roles, staying current is yet another demand on her time. “Reading is my main way to stay up to date on the latest cyber threats and trends, as well as best practices for security solution,” she says.
“I’ll read blogs, news sources, and books. In addition to reading, I’ll watch videos on YouTube and listen to podcasts and speakers when I attend conferences. I also get a lot from talking to people in my network. By taking advantage of different content sources I find I can gain a more holistic understanding of the landscape and stay ahead of the curve.”
“I knew I wanted my own business from being a young child, but I never thought I’d end up doing what I do. Having graduated in art and design, and with a focus on fashion, I never thought I’d end up working in technology, specifically cybersecurity.”
However, for any aspiring cybersecurity professional learning about cyber as a priority is not what Frankland advises. Rather she would tell someone to study the social sciences at university, such as anthropology, economics, geography, history, law, linguistics, politics, archaeology, psychology, and sociology.
“By diving into the complexities of these subjects, you can gain a better understanding of the world around you and how our interactions shape our individual and collective experiences. I see it as being very relevant in cybersecurity, especially in regard to the human aspect, and governance risk and compliance (GRC).
“Studying these opens a world of fascinating insights into how humans interact with each other and their environment. With an interdisciplinary approach you can explore topics such as culture, communication, cognition, behaviour, learning and development from different perspectives.”
And, in her experience, people transitioning into cyber with different backgrounds and experiences have become valuable assets for the industry. “Just like I did, they bring with them new perspectives, skills and experience which can help fill the gaps in current cyber capabilities. By bringing diversity of thought to cybersecurity they can provide fresh ideas and solutions, helping more organisations to meet the ever-evolving cyber threats they face.”
www.linkedin.com/in/janefrankland
jane-frankland.com
www.instagram.com/janefrankland
twitter.com/janefrankland
www.youtube.com/janefranklandtv
The September 11, 2001 attack on the World Trade Centre changed the world of aviation security operations, and the lives of many individuals. For a number of professionals those changes were very impactful in terms of career trajectory.. When the aircraft hit the Twin Towers Christina Rose was working as a project officer on the Sydney Air Noise Amelioration Program in the Aviation Division of the Department of Transport & Regional Services, and was immediately drafted into a role managing Australia’s response to the impact on aviation operations.
She was made acting assistant director of a fourperson War Risk Indemnity Taskforce charged with ensuring Australia’s aviation industry continued to operate when the global aviation re-insurance industry collapsed in the wake of 9/11.
Following these immediate responses to 9/11
Christina was asked to join the Aviation Security Branch in the Department of Transport & Regional Services. “I had the responsibility of leading within this portfolio, firstly on the Air Security Officer
Program, secondly the work around retrofitting every aircraft with sixty seats or more operating within Australian airspace with hardened cockpit doors, and thirdly working in consultation with industry on the development over four years, of the Certificate ll in Aviation Transport Protection.”
She adds: “Each project contributed to the paradigm shift towards the creation of a safer, layered and more robust aviation security regime which has since prevented a number of incidents here and overseas.”
Christina says 9/11 was “the catalyst for the uplift of global aviation security measures and cooperation” and “led me down the path of championing the requirements for enhanced aviation security measures through partnering with industry here and the International Civil Aviation Organization internationally.”
Christina has been at the heart of aviation security ever since, initially with the Australian Government, then with private security company Certis (formerly SNP Security) between April 2018 and January 2022
Christina Rose
as ACT Aviation Security Manager responsible for security outcomes at Canberra Airport and Albury Airport. Today, she is Manager, Security Operations & Advisory with the Qantas Group.
Christina says she gained a sound understanding of the global framework set by the International Civil Aviation Organization while working for the Australian Government regulator before moving into the private sector where she has been able to operationalise this knowledge to benefit the teams she has worked with.
The industry Christina serves has, arguably, conquered the tyranny of distance, but for her the opposite is true. “The most challenging aspect of my current role requires continual recognition of the needs of key stakeholders working at our international ports in that they deserve almost a higher degree of attention our people here in Australia are used to given variances in the regulatory environments in which they work.” she says.
Global travel has its benefits and Christina says the most rewarding aspect of her role today is “Meeting interesting and skilled people with the same view of excellence in this field.”
On any day she “may be overseas working with government regulators and colleagues, attending an airport security or airline safety committee somewhere in Australia or overseeing my Duty Security Controller team’s triaging of critical security incidents affecting airline staff and passengers.”
Her advice to anyone aspiring to a similar role would be to work in various roles in industry and if possible, study law, management, policing and/or education at university with the view to “Thinking about the knowledge you will gain, the people you will meet and the places it can take you.”
For further progress she says, “industry experience and relationship management and emotional intelligence coupled with a working knowledge of global and respective domestic/country-specific legislative/compliance frameworks are mandatory to ensure an effective contribution to this sector.”
www.linkedin.com/in/christina-rose-b5597b31
We have told some remarkable stories in WSM of women’s personal journeys in cybersecurity, from initial roles very far removed from cybersecurity or anything close to it. There was Marie Patane, teenage make-up worker and aspiring police officer who is now CSO of Sydney Metro (WSM No5, p20), but it would be hard to beat the journey of Sandra Agobian, a Syrian refugee who abandoned her multinational antiques business, arrived in Australia in 2017 speaking no English and now holds a cybersecurity analyst internship at nbn after gaining two highly competitive digital and cybersecurity training positions.
Agobian, a native of Syria, commenced her career at the age of 18 as an antique dealer. Later on, she established her own enterprise, a Handmade Crafts & Antiques Shop. This business was highly prosperous and gained a prominent position in the design markets of Syria, Lebanon, and Kuwait. With a workforce of over 40 employees, the company was regarded as a top-performing and distinctive establishment.
When the war began in Syria, she lost everything and came to Australia on a humanitarian visa. “I learned
English from scratch, met many people, engaged in the community as much as possible, and learned to understand the Aussie slang,” she says.
Australia gave her the opportunity to fulfil her childhood dream: studying. She started in TAFE, moved on to take a foundation course at Melbourne University and earned a place at Deakin University studying for a law degree.
During her studies, she volunteered at the Red Cross as an emergency responder and worked in various jobs, not all glamourous! while continuously searching and applying for better opportunities. Finally, she was accepted into the Victorian Government’s Digital Jobs program which gave her 12 weeks of free training in an industry-backed digital course of her choosing. She chose to study cybersecurity at CyberCx.
“As I learned more about computer systems and networks, I became increasingly fascinated by how they could be safeguarded against cyber threats” she says. “To deepen my understanding of the field, I started reading articles and attending talks on cybersecurity topics. My interest grew even further as I learned about the real-world impact of cyber attacks on individuals and organisations.”
Sandra AgobianFollowing this, and through another competitive process, Agobian was selected for a 12-week internship at nbn where she was able to apply her new-found knowledge and skills in a realworld setting and contribute to the organisation’s efforts to safeguard against cyber threats. “The interview process at nbn was unique and made me feel comfortable,” she recalls. “Rather than being treated like a generic employee, I was valued as a unique person with a history and life experience.”
Thanks to her exemplary performance that internship was extended for a further six months. “This extension provided me with an opportunity to further develop my skills and knowledge and cement my passion for the field of cybersecurity,” she says. “I continued to gain valuable experience in the cybersecurity field and contribute to the organisation’s efforts to ensure the safety and security of its systems and networks.”
Agobian has seen others transition into cyber from quite different roles and says, in her experience, the key to a successful transition is a willingness to learn and a passion for the field. “While technical skills and knowledge are important, it is also essential to have a strong understanding of the cybersecurity landscape and the threats facing organisations.
“Some people may choose to gain additional qualifications or certifications to help with the transition, but I have also seen others successfully transition through on-the-job training and mentorship programs.”
She finds staying up to date with the ever-evolving tactics and techniques used by cybercriminals to be the most challenging aspect of her role. “The threat landscape is constantly evolving, and it requires me to stay informed about the latest trends and vulnerabilities. Additionally, analysing and interpreting large amounts of data and logs can be a complex and time-consuming process, requiring a high level of attention to detail and analytical skills.”
It is clear Agobian is only at the start of what is likely to be a stellar career in cybersecurity, and when looking for a role, she says remuneration will well down her priority list.
“First and foremost I would want to ensure the company culture and values align with my own. It’s essential to work for a company that fosters a positive work environment and shares my personal values.
“The scope of the role and opportunities for growth and development are also important considerations. I would want to ensure the role offers opportunities for me to learn new skills and take on new challenges that will help me progress in my career.”
More important than salary is location. “I would consider the commute and potential relocation because it may impact my work-life balance. It’s important to find a balance that works for me and allows me to maintain a healthy work-life balance.
“Lastly, while remuneration is important, it should not be the only factor to consider. I would also evaluate the entire remuneration package, including salary, benefits and potential bonuses to ensure it aligns with my expectations and the overall value of the role.”
With initial training and cybersecurity work experience under her belt, Agobian says she is looking to gain the Certified Ethical Hacker (CEH)
“This certification covers topics related to ethical hacking and cybersecurity, including footprinting and reconnaissance, network scanning, system hacking, malware, social engineering, denial-of-service attacks, session hijacking, web application hacking, wireless network hacking, and evasion techniques. CEH training is typically hands-on and includes simulations to provide practical experience.
It is widely recognized in the industry and would demonstrate my expertise and commitment to the field.
“Additionally, I am interested in gaining specialized certifications in areas such as cloud security. These certifications would allow me to develop expertise in specific areas of cybersecurity and would be particularly useful in a role where I am focused on specific security threats or technologies.
“I believe ongoing education and certifications are essential for anyone working in the constantly evolving field of cybersecurity, and I am committed to pursuing additional qualifications to advance my knowledge and skills.”
Agobian says she has been influenced and inspired on her cybersecurity journey by both high-profile women and colleagues, in particular Clare O’Neil, Minister for Home Affairs and Minister for Cyber Security in the Australian Government, and Parisa Tabriz, the vice president and general manager at Google, responsible for the Chrome Browser, and ‘Google Security Princess’.
“These women have not only achieved great success in their own careers, but they have also helped to pave the way for other women to follow in their footsteps.”
Closer to home, “Shannon Gibb’s passion for cybersecurity has been contagious, and Johanna Williamson’s unwavering support have been invaluable. I have also learned a lot from my internship colleagues, Kate Daie, Mousumi Mitu, Shahnaz Ali, Alison Huang, and how we work together as a team with a shared passion for cybersecurity.
“The support and guidance of my managers, Paul Mcdonogh and Toby Nel have been instrumental in my professional development. They have provided
me with opportunities to learn and grow in different areas of cybersecurity, and I am grateful for their encouragement and guidance.
“Finally, the management team at nbn, particularly Ant Cohen [Head Of Security Influence And Customer Solutions] and Simon Lee-Steere - Deputy Chief Security Officer - have created a culture of respect, inclusivity and support in the workplace that has made me feel comfortable and valued. Despite his high position, Darren Kane, the Chief Security Officer, is remarkably humble, and I know that I can always turn to my managers or colleagues for support and guidance.”
In general Agobian has found the growing number of initiatives aimed at encouraging more women to pursue careers in cybersecurity, such as mentorship programs, networking events and conferences, helping to create a more supportive and welcoming environment for women in cybersecurity that has helped her on her journey.
“Overall, I believe the growing recognition of the importance of diversity and inclusivity in cybersecurity is a positive development, and I hope that more women will be encouraged to pursue careers in this exciting and rapidly evolving field.”
Agobian wishes she had taken up cybersecurity earlier. She would tell her last-year-at-school self to pursue it with passion. “Start exploring the field as soon as possible, take advantage of every opportunity to learn about cybersecurity, whether it be through attending events, reading articles, or taking online courses.”
And she has not lost her passion for antiques, listing her leisure activities as “swimming, trying new foods, tasting wine, watching football and finding good deals on collecting antiques.”
www.linkedin.com/in/sandra-agobian
Simona is a strategic leader with extensive experience in how technology enables the customer experience and facilitates the growth of business value. Enabled by her 23-year career in Technology, exploring all facets of technology and security, Simona has a wealth of expertise across the Information Management and Technology sector and has a diverse background in both corporate and government settings. Over the last 23 years, Simona has provided top-notch Technology and Cyber strategies in the Banking, Insurance, Aviation, Energy and State and Local Government sectors.
She has a proven track record of driving the successful delivery of large-scale transformation programs. As the CIO, during the height of the COVID pandemic, Simona achieved a 2-year digital transformation program in six weeks.
With specialties in building and delivering Technology Strategies, Cyber Security, Portfolio Management Offices, Service Management, Portfolio Delivery, Digital Operating Models and bringing Agility to practice, Simona has led IT evolution across toptier brands within the Finance, Aviation, Energy and Government industries.
Simona is a strategic thinker with a passion for what she does, leading from the front, engaging and energising strategic partners and stakeholders as well as the wider business in supporting high impact, dynamic solutions to deliver business value.
She has a passion for continuous improvement and empowering businesses and individuals to reach their full potential, encouraging innovative thinking enabling best practice through the use of technology.
Simona Dimovski graduated from the University of Technology Sydney with a Bachelor of Applied Science in Information Studies, Information Technology and Information Science in 1999.
Today she is Head of Security and Technology at Helia (until recently Genworth Mortgage Insurance Australia) an ASX-listed provider of mortgage insurance to lenders. She describes her role as the latest stage in a career journey that has taken her into ever more security-focussed roles.
“Since the start of my career, and even before that, I have always been interested in information and protecting our digital and physical assets. I have spent the last 23 years working in technology, working across almost all the technology functions. Throughout all my roles, and especially as I progressed my career, it became imperative for
Simona Dimovskime to be become more immersed and extend my experience in cybersecurity,” she says.
“I have always had a passion for technology and information and have had a deep understanding of the importance of protecting our digital assets and infrastructure from cyber threats such as hacking, malware, and phishing attacks. I have found it intellectually stimulating to stay ahead of everevolving threats, or have the opportunity to work on cutting-edge technology.
“I believe technology exists to enable the business and individuals to do their best work in the most secure way and with minimal frustration. So security has always been integral to my approach, and a major consideration and design feature in anything that I have done throughout my career.”
Dimovski describes here move into cybersecurity as being organic. “It was facilitated by my deep understanding of the congruence between security, technology, processes and people. My interest in cyber and information was present from the beginning of my career, and it grew naturally the more involved I became in running technology departments. From there the pivot was necessary, and luckily for me cyber is something I am very passionate about.”
Dimovski says her wide experience in other areas of technology benefits her current role in cybersecurity. “I have had varied career across all sections of technology, and I can add a lot of value in this space by linking my past experience in strategy, transformation, delivery, leadership and technology management.
“Cybersecurity is a challenging field that requires creative problem-solving skills. I enjoy the opportunity to tackle new challenges and develop innovative solutions to protect the organisation, and to do this I constantly need to keep up to date with the latest information and also the best methods to use when needed, such as when managing complex risks, or when managing an incident.
“I find it rewarding to know that my work is making a difference in protecting the organisation and the individuals I serve. I have the opportunity to develop and implement security strategies that can prevent or minimise damage from cyber attacks. I lead and work with some of the most exceptional people in the business. It is energising and empowering to be surrounded by people who believe in you, value your input and make you want to be a better person and a better leader.”
Any cybersecurity role can make significant demands on the holder’s time and energy, leading to burnout, and Dimovski admits to having come close to this. A few years ago she was “so obsessed with the neverending to-do list, and the work that needed to be done, that I almost burned myself out.
“I am very mindful now when I see the signs. I recalibrate and take time to be still and check in with myself and what’s most important to me. Recently I have introduced non-negotiable daily time for my mental and physical wellbeing. Regardless of the day, I try to make time for some physical activity and quiet time, each day, even if it is for only 10 minutes a day.
“Being in cyber is very demanding, because of the ever-changing landscape of threats and vulnerabilities. It’s an area where you always must be on. It’s not a job that you can leave when you ‘clock off’. This can be somewhat of a juggle with other priorities.”
Nor is life likely to get any easier for people in roles like Dimovski’s. increasingly sophisticated ransomware, use of AI and machine learning by attackers, increased targeting of critical infrastructure are often-cited significant developments in the threat landscape. To this list Dimovski adds supply chain security.
“As more organisations rely on third-party vendors and suppliers for critical services, the security of the supply chain becomes increasingly important. It’s likely we will see more emphasis on supply
chain security in the coming years, including greater scrutiny of vendor security practices and more widespread use of supply chain risk management frameworks.”
This of course will greatly broaden the scope of cybersecurity roles: not only will they need to ensure the security of their own systems, they will need to pay attention to their own security, but to that of all players in their supply chains.
Adding to the demands of Dimovski’s day job are those stemming from volunteering in cybersecurity organisations. She is a member of several associations and committees, holding roles that require her to participate, organise events, chair and moderate panels, share her experiences and provide a positive role model for young people interested in a cybersecurity career.
These roles span: the Australian Information Security Association (AISA) where she is a member of the NSW Committee; the NSW Government association, Cyber NSW, where she is a Cyber Ambassador; the Australian Women in Cyber Network (AWCN) where she is a mentor; and Mindful CIO where she is an Ambassador.
“I get a lot from these associations,” Dimovski says. “I have the opportunity to connect with like-minded people, to learn from their experiences, to seek support and share ideas. It’s very rewarding all around.
“Ninety-nine per cent of the time my involvement with these associations is after office hours. This is a source of personal satisfaction and a sense of
passing forward my learnings so others don’t have to learn the hard way.”
Simona is a strong advocate, ambassador and Coach for Women in Cyber and Technology. She has been spreading the message to enable more women to enter and remain in the Tech and Cyber roles. “We all have a part to play in levelling the playing field in technology and cyber. When I reflect on my career and my progression the success has come from a strong inner belief and the mentorship of managers who dedicated their time and effort to develop my strengths and provide networking opportunities to improve my connections. I am now paying it forward. Here are my three actionable insights, the small things everyone can do to start the ripple effect:
• Assume responsibility for writing a brighter future. Start by being accountable for the shifts in culture we need to make. Add the gender diversity conversation to your weekly meetings.
• Start a diversity committee in your workplace. And if there is one in place, get involved Have a conversation about what you can practically do to make positive changes.
• Mentor and role model behaviour and expectations. Identify successful women in leadership and use them as role models.
Simona is passionate about helping businesses and individuals succeed. She shares her expertise with via personalised coaching or business advisory services. If you would like to know more about or to get advice in the form of a coach or mentor, you can reach Simona via LinkedIn.
“I help organisations and individuals to achieve their goals” Simona
www.linkedin.com/in/simona-dimovski-100
On 14 May 2021 the Health Service Executive (HSE) of Ireland suffered a major ransomware attack which caused all its IT systems nationwide to be shut down. According to Wikipedia, it was, at the time, the most significant cybercrime attack on an Irish state agency and the largest known attack against a health service computer system.
It was also a highly significant event in the cybersecurity career of Elaine McConnell. Hardly surprising: she was at the time, and still is, the Dublinbased Manager of Security Operations, Engineering & Administration for Insurance company Canada Life (formerly Great West Life Europe).
She says the attack “made cybersecurity relevant to all the people in Ireland making it easy to articulate issues and impact as this attack impacted the complete Irish health service for a period of time.”
Elaine came to cybersecurity after over a decade in software development roles and it was discovering the vulnerabilities in her own code that led her, eventually, to a career in cybersecurity.
“When I began developing internet facing applications my code was exposed externally and it highlighted the
need to protect against external attacks,” she says. “Using static analysis on my source code highlighted security vulnerabilities that made my applications susceptible to attack. This piqued my interest and I wanted to educate others within my organisation about shifting security left in application development, saving time and money.”
She volunteered her own internet-facing financial application code for a proof-of-concept exercise to introduce static application security testing (SAST) into the software development life cycle (SDLC) for the European subsidiaries of her employer at the time. On completion of that exercise the organisation advertised for its first application security architect. Elaine applied and was accepted, becoming the first female software architect in the company’s European operations.
“After fifteen years in application development I felt it was a good time to transition my career into the cyber arena,” she says. A significant influence on this journey was her first cybersecurity manager and CISO who “made security relevant and interesting to me.”
In that initial cybersecurity role Elaine embedded processes in her organisation to enable other application developers to see the benefits of building security into application development and deployment. She worked with application teams across Europe embedding SAST scanning into the SDLC for all internet-facing applications. When that had been completed she progressed to dynamic application security testing and penetration testing and on to her current role.
Elaine McConnell
“I promoted secure code development in my organisation and assisted the application development teams to achieve compliance with our organisational standards. I promoted secure code training and rolled out annual suggested training to all internet application developers. Once the coding processes were embedded I moved on to other security tools to protect applications: Web application firewall, etc.
“Then an executive manager position became available to manage our central security team. This was to manage all the security tools in the organisation – not just the tools related to application security. I was successful in my application, and this is the position I currently hold.”
She describes her role as being very operational, with responsibility for teams operating the tooling that protects the organisation’s endpoints, network and identities.
“As a manager of these teams I rely on metrics to ensure the tools are operating to their best ability. Metrics for me are a key indicator of how my teams and tools are operating efficiently, Elaine says. “These metrics are a mixture of KPIs and KRIs and dashboards to monitor performance and SLAs within my team. The volume of information that is propagating in my teams is not sustainable for me to be close to the detail but with relevant metrics I can focus on the areas that require most attention to delve into.”
Elaine never studied cybersecurity at university, but since her career transition has made a point of gaining multiple relevant certifications. She cites keeping her skills current as one of her biggest challenges, along with maintaining consistent awareness of emerging threats and the measures needed to protect her organisation from these threats.
“When I embarked on my career I decided to achieve Certified Information Systems Security Professional (CISSP) from ISC². This gave me a good baseline for
my security knowledge. I then achieved my Ec-Council Certified Ethical Hacker (CEH) certification to tie together the security and application security.
“I understood the importance of bringing together the security management perspective, so I undertook my ISACA Certified Information Security Manager (CISM). And risk and security are closely coupled so I also achieved my ISACA Certified Risk and Information Security Control (CRISC) and my International Cyber Threat Task Force (ICTTF) Certified Cyber Risk Officer (CCRO). Wherever my role takes me I will try to ensure that I back up my knowledge with the relevant qualifications.”
It is hardly surprising with such a list of certifications that Elaine says she trains constantly and attends conferences and seminars. “It is mandatory to undertake continuous professional education in order to maintain my current security certifications. This gives me the motivation to complete and track keeping abreast of latest trends. I also listen to webinars, podcasts, audiobooks etc on topics of interest me: not only in cybersecurity but also in leadership and in particular women leadership.”
Like all leaders in cybersecurity, Elaine faces staffing challenges, in particular finding people with expertise in cloud computing and risk.
“Organisations are moving to the cloud and leveraging cloud solutions and finding staff with the required skillset to deploy and monitor these solutions in a secure manner is proving difficult.”
The shortage of people with skills in risk management, Elaine says, is exacerbated by regulatory and privacy legislation that has become complicated, costly and difficult to maintain compliance with. “There is an increasing need for cyber regulatory compliance and compliance to evolving regulations. Finding staff with the required skills in this area is proving difficult also.”
She says the COVID-induced increase in remote working has not helped. “The ability for a lot of roles
to be conducted 100 percent remotely has opened up the employee market more than ever before. The attrition rate in my teams in 2022 was higher than ever before. Staff can take up roles in locations they never have to attend. This is a benefit a lot of organisations are offering, but does not fit with the hybrid model in my organisation.”
And she says it is also a challenge to get staff to attend training and upskill where required, which in turn creates another challenge: better trained staff become more attractive to other employers.
Her message for anyone attracted by this skills shortage is that cyber skills are not a prerequisite. “I personally feel you have to have an interest in cybersecurity. Listen to podcasts, check out webinars see if the topic interests you and if you have the basics: you enjoy a challenge, you have natural problem-solving skills, you want to constantly evolve your skillset, you are good at collaboration and critical thinking, make the transition just as I did. It will open up a world of opportunity.
“Global cybercrime has increased significantly in recent years and continues to grow annually. If you are looking to secure a position on the front line protecting an organisation, then cyber is the right position for you. The skills shortage is increasing salaries and the constantly evolving landscape gives you the opportunity to continually grow your knowledge and progress your career.”
There are plenty of other challenges. Elaine identifies supply chain attacks, the Internet of Things (IoT) and artificial intelligence as the biggest.
“The reliance organisations have on their supply chain means that organisations not only need to monitor their own security they also need to ensure the security of the companies they do business with” she says. “And we are becoming more and more reliant annually on IoT devices in our personal lives and they are coming part of the majority of activities in our daily lives. The connectivity of these systems directly impacts the vulnerabilities we are exposed to.”
AI, however, presents both a threat and an opportunity. “Advancements in artificial intelligence will enable it to predict new attacks and data breaches and assist in the protection of organisations,” Elaine says. “However, it also encourages innovation in cybercrime. Attackers no longer need to be skilled individuals. There are tools now available to assist less skilled individuals to perform attacks.”
With all her challenges and responsibilities it is hardly surprising Elaine struggles to maintain a good work/ life balance.
“I have to constantly monitor my work life balance,” she says. “There are times when my position expects me to go the extra mile for the needs of the organisation. However I need to monitor my balance constantly to make sure the scales are not tipping in the wrong direction.
To achieve this she undertakes daily, weekly and annual planning and measurement against set goals, and makes sure she gets ‘me time’. “I work better when I have achieved my fitness goals and allocate time for friends, family and fun things to do. This results in a happier, healthier life.”
However, “There are always times when a curve ball is thrown in and then I need to reassess and prioritise. Plans may need to be adjusted to deal with shifting priorities.”
www.linkedin.com/in/elaine-mcconnell-cissp-cism-criscceh-86712a90
Kirsten Chapman was born to be an engineer. “My parents were always telling me how, as a child, I’d come up with out-of-the-box ideas for problems we had as a family, and they’d look at me and go, ‘wow, I never thought of that’,” she recalls. Her natural curiosity made her question how the machines around her worked, what made them move and, eventually, how she could become the one making them.
Today, Chapman is the lead engineer for Gallagher Security, a global company providing integrated access control, intruder alarms management and perimeter protection. She leads a team of engineers in the production of security hardware. Her journey from curious toddler to lead engineer was paved with hands-on experience, a lofty dream and some significant figures who encouraged her along the way. The first of these were in her home.
“My dad was a fitter and turner,” she says. “As a kid, I used to follow him to work and put my fingers into things that I shouldn’t and ask, what does this do? And how do I do that?”
Her family-oriented upbringing also gave Chapman the chance to observe her uncle working in his job at a plastics manufacturing company. “On the weekends, I’d be there when my uncle would be doing work, and I’d be running around watching these machines do their thing. It probably wasn’t the safest thing, but the experience inspired me.”
That early exposure sparked Chapman’s interest in manufacturing, but it was a Gallagher site tour that cemented her decision to pursue a career in engineering.
“Growing up in Hamilton [New Zealand], I knew their big glass building. Then, when I was 13, I signed up for an electronics course. In one of our first classes my teacher told us about an upcoming Gallagher site tour and described all the facilities and how high-tech it was, and I remember thinking, wouldn’t it be cool if I could work in a place like that one day? And that’s kind of what started my journey.”
She took her first step by enrolling in the electronic engineering program at the University of Waikato,
Kirsten Chapmanbut her most significant step came in her second year there when she unexpectedly found herself at Gallagher’s glass door again.
“When it came time to start applying for work placements, one of the university’s workplace coordinators said, ‘I’ve submitted your name to Gallagher, we’ll see how it goes.’ I was shocked, because I never shared that goal with them, so when they said working there was a real possibility, I got really excited.”
After an initial six-month summer placement in Gallagher’s engineering team, Chapman was invited back during her third year of university as a student electronic engineer and worked on a variety of projects that cemented her love of the work.
“It was so fun,” she says. “That early engineering work opened my eyes to all these options and to the potential of what I could build or enable.”
After graduating with a Bachelor of Electrical and Electronic Engineering in 2014, Chapman signed on with Gallagher as an electronic engineer. Four years later she was promoted to senior electronic engineer and in May 2021 to lead engineer for the research and development team.
Then the global supply chain crisis hit. The perfect storm of events that included the Covid-19 pandemic, droughts, factory fires, shipping complications and increased demand produced exponential increases in the prices of key pieces of hardware, such as microchips and electronic components, making it difficult for Gallagher to continue operations.
Chapman’s first major task in her new role was to steer her team through the massive challenge of re-engineering several security products using components that could be accessed, and juggling priorities under intense time pressure.
“We went through each product and where we couldn’t source a component, we looked at what alternatives would be possible and what we could actually source,” she says. This was a manageable task for some of the minor components, but for a few products, finding the key components became impossible.
“We couldn’t get those pieces. So we shifted away from trying to source those components and changed our focus into redesigning products as quickly as we could with the resources we had to make sure we never stopped our supply.”
She says failure to supply some products would have put lives at risk around the world. “Our products were being used in hospitals, in food production facilities, in small businesses – places where essential workers needed the health and safety protections we supply. Halting production and distribution wasn’t an option.”
Under Chapman’s leadership, Gallagher was one of the few security suppliers to continue shipping hardware products during the supply chain crisis, an achievement that reverberated throughout the security ecosystem.
“One of the biggest obstacles in engineering is trying to predict the future and how we can make products that will be valued in the market for years to come,” Chapman says, “It’s a fun challenge, to be sure –being responsive to unknown, future developments and needs. I still get excited thinking about all the potential out there.”
One major challenge Chapman predicts will become increasingly critical in coming years is sustainability. “There’s a big conversation around what sustainability actually means. There are all sorts of perceptions out there, and they can be misleading. Yes, we can make sustainable plastics and be responsible in how we manufacture and dispose of materials, but that’s only one aspect of a product’s lifetime. The industry needs to invest in making products holistically more sustainable.”
She says that means designing products with energy consumption in mind, reincorporating old components, using more recycled materials, and clearly communicating those benefits to a sceptical market.
“If we could re-educate people on what it means to be sustainable over a product’s lifetime, maybe we could build things in a smarter way in the future.”
To contribute to that future, Chapman regularly visits high schools to talk with students about the rewards of a career in engineering and, with luck, spark the next generation’s passion for electronics.
“I find great joy in showing students what’s possible. I particularly like to show others that, even though this is a heavily male-dominated field, women can succeed and excel within the industry. There are no limits on what we can achieve.”
www.linkedin.com/in/kirsten-chapman-79962496
Team Leader, Cyber Response Team | Section Chief, Women and Children
Cybercrime Protection Section | Digital Forensic Examiner | Police Officer | Resource Speaker | Educator | Information Technologist
Sharmaine Labrado is a ‘cybercop’. No, she’s not a software manifestation of RoboCop, the robotic law enforcement officer featured in the 1987 science fiction movie with that name. Labrado is a real person.
Specifically, according to her LinkedIn profile (get ready for this!) she is: “Team Leader, Cyber Response Team | Section Chief, Women and Children Cybercrime Protection Section | Digital Forensic Examiner | Police Officer | Resource Speaker | Educator | Information Technologist.”
She explains, to gain the title of cybercop in the Philippines Police, “personnel need to finish four foundation courses that enable us to conduct proactive internet investigation, cybercrime investigation, identification and seizure of digital evidence and digital forensic examination.”
Labrado is a member of the Philippine National Police (PNP) – Anti Cybercrime Group (ACG). “I gained there my first-hand knowledge of cybercrime investigation, proactive internet investigation, digital forensics and the identification and seizure of digital evidence” she says.
“These became my foundation courses in earning my cybercop badge. Aside from these, I have gained advanced knowledge in conducting cybercrime investigations and digital forensic examinations both locally and internationally. The PNP sends us abroad for training with our foreign counterparts. With these, I was able to compare and learn the procedures of other countries in handling cybercrime and digital forensics.”
Her responsibilities are as many and diverse as her lengthy job title suggests. As team leader, she monitors and supervises personnel who “conduct investigations and cyber patrolling.” She also leads a team in operations involving violation of the Cybercrime Prevention Act of 2012 and, as chief of the Regional Digital Forensic Section, she supervises the conduct of digital forensic examinations and reviews digital forensic reports.
She also coordinates activities designed to prevent cybercrime, lectures to students and professionals on cybercrime awareness and conducts lectures to other police units on cybercrime investigation and how to deal with digital evidence at a crime scene.
Sharmaine LabradoLabrado has only recently taken on her role as team leader of a provincial cyber response team and is the only female officer of rank in her region handling cybercrime and cyber-related crimes. She also functions as the chief of the regional digital forensic section.
“With these roles I have to demonstrate knowledge and expertise in the field of cybercrime investigation, cybersecurity, cyber patrolling and digital forensics to lead the team in addressing the growing volume of cybercrime and cyber-related crimes, and apprehend cyber criminals in my area of responsibility with a total population of around three million,” she says.
Labrado cites as the most challenging aspects of her role “Being a female officer in a field dominated by men, law enforcement … [and] being an enforcer of the laws governing cybercrime and cyber-related crimes in the Philippines.”
She admits to being somewhat mystified as to just how she got her current role and offers a similar answer to Jane Frankland who, elsewhere in this issue, says of her journey, “man plans, and God laughs.” Labrado says, “I really don’t know how I arrived at my current role as team leader of the Provincial Cyber Response Team. … As the proverbs say, ‘You can make many plans, but the Lord’s purpose will prevail.’ – Proverbs 19:21.”
However, Labrado arrived at her career destination through an early interest in information technology, and in cybercrime. “It has always been my childhood interest to work with computers,” she explains.
“As an information technology student, I’ve seen many vulnerabilities in the programming code used in creating software. As an instructor, I’ve observed the tendency of computer enthusiasts to use technology for malicious programs. Because of this, I became an advocate for the ethical use of the internet and technology in general.”
Labrado pursued her interest by joining the Philippine National Police Anti-Cybercrime Group. “I realised then that technology is widely used as part of the everyday lives of individuals and that cybercriminals are everywhere targeting computer systems and networks,” she recalls. “As a bearer of the cybercop badge, I have been able to use my knowledge and expertise in the field of information technology to serve law enforcement.”
As helpers on her career journey Labrado cites her mentors, Sir Levy, “for giving me the first-hand knowledge in digital forensics and for his trust and confidence in me on different speaking engagements,” and Sir Scott, “for the advanced knowledge he shared and for his continuous technical advice on digital forensic concerns.”
For Labrado the rewards of being a cybercop come from serving the public. “I can serve anyone regardless of their status in life,” she says. “It is rewarding to know that I am able to use the knowledge I have learnt from my education to help the public and our fellow law enforcers in solving their issues and concerns in cyberspace as a cybercop, and that policing is not only about physical visibility on the roads, establishments or streets but also can be take place in cyberspace.”
www.linkedin.com/in/sjlabrado
“It is rewarding to know that I am able to use the knowledge I have learnt from my education to help the public and our fellow law enforcers in solving their issues and concerns in cyberspace as a cybercop.”
athalie Viuf Stender grew up in Denmark in a cybersecurity-rich family environment “where Christmas plans could get dramatically altered if the biggest Danish newspaper were effected by a cyber attack or a code error,” she says.
In 2005 the Danish newspaper Jyllands-Posten published 12 cartoons depicting Muhammad creating a storm of outrage and riots in some Muslim countries. After that “both physical and online security become a hot topic in my family,” Stender says.
Her steeped-in-cybersecurity childhood is easy to understand when she identifies her father, Per Palmkvist Knudsen, whose “career as CIO in a time where security started emerging as a big topic was very inspirational,” as the biggest influence on her cybersecurity career. According to his LinkedIn profile he has had a long career in senior level IT roles.
Today Stender is Privacy and Security Engineering Leader with IKEA Retail (Ingka Group) in Sweden. However, cybersecurity was not her first career choice. Like many teenagers she chose a career path contrary to that provided by family example, but the pull of IT and cyber proved irresistible.
“As a child my idea was that I never wanted to do the same [as family]. So, I started studying business only to get frustrated by the lack of involvement of IT and IT security in the economic risk calculations,” she says.
“It felt like the academic world of business simply did not understand how important this area would become. I therefore chose to take my master’s at the IT University of Copenhagen, where I created my own master’s combining security, privacy and compliance in order to be able to deep dive into the topics I could see impacting our everyday lives and businesses even more in the future. At this time GDPR [the EU’s General Data Protection Regulation] was only on the horizon and cyber attacks where not broadly known, so the widespread options for education in this area seen today were simply not there.”
It was also a time when women in cyber roles were less common, and less accepted. “As a woman, I was a bit afraid of signing up for the security classes since they often primarily consisted of men,” Stender says. “And I was concerned about how that would feel and look in a workplace.”
After that very deliberate move, Stender says some of her other career choices have been less directed.
“I do not see my career as a planned journey from a to z. My philosophy is that I want to do what makes me happy and what is sparking my interest. I have taken just as many horizontal moves as vertical, but in the end, they have all added something to my overall profile.
“One example was my bachelor’s degree from Copenhagen Business School. It taught me to understand business risk thinking, budgets and strategy. I can use that knowledge when getting the business buy-in on fixing vulnerability, planning for security improvements or in prioritising this important topic.”
Stender joined in 2022 and says she was attracted to the position because it was a global role that combined responsibility for privacy and for security.
“In many companies privacy and security are seen as two different fields and are often placed far from each other within the organisation. But you cannot have privacy and comply with the technical and organisational measures without having good security. And you cannot have good security without privacy. Being able to work with these two fields in combination made so much sense to me that I decided to join IKEA.”
She says the diversity of tasks she has to undertake is the most challenging aspect of her role. “I do not often work hands-on with complicated technical security tasks but mentor, oversee, prioritise and, sometimes most importantly, communicate the results.
“Security for organisations like IKEA a growing almost exponentially in work and importance. And it does take time to get all processes and people on board with the sometimes-urgent nature of security.
“As an example, if a zero-day vulnerability has been discovered, we sometimes need hundreds of people
to deprioritise their work to make sure our business is not impacted. This requires clear communication, stakeholder management and an eye for the technical details.”
Stender was also drawn to IKEA because she saw the role as enabling her to balance work and personal life: she is able to work from home two or three days per week. “Having two kids and a husband, my first thought is always how my everyday life with a family would work. I have been offered positions I ended up turning down because they would not allow me to be much with my family. This might change as my kids grow older, but right now my family life is a priority.”
Meanwhile, Stender say the most rewarding aspect of her role at IKEA is “seeing people grow” rather than specific security achievements. “For me it does not matter whether it is managers seeing ‘the light’ and becoming more aware of security, or a new junior who suddenly starts having all the right answers herself to the tough questions. Seeing how our cyber organisation’s work ends up making a huge positive effect on everyone in IKEA is really rewarding.”
Prior to joining IKEA, Stender had a role in which she was responsible for compliance with GDPR and NIS2. She predicts compliance with regulations will be one of the most significant developments in cybersecurity over the next two years, and does have some concerns about the effect of focusing too much on regulations but more work is needed in the area:
“Looking at the legislation coming, for example, from the European Union, we are going to see much more regulation in this area which also links to more documentation. Done right, it will have a positive impact on the actual security level, but documentation and compliance alone do not necessarily lead to good technical security.
“We need to be able to remember security is an important culture that also drives better software and not only a legal requirement. In the end you cannot
defend companies against cyber attackers with a box of paper.”
And she expects attacks to grow, particularly on critical infrastructure, identifying global politics, as the most significant factor driving cybercrime. “We are already seeing a big spike in government-supported attacks on critical infrastructure, and these will continue growing as long as countries globally seek conflict instead of diplomacy.”
Like every cybersecurity leader, Stender faces ongoing staffing challenges, “everything from pen-testers to governance, risk and compliance.” She sees more people graduating from university with these
“I am a huge fan of vertical development. Even though people coming from other fields might not have much cyber experience, they will still have some of the stakeholder skills, patience and business knowledge people fresh out of the university are lacking.”
For her own skill development Stender says she is finalising her CISSP certification to be able to document her knowledge better within security, but confesses to finding prioritising this to be a challenge. “Last week, I had booked some study time in my calendar but then our IKEA security leaders from China visited in Sweden and I could not resist learning more about their job and get some ideas for how we can globally work better together.”
www.linkedin.com/in/nathalie-viuf-stender-89037984
If anyone’s career trajectory reinforces the message, frequently repeated in these pages, that skills other than those in technology loom large in cybersecurity, it is that of Silvana Macri.
Asked what first piqued her interest in cybersecurity, Macri replies: “I was born to be a social engineer. I love people and behavioural psychology intrigued me.”
Her first steps to pursue her interest were not studying technology, but networking, the personal kind. “I am an avid networker, so I joined as many security-related networking groups and went to all their events to meet people and listen to what they had to share.”
After 16 years in various IT related roles, in 2019 she founded her own cybersecurity education specialist business, in Perth: Stay Cyber Safe. It provides programs, tools and learning opportunities to help corporates, industry groups and SMEs reduce their cyber risk.
For Macri, the rewards that come from being in cybersecurity are not technical achievement but relationships: “Working with people, rewarding positive behaviour, and helping people fill the
gaps they have in security knowledge and cultural dimensions.”
And the biggest cybersecurity challenge she sees is the scarcity of people like herself. “I wish there were more security specialists with a psych background and communications and facilitation experience who understand how to translate tech speak to user speak,” she says. “Right now we are incredibly overallocated and under-resourced.”
A pivotal moment in Macri’s cybersecurity career was her discovery of Perry Carpenter, who she describes as “the ‘father’ of security awareness as a function.”
Carpenter is Chief Evangelist and Strategy Officer at KnowBe4—a security awareness training and simulated phishing platform—and the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behavior. He formerly led security awareness, security culture management and anti-phishing behaviour management research at Gartner.
Now, Macri is planning to gain formal qualifications in the behavioural aspects of cybersecurity by sitting the Security Awareness and Culture Professional (SACP) exam, a vendor-neutral certification that recognises professionals who work and exhibit competency in the development, assessment, management and
maintenance of security awareness programs. “It is absolutely critical in a role like mine,” she says.
However, cybersecurity requires people with a technical focus as much as a people focus, and some are better suited to such roles. Macri’s advice to anyone aspiring to a role similar to hers is to first explore the technical side. “Do a short cyber course first as a pathway and see if it is a good fit, or alternatively if it’s the people side of cyber, study behavioural science/psychology and facilitation (delivery).”
Macri says she “couldn’t believe how the people side of security was being unaddressed,” until “I realised it was because people are grey, not on/off binary. And tech peeps generally find people difficult to predict so they avoided the human element for years until it seriously became the biggest/most effective attack vector.”
However, human ingenuity might be about to lose its prime position. It is not people but technology, specifically artificial intelligence that Macri sees as being one of the most significant new threats. She is not alone; it has been cited by many women who have shared their cybersecurity journeys in these pages.
“The challenges AI/automation brings cannot be decoupled from the benefits, so be aware and prepared for an exponential increase in attack numbers and sophistication,” she says. “Do not underestimate nation state attacks using automation/ AI especially in critical infrastructure.”
As the biggest influence on her career, Macri cites Kevin Mitnick, a convicted hacker who now runs security firm Mitnick Security Consulting and is part owner of KnowBe4. Macri hosted him in Perth for a two-day event at Optus Stadium in 2019 and she says he is now her ‘friend’ on a number of online platforms.
www.linkedin.com/in/macrisilvana
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Explorers program today!"
S t u d y i n g o r a n E a r l y C a r e e r P r o f e s s i o n a l i n i n f o r m a t i o n s e c u r i t y ?
L e a r n m o r e a t . a w s n . o r g . a u / i n i t i a t i v e s / a w s ne x p l o r e r s /
- Liz B, Co-Founder
I have never been one to follow the easy route, the beaten track stretching out before me. Many people like to see how things have been done previously and follow the path of least resistance. That can be an acceptable way to do things and, on occasion, I have done the same. But what happens when that beaten track is not right? What happens if that well-worn path leads everyone who follows it to the same failures?
You should change paths, right?
Yes, you should. You should stop, look at what everybody is doing and consider how you might be able to do things better, or differently. Different can sometimes be sufficient to inspire innovation and foster a new way to look at a problem.
Following that unbeaten track will not always be easy. I know. I have the bumps and bruises of life to prove it. However, by going my own way I have, on occasion, achieved great success.
Look at my writing, for instance. I started my writing journey about six or seven years ago. I had never really written anything previously and no writing experience when I pitched my first article to Charlie-Mae at CSO magazine, who now works for Source2Create, the publisher of this amazing magazine, Women in Security. (The editor of Women in Security, Abigail Swabey, was editor of CSO at the time.). However, I had something I needed to say, a problem that needed to be aired and considered. That decision led me to what I feel is now a reasonably successful writing career.
I have written approximately 200 articles, had three books published, have three more to be released in 2023, and I am working on others for release in 2024. I have not tried to follow anyone else’s style. I do my own thing, but it works. Seriously, the books in my A Hacker I Am awareness series are more like the old
‘choose-your-adventure’ books than cybersecurity books, and I love that about them. You can choose the order in which you read them. You bought them, why should you not decide?
I have gotten a little off track here, but my point is that, to achieve the results we need in cybersecurity, we need to innovate and look at the problems we face in a different light. To do that, we need to promote all aspects of diversity: race, gender and background. We need to encourage different ways of looking at things. We need to look and see if we can do things better, or make them simpler to manage. Maybe we need to throw away old ideas and ways of securing our systems and try something completely different.
Just because something has always been done a certain way does not mean that way is right. Think for yourself, and be brave enough to say: “No, that’s not how it should be done.” If we can do that, I think we just might have a chance of taking back control of our systems, of getting to a level of security that will allow us not only to endure an attack. We may even be able to make attacks irrelevant or inconsequential, because we have found ways to protect our systems, or reduce the impacts of attacks. Maybe then the onslaught of breaches and data pillage will end.
It is a dream, and a tough one for us to achieve. But nothing worthwhile is ever easily achieved. So, let’s stop talking, let’s start doing something about it. Diversify, innovate and succeed.
www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/AHackerIam twitter.com/CraigFord_Cyber
DEIKA ELMI
Culture is the key reason there is a shortage of women in security professions. Women with all the necessary talents opt for other jobs – some early on, some in the middle of promising careers. Ways to combat the shortage include altering the way security talent is recruited and emphasising the human element. Recruiters can attract more skilled women by tweaking job descriptions so they read more about helping people and less like the script of an action movie.
It is no secret fewer women than men enter security professions. One reason for this is an inaccurate impression of what a role in security entails. Even in the most physically challenging environment you will certainly spend more time watching and talking to people than you spend in fistfights. However, that is often not the impression you would gain from a security job description. Yet, according to Winifred R Poster, a lecturer in international affairs at Washington University, in the US “job postings call for ‘ninjas’ and ‘cyberwarriors’.” Physically pulling a plug is the most action you can expect to see in most cybersecurity professions.
That kind of advertising is pervasive and, according to Chana R Schoenberger, editor-in-chief of American Banker, it turns women away from applying. As a PhD dissertation, The Underrepresentation of Females in the United States Cybersecurity Workforce, put it: “Everything is not young white guys at a black and green screen. There are other parts that can be highlighted, such as geopolitical, social, investigative, and the human element.”
Women who stay in cybersecurity often feel alienated and out of place before realising they do belong and do have the necessary skills. The author of a 2021 University of New England degree dissertation interviewed 16 C-suite women executives in cybersecurity and found one common experience: “The pivotal moment was the relationship of a mentor or sponsor who then validated their ability to do that role, giving them the confidence to push past those feelings of being an imposter.”
Those women who do enter the cybersecurity profession may not stay. A 2014 paper Women in STEM and Cyber Security Fields, presented to the American Society for Engineering Education’s Conference for Industry and Education Collaboration
estimated 80 percent of men stay in cybersecurity while only 60 percent of women do. Skilled mid-career women often love the work itself, but become frustrated with an ‘expectations gap’ and a poor work culture. A 2008 Harvard Business Review report said 41 percent of women who entered the tech industry leave, compared to just 17 percent of men. A recent McKinsey report gave richer detail. It found, in tech, 37 percent of entry-level jobs held by women compared to 47 percent in other industries. That number dwindles with seniority. Women hold only 30 percent of managerial, 25 percent of senior manager/director, 20 percent of VP and 15 percent of C-suite roles.
People skills are extremely important in security. Cybersecurity experts love to talk about extremely technical attacks like watching LEDs with a drone or decrypting RSA keys from the whir of a hard drive. Yet for every highly technical attack there are many more attacks that could have been stopped by persuading people to update their passwords and not click suspicious attachments. Bravery and geeky brilliance have their place, but far more of the day-to-day work of cybersecurity is .
That conclusion may be one explanation for the STEM skills shortage. Amanda Diekman, a professor of psychology at Indiana University, led a study which : “one important reason for [gender] discrepancy is that STEM careers are perceived as less likely than careers in other fields to fulfill communal goals (eg, working
with or helping other people). Such perceptions might disproportionately affect women’s career decisions, because women tend to endorse communal goals more than men.”
Tragically, women’s very desire to help people is not helping them succeed in cybersecurity. Furthermore, this is the very talent the profession needs to attract if it is to successfully combat most cybersecurity attacks.
Companies intentionally or unintentionally alienate women during the sourcing and recruitment process A warrior ethos and whiz-bang technical details are not the heart of security work. Security professions are about helping people and keeping them safe. There are no cloaks nor daggers. Patience is needed far more often than a shuriken (a Japanese concealed weapon used a to distract or misdirect an opponent).
Women are not rare in security. As of 2017, around 44 percent of private detectives and investigators were women. Around 24 percent of the workforce in the investigations and security services sector were women. That number is growing: an extrapolation from Census data estimates 27.4 percent of workers in the investigations and security sector were women in 2019. One in four is far from parity, but it is progress that can be built upon.
www.linkedin.com/in/deikaelmi
by David Braue
It is well understood that diversity in teams provides a necessary spectrum of experiences, which in turn fosters innovation across the organisation – but how can companies develop this diversity?
HR-driven recruitment practices can be a great place to start, as multinational manufacturer Kerry Group found when diversity played a core role in building a strong business case for hiring more than 200 new staff for its Kuala Lumpur, Malaysia shared-service operations.
As the organisation went to market it became clear that building diversity into its recruitment efforts would be crucial not only to finding enough staff, but to finding the right ones.
Also crucial was rapidly scaling up the recruitment effort. Over the course of a six-week recruitment drive, run in conjunction with recruitment firm Page Outsourcing, Kerry Group received over 20,000
CVs, screened more than 72,000 candidates and conducted more than 2000 interviews with the 320 people who were ultimately onboarded into the organisation.
“It was really a no-brainer for us to establish a bigger presence in Malaysia,” Clive Jardine, Kuala Lumpurbased HR director for Global Business Services with Kerry Group told a recent SSON webinar. “But we faced challenges around the need for really good skills and strong talent to support our business here.”
Asia’s broad cultural and linguistic diversity meant talent needed to be equally diverse. Support for 16 different languages was key, and employee diversity was critical to ensuring the new workforce could support the business and its customers.
Jardine said gender diversity was one key focus for the company, which, he said, was probably, predominantly female. However, building and extending a multicultural workforce was just as
tuning your recruitment diversity can set the tone across the organisation
important to ensure the new business function had the right mix to support innovation for the long term.
“From a values perspective, we really do celebrate diversity,” Jardine explained. “And we’re really proud of the fact that we represent multiple ethnicities in our organisation that are representative of Malaysia; that was really a good aspect in terms of the recruitment process.”
Strong working relationships between the recruitment firm and internal HR organisation was crucial, with Page and Kerry Group teams using “honest, transparent and fluid” communication to work through the process in lockstep, said Page Outsourcing Hong Kong associate director Andrew Barnes – who noted that Kerry Group’s strong sense of values ensured diversity remained integral to the process.
Kerry Group “were able to supply us with a plethora of information that helped us gain a detailed understanding of them as an organisation, the way they work, their company culture, and the way they were going to be replicating that,” Barnes said, noting this had helped the two organisations refine the employee value proposition (EVP) Kerry used to attract the right mix of candidates.
In running the recruitment drive during the chaos of the COVID-19 pandemic and the ensuing shift to remote access, for example, the EVP rapidly skewed towards “things that weren’t necessarily important to people before,” Barnes said.
Kerry’s workplace culture, personal development and work/life balance became points of differentiation as the Page team worked to sell Kerry’s culture to prospective employees – with diversity initiatives such as traditional dress and food days meaning they could “really allow people to be their authentic selves within the workplace.”
“As a leader, if you see people behaving in a manner that is inconsistent with the very values that the company has stated, and that’s tolerated, then what credibility would go into the values?”
- Delta Airlines senior vice president Tim Mapes
“The fact that Kerry lives and breathes this culture and ethos,” Barnes said, “helped us to identify suitable talent that aligned with the values they’re looking for.”
“We are super proud of the people that we’ve been able to attract to our organisation through this process,” Jardine said, calling the program a “remarkable success… we’ve got candidates selected on the basis of what will really work, and fit with our organisational values.”
Mass recruitment drives – often linked to significant new investments in technology or business capabilities – present a significant opportunity to remedy lingering inequality in the company culture.
Yet it’s important to avoid allowing pro-diversity practices to fade once the project is finished; rather, diversity, equity and inclusion (DEI) values should be embedded deep within the HR function – and that of strategic recruitment partners – to ensure hiring and staff retention practices seed the diversity crucial to fostering innovation.
Such policies speak directly to a company’s ability to deliver a hospitable, compelling employee experience, and many businesses admit their HR practices are still falling short in this respect.
A recent Gartner survey of more than 800 HR leaders found them facing increasing competition for talent. Thirty six percent of respondents said their sourcing strategies were “insufficient” to help them find the skills they need – and 44 percent admitted their organisations lacked “compelling career paths” to attract and retain the employees they need.
“HR leaders face a historic amount of disruption, and their timeline from planning to action keeps shrinking while the imperatives increase,” Gartner said, noting the simultaneous challenges HR leaders face in needing to juggle people and technology investments, cultivate a positive culture and employee experience, and transform HR to be “more automated and digital.”
Central to these changes is the creation of an equitable internal labour market, according to Gartner. It advises HR leaders to shape their strategies this year around boosting leadership development, organisational design and change management, employee experience, recruiting, and overhauling workforce planning that is often “disconnected from reality and… ineffective at combating the disruptive landscape.”
Doubling down on a company’s values and brand can provide a significant foundation for subsequent growth and innovation, says Delta Airlines senior vice president Tim Mapes. He told a recent CES 2023 session that “at the end of the day, a brand has got to be true to itself.”
“As a leader, if you see people behaving in a manner that is inconsistent with the very values that the company has stated, and that’s tolerated, then what credibility would go into the values?” he continued.
“When you make decisions, and behaviours are consistent with those values, your brand comes to be known in the hearts and minds of your employees and customers as representing those things.”
As the internal managers of human capital and culture, HR staff have considerable strength in setting the tone of that decision-making to ensure it supports the culture necessary to foster sustainable innovation.
RMIT University School of Management associate professor Dr Lena Wang told a recent AWSN International Women’s Day event that shaping culture also requires a degree of introspection to evaluate the effect unconscious bias may have on hiring practices – and to detect when unconscious bias skews hiring practices. She said recognition of unconscious bias could have flow-on effects in unexpected places.
“Every one of us has potential bias, and it’s about how to find strategies to counter that,” Wang explained. “It’s so powerful when leaders start to recognise this themselves, then do things to actively change that.”
Simply having senior executives pushing the barrow of equality is not enough to change an organisation on its own, she warned: “you may have this amazing, visionary CEO who truly gets it, but somehow when that communication falls down to your frontline managers, it goes missing – and they don’t get the point as to why we need more women on the team.”
Such attitudes can prevent many women from speaking up to express their concerns about potential blockers for innovation – an issue that proactivity by HR executives can counter. “It’s very important to create psychological safety for all employees to give feedback,” Wang said.
Even in companies that have good policies in areas such as flexible work arrangements, she said, “a lot of the time it is those day-to-day experiences that make women feel excluded… when you are creating workplaces that are not truly supportive of women employees.”
It’s a practice that should also be extended to strategic partnerships, says Kate Wendt, vice president of strategy, transformation and sustainability with Seattle-based outdoors retailer REI Co-Op. She identified three core steps the company takes when developing new partnerships.
These include doing due diligence on partners’ values and alignment, looking at what each party brings to the table, and how the company can learn by being more open.
“We tend to be highly discerning about partners,” she explained. “The biggest learning is how we can be more open and listening and learning.”
“Every one of us has potential bias, and it’s about how to find strategies to counter that. It’s so powerful when leaders start to recognise this themselves, then do things to actively change that.”
- RMIT University School of Management associate professor Dr Lena Wang
• You are naturally curious and a self-starter. Tell us about how you build Cyber Ranges in your own time, or your latest research project.
• You have experience with Internal Investigations and/ or Insider Threat Management.
• You have worked with custom applications and log formats in a TDIR context.
• You listen to and follow podcasts and bloggers like Darknet Diaries, Recorded Future, @IT_SecGuru or @TheHackerNews. Tell us what r/ threads you’re currently tracking.
• You have exposure to Vulnerability Assessments or Penetration Testing professionally or through your own personal research. If you’ve started a CEH or OSCP certification, even better!
• Show us how you automate using PowerShell and Python.
• Establish relationships with new and existing third parties (e.g., contractors, vendors, service providers).
• Relay current Information Security requirements to third parties and inform internal stakeholders when requirements are not met.
• Manage and update Information Security questionnaires.
• Maintain list of approved contractors, vendors, or service providers.
• Modify and retain relevant legal, financial, and security documents (e.g. NDA, Security Questionnaires, Invoices, Purchase Orders).
• Regularly audit third party security risk.
• Where possible, negotiate contracts with third parties for optimal pricing.
• Periodically assess performance of vendors and make recommendations to stakeholders when organizational needs are not met.
• Manage third party onboarding and work with internal stakeholders to make relevant updates when necessary.
• Route supplies to appropriate locations, departments, or users.
• You have COMPLETED, not started, certifications such as CompTIA Network+ and Security+ as well as core networking such as Cisco CCNA or CCNP.”
• 3+ years of experience working with systems, networking and security technologies, with at least 2 years working as a Security Analyst or equivalent role
• Hands-on security knowledge of Windows/Linux/Unix platforms
• Hands-on experience with one or more SIEM/EDR/VM systems and can demonstrate end to end knowledge of the TDIR Methodology
• In-depth knowledge of the MITRE ATT&CK Framework
• A demonstrated knowledge of IT security controls, OSI Model and TCP IP Stack
• Manage third party payments and billing.
• Assist team members in implementing best security practices across the organization as needed.
• Perform Information Security document reviews.
• Aid in the monitoring and testing security mechanisms as needed.
• Proficient in Word, Office, MS experience, Windows Operating Experience.
• Bachelor’s degree in Business Management, Business Administration, Supply Chain Management or equivalent.
• Excellent oral and written communication skills.
• Ability to organize, multitask and manage time effectively.
• Strong research, analysis and negotiation skills.
• Good communication and interpersonal skills.
• Ability to effectively manage multiple projects at once.
As the IT Audit Manager you will work as the 2ic to the Head of IT Audit. This is a new role created due to investment within the Risk function and the need to add an SME in Cyber and Technology Risk. This role will work across multiple projects across Cyber, Digital, Cloud transformation and technology uplift programmes.
You will play a key role in the design and operations of Technology Audits, taking ownership for the end to end delivery of audits working with multiple business and risk stakeholders.
You will take ownership for IT Audits, manage the strategy and delivery of said audits whilst working closely with the business to ensure all risk is highlighted and mitigated accordingly. You will also plan and manage resources to ensure deadlines are met.
• Five years’ experience across the IT audit, It Governance, Assurance and technology risk domain
Leidos Australia have opportunities for System Engineers to join our team based in Canberra and provide support to a large Federal Government program. As part of our team you will be responsible for all system engineering aspects of the product baseline and structures for multiple delivered subsystems and assist in the smooth transition of new capability into service.
The ideal person will have an in-depth understanding of the systems engineering lifecycle applied to complex mechanical/electrical systems, an understanding of configuration management and the ability to troubleshoot, identify faults and rectify.
• Understanding of the ITIL framework
• Involvement in detailed design and equipment acquisition of complex systems
• Minimum three years’ experience working across IT Audit, Risk or Compliance programmes
• Three years’ experience within the financial services domain, preferably banking.
• Work across a range of regulatory requirements, hands on knowledge of security management is highly desirable, specifically CPS234
• Proven experience in risk and control identification, assessment, tracking and remediation
• Strong background in risk management and prioritisation within Risk and Control Taxonomy
• Good knowledge of IT control implementations and ability to control and mitigate risk
• Proven ability in risk and control identification, tracking and remediation
• Certifications across would be highly beneficial CISSP, CISM, CISA, CRISC
• IT governance framework knowledge such as ISO27k, NIST CSF, CIS, ITIL v3 and COBIT
• Demonstrated experience developing engineering artefacts (Application for Deviation, Engineering Change Proposals (ECPs) and engineering investigation reports);
• Strong interpersonal, communication and technical writing skills
• 2-3 years’ experience in one or more of the following;
• Windows (Windows Server 2008, 2012 & 2016, Exchange 2010 & 2016, Active Directory, DNS, DHCP & DFS, Enterprise level backup products)
• Networking (NSX, Cisco, Palo Alto)
• VMWare, or vROPS, vShpere, Horizon, vRealize
• Linux (Red Hat Satellite Tower, Ubuntu)
APPLY HERE
The Info Security Consultant - Cybersecurity Awareness and Education manages the execution of Key’s Security Awareness and Education Program. The overall goal of the security awareness and education program is to reduce information security risk by ensuring that all employees and contractors understand Key’s security policies and apply information security practices with respect to institutional data and information technology systems. In collaboration with other members of the Enterprise Security Services, this position will manage a broad set of activities, including drafting publications, creating and managing website content, facilitating marketing campaigns, scheduling meetings, hosting/presenting virtual training sessions, creating timelines and infographics; and helping to plan outreach, awareness, and educational events for KeyBank clients and employees.
• Experience working across multiple lines of business to design and implement training plans and track organizational progress, development, and metrics.
• Strong verbal and written communication skills with experience briefing corporate professionals,
executives, and clients.
• Ability to periodically travel to conduct training.
• Proven ability to identify and implement process improvement opportunities.
• Results oriented, self-starter with ability to work with general direction.
• Ability to manage competing priorities.
• Basic understanding of security threats and knowledge of financial industry.
• Strong organizational skills and ability to multitask. Experience coordinating, organizing, and implementing events.
• Demonstrated experience executing multifunctional projects.
• Strong analytical and conceptual skills; ability to see the “big picture,” proactively think/plan and provide ideas.
• Effective teamwork and interpersonal skills and ability to communicate with all levels in the organization.
• Experience with Microsoft Excel, Word, PowerPoint, and SharePoint.
RESPONSIBILITIES
• The effective governance of organizational websites and mobile applications activities.
• Driving the Vendor Security Governance program
• Supporting Cyber Security compliance activities within the team.
• Strong knowledge across Information Security and Cyber Risks.
• Deep knowledge of cybersecurity practices, risk assessments and compliance activities.
• In-depth knowledge of risks assessment process. APPLY
ABOUT THE ROLE
• Develop and execute regional cyber safety strategy and ensure alignment with global strategy
• Support Divisional Information Security Officer through engagement and influence of technology and business stakeholders and provide training to highrisk employee groups
• Partner with Communications, Learning and Development, Risk & Compliance and Technology teams to deliver engaging cyber safety awareness resources for the QBE workforce, partners and customers
• Develop awareness of and participate in projects and other change initiatives where cyber safety awareness inputs are required to achieve defined outcomes and ensure safety risks are proactively managed
• Build and manage strong and effective relationships with business stakeholders and project teams to deliver services that meet stakeholder expectations
• Maintain high standards of service delivery to enable continuous improvement and effective response to stakeholder feedback
• Communication – strong verbal and written communications. Ability to communicate clearly and concisely to a broad audience; translating technical information into business-relevant language
• Influence – ability to develop and leverage relationships to achieve the right outcome for QBE. Represents Group Cyber Security team in a range of internal and external forums
• Customer service – sound customer service focus, able to provide advice and recommendations to address customer needs or strategic business issues; supporting the implementation of any agreed actions
• Self management – ability to apply excellent attention to detail, have strong organizational skills and manage and deliver conflicting priorities
• Analytical and problem solving skills
• Actively undertake personal development to ensure up to date knowledge and skills
• Experience at managing and influencing relationships at senior level.
Michelle Gatsi, Cyber Security Consultant at EY
Jay Hira
As practitioners in the cybersecurity industry we are constantly solving a complex puzzle. This puzzle has many moving parts, and no one person has all the answers. If we bring together a team of people with similar educations, experiences and viewpoints, they are likely to have similar biases and, therefore, similar blind spots in the way they solve a problem. This is an issue we encounter constantly in many cybersecurity environments. The teams solving puzzles must be as diverse as the problems themselves. When we bring together a diverse group of individuals with different ethnicities, academic backgrounds, ages and life experiences, we get a more comprehensive and innovative approach to problem-solving.
Recently, we participated in an “Ask an Expert” session at the AISA Cyber Conference in Canberra where we observed a high degree of interest in pursuing careers in cybersecurity. The most common
challenge for those who want to start a career in cyber and those who want to navigate a career transition into cyber is how to put their best foot forward for an industry opportunity and demonstrate curiosity, conviction and persistence through actions beyond words. As a result, we decided to share our experiences and provide specific advice for those looking to start a career in cybersecurity as students, and for those looking to navigate a career transition into cybersecurity.
As someone who has been a cybersecurity student I understand the struggles of navigating a field without a clear-cut career path. However, this industry values the diversity of skills and experiences that each individual brings to the table. Whether you come from a technical or non-technical background, cybersecurity has a place for you. To help newcomers
in the industry, I would like to share some tips based on my personal experience.
Embrace opportunities. Starting without prior experience or knowledge can be intimidating, but it also means you have a clean slate and the malleability to mould yourself into any form. Do not be afraid to say “Yes!” to opportunities, even if you do not have the necessary skills. Believe in yourself and say, “I don’t know, but I can figure it out.” By learning and gaining new skills, you can give any opportunity that comes your way your best shot.
Make learning a priority. Learning in cybersecurity never stops, because the industry evolves constantly. As a student, I volunteered for student accelerator programmes and learned alongside my peers to deliver job-enhancing workshops. Participating in capture-the-flag events, hack rooms, certifications, podcasts, news articles and networking events can also help you upgrade your skills and knowledge. Such activities are critical to getting your first job in cybersecurity.
Network and engage. Building industry connections helped me understand the various roles and responsibilities within cybersecurity. Attending networking events and conferences enabled me to seek more opportunities for growth and learning. By meeting new people I better understood the impact I could make in the industry, which became a driving factor in my studies.
Showcase your work. It is important to share your contributions with others. LinkedIn is a major networking platform used by many cybersecurity professionals, and an excellent way to engage, connect and be inspired. Talk about your key learnings from networking events, tag individuals you connected with, and discuss how completing a course or certification has added to your skill set and will benefit your career. This practice creates a pattern of accountability and reflection crucial to building your brand.
My journey into cybersecurity was slightly non-traditional. Here are a few pointers to what worked for me as someone with a background in criminology and a history of work experience in the legal sector. These could be helpful for anyone looking to transition into a career in cyber.
Build meaningful relationships. This does not mean increasing your LinkedIn connections to increase the number of connections you have. Building involves a lot of time and effort. Before I started working in the industry I met with many experienced cyber and information security professionals. I was genuinely interested in knowing more about them, what they did for fun, their day-to-day work, and why they chose cybersecurity as a career. I even found myself some career mentors who are now my very dear friends: Phillimon Zongo and Jay Hira.
It was a very busy time for me, juggling my then legal support officer role by day and my cybersecurity career pursuit by night. I am still in contact with many of the professionals I connected with earlier in my career, and I now work with some of them. You will never know where your connections can lead you, but it is important to approach this step with complete authenticity: be yourself and be real. This leads me to my next point.
Leverage personal branding platforms. I found LinkedIn to be a handy tool for promoting my personal brand and connecting with industry professionals from all over the world. I was always very shy; the thought of sharing my written articles or promoting my achievements with other professionals was terrifying. However, I learned very quickly that sometimes you have to step outside your comfort zone to get where you want to go. This means becoming comfortable with the discomfort and pushing through it. I wrote and published my first-
ever blog on my LinkedIn page just under two years ago, based solely on my desire to pursue a career in cybersecurity. This blog caught the attention of a number of industry professionals who were interested to know more about my journey and offered a helping hand. These interactions added fuel to my enthusiasm to learn more about the industry.
Be open to ongoing learning. As technology advances relentlessly, so do cyber criminals and their techniques. Cybersecurity is like a big house with many rooms (in fact, picture a castle with each room representing a different domain – from data protection and privacy to identity and access management and beyond). It is easy to feel lost and overwhelmed by how much there is to learn. But I believe the key is to keep the mind active through continued learning. Our industry involves constant change; therefore, we must be willing and open to acquiring new knowledge and upskilling. We can do this through tertiary study, certifications, boot camps, articles, podcasts and networking.
I started with foundational knowledge through an online cybersecurity risk management course provided by Harvard University. I am now studying for my Security+ certification provided by CompTIA whilst building my work experience in technology consulting at EY. I consider it a privilege to be working beside incredibly intelligent cyber professionals every day. Prior to this, I spent a lot of time building relationships with a wide range of information security professionals and learning from their experiences. I would have done myself a great disservice had I chosen not to absorb the wisdom of the people around me. So do not be afraid to reach out to people – do so authentically and be willing and ready to learn.
Document your journey, and do not give up! The beauty of documenting your journey is that you can look back and see how far you have come. One day you will likely use your story to encourage the next wave of people wanting to start or transition into a career in cyber, and seeking an industry mentor just like you. This final tip is a bonus.
Strong teams are diverse in perspectives, life experiences and leadership. The wider the variety of people and experiences we recruit to defend against adversaries, the better our chances of success. Individuals looking at transitioning into a career in cybersecurity should focus on building meaningful relationships, leveraging personal branding platforms, upskilling and reskilling through relevant certifications, and gaining experience through volunteering and internship programmes to build a solid foundation for a successful career in the dynamic and exciting field of cybersecurity.
www.linkedin.com/in/jayhira
www.linkedin.com/in/kavika-singhal
www.linkedin.com/in/michellegatsi
Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their businesses by demystifying the technical and helping them to identify and address cybersecurity and governance risks. In 2021 Karen graduated from the Tech Ready Woman Academy’s Accelerator and the Cyber Leadership Institute’s CLP programs.
Cybersecurity is much more than a technology problem with only technology as its solution. We need to look at cybersecurity through a broader lens without getting bogged down in the technical aspects and ignoring the, critical, people component.
Taking a human-centred approach to cybersecurity means emphasising the importance of all staff and their roles in ensuring cyber threats are mitigated. As someone (relatively) new to the cybersecurity industry, it is my view EVERYONE in the business plays a part in hardening cyber resilience.
A strong human line of cyber defence is a crucial element of a successful cybersecurity strategy, and one which can often be overlooked. In this human line of defence, diversity is Queen (or King). Imagine how much stronger your cyber resilience programs would be if:
• Your cyber awareness education program was regular, relevant and practical across the entire business, with everyone from the boardroom to the mailroom taking an active part. Think of this as building a reinforced brick wall to secure your entire business from external cyber threats. This would be a far better approach than having only some areas secure, which is what you get when you have an ad hoc, poorly-delivered program (i.e., a brick wall with holes).
• Cybersecurity was baked into every project from the ‘get-go’. For example, if HR wants to implement a new system, you make sure the steering committee has someone involved who understands cybersecurity and can provide a cybersecurity viewpoint.
• Each department had its own internal cybersecurity champion, creating a two-way information sharing opportunity. If the non-IT rep can understand and communicate what IT is trying to implement, they would be able to spread cyber resilience throughout the business. As a bonus you may even attract staff who would never have thought of cybersecurity as a career but whose life skills can round out your IT team beautifully. Tech skills can be taught, life skills not so much!
• Tech project teams included non-tech stakeholders as a business-as-usual activity. This is particularly helpful if you need to present to and get signoff from your executive leadership team and/or board. The addition of these stakeholders will help you understand business drivers and values, allow you to deliver a plain English version of what may well be a highly technical project presentation, and increase the likelihood of your business case getting approved.
Using diversity of knowledge and experiences within a business to harden cyber resilience. That is priceless.
www.linkedin.com/in/karen-stephens-bcyber
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
I was having a discussion with a mixed group of people when someone brought up the topic of “death by a thousand cuts.” They were referring not to “a form of torture and execution originating in Imperial China” or a Taylor Swift song about a breakup, but to something that can, and has been, the cause of many women leaving high positions. It describes something many women and minorities face in workplaces.
In this discussion I described my experience of being appointed to an international board, and appointment I knew had created a special opportunity to showcase myself.
However, from the moment I arrived I could tell I would have to prove I belonged. So, I quietly endured every sleight and ignored every mispronunciation of my name (If you can say Daenrys Targaryan, you can learn to say my name!). Every time I was talked over or not recognised, I stayed quiet. When I did reach out to ask politely to talk with individual board members, I was ignored. I even had one board member mock my ‘Americanness’ because I spoke multiple languages and lived outside the US. Each and every time, it felt like a cut.
Why did I stay silent? I wanted to show I belonged, that I had earned my seat at this table, that I was a ‘team player’.
During my three-year term I served on almost every committee. But after three years I had had enough. When my term ended, I felt like former New Zealand PM Jacinda Ardern. I had “no more left in the tank.”
I did not seek re-election to serve another three years.
Of course, people were surprised, including the other board members. What they did not see was the “death by a thousand cuts.” What they did not see were my capabilities. What they did see was my endurance and commitment to do the work. However, I could no longer endure another three years of slights and indifferences.
I did not get any appreciation from my fellow board members. I got not responses from them to a heartfelt email send prior to the end of my tenure. In the years since only one board member has reached out to me to ask me for something related to her work.
I share this experience because I know many women and minorities often “put up and shut up” to stay in a position that, over time, depletes them. In the end, many of us have chosen the path of ‘silent quitting’ - doing the minimum requirements of the job and putting in no more time, effort or enthusiasm than is absolutely necessary.
This ‘silent quitting’ may mark women and minorities
for layoffs. Research suggests that women and people of colour have been disproportionately affected by the recent wave of layoffs. It is estimated 45 percent of those who lost their jobs in the recent wave of layoffs were women. Keep in mind, when the workforce is not split evenly between women and men, losing 45 percent of the women is a huge cut.
It is even more challenging for women in high positions. In its 2022 Women in the Workplace report, Leanin.org stated “More women leaders are leaving their companies,” giving three key reasons for these departures.
1. WOMEN LEADERS WANT TO ADVANCE, BUT FACE STRONGER HEADWINDS THAN MEN.
• Women leaders are twice as likely as men leaders to be mistaken for someone more junior.
• Thirty seven percent of women leaders have had a co-worker get credit for their idea, compared to 27 percent of men leaders.
2. WOMEN LEADERS ARE OVERWORKED AND UNDER-RECOGNISED.
• Women leaders are twice as likely as men leaders to spend substantial time on DEI work.
• Forty percent of women leaders say their DEI work is not acknowledged at all in performance reviews.
• Forty three percent of women leaders are burnt out, compared to only 31 percent of men at their level.
3. WOMEN LEADERS WANT A BETTER WORK CULTURE.
• Forty nine percent of women leaders say flexibility is one of the top three things they consider when deciding whether to join or stay with a company, compared to 34 percent of men leaders.
• Women leaders are more than 1.5 times as likely as men at their level to have left a previous job because they wanted to work for a company that was more committed to DEI.
It is even more difficult for women from minorities. The same report found Black women leaders were “more likely to be undermined at work.” They faced having someone imply they were not qualified (20 percent) or being mistaken assessed as holding a lower level role (38 percent)). Even worse, was having their judgement questioned (55 percent)! These are listed as microaggressions. Each microaggression is a little cut. Cumulatively they can drive many women to simply leave – whether they be in high positions or low.
I was asked recently to consider applying for a highsounding position. I say high-sounding because the position was not high in the organisation’s structure and its holder would have no say or control over budget, staffing or tooling. I was also asked if there were other women who might consider it. I said no, and gave those reasons. It is not sufficient to have a high-sounding title. There needs to be significant support behind it.
Many of these ‘thousand cuts’ are small and almost invisible. That is the problem. When women raise issues with their leaders, how are they treated? Most often, they are brushed aside with comments such as “you are too sensitive/emotional” or “it’s not really that big a deal.” So, they start suffering in silence.
I had one such position where my manager would brush off my concerns. So I suffered in silence as the microaggressions grew. I did the bare minimum required of me, all the while looking for another position. When I left, I had an exit interview with HR. The HR rep listened to me and then asked why I did not share my issues with my manager. I told the HR rep I had done so and provided details of the responses from that manager. I also pointed out that other women had left the group following similar experiences. Eventually, that manager was removed but the damage had already been done.
So, what are the options? Many women find solace in external networks. These can be places to vent the pain and the anger. But this does not solve the organisation’s problem.
Diversity, equity and inclusion (DEI) goals are often undermined by what is referred to as the ‘leaky bucket’ of retention: an organisation works hard to attract and hire women and minorities but fails to keep them. Hiring a diverse workforce does not necessarily create an inclusive workplace.
Most organisations are built from the top down. However, creating an inclusive workplace requires a rethinking of the organisation from the inside out. There are retention techniques (see table 1). Implementing them will take work and time. With resources stretched, companies are cutting back their efforts in this area
However, lessening these efforts, even during trying times, is not the best approach. Here are five reasons not to cut DEI efforts, even in a recession:
1. DEI can strengthen a company’s ability to weather a declining economy.
2. DEI is integral to core values and brands.
3. DEI initiatives are built over time.
4. Other cost-cutting options are more effective.
5. Even in a recession, investing in people and workplace culture is essential.
Finally, I would like to say the responsibility for creating an inclusive workplace should not be put solely on the shoulders of women and minorities. Yes, we should be asked about how our workplace can be made better. Yes, we can be involved in these efforts. When we are, we should also be acknowledged for it. This is not something we should be expected to do “in our spare time.”
So, when you ask a woman or a member of a minority to consider a high-level role, ask whether the organisation will be able to appropriately support that person. Because at the end of the day you do not want that person to walk away and warn others against applying for a role at your company.
www.linkedin.com/in/saihonig
With an affordable annual fee, AWSN members will have access to discounts on programs and industry events, the membership Slack space, post or share job opportunities, and receive our monthly and any special edition newsletters
In my experience of collaboration within many organisations, diversity of all types produces improved solutions to the most complex problems. The most pressing issues are solved in inclusive settings with a diversity of viewpoints where team members can participate based on their preferences as to where they do their best thinking.
When confronted with challenges and problems we need to support the emergence of ideas and innovative solutions by fostering an inclusive culture that promotes diversity of thought.
Here are seven strategies to foster an inclusive environment where innovation can flourish.
1. Encourage teamwork - sometimes it is more difficult to present a proposal on your own, and less senior colleagues might be discouraged from doing so if they do not have the backing of a team. Safety for the mind is important, and comes from having a mix of newer and more
experienced colleagues working together with a common purpose or desired outcome identified.
2. Hold regular “think tank sessions” to promote proactive teamwork and create opportunities for connections to be forged between various business, IT and IT security teams that will produce better cross-pollination of perspectives and more expansive ideas. These sessions could be online brainstorming sessions lasting 60-90 minutes with a variety of co-workers to identify issues and solution options that may need further exploration in a separate session.
3. Provide a diverse range of innovation events for your team in which they can explore new ideas, connections and technology, keep abreast of what is happening and identify options for now and the future.
4. Permit the submission of ideas anonymously. Anonymity can also remove any barriers of
judgement and any concern submitters might otherwise have of appearing stupid. Anonymity also encourages submissions with a broader range of ideas.
5. Leverage external coaches and/or facilitators who can assist teams to express their ideas. Writing or presenting an idea is not everyone’s day job, and it can be particularly difficult for early career employees and non-native English speakers. Colleagues can learn from a coach how to create a well-formed idea proposal and the best way to communicate it.
6. Seek a diverse group of reviewers to assess ideas against success criteria. This makes sure the advantages and disadvantages of each idea are considered from multiple angles.
7. Provide time for people to think about a topic or issue and the desired outcome. Provide a detailed brief on the context of what you want to achieve and the background to the problem, including the history of where it came from. Provide at least 72 hours’ notice to give team members the opportunity to think at the time and in the place they do their best thinking: AM, PM, evening or whilst doing something such as walking the dog, exercising, hanging the washing or having a shower. Research shows some of the most innovative ideas emerge outside of work hours.
There are other ways in which team members can participate even if producing innovative ideas is not their core strength. One is by voting on the suggestions made by other people. Voting gives team members a say in which ideas the business pursues, and encourages team engagement and involvement. By voting on multiple ideas, team members can express views based on their experiences and their requirements. The outcomes can be unexpected, insightful and powerful.
Making sure all team members feel welcome to contribute their ideas for innovation pays
off. Their increased engagement increases the range of strategic options and produces better business solutions.
Vannessa McCamley is a leadership and performance expert specialising in neuroscience practices that help individuals, teams and businesses grow in meaningful ways whilst delivering measurable results in healthy ways. She has a passion for helping people and businesses to overcome obstacles and enabling them to reach their strategic goals. She brings a strong background in IT security and more than 20 years of business experience to collaborating with individuals at all levels and from several industries. She is the author of Rewire for Success, an easy guide to using neuroscience to improve choices for work, life and wellbeing.
linksuccess.com.au/rewire-for-success
www.linkedin.com/in/vannessa-mccamley
linksuccess.com.au/contact-us
Warning: This article discusses a difficult subject. It seeks to start a dialogue that will foster positive change in our industry, address bad behaviour and build a better future.
I had the honour of attending a breakfast gathering at Melbourne Zoo hosted by Source2Create to celebrate International Women’s Day. The panel included women close to our industry, but not from our industry, who echoed sentiments we have heard over the years. During the Q&A I felt compelled to raise a question that has troubled me and many of my colleagues for years, a question that seems unanswerable but needs to be addressed: how, without fear of retaliation, can we hold individuals and organisations accountable for maintaining good standing in our industry?
Many of our professional certifications and industry bodies mandate adherence to codes of conduct. However, there are still individuals and organisations that fail to maintain good standing, either deliberately or inadvertently. Their actions continue unabated, seemingly swept under the carpet as if they are taboo
and cannot be discussed. We need to collectively address this issue to improve our industry’s overall reputation.
Calling out bad behaviour can be counterproductive, and often provokes retaliation. Those speaking out against employers, seniors or leaders can suffer employment termination, contract cancellation or other retaliatory action. We have all heard the term “career-limiting move.” Many suffer in silence, and the longer a problem persists, the more frustrated they become, especially when multiple sources independently confirm repeat behaviour by certain individuals or organisations.
It is possible some workplaces and individuals may be unaware of their culture or actions, and in such cases we can proactively take steps to address the problem. But how can we raise issues, make individuals and organisations aware of their actions and achieve positive change without creating conflict? We can do so by seeking a better understanding of their position and perspective and fostering a positive and collaborative culture for the betterment of our industry.
In conclusion, for our industry to grow and mature, we need to learn how to hold individuals and organisations accountable for actions detrimental to their good standing in our industry, without fearing retaliation. We must proactively address toxic cultures and seek positive change without creating conflict while being sensitive to those who may not be aware of their culture or actions. It is time to work together and create a better industry for everyone.
www.linkedin.com/in/mtett
www.dotm.com.au
Catenaccio, which means ‘door-bolt’ in Italian, is also the name for a highly coordinated defensive style of Association Football (soccer to some of you) made famous by the successful Italian national team from the 1950s onwards. For those unfamiliar with the game and this style of play, Catenaccio focuses on denying opponents any opportunities for goalscoring and any clear chances to even take a kick at goal. Catenaccio is lambasted by many for its lack of entertainment appeal and seemingly boring style of play. However, played right and against the right team, it is extremely effective, particularly if the team employing these tactics exploits counterattack opportunities. Catenaccio is also what you want for your organisation’s cybersecurity strategy.
Comforting news for many in Western Australia is that there are current mandates from our Office of Digital Government stipulating that all departments must have a minimum of Level One maturity across the Australian Cyber Security Centre’s Essential Eight controls to mitigate cyber attacks. This is comforting for those of us in desperate need of a coordinated
approach across our state agencies, but not so comforting for those having to quickly identify their security gaps and then implement a wide range of controls that will impact hundreds, and in some cases thousands, of staff.
There is another way Association Football, and many other sports played at an international level, can inform how we as a country can strategize better when it comes to cybersecurity: by establishing a unified national approach.
For football, netball, rugby and many other sports played around the world, there is a national body which usually establishes a uniform approach to how the sport is managed at a grassroots level: the standards and regulations for play and, of course, the style in which national teams are coached and how they play. Take Rugby Union for example. Most European and Northern Hemisphere squads play a style that allows for more kicking and drop goals, whereas the Southern Hemisphere national teams place emphasis on hard running and carrying the ball for a try.
Of course, this is an oversimplification. However, it is useful to explain how a national approach to cybersecurity is the one way we can unify the way in which all commonwealth, state and territory, and even local, governments build their cybersecurity strategies. The Essential Eight is a good start, but we do need to go further. Take information security for instance. There is crossover with cybersecurity in some areas, but not in others. We should aim for a national approach that will, to some extent, unify information security practices across all government tiers in Australia. This is also why Australia’s new Cyber Security Coordinator needs to have the authority to advise on information security standards, not just cybersecurity.
While many people are still talking about the devastating data breaches at Optus, Medibank, and now Latitude, the cynics in the room suddenly become World Championship Wrestling wrestler, Bill Goldberg and boldly ask, “Who’s next?” Australia needs a coordinated and unified national approach to both cyber and information security, and it needs that approach to be Catenaccio.
Let’s now look at the various players on the football field and assign each of them a place in cybersecurity control. What makes Catenaccio so effective is the extra layer of defence it creates, even though it keeps more players in their half of the pitch during attack. This means a team playing Catenaccio style has more players in its half of the pitch when the other team is attacking, providing an extra layer of defence –multifactor authentication, if you will. Then there are the wing backs: versatile, fast, excellent ball-handlers. These are players who can be deployed at various spots on the pitch, changing the player configuration. They are the user application hardeners – changing configurations to block malicious executables on devices.
Anyway, I think you get the picture here. I could go on and list all 11 players in a team, but then this article would become football coaching 101, and although I had two seasons (un)successfully coaching the Belmont Under 16s (one win in 20 games) I feel I would be underqualified. Also, this is not Women in
Soccer Magazine (although I know we are all getting fairly hyped up for the Matildas and the upcoming World Cup!
Unfortunately, we in the industry will never hear the full-time whistle on cyber attacks. In fact, we are not even approaching half-time. The pitch is muddy, it is raining and we are down 4-0. However, the good news is that Australia is heading in the right direction. We are on the way to achieving some kind of national, unified approach and cybersecurity strategy. I hope the following can be included:
• Funding to implement the full 37 controls of the Essential Eight across all tiers of government.
• A uniform approach to how cyber incidents are communicated.
• Standards and regulations around reporting cyber incidents, particularly in industries providing critical infrastructure.
• Standards and regulations specifying how cybersecurity awareness training is deployed.
• Nation-wide curriculum integration of cyber and information security skills across learning areas (not stand-alone cybersecurity education: our teachers are already exhausted).
This is the wish list. While I do hope all organisations, government and non-government, can employ the style of Catenaccio I also believe it will not be sufficient without the above wish list. I could discuss each item in detail, but I will leave that for another article at another time. Until then, think of your own organisation’s cybersecurity strategy and where Catenaccio and the great (well, in this writer’s eyes, anyway) Italian Football team can inform you of where that strategy should be headed. Until then, ciao.
www.linkedin.com/in/simoncarabetta
The Australian Women in Security Network (AWSN) was founded in 2014 as an open network of people aiming to grow the number of women in the security community in Australia.
Since its humble beginnings as a private LinkedIn group the network has expanded and has continued to inspire, support and connect women in the industry. The network supports those looking to enter the field by giving them the tools, knowledge, networks and platforms needed to upskill and by connecting them with peer support groups having similar interests.
The introduction of our formal programs in 2021 was the brainchild of AWSN founder and executive director Jacqui Loustau. The Security Pathways Program was initially designed to help address the predicted* 18,000 shortage of staff in the cybersecurity sector by attracting, retaining and developing women. The focus was to support women entering security and those already in the industry.
The network recognised that we must focus on initiatives to help retain and support women working in this industry, and we remain committed to the goal of retention and advancing women in security across Australia.
We continue to learn, improve and grow. We now know that according to the Gender Dimensions of the Australian Cyber Security Sector Report, where analysis of 2021 Census data indicated that women only represented 17 per cent of the cyber security. Our future plan is to establish new programs dedicated to increasing the pipeline of women in security. We will focus on students and professionals interested in learning or upskilling as well as supporting emerging and established leaders advancing their careers.
In addition to small cohorts and high touch programs, our programs differ from others in the peer support and network connections our participants and members receive through:
AWSN, in partnership with the Australian Signals Directorate and Australian start-up OK RDY, has developed Australia’s first mentoring program with an associated app-based platform for women in security. The program offers training resources, networking and ongoing support for the mentoring journey.
The app uses AI technology to foster deeper, more successful mentoring connections by suggesting mentors and matching these with mentees based on their values, interests and experience.
Since its official launch in October 2022 the program has grown to have 250 mentors and mentees interacting daily. 2023 will see the introduction of further enhancements to support the user experience and provide exclusive access to new mentoring videos designed to support the mentoring journey. These self-paced learning videos will cover topics such as:
• Reciprocity
• Building Trust
• Meaningful Mentoring
• Getting Started
• Building Confidence, and more!
Regular events organised and run by our team of chapter leads provide opportunities for members to connect with and learn from peers and other members of the AWSN community.
Each program cohort has its own dedicated private group to enable its members to communicate before, during and after program completion to share ideas and wins and to receive support.
Participants receive career advice and CV guidance from industry experts through group sessions to assist them with job readiness and support leadership aspirations, with the option of additional one-onone guidance. We have expanded this offering
from Security Pathways participants to Women in Leadership program participants after receiving feedback over the past year.
With sponsorship from the Australian Signals Directorate we are introducing a wider range of programs to support the community this year. Based on continual feedback from our community we have made a few changes
Our Security Pathways stream is separated into foundational courses and those which dive deeper into our popular specialised areas.
Likewise our Women in Leadership programs are now grouped into programs for emerging leaders with two to three years’ experience in security and programs for established leaders with more than five years in security.
We have created a security career ‘sandbox’ where women can learn and practice their skills in an inclusive space. This helps them find their areas of interest and build on their current knowledge of the different areas of security. This helps ensure their future security training investments are directed to the areas of security that most interest them and to which they are best suited.
Introduction to Cybersecurity Essentials - We are continuing with our most popular security pathways program and will admit two cohorts to the program this year. It provides insight into the different areas of security in a comfortable environment where participants can learn, ask questions and practice their skills.
OSINT Foundations Course - This course shows how to investigate people, places and things in the online environment. Participants learn key concepts and skills in open-source intelligence (OSINT) including efficient searching, data reduction and verification.
Creating Your Cyber Security Toolkit^ - We have received much feedback from our community members indicating their wish to be able to set up a security lab at home for their own learning and experience. This hands-on training supports participants to set up their own virtual machines and gives them a basic understanding of Linux and PowerShell commands and the functionality of a number of useful cybersecurity tools.
CompTIA Security+ Training^ - This is an intensive, instructor-led program designed to prepare participants for the CompTIA Security+ exam. We wanted to make some certification training available at a subsidised price for our members.
Based on the popularity and feedback of the 2022 training, we are bringing the Incident Response training exercise to Hobart, Brisbane, Sydney and Newcastle for 2023. We will also be running the Incident Response Competition in the second half of the year.
We are offering the following programs this year for emerging leaders with two to three years’ experience in security.
Emerging Leaders Program – We have made some changes to this program for 2023 based on participant feedback. These include spreading out the sessions to fortnightly, adding an additional one-onone coaching session and four learning lab sessions and integrating the learnings from the program. The first cohort is already undertaking the program and we are now accepting applications for the second cohort.
Powerful Presenter Program – Our program to help participants learn the art of impactful presenting is back for 2023. Because of limited trainer availability we can cater for only one cohort this year. We will be offering the program to additional cohorts in the early part of 2024.
Business Communications 1^ - This is one of our new programs for 2023 for emerging leaders. It helps a broad range of cybersecurity professionals break existing habits and enables them to produce more impactful written business communications. There is a big difference between writing reports for university courses and for corporate audiences. This program equips participants with the skills to produce effective email communications and high-quality, informative reports and business communications. These are critical skills needed to persuade a board that it needs to invest in stronger controls to mitigate key risks, or to inform major stakeholders on the impact of recent incidents. This program is a prerequisite to part two, which will be offered in 2024.
Women in Leadership Programs Emerging Leaders Program Business Communications Powerful Presenter Program CISM Emerging Leaders (2+ years)CISM Training^ - This is an intensive, instructor-led program designed to prepare professionals for the Certified Information Security Manager (CISM) exam. The ISACA CISM is an industry recognised certification which will help participants learn better methods to manage large security programs and teams.
These are the programs we are providing this year for established leaders with more than five years’ experience in security.
we want to support founders in our community. This bootcamp provides the starting point for anyone curious about exploring their start-up idea. This first training will be held in Melbourne. EoIs for other states are being accepted.
All Women in Leadership participants receive access to the Leadership Forums. These forums are held three times per year. They provide a platform and inclusive space for all women in the program to come together and discuss common issues, support each other, share ideas and learnings, ask questions, be inspired and share stories. This year we will also be inviting past participants to present at the forums to support participants as they advance in their leadership roles.
Project Friedman will run again this year as a partnership between WomenSpeakCyber and AWSN. It supports women wanting to speak publicly at events and conferences.
Although most of these programs are already oversubscribed, please complete an EoI so we can assess the level of interest in future training programs.
Aspiring CISO Masterclass – This is returning for another year We have added an addition session to further support participants and we will run the program for two cohorts this year to keep the numbers small and allow for more interaction between participants and our coach. This masterclass helps participants understand what skills and knowledge are required to be a CISO so they can work towards this goal.
Secure Your Board Leadership Masterclass^ - Board Communication has been added to our programs this year based on feedback from many members desiring to move into higher leadership and C-suite positions. This program teaches how to effectively communicate with a board. It will be offered twice in 2023.
Bootcamp for Aspiring Cyber Founders^- Being a founder is a role very different from any other and
In addition to these subsidised programs we are planning to offer further programs to our members. As an AWSN member you will have access to these subsidised programs and access to a diverse, Australia-wide network of professionals in all areas of security and at different stages of their careers.
All program details including subsidised costs, dates, times and training partner details are available on our website here.
If you are yet to become a member of AWSN –you can join here.
It is increasingly apparent a global cybersecurity skills shortage persists, and we do not have sufficient talent to fill the rapidly increasing number of available positions. ISACA’s survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, showed 63 percent of organisations having unfilled cybersecurity positions, an increase on the previous year. Furthermore, 82 percent of respondents predicted demand for technical cybersecurity roles, and for cybersecurity management roles in particular, would increase in 2023.
While the skills shortage is a significant challenge that places organisations in vulnerable security positions, we must also see the hiring blitz as an opportunity to increase diversity in the sector. A more diverse workforce is more innovative and more productive, and these attributes have a positive effect on an organisation’s bottom line.
Empowering and resourcing individuals to move into cyber careers requires a collective effort that, fortunately, is becoming more common. Necessity has, thankfully, allowed organisations to ‘look outside the box’ for talent, and a wonderful aspect of cybersecurity is that individuals with certain attributes, regardless of the sector they currently work in, may be suited to a career in cybersecurity.
We have seen many excellent cybersecurity professionals pivot from other sectors including health, law enforcement, military, other IT-adjacent fields, or studying seemingly unrelated subject in the humanities such as World Language, Literature, or History.
Over the past few years there has been an increase in partnerships between non-profits, professional organisations, academic institutes, corporations, foundations and governments to address the skills shortage and build the cybersecurity workforce.
This is a positive step, because it will take a collective of partners to train and resource untapped talent and to ensure individuals have strong pathways and placement opportunities.
Interestingly, ISACA’s State of Cybersecurity 2022 report indicated the greatest skills shortage in cybersecurity (54 percent) to be in soft skills: communication, flexibility and leadership.
Specifically, ISACA highlighted the top five soft skills needed as being communication-listening and speaking skills (57 percent); critical thinking (56 percent); problem-solving (49 percent); teamworkcollaboration and cooperation (44 percent); attention to detail (38 percent).
Many women naturally bring these attributes to the table and find the transition to cybersecurity more seamless than often anticipated, because they are capable in these life skills.
Years of individuals being excluded because of bias and other factors have created a tech workforce with very little diversity, and the exclusion of various cohorts negatively affects technology development, because it is necessary to have multiple perspectives (gender, cultural, ability, age, etc.) driving technology innovation to ensure the outcomes are applicable to all users.
There are many non-profits and other organisations dedicated to building diversity as well as inclusion in the cybersecurity workforce. This includes well-known organisations such as Women in Cybersecurity (WiCyS), the International Consortium of Minority Cybersecurity Professionals (now Cyversity), the International Organization of Black Security Executives; Women in Security and Privacy; Minorities in Cybersecurity; and many other country-specific organisations including the Australian Women in Security Network.
ISACA Foundation One In Tech was launched three years ago to promote diversity through scholarships, programs, events and community. While many corporations provide resources to build diversity internally, which is a positive step, inclusion must
also be prioritised because the two go hand-in-hand. Organisations can find retaining a diverse workforce challenging if inclusion is not part of the culture or DNA of the company.
One in Tech is successfully removing barriers to ensure all individuals receive equitable access to begin and advance their careers in cybersecurity.
Employers are the key to increased diversity. While mentoring, training programs, resources and all types of support offered to under-represented populations are valuable, focusing on those who are excluded puts the onus on them to change the status. However, the only way to truly change is to ensure corporations understand the critical need for diversity not only as an ethical issue but as a business case. Diverse employee teams are far more innovative and productive, and company profits increase with increased diversity.
As Esanju Maseka, an audit professional who assesses governance over cybersecurity controls, and a member of the ISACA Emerging Trends Working Group based in Melbourne, says: “Cyber teams have a broader perspective of vulnerability scenarios to consider as they plan defence tactics or strategies. Diversity allows for different skillsets to be brought to the table. It prevents omission errors in detection or protection software because attributes of a larger pool of individuals can be included.”
The ISACA State of Cybersecurity survey also found 30 percent of security professionals surveyed leaving their job because of poor workplace culture and environment, and eight percent leaving because of a lack of workplace diversity.
These are significant numbers that must be addressed by company-wide decision-making and a change in culture.
www.linkedin.com/in/vspitzer
www.linkedin.com/in/esanju-maseka-2b022852
Innovation is the lifeblood of startup businesses, whose ambitious and often young founders grew up in a climate that prioritises diversity much more than in the past. But does that mean startups’ progressive culture of innovation automatically translates into diverse, innovative workplaces?
Not necessarily. People are people, after all, and cultural issues can be as difficult to overcome for growth-focused startup founders – who must navigate a range of corporate cultures as they try to win over early-stage investors – as they are in more established organisations.
“The system is basically stacked against you,” says Inez Murray, New York City-based CEO of the Financial Alliance for Women, a fierce advocate for diversity who has watched women fight to establish themselves in the early-stage investor “boys’ club”.
“It’s very hard for females to get into,” she told the recent VFF FinTech Forum. “One of the important things is to give [opportunities to] new VCs or young VCs with less of a track record. Waiting for the VCs themselves to embrace diversity is going to take a long time.”
Statistics confirm that the startup community, for all its potential to rebalance gender diversity, still has a ways to go on diversity measures: twothirds of startups have fewer than 20 per cent women in leadership roles, according to InnoVen Capital’s recent Startup Outlook Report 2023, which found the remainder have fewer than 10 per cent women leadership.
Whether they’re operating in finance, cybersecurity, IT or other domains, the culture established during those early days will set the tone for startups in the long
Not necessarily – because culture must be deliberate no matter how small you are
run – so if women are already struggling to normalise diversity at the get-go, how can they possibly hope to carry diversity into their operational space?
One of the most important aspects to normalising an innovative, diverse startup culture is in setting the terms of that culture early on, notes Myrtle Dawes, a board member of the Scotland-based Technology Leadership Board and solution centre director with Scottish envirotech firm Net Zero Technology Centre.
“The issue really is around expectations,” she notes “You can’t have a situation where society is quite unfair, and then you walk into the workplace and all of a sudden everything is different. That isn’t realistic –and I think the reason some of these [initiatives] get lip service is because we expect companies to look different from the general society.”
That can pose issues in large companies where diversity, equity and inclusion (DEI) programs often get dropped onto the desk of employees who treat them less as a personal mission and more as just another KPI they have to meet.
“We have to address the societal issues, and not just put it on a few people who actually have hardly any overlap with us,” Dawes said. “All companies should have these expectations about the composition and inclusion of their teams. Diversity really does breed diversity.”
The benefits of a diverse culture can be amplified within small organisations, notes Tram Anh Nguyen, co-founder of the UK-based Centre for Finance, Technology and
Entrepreneurship – who notes growing demand for diversity training has rapidly expanded the organisation’s scope across all manner of other industry sectors.
“People in technology, and people that are entrepreneurs and marketers, have very, very unique diversity in terms of people,” Nguyen explains. “We are training them so that they can quickly and efficiently join this new world of finance and tech startups… we’re upskilling pretty much everyone.”
By introducing diverse training and operational modes early on, startups can set clear expectations around expected behaviours and cultural perceptions of diversity.
Yet many companies continue to align their internal structure in ways that work counter to the goals of diversity, points out Janelle Santa Maria, CEO of Benevity, who told a recent IWD panel that many companies implement diversity, equity and inclusion (DEI) initiatives as an HR function while corporate social responsibility (CSR) ends up as a corporate communications or marketing issue.
Co-ordinating the activities of the two is important in companies of any size, she said, because they address employees’ desire to work at a company that shares their personal values.
“Employees want to know that the company they work for lives and aligns to their purpose, values, lives, and passions,” Santa Maria explained, citing company involvement in areas such as community groups, employee giving as a great example of the way these various goals can be brought together.
“Working for a company, and being part of an employee resource group that allows [employees] to give back to the community from a CSR standpoint is a great brand story for any company,” she explained.
It can also be particularly beneficial for startups, whose relatively limited resources may see them struggling to match larger competitors on a perk-by-perk basis – but who can compensate by normalising innovative staff attraction and retention benefits like flexible work, generous parental leave, and so on.
“There doesn’t have to be that tension or fighting for budget,” Santa Maria said. “They really can serve to complement one another, and to drive the goals that each of those particular areas or teams has, in a very strategic way.”
“It doesn’t need to be as blatant as having a formal DEI program; just think of inclusion and what it means in terms of your policies, procedures, and practices – and how you are casting as wide a net as possible to involve all of your employees and to really be inclusive.”
Working in a startup or small business often feeds a sense of community and common purpose that can be harder to find in larger companies – and with employees happier and more innovative, it’s a good idea for startup founders to put extra effort into that part of their company culture.
“What’s really been most inspiring, from what we’ve seen so far, is the community that has been built between the founders themselves,” Kate Wendt, vice president of strategy, transformation, and sustainability with REI Group, which in 2021 established a Path Ahead Ventures Fund and hopes to support 300 founders of colour by 2030.
“They go through as a cohort together,” she said during a recent CES 2023 panel discussion, “and I think they’re getting as much inspiration and guidance and support from each other, and how that can amplify their efforts, as they are from our supporting them in the program.”
Many women are put off by perceptions that startups aren’t welcome spaces for them, according to recent research that found “women, but not men, are sensitive to information about organizational gender composition, especially for startups signaling diversity debt” – and warned that startups which don’t hire women in their early days typically struggle to attract them later on.
If innovation and community aren’t maintained, it’s easy for companies to feel isolated, noted Jacqui Loustau, founder and CEO of the Australian Women in Security Network (AWSN) during an IWD fireside chat with RMIT University leadership academic Dr Lena Wang, who is co-director of that institution’s Centre for People, Organisation, and Work.
“That’s one thing that has been really great as an organic kind of community that we’ve really tried to build,” said Loustau, who has worked with her team “to make sure that everyone is on the same philosophy of trying to help others and to be inclusive of all types of people.”
The organisation recently overhauled its Cadet program, renaming it as the Explorer Program in recognition of its stronger focus on inclusion as a harbinger of more effective innovation.
“We wanted to provide a space where they could ask questions without feeling like they were being judged,” Loustau said. “It is so powerful when leaders start to recognise [unconscious bias] and then actively do things to change that.”
“We all have a responsibility in this for this whole new generation of cybersecurity and security professionals. From government to leaders to industry associations, to educational institutions – all of us can play a part in this to really change things.”
Wang agreed: “we don’t expect leaders to get every single policy right,” she said, “but if we actually take the collective wisdom of our employees, it just allows them the opportunity to voice if something isn’t working for them.”
Whether in large businesses or small, innovative startups, “we can collectively create a culture where people feel safe to say ‘I need to go pick up my kids’.” Wang continued. “Just simply asking and being supportive as a leader, is often the most powerful thing.”
Peter Coroneos, founder of Cybermindz, a charity dedicated to the mental health of cybersecurity professionals, has been fascinated by the human brain since childhood. He was only 10 years old when a neuroscientist uncle took Coroneos into a laboratory and showed him pickled brains in jars.
That interest has been channelled into a life-long focus on his own mental health — he has been practicing meditation for 45 years — and he turned his attention to the mental health of others in 2013 when he founded Serenityworks, a couple of years after stepping down after a 13 year stint as CEO of the Australian Internet Industry Association (IIA).
“I was thinking about what I might do,” he told Women in Security Magazine. “And I started to see some scientific reports come out around the neurological changes that occur in long term meditators: improved immunity, better emotional balance — things that I knew, subjectively, were true for me, — and,
in particular, the ability to maintain a sense of equilibrium, even in very trying circumstances.
“These are skills I’ve applied in my own professional career, but under the radar. When I left the IIA, I realised this was something I could share. The game changer was really research around neuroplasticity, which started coming around about 2007 when the first papers were being published.”
Serenityworks offers a range of mentoring, stress reduction and meditation programs to individuals and teams in any industry, and from that came Cybermindz, founded in 2022.
“I was doing some work in cyber through Serenityworks. But I felt there would be benefit in setting up a not-for-profit specifically for cybersecurity, because I wanted to give recognition to the criticality of those roles. And I felt that Cybermindz could give the issues much more focus than coming out of a more generic offering,” Coroneos tells WSM.
“When I started Serenityworks cybersecurity was there in the background, bubbling away. But in recent years, it’s got more prevalent and more serious in its effects. So I wanted to really bring home the message to all of society that this is something that affects everybody, directly or indirectly. By being a not-for-profit, we’re hoping to get some federal grant funding or state grant funding. That’s easier if you’re a not-for-profit.”
The cybersecurity industry, Coroneos argues, is unique in the mental health stresses it imposes on participants. “We’ve identified at least 15 factors that come to bear on cybersecurity professionals. I don’t see any other profession, having all those 15 factors bearing on them.”
One of the most significant factors, he says, is that success is invisible: cybersecurity is successful when an organisation experiences no attacks that impact
its operations. “That’s a big one and the counterpoint is the high visibility of a single failure. You can have 10,000 successes and no one will notice, but if you have one failure, it can make front page headlines.”
At the heart of Cybermindz services is the iRest Protocol, described as “a contemporary form of meditative self-inquiry that has been adapted from the ancient practice of Yoga Nidra into a 10 step framework which is simple to learn and easy to practice.”
It is managed and promoted globally by the US based iRest Institute. It has been endorsed, and is widely used, by the US military, in programs for veterans in more than 50 military hospitals and bases across the US. The Australian military has also been using it since 2016.
The iRest Protocol was developed by Dr Richard Miller, “a spiritual teacher, author, yogic scholar, researcher and clinical psychologist, who combined traditional yogic practice with Western psychology and neuroscience,” according to the iRest Institute.
“The US army surgeon general’s office has endorsed the iRest program because they’ve shown it can start
to reverse PTSD in a month, and PTSD is something that can hang around for decades,” Coroneos says.
“it’s a process of really deep relaxation and resetting. But it’s also a process of selfenquiry, where you start to enquire into your beliefs and the narrative that you’re running in your own head, around what you’re doing in life. That can be personal as well as professional. But it only works if you’re in a hyper-relaxed state. … It’s not an intellectual exercise. It’s actually somatic. It’s grounded in the physical sensation because you’re holding it almost energetically. … By going into this hyper-relaxed state you are able to observe them with a degree of detachment and dispassion, then you can start to inquire, ‘is this still true?’”
IRest facilitators are trained and accredited by the iRest Institute and iRest training has been offered in Australia since 2013 by the iRest Institute Australasia. Coroneos says there are 400 iRest facilitators in Australia, and 7000 worldwide.
Cybermindz has partnered with the iRest Institute and this partnership is the foundation of the Cybermindz offering. Coroneos says he saw strong parallels between the issues faced by military veterans and those impacting cybersecurity professionals.
“They are both defensive type roles. Arguably, cybersecurity is even more challenging because there is off duty time in the military. You get leave. I’ve talked to many CISOs. They tell me, even if they take a holiday, they’re still vigilant.”
Cybermindz will provide iRest training to cybersecurity professionals using accredited iRest facilitators who have been given additional training to understand cybersecurity, the language of cybersecurity and the issues and challenges cybersecurity professionals face.
“I’ve created an induction course for iRest facilitators who want to deliver iRest training on our behalf. It brings them into the frame of cybersecurity, maybe for the first time,” Coroneos says. “We’re planning on using people who have worked with the military or corporates. So they already understand the corporate world, or the military world, but don’t have the specific understanding of what a day in the life of a cybersecurity professional is like.”
The initial training for clients comprises one hour per week over eight weeks. “Every week, there’s a different theme tackling a different aspect of cyber stress,” he says. “It might be the inability to switch off, or the fear they are carrying about letting the team down, or a sense that they are not doing a good enough job. These are all themes that have emerged through our consultations with the industry.
“We’ve cemented those into a standard format of eight weeks. An individual would be invited to attend every session. We can do it in person, or we can do it online. They become part of a hybrid group where they’re with people from other organisations. We also give them practice recordings. So as we’re delivering the iRest Protocol, we’re recording it for that week. And then they are asked to go home and use the same recording every day until the next session.”
Coroneos says Cybermindz has a number of pilot programs under way with major clients to validate its approach. “We’re running three pilots with the New South Wales Government this month. We’ve got another one with the Department of Defense coming up. So we’re now ready to implement.”
He is also planning to launch Cybermindz in the US in April, and in the UK later this year. “Our plan is to go through the Five Eyes [Australia, Canada, New Zealand, UK, US] because we’ve got iRest facilitators worldwide.
“We will have management teams in each country doing the groundwork. But the real power is the facilitator network and the uniformity we bring to our delivery. In theory, it shouldn’t matter who you have as a facilitator from one week to the next, because we will have approved them as being competent to deliver iRest to cybersecurity.”
Cybermindz has an exclusive agreement with the iRest Institute to deliver iRest training to cybersecurity professionals, but Coroneos says the Institute has recognised the potential to apply the model Cybermindz has created to other industries.
“They got very excited when I came to them with our model, because they could see how readily the concept could be transplanted into other domains. So they are now actively investigating training facilitators who have specific expertise, particularly in the health profession. I think that and the education sector would be the two other areas they would move into first.”
In October 2022 Cybermindz launched a study into the mental health of cybersecurity professionals. It is being conducted by its director of organisational and behavioural research, Dr Andrew Reeves. The results will be published later in 2023 but Coroneos told WSM initial results suggested stress levels among cybersecurity professionals were already very high and likely to lead to significant numbers of people leaving a profession already labouring under staff shortages.
“What we are measuring is burnout. There are three attributes of burnout: emotional depletion, cynicism, or depersonalisation, and professional efficacy. In addition, we’re looking at sleep quality. And we’re looking at a quality of life index, which takes in four other factors. So, effectively, we’re looking at eight factors. We’ve already got a statistically significant number. … It’s showing that the professional efficacy metric — which is the third aspect of burnout, ‘how well do you feel that you’re doing in your job?’ — is running lower for cybersecurity professionals than for frontline healthcare workers. Of the three metrics within burnout, that’s the one that predicts resignation intent.
“So the takeaway from the research so far is that we are looking at a potential exodus of people from cybersecurity in the next one or two years, because they don’t believe they’re being effective in their work. They’re not getting any professional satisfaction from what they’re doing.
“Then you add in the other factors that come to bear around emotional exhaustion: the fact that they can never switch off, the fact that they’re not being recognised externally for their work. Any rational person is going to start to do a calculation and think, ‘Why am I doing this?’ That’s what we’re trying to turn around with the iRest Protocol, and we know you can do that.” cybermindz.org
Today many companies embrace diversity and inclusion in their businesses. Organisations around the globe put diversity initiatives at the top of their ‘must-do’ lists. And while it is widely accepted as the right thing to do, the benefits of ensuring diversity and inclusion in the workplace can be far reaching.
As it turns out, creating a culture of diversity and inclusion is good for your business in more ways than you might imagine. Inclusion is a way of building on diversity and creating a feeling of belonging for everyone within an organisation. It means creating a workplace culture in which employees feel valued, respected and accepted. They feel welcomed, able to be themselves and able to share their ideas in a friendly environment.
Such a workplace culture improves the work experience of employees. However, the benefits of a diverse and inclusive workplace run much deeper.
In this article, we explore the benefits of diversifying the cybersecurity industry, the challenges faced and the practical steps that companies can take to create a more diverse and inclusive workforce.
Although the terms appear together, diversity and inclusion mean slightly different things.
• Diversity refers to the specific makeup of an organization or group. For example, how many different cultures, races, sexual orientations ages its members.
• Inclusion refers to how well an organisation represents and enables diversity within itself.
When thinking about inclusion, organisations should focus on ensuring the thoughts, feelings and opinions of diverse employees are valued and respected.
According to Forbes, organisations that rank high in gender diversity outperform their competition by 15 percent. The results get even better for those practicing ethnic diversity: they do better than their competitors by 35 percent.
In addition, workplace diversity is an important predictor of a company’s sales revenue and profitability. The most racially diverse companies bring in, on average, 15 times more sales revenue than those with lower levels of racial diversity. Let’s look at some of the less well-known benefits of nurturing diversity and inclusion.
In the study, Fostering Innovation Through a Diverse Workforce, researchers for Forbes found some
fascinating links between inclusion and innovation. Diverse employees bring a wide-ranging set of life experiences and backgrounds to the table, meaning they often look at life through different lenses. Those different perspectives can open new ways to solve challenges or address problems.
When different viewpoints mesh they have the potential to enable companies to out-innovate their competition, or as the Harvard Business Review explains, “Diversity unlocks innovation by creating an environment where ‘outside the box’ ideas are heard.” The results? Organisations that exhibit diversity are 70 percent more likely to capture a new market than those that do not.
At a time when unemployment is low, recruiting talented, dedicated workers can be a challenge. They are looking for more than compensation, perks and packages. There are programs available to educate employees on how to be an ally in the workplace so that every employee can feel empowered to bring their best selves to work. More than ever, this is a critical component of hiring and retaining top
talent. In addition, a study by Glassdoor found that diversity can significantly increase the attractiveness of an organisation for potential employees.
Researchers found 67 percent of jobseekers considered a diverse workforce an important factors when choosing where to work. That was true regardless of whether or not the survey respondents were members of a minority. These findings show workers are not open only to the idea of a diverse workplace, but are beginning to expect one. The more an organisation responds to this expectation, the better its chances of hiring and retaining top talent.
Diversity is not only about changing the composition of workplaces across the country; it is also about increasing the diversity of its customers. When a business exhibits a culture that fosters diversity it becomes more attractive to minority customers and is more likely to be perceived as understanding the needs of a diverse customer base.
Researcher Stephen B Knouse, from the University of Louisiana at Lafayette, found a diverse
employee base could communicate better with different types of customers, better understand their needs, and better meet those needs.
As Intuit CEO, Sasan Goodarzi puts it, “We must have a diverse and inclusive environment to be able to hear all voices. If we want to know what’s important to [our customers], we actually have to be diverse like our customers.”
The consulting firm DeEtta Jones reports brands that value diversity enjoy better brand perception. One reason could be that customers perceive such brands as being more in touch with their customers and more forward-thinking. Potential customers may perceive brands that do not practice diversity as being behind the times.
Many studies indicate that positive work environments lead to greater business success. Happier employees are more engaged and productive, and when employers take the time to have employees describe their experience of the benefits of diversity and inclusion, a happier, more relaxed work environment emerges. Employees feel valued and respected, which leads to greater collaboration and creativity.
According to Dr Shirley Davis Sheppard, vice president of diversity and inclusion and workplace flexibility at the Society for Human Resource Management (SHRM), inclusive workplaces have higher levels of engaged workers and there is direct correlation between engagement levels and better job performance. Disengaged employees cost organisations an estimated $450 billion to $550 billion yearly through lost productivity, according to Gallop. They also undermine the performance of a company: greater employee engagement can boost profits by an average of $2,400 per employee per year. And companies with employees that are more engaged enjoy 2.5 times more revenue growth.
The frequency of cyber attacks has increased in recent years, creating a higher demand for cybersecurity professionals. By 2025 it is estimated there will be more than 3.5 million unfilled jobs in cybersecurity. Businesses are facing talent shortages, creating another reason to factor diversity and inclusion (D&I) into recruitment efforts. Diversifying the cybersecurity workforce can ensure businesses have access to a bigger pool of talent.
Diversity in the cybersecurity industry means there will be a range of perspectives and different approaches to critical thinking and problem-solving. Diversity opens doors to new insights and innovation. In a workplace lacking diversity, people tend to turn away when they cannot find someone or something they are able to relate to. Prospective clients will often consider partnering with providers who offer more versatile services that better fit their needs. The likelihood of being able to onboard talent also decreases in less diverse workplaces, because work culture significantly influences people choosing to apply for a role in a company. Respecting the unique needs of every job candidate and employee gives businesses a competitive advantage.
The importance of prioritising diversity, equity and inclusion in the workplace cannot be overstated. This is especially important in the cybersecurity industry which is constantly evolving in response to the emergence of new threats. Just like the COVID-19 virus variants, phishing and ransomware attacks reach new levels of sophistication every month. Businesses that strive to provide effective cybersecurity need to be agile, adaptive and open to multiple modes of critical thinking.
A cybersecurity provider is more likely to exhibit
these qualities if it has a diverse workforce. However, diversifying the cybersecurity industry is easier said than done.
There are some challenges to diversifying the cybersecurity industry, which include:
The cybersecurity industry’s talent pool is very limited. Women make up just 11 percent and minority representation stands at 26 percent. This is unsatisfactory. To diversify the industry, businesses need to expand their reach and identify candidates outside the traditional hiring channels.
A significant challenge businesses face when diversifying their workforce is implicit bias. This refers to the unconscious attitudes or beliefs in stereotypes that can affect decisions and actions. For example, hiring managers may overlook qualified candidates from underrepresented groups as a result of implicit bias. Businesses need to ensure their recruitment processes are free from implicit bias that may filter out potential candidates, especially those from underrepresented groups.
After onboarding talent, businesses need to maximise retention efforts. With the demand for cybersecurity professionals increasing, maintaining employee morale is critical to ensuring employers do not lose workers, especially those with valuable skills. Companies can achieve this through more inclusive policies, hosting in-office events in support of different cultures and providing educational training and workshops for current and prospective staff.
Dismantling unconscious biases in the workplace is the core to promoting a more diverse and inclusive environment.
In many security organisations conversations around the pressing issue of diversity in the industry tend to be overlooked. The people at the top in the world of cybersecurity form a homogenous group and the lack of diversity in the industry creates hurdles, making the provision of security to clients much harder than it need be.
So, how do you increase diversity within your security teams to help foster greater innovation?
Much of the conversation around diversity in cybersecurity focuses on hiring staff. However, to create more diverse security teams, it is necessary to also focus on retaining diverse staff. While it is important to increase significantly the number of non-binary individuals, women and people of colour, it is just as important to improve internal processes to help retain them.
Studies show that up to 52 percent of women leave security careers, as do those from non-traditional backgrounds. This figure is almost double that for men leaving cybersecurity careers. Some say this is because women do not enjoy their careers in security, but more than 80 percent of women in the industry say they love their work. These figures suggest many from diverse backgrounds leave the industry because of cultural differences.
Too often we have a mental picture of what a security person is supposed to look like: one that does not reflect reality. The famous picture of Einstein shows him with tongue out and hair all over the place. If you did not know him have been one of the world’s greatest intellectuals, you might assume from his
appearance that he was not very bright. Appearances can be very deceptive.
We often do not realise we have fallen victim to unconscious bias. We must understand that our biases may not be explicit or intentional. We must learn to recognise they exist, listen to what people say, evaluate the work they produce and observe how they collaborate with others: these are all indicators of the value they bring to an organisation.
Also, those who have been conditioned to believe security to not be a valid career path for them, or those who are neurodiverse, may not exhibit confidence in their work. This does not mean they cannot do their jobs, it simply means they may need a little more encouragement in their working lives.
Security organisations often want people to shake things up by thinking ‘outside the box’, but in reality many are uncomfortable with being challenged and presented with new ways of doing things. When original thinkers are not valued, they are more likely to move elsewhere.
In security organisations, building a culture of inclusion in which everyone has a chance to share their ideas can help to increase diversity. Not every idea will be great, but all ideas and opinions should be shared and listened to.
In March 2020 when the COVID-19 global pandemic hit, steps were taken across all industries to get staff working from home. Many organisations realised their employees could be just as productive working from home as working in an office. In addition, those who are neurodiverse often get stressed when a deadline is approaching and undertake their work as far as possible in advance, while others find they need the adrenaline rush that comes when waiting until (almost) the last minute to deliver a project.
Supporting flexible working hours, a flexible working location, job sharing or three weeks on and one week off enables people to set their own hours and choose the locations where they feel most productive while still delivering on deadlines and projects. However, a flexible work environment requires trust in people to be productive even if they are not working in the same way or at the same time as others.
To build a strong and diverse security team, organisations need to build an environment that
supports and accepts differences of all kinds. They must not let unconscious bias about gender, the hours someone works, the location where they work or their appearance get in the way of nurturing all the great security talent available.
Organisations need to focus on creating cybersecurity teams that mirror the make-up of their wider workforce. Only then do they stand a chance of warding off the growing cyber threat and fostering greater innovation in the industry.
Lisa Ventura is an award-winning cybersecurity awareness specialist, writer and speaker. She is the founder of Cyber Security Unity, a global community organisation dedicated to bringing together individuals and organisations working in cybersecurity to help combat the growing cyber threat. She is also a mindset and mental health coach and offers help and support to those workers in cybersecurity and Infosec affected by stress, burnout and mental health issues.
www.linkedin.com/in/lisasventura
twitter.com/cybergeekgirl
10 TICKETS
To Enter:
- Make sure you are following us @Source2Create
- Nominate for the awards between 26th April and 26th May
To nominate for the awards, visit: https://womeninsecurityawards.awardsplatform.com/
The cyber and privacy professions are growing. Both are seen as critical to ensuring the safety and security of individuals, organisations and governments – with the privacy profession also focused on preserving the rights of individuals in respect of the collection and handling of their personal information. The building blocks of mentorship, leadership and allyship are key to the progression and vitality of these fields and to the success of the professionals within them.
Just over twenty years ago I had the great fortune to meet a person who would become my careerlong mentor, friend and (fast forward to today) my business partner. In addition to benefitting from his deep knowledge of privacy law and practice in Australia and abroad, I learned about the longgame: that it would take patience, determination and planning to deliver myself to the so-called ‘top’ of my career.
A mentor is often described as someone who provides guidance, support and advice to an individual who is new to the field or looking to advance their career. However, my experience is that mentorship is more nuanced than this, for both mentor and mentee. It is less an activity and more a process of discovery, particularly where the connection is lasting.
I was fortunate to be offered one-on-one mentoring just when I needed it, and that is something I reflect on with much gratitude (I am aware group mentoring and online mentoring can offer privacy and cyber professionals great support too). The benefits of mentorship are different for everyone, and can include:
1. Knowledge transfer - mentors share their knowledge and experience with mentees, helping them learn new skills and gain a deeper understanding of their profession.
2. Career advancement - mentors provide guidance and advice on how mentees can advance in their profession, including how to gain new certifications and develop new skills.
3. Personal growth - mentors help mentees develop their personal and professional skills, including communication, leadership and problem-solving.
4. Networking - mentors introduce mentees to other professionals, helping them build their network and connect with potential employers.
Living the career long game my mentor described (this, I suppose, is the discovery part), I have found that the ‘top’ is not, after all, a destination. It is more of a viewing platform, a chance to reflect on
the career path travelled before considering what comes next.
In my own role as a mentor to privacy and cyber professionals, I too encourage an ongoing association. To my mentees I offer my own pearls of wisdom, including the need for professional resilience. The hard work, the learning, the successes and hiccups are all, in their way, fortifying. And strength (particularly of character) is measured as much by how people respond to losses, disappointments and stumbles as by their response to any of the public high notes.
Leadership takes many forms: organisational leadership, team leadership, project leadership and, increasingly in my experience, servant leadership. Servant leadership emphasises the importance of serving others first before leading them. It is a leadership approach that focuses on the needs and wellbeing of the people being led, rather than the leader’s own interests or goals.
For me, the notion of being a servant leader grew from experiences earlier in my career, when I was ‘being led’ and when my views about success and career sustainability were still forming.
It is not easy to visualise a leader in a privacy and cyber consultancy actually putting humility, empathy and a strong commitment to ethical and moral
principles ahead of invoicing – and to be clear, I do not do this. Instead, I listen and pitch in. In corporate speak, I comfortably ‘deleverage’ myself as partner and support the people who need supporting (ie, actually help with the work). I also believe my role is to create a workplace and structures that empower people to be successful, and to complete their projects on time and with excellence. This, of course produces happy clients who are happy to receive a bill for services rendered. However, the personal and professional growth of team members and the creation of a positive and supportive environment where everyone can thrive and succeed matter deeply to me.
The benefits of strong leadership in privacy and cyber are numerous. They include:
1. Vision - leaders provide a clear vision for the future of the organisation or project and help guide the team toward success.
2. Motivation - leaders motivate the team to work toward a common goal, inspiring them to do their best work.
3. Accountability - leaders hold themselves and their team accountable for their actions.
4. Innovation - leaders encourage innovation and creativity and help their team develop new ideas and solutions to complex problems.
That said, and returning to mentorship for a moment, I believe leadership (in its various forms) is not the
exclusive domain of the boss or the one in charge. It is not a trait limited to a select few individuals. Anyone can be a leader, regardless of their background, education or experience. Leadership is about having a vision, setting goals and inspiring others to work toward achieving those goals. It is about being able to communicate effectively, listen to others and make decisions that benefit the group.
Being a leader also requires a willingness to take risks, learn from mistakes and adapt to changing circumstances. With dedication, hard work, a commitment to personal growth and that of society, anyone can develop the skills and qualities needed to become an effective leader. A quality I much admire in leaders is allyship.
experiences of those who are oppressed or marginalised. However, by demonstrating allyship, my colleague became the subject of criticism and vitriol on social media.
In the privacy and cyber professions, the benefits of allyship are obvious.
1. Diversity and inclusion - allyship helps to create a more diverse and inclusive workplace, which can lead to better problem-solving and innovation.
2. Support - allyship supports and encourages individuals who may feel isolated or marginalised in the workplace.
3. Education - allyship educates individuals on the experiences and perspectives of those from different backgrounds, leading to greater understanding and empathy.
4. Challenging bias - allyship challenges biases and stereotypes in the workplace, creating a more equitable environment for all.
I saw a great example of allyship (and leadership!) recently. A colleague who had been asked to speak on a cybersecurity panel suggested the organiser should revise the all-male (albeit racially diverse) panel to include women. It seems a small thing, but supporting inclusion most certainly is not.
For the uninitiated, allyship is the act of supporting and advocating for a marginalised group of which one is not a member. It involves recognising and acknowledging one’s own privilege (or advantageous position) and using it to amplify the voices and
Taken together these three ‘ships’ increase staff cohesion in cybersecurity and privacy and help nurture successful professionals. Mentorship supports the transfer of knowledge, advancement of careers and development of personal and professional skills. Leadership can be supportive, motivational for teams, hold individuals accountable and encourage innovation. Allyship creates a more diverse and inclusive workplace, provides support and education and challenges biases and stereotypes. A trifecta!
www.linkedin.com/in/nicole-stephensen-privacymaven
“I also believe my role is to create a workplace and structures that empower people to be successful, and to complete their projects on time and with excellence. This, of course produces happy clients who are happy to receive a bill for services rendered.”
Content allows you to establish, share, and strengthen your brand. It helps build relationships which is why we are shining the light on our content service.
Content strategies don’t just define the goals your content is intended to achieve, but also the procedure, processes and governance required to get there. We can show you how to manage your content effectively .
We can then use that content to attract, acquire and engage your customer and new prospects, deepening your relationships
What are you waiting for?
REACH OUT TODAY
by Sasenka Abeysooriya , Program Director & Senior Strategic Adviser at The University of Queensland, and Merrell Milano , Deputy Vice-President, Advancement Services at The University of Queensland
Rapidly advancing technology and evolving cybersecurity threats require cybersecurity professionals to continually think differently to protect against potential breaches and attacks. The complex and sophisticated nature of these threats requires cybersecurity experts to stay informed and prepared to face the challenges of today and the future.
Dr Ivano Bongiovanni from the University of Queensland led a study on the barriers that women face in cybersecurity. It found: “…given the growing complexity associated with cyber threats and the multiplicity of skills required to address them, the demand for cybersecurity professionals continues to increase rapidly.”
In other words, the supply of qualified talent simply cannot keep up with demand, leading to a significant skills gap in the industry and increasing the vulnerability of organisations already at risk. To address this challenge, Dr Bongiovanni and his colleagues urge organisations to invest in innovative approaches to education and training, as well as in initiatives to promote diversity and inclusivity in the cybersecurity workforce.
A focus on expanding existing staff perspectives through professional development initiatives—such as upskilling current employees, investing in education and training programs, and leveraging emerging technologies—can help alleviate the cybersecurity
talent shortage. However, to meaningfully and strategically foster innovation in cybersecurity, organisations must recognise the value a pool of skilled and diverse professionals can bring, and must focus on attracting and retaining such people.
True transformation often arises from creative problem-solving and resourcefulness, and a diverse team will bring a wider range of ideas and solutions to combating the growing sophistication and creativity of future cybersecurity challenges. To achieve this transformation, organisations must create an environment that encourages and embraces people with diverse backgrounds, experiences and perspectives.
In talent acquisition, diversity is achieved by actively seeking out and recruiting candidates with a wide range of backgrounds, experiences and perspectives. They could be diverse in ethnicity,
gender, sexual orientation, age, socioeconomic status or other attributes. By seeking out a pool of diverse candidates, organisations can tap into a broader range of skills and experiences and infuse standard positions and responsibilities with new, unique perspectives. Such a workforce is likely to produce solutions more innovative than those from a homogeneous team.
Initiatives to foster diversity in cybersecurity include a shift in conventional recruitment strategies and going beyond the usual channels to seek talent in unexpected places. It is important to acknowledge what people have overcome in their lives rather than focusing on their qualifications and recent experience. By recognising, valuing and celebrating the achievements of individuals who have overcome obstacles and have demonstrated resilience and problem-solving skills, organisations can create a workplace culture that values and acknowledges the strengths of all team members.
When the cybersecurity community is more inclusive it has a better chance of identifying and addressing the many and diverse threats and vulnerabilities it faces. An inclusive environment is crucial to ensuring all team members can contribute to their full potential. This requires the leadership to remove participation barriers and promote a thriving environment where team members can share their challenges and experiences without fear of judgment or reprisal. Leaders must identify and address participation barriers to create an environment in which all can contribute and grow.
Infusing planning and strategy with different perspectives and open ideas can help establish a more inclusive team environment. When leaders intentionally seek out diverse perspectives they can identify and address potential blind spots and generate innovative solutions to complex problems. In doing so, they create opportunities for team members to learn from each other and grow together.
Leadership that recognises and celebrates both personal and professional achievement will contribute to an inclusive team culture. Acknowledging and appreciating the unique challenges colleagues may have faced, and celebrating their achievements will establish an environment that values and recognises the strengths and experiences of all team members.
If recruitment processes are to achieve diversity and inclusion they must select candidates based on essential core traits: professionals able to continually adapt and show traits for success such as problemsolving ability, critical thinking and soft skills.
Problem-solving ability is one of the most crucial traits for cybersecurity professionals. Cyber threats are continually evolving and becoming more sophisticated, requiring cybersecurity professionals to think outside the box and solve complex problems creatively. Individuals must be able to quickly identify and address security vulnerabilities and incidents
and adapt to rapidly evolving situations and contexts while proactively developing new strategies to prevent future attacks.
Critical thinking is essential for success in cybersecurity. Cybersecurity professionals must analyse data and recognise patterns to identify security risks, evaluate the effectiveness of different security measures and develop responses that are effective and efficient. Additionally, they must be able to evaluate new and existing technologies and products to determine whether they are secure and compatible with existing systems.
Soft skills are essential for success in cybersecurity, albeit currently under-valued. Effective communication skills, including active listening and clear expression of ideas, are critical to ensuring cybersecurity professionals work collaboratively with their teams and effectively communicate with stakeholders. Soft skills become increasingly critical during incident response, particularly in managing dynamic stakeholder relations and ensuring clear communication on actions and timelines. A lack of clarity and team cohesion can jeopardise security in a high-risk environment.
It is vital to select candidates based on these essential core traits if a strong and effective cybersecurity team is to be built. By prioritising these core traits in recruitment, organisations will build a diverse and innovative workforce capable of handling the ever-evolving cybersecurity landscape.
Fostering innovation in cybersecurity requires a concerted effort to create a diverse and inclusive team environment. By recruiting from a wide range of backgrounds and providing an inclusive workplace culture, organisations will tap into the wellspring of creativity and innovation that comes with diversity. By embracing new and varied perspectives and experiences, organisations will create a more innovative and effective workforce that is better positioned to rise to the challenges of the digital age.
Sasenka Abeysooriya is an accomplished and dynamic strategist, innovative thinker and strong communicator with over a decade of experience in IT. He is Program Director for The Queensland Commitment at The University of Queensland and is well-versed in a diverse range of activities, including strategy, enterprise architecture, program management, data governance, security and risk transformation. His extensive career has spanned a variety of industries including ICT, healthcare, travel, marketing, advertising, government, higher education and not-for-profit. Sasenka holds degrees in IT and International Relations.
www.linkedin.com/in/sasenkaabeysooriya
Merrell Milano is an accomplished executive with extensive experience in advancing fundraising and engagement programs. She is Deputy Vice-President, Advancement Services at The University of Queensland where she oversees a portfolio of information management, insights and operations teams. Her expertise spans a range that includes business analysis, process development, change management and project management, as well as aligning technology and tools with the unique needs and best practices of institutions.. Prior to joining The University of Queensland, Merrell spent a decade as an Associate Vice President at US-based fundraising consulting and services company BWF where she specialised in fundraising operations and systems, helping universities, colleges, healthcare organisations and other non-profits design and implement data-driven operations and effective technology tools to achieve fundraising success. Merrell is a graduate of New York University with a Bachelor of Arts degree.
Natalie Hingco Perez is the SheLeadsTech Coordinator in the ISACA Melbourne Chapter. She led a committee of volunteers from SheLeadsTech Melbourne, ISACA Melbourne Chapter, ISACA Sydney Chapter, EY Women In Tech and AWSN that organised a day-long hybrid event to celebrate International Women’s Day 2023. In this article, Natalie identifies the top three things she learnt from organising the event, and shares her views as a participant.
I am fortunate to be a volunteer on committees such as SheLeadsTech Melbourne which recently held an International Women’s Day event in collaboration with the Australian Women in Security Network (AWSN), ISACA Melbourne Chapter, ISACA Sydney Chapter and EY Women In Tech. The event, with the theme Cracking the Code to Embrace Equity, was virtual and on-premises with participants in EY offices in Sydney and Melbourne and comprised four presentation sessions and two panel sessions. Here are the top three lessons I learnt as a participant.
Firstly, I was able to gain a better understanding of the metaverse, of how artificial intelligence works, of the opportunities and challenges they will create for the industry, and how these will impact diversity and
inclusion. I am one of many who have felt fear and concern about the metaverse and AI. My concerns extend to my children, because these will be the technologies they will encounter as young adults. I need to understand these technologies, what they can do and how to embrace them.
The big corporates with the capabilities to develop, enhance and extend the metaverse and AI must take responsibility and be held accountable. This responsibility entails making ethical investments and ensuring the data and codes behind the metaverse and AI exclude any form of aggression. The Internet has already demonstrated that suppressing inappropriate content is a huge task and a huge responsibility.
NATALIE PEREZThe users of artificial intelligence must also take responsibility to train it well. Chatbots powered by AI are continually enhanced by input from users ranking and rating the responses they receive. Such feedback is important but must be validated by those responsible for an AI system before it is accepted.
Samantha Lengyel of decoded.AI told the audience ChatGPT could be useful if it provides its users with relevant information. For example, ChatGPT might be able to generate a seven-day pescatarian menu for me that has a low glycaemic index and is high in protein.
According to one speaker, inclusive workplaces advocate and author Karen Catlin, there are seven types of allies: sponsor, champion, advocate, amplifier, scholar, upstander and confidant.
Another speaker, Angela Anthony of Dulux Group, described a conversation with one of the female managers at Dulux interested in applying for a higher role in the company but hesitant because she was pregnant. Anthony’s response carried a powerful message.
“Firstly, congratulations to you and your hubby on your pregnancy. You should celebrate that. Secondly why not apply for that role if you want it? Is it because you are pregnant? If you are accepted, that is more great news to celebrate. And if you go on parental leave, it is the hiring manager’s responsibility to find someone to do the job whilst you are away.”
With companies now adopting the term ‘parental leave’ instead of ‘maternity leave’, fathers of newborns can take paid leave to participate in of the care of their children, some until the newborn is two years old. This enables them to support mothers returning to the workforce from their maternity leave, and build relationships with their children.
Gail Bray from the Wyndham Tech(nology) School (WTS) in the western suburbs of Melbourne described her program to spark students’ interest in STEM. WTS and its partners have run programs featuring STEM problems and case studies. Bray has adopted an approach she calls “hiding the vegetables” to make learning and developing skills in STEM enjoyable for students. It entails packaging the STEM content in something more appealing to students.
As a result of having STEM in the curricula of Years 7 and 8 the ratio of female to male students has improved from 5:95 in 2020 to 52:48. Imagine how many girls would consider a career in STEM if STEM were included in the high school curriculum until Year 12.
I am grateful to have been given the opportunity to meet virtually and in person with the volunteers who helped organise our International Women’s Day event. The resource persons on such events are passionate about being able to increase the representation of women in technology and support them to thrive and be successful in their endeavours. I learnt much from the event, especially: Be Brave, Be an Ally and Hide the Vegetables.
www.linkedin.com/in/natalie-hingco-perez-74298436
I have heard innovation defined as “fresh ideas that add value.” In cybersecurity, ideas that add value are necessary because we need innovative, automated and sometimes out-of-the-box ways to improve cybersecurity practices; as individuals, organisations and governments. ISO/IEC27001, the international information security standard, even has a clause titled ‘improvement’ that outlines the requirement to constantly enhance security practices.
The cybersecurity profession is diverse and dynamic in the skills, knowledge areas and personal attributes of the individuals who work in it, and is ever-changing because of the nature of cyber threats, technology and societal needs. Diversity is indeed required if we are to ensure our information is secure, our business operations run as we expect and if we are to understand how changes in technology can impact regulations with which we must comply.
The diversity of individuals working in cybersecurity could be increased by lowering the barrier to entry into the profession. Some worthy initiatives that help do so are listed below, in no particular order.
• ISC2’s One Million Certified in Cybersecurity Program. ISC2 is offering free Certified in
Cybersecurity training and exams. This training provides a technical foundation in key cybersecurity domains such as access control, incident response and security operations.
• SANS New to the Cyber Field Manual. This excellent guide is jam-packed with useful resources and tips for those looking to start or transition to a career in cybersecurity. It includes details of useful webcasts, books and approaches to getting started in cybersecurity.
• OneInTech. This is an ISACA Foundation with the vision of creating a diverse and inclusive global community of cybersecurity and IT audit professionals. It provides scholarship opportunities. Its SheLeadsTech program focusses on building a gender diverse and inclusive cybersecurity workforce. ISACA stages global events and offers a supportive community, making ISACA membership a worthwhile investment that provides access to professional development, networking opportunities and thought leadership resources.
• Cyber Leadership Institute With training programs and the Cyber Leadership Hub the
Cyber Leadership Institute is on a mission to develop visionary cyber leaders and assist cybersecurity professionals to attain leadership positions. Cybersecurity leaders require a range of skills beyond technical skills if they are to have an impact, and the programs offered aim to equip cyber leaders to succeed in executive level positions.
• Australian Women in Security Network (AWSN) mentoring. Mentoring is a powerful mechanism to encourage individuals into the cybersecurity field. There is tremendous value in having conversations on career growth and development, and in learning from the experiences of others. AWSN’s mentoring program provides a fantastic opportunity for mentees to ask questions and build relationships with mentors in the cybersecurity industry.
No single method represents the best way to encourage participation in cybersecurity. A combination of technical, leadership, networking and relationship-building opportunities provides a multi-dimensional approach to increasing skills and setting the foundations for diversity in the profession. The initiatives listed above make a difference by encouraging individuals to enter, transition into or grow in cyber careers. The cybersecurity industry must continue to work to advance and sustain the cyber profession, and heed the warning from Marcus Aurelius: “What stands in the way becomes the way.”
www.linkedin.com/in/marisealphonso
March was International Women’s Month, it celebrated the contributions of women in technology, science and other industries. However, a continuing effort is needed to inspire both men and women who have doubts about pursuing a career in technology, science or engineering.
According to the National American University, in 2022 only 24 percent of computing jobs were held by women and only 19 percent of university graduates majoring in STEM subjects were women. This underrepresentation could be the result of differing social norms and expectations. All people, whatever their gender, should have equal opportunities to start a technical career or pursue a course in STEM.
Here are some key imperatives for advancing gender equity.
1. GIVE OPPORTUNITIES FOR WOMEN TO LEAD, AND RECOGNISE MEN AS ALLIES IN THEIR STRIVINGS FOR SUCCESS.
A study published by the Harvard Business Review said diverse teams produced more innovative ideas. When people of different genders and with different backgrounds work together they bring different perspectives that
produce greater creativity, and innovation is key to creating a progressive, digitised economy.
2. SUPPORT WOMEN STARTUP BUSINESSES. Companies with female owner(s) and female executives prioritise the hiring of women. This is important to help equalise disparate salary rates. Also, the inclusion of women brings more perspectives to the design of new products, services or solutions. It increases opportunities for growth through business partnerships and collaboration.
3. GROW THE SUPPORT ENVIRONMENT FOR WOMEN.
Women often have second thoughts when contemplating a job in technology, or a career
shift. It is crucial they have a sense of belonging. Organisations should aim to promote women’s empowerment and develop women leaders who can work hand-in-hand with male leaders in their respective organisations, and so boost their confidence to do work in which men have long played leading roles.
4. INSPIRE AND PROGRESSIVELY SUPPORT STUDENTS TO TAKE UP STEM COURSES. Increasing the number of women enrolling in STEM courses would help bridge the skills gap for technology and cybersecurity. Male and female STEM students who embrace diversity and equity could encourage others to take up STEM studies.
5. GIVE EQUAL RIGHTS AND RECOGNITION TO WOMEN UNDERGOING HEALTH OR MATERNITY BREAKS.
We have seen women who have experienced career setbacks after getting married because their priorities have been divided between career and family. Women who prioritise family matters should not be
disadvantaged. They should be given opportunities to lead, to take on key projects in their organisations and allowed to balance work and family priorities.
Projects succeed not only because of processes and technology but because of people’s attitudes and abilities, and women’s abilities and attitudes stem from their family roles.
The journey to gender equity is long and far from complete. We need to view and respect people without bias and discrimination, regardless of their gender. Equity gives people of every gender the opportunity to move up the career ladder unimpeded by biases.
www.linkedin.com/in/mel-migriño-b5464151
www.linkedin.com/company/wisap-women-in-securityalliance-philippines
There are big benefits for cybersecurity businesses prepared to widen the recruitment net and invest in training promising candidates who have the right attributes.
It is no secret cybersecurity skills are in short supply in Australia. There has been a lack of job-ready candidates for several years. AustCyber’s 2019 Australia’s Cyber Security Sector Competitiveness Plan noted the need for an additional 17,000 cybersecurity workers by 2026, and demand for their services has intensified post-Covid as businesses and organisations have scrambled to protect themselves from an ever-growing array of threats.
The skills shortage is impacting both the supply and demand side of the cybersecurity industry. Cybersecurity vendors and service providers are drawing heavily on workers from other industries
who have transferable skills to make up the skills shortfall and secure the talent they need to service their customers.
Many individuals working in the broader ICT sector are well-equipped to make the switch and hence have been prime targets for cyber firms seeking to maintain or increase their headcounts.
It is all too easy for cyber organisations to keep hiring more of the same: individuals with roughly similar backgrounds and skillsets to the people already in their teams, but there is a downside.
With a modicum of training and mentoring the new hires may be able to perform their duties capably, but this hiring approach does not necessarily create a workforce comprised of individuals with a broad range of perspectives.
There is no shortage of evidence to show that teams high in diversity—of culture, gender, sexual orientation and life experience—are more innovative and better performing than more homogeneous versions.
For example, a series of reports by McKinsey over recent years has revealed that public companies with the greatest ethnic and racial diversity at the top are more likely to report financial returns above the industry average.
Increased diversity is a big part of the reason I would like to see more cyber companies have a change in mindset and open themselves to the possibility of building teams and skillsets from the ground up. In practice this would mean training promising candidates to fill vacant roles rather than buying in the bulk of the expertise they require.
Doing things this way would kill three high-tech birds with one stone. It would go a long way towards alleviating the skills shortages impeding cyber organisations’ ability to grow. It would create more opportunities for individuals from non-traditional backgrounds to forge challenging and rewarding careers for themselves in an industry that is really hitting its straps. And it would allow organisations giving those individuals a start in the sector a better shot at building committed, high-performing, diverse teams.
So, where should cyber businesses that would like to walk the walk begin when it comes to diversity, inclusion and innovation? Hiring for attributes rather than experience would make a great start.
Attributes like curiosity, initiative, lateral thinking and tenacity, for example, are all traits that can be harnessed to excellent effect in the cybersecurity industry in roles such as penetration testing, social engineering and analysis.
Quick, motivated learners can add value everywhere from marketing to customer success once they are au fait with the industry and its workings.
Getting rookie recruits up to speed may require more upfront investment than hiring individuals who can hit the ground running, but it can be money well spent, at least for organisations looking at the big picture.
I am grateful my employer, Devicie, is one of them. With the support of its leadership team I segued successfully from the defence sector into a customer success role a few months ago, and a handful of my colleagues have made similar shifts.
We are excited to be part of a diverse, high performing team that is transforming a home-grown cyber startup into an international success story with a corporate customer base spanning three continents, and growing.
How good would it be to see other cyber businesses solve their staffing challenges and reap the same diversity-driven innovation dividend Devicie is now enjoying?
www.linkedin.com/in/gabriellaespensen
The issue of whether parents checking their teen’s phone is an invasion of privacy is contentious. On the one hand, parents argue it is their responsibility to monitor their child’s behaviour and ensure the child’s safety. On the other hand, teens argue it is an invasion of their privacy and undermines their trust.
Parents who support monitoring believe they have a responsibility to make sure their child is not engaging in dangerous or inappropriate behaviour, such as sexting or cyberbullying. They also argue that monitoring their child’s phone can help prevent the child being targeted by online predators.
However, teens who oppose phone monitoring believe their parents should trust them to make good decisions and respect their right to privacy. They also argue that phone monitoring can be counterproductive because it can lead them to being more secretive and hiding their behaviour from their parents.
I believe there is a middle ground. As parents get involved in their teen’s online activities and show interest in the apps and websites the teen uses, they begin to develop a rapport with their child around technology and can educate themselves on the features available to their child through these apps. This opens the door to discussing with the child the importance of keeping safe online and teaching them how to safely use technology, with a view to them managing it themselves in the future. Checking the phone with your child enables them to have input and enables you to take advantage of moments that present opportunities for teaching.
In the end, the decision to monitor a teen’s phone should be based on the family’s individual circumstances. If there are concerns about a teen’s behaviour or safety, it may be necessary for parents to monitor the teen’s phone. However, if a teen is generally responsible and trustworthy, it may be more appropriate to respect their privacy and trust them to make good decisions.
The issue of parents monitoring their teen’s phone is a complex one with valid arguments on both sides. Ultimately, the decision should be based on the best interests of the child, the parents’ parenting beliefs and morals, and the family.
www.linkedin.com/in/nicolle-embra-804259122
www.linkedin.com/company/the-cyber-safety-tech-mum
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
Recently, I received my car insurance renewal documents. Normally I do not really read the policy document. I just make a note of the amount and the renewal date. However, the email I received had a statement that caught my eye.
“Your policy document now explains what happens if there is a cyber act or incident. We’ve updated the ‘What you are not covered for’ section of your policy to include new information about ‘cyber events’. This update explains that there are some losses and costs arising from a cyber act or incident that may not be covered by your policy.”
The policy (available publicly online) states:
“Cyber
This policy does not cover loss, cost or liability, directly or indirectly caused by, arising from,
contributed to, by or in any way connected to a cyber act or cyber incident. However, we will not apply this exclusion for any of the following:
• an event otherwise covered by this policy that causes a cyber incident.
• loss resulting from an event otherwise covered by this policy that has been caused by a cyber incident or cyber act.
I did ask for clarification of what this really means. This is what came back from my insurance provider.
“Some loss and damage we intend to exclude under our motor products are:
1. A vehicle that can connect to the internet is having issues with a new software update that has been downloaded to it by the manufacturer.
This means the vehicle needs to be looked at by a repairer to remedy the issue. The cost for the repair in this case will not be covered under the policy.
2. A computer virus has caused a vehicle system to malfunction. There is no physical damage to the vehicle, but the key to access the vehicle no longer works. The cost of a repairer to resolve this issue will not be covered under the policy.”
I certainly did not expect to see my car insurance discuss cyber events. So why is this disclaimer in the policy? As we have seen, our cars are becoming more like our laptops and mobile phones. In many vehicles, Bluetooth and Internet connectivity are becoming standard features. Because of this, insurers are putting in disclaimers such as the above.
This needs to be understood. Software in many automotive systems may have vulnerabilities that could allow vehicles to be hacked, customer data to be stolen or even enable complete vehicle takeovers Because the software rather than the hardware is affected, these are considered ‘cyber events’ and may not be covered by the insurer.
Even Tesla’s ‘self-driving’ capabilities come with flaws. A senior engineer at Tesla is reported to have said that, when Tesla tried to show the Model X could park itself with no driver, it crashed into a fence in Tesla’s parking lot. The US Department of Justice launched a probe following more than a dozen crashes, some of them fatal, involving Tesla’s driver assistance system, Autopilot, which was activated during the accidents.
I think we can agree that the “more than a dozen crashes” of Tesla’s Autopilot could have been caused by cyber incidents. I think we can also agree that complete vehicle takeovers can be caused by cyber attacks.
However, with all the software currently in vehicles (and more to come), can we ignore these cyber events? If our car insurance policies do not cover cyber events, what recourse do we motorists have?
The Russia-Ukraine conflict has been described as the world’s first hybrid war. In addition to traditional, kinetic warfare involving deadly weapons and boots on the ground, there is also a cyber war taking place online. Cyberattacks, coordinated with the aid of the deep dark web, may be less lethal than bombs and firearms, but the risk they pose to financial institutions and critical infrastructure is substantial, and actors from both sides have been fighting in cyberspace with the same fervour as conventional forces.
The deep dark web can be as scary as it sounds. It is a version of the internet with significantly fewer oversights where hackers and cyber criminals sell identities, weapons and illegal drugs, launder money and traffic human beings. This alternate network is not indexed by search engines and cannot be accessed by standard web browsers. Special tools like the Tor browser are needed to access it, and it is here that hackers use dedicated forums and chat services like Telegram for recruitment and coordination.
Much online activity in Russia has moved to the deep dark web as a result of sanctions, voluntary actions and self-imposed restrictions, taking Russia away from popular Western platforms.
A pro-Russian hacker group, charmingly named Killnet, is one such cyber army using the deep web to attack Ukraine and its allies. This criminal collective has committed a number of distributed denial of service (DDoS) attacks against government organisations in Romania, Moldova, Czechia (the Czech Republic) and Italy, temporarily shutting down websites and making them unavailable to users.
DDoS attacks are akin to multiple people crowding a brick-and-mortar store’s doorway, preventing legitimate customers from entering. To accomplish a DDoS attack a large number of machines from different sources are needed, all infected with novel malware (undetectable by standard cybersecurity software) that hands over control to hackers. Phishing scams, where a person is tricked into clicking on a fraudulent link, are a popular way to install said
malware. These scams can also be used to gain the credentials needed to access sensitive information, which is then leaked on the dark web.
But this is not a one-sided battle. Fire is being fought with fire. Groups like the hacktivist collective, Anonymous, have declared war on Russia and Killnet, pledging to leak details of Russian troop movements and other military information.
Using search patterns and other means to identify anomalous behaviour, pro-Ukraine actors are setting up malware lures to entrap cyber criminals before they can strike. These groups are also doxing and exposing the hidden assets of pro-Putin Russian oligarchs and companies that either owned by Russians or are doing business with Russia.
In May, Killnet’s planned DDoS attack against the Eurovision Song Contest was foiled and Ukraine’s entrant declared the winner.
The cyber war between Russia and Ukraine has shown no signs of slowing down.
Follow these best practices to protect your data and digital assets:
• Keep your operating system, applications and firmware up to-date.
• Enforce multifactor authentication (MFA), and secure remote desk protocol (RDP) and other risk mitigation services.
• Implement network segmentation.
• Maintain backups of your systems in geographically dispersed locations.
• Know your exposure, and have a prepared incident response plan in place.
• Improve the cybersecurity awareness of your end-users with training.
• Use geo-blocking and positive rules for apps.
• Monitor traffic for suspicious activity.
www.linkedin.com/in/deikaelmi
In recent years the term Web3 has become a buzzword in the tech world. It refers to the decentralised web which promises to transform the way we interact with the internet. However, with every new technology comes new challenges, and Web3 is no exception. In this article, we’ll explore the good, the bad and the unicorn of Web3.
Let’s start with the good news. Web3 is all about decentralisation, which means data and applications are spread out across a network of computers rather than being stored in a central location. This approach has several advantages. First, it eliminates the need for intermediaries like banks or social media platforms, which can be slow, expensive and prone to censorship. Instead, users can interact directly with each other, making transactions faster and cheaper.
Second, Web3 is built on blockchain technology, which provides a high level of security and transparency. Blockchain is a decentralised ledger that records every transaction in a public database. Once a transaction is recorded it cannot be changed or deleted, making it tamper-proof. This makes Web3 ideal for applications like voting where trust and transparency are essential.
Finally, Web3 is designed to be open and accessible to everyone. Unlike the current internet, which is dominated by a few tech giants, Web3 is a level playing field. Anyone can create an application or service and anyone can use it. This has the potential to democratise the internet and give power back to the people.
Now for the bad news. Web3 is not without its challenges. The first challenge is scalability. Currently, most Web3 applications run on the Ethereum blockchain, which can only process a limited number of transactions per second. This means that, as more people use Web3, the network will become slower and more expensive. To overcome this developers are working on new blockchains and scaling solutions that can handle more transactions.
The second challenge is user experience. Web3 applications can be complex and confusing for nontechnical users. For example, to use a decentralised exchange like Uniswap you need to connect a wallet like Metamask to your browser, which involves several steps and can be intimidating for beginners. To make Web3 more user-friendly developers are working on new interfaces and tools that hide the complexity and make it easier to use.
The third challenge is security. While blockchain technology provides a high level of security, Web3 applications can still be vulnerable to hacks and attacks. For example, in 2020, the decentralised finance (DeFi) platform, bZx, was hacked, resulting in a loss of $350,000. To address this, developers are working on new security protocols and best practices to make Web3 more secure.
Finally, the unicorn. Web3 has the potential to create a new internet that is more open, transparent and secure. It could revolutionise industries like finance, healthcare and social media, creating new opportunities and disrupting old business models. However, to realise this potential we need to overcome the challenges and build a robust and scalable infrastructure that can support the growth of Web3.
So, what does the unicorn look like? Imagine a world where you can vote in elections from your smartphone knowing that your vote is secure and tamper-proof. Imagine a world where you can invest in startups from anywhere in the world without having to go through intermediaries like venture capitalists. Imagine a world where you own your data and can decide who has access to it.
Decentralised finance (DeFi) is just one example of how Web3 could shake up the finance industry
and provide more opportunities for innovation and entrepreneurship. DeFi is a financial system built on blockchain technology. It allows peer-to-peer transactions without the need for intermediaries such as banks. This gives users greater control over their finances and reduces the potential for fraud.
In conclusion, Web3 is a significant step forward for cybersecurity and data privacy. Its focus on security and privacy combined with its potential to disrupt industries and create a more democratic and transparent online ecosystem make it a technology worth exploring.
However, as with any new technology, Web3 comes with its own set of challenges, including its lack of standardisation, scalability issues and regulatory uncertainty. It is essential to approach Web3 with caution and take steps to mitigate potential cybersecurity risks.
As the world of Web3 continues to evolve it will be critical to keep cybersecurity and data privacy at the forefront of our minds. By doing so we can fully realise the potential benefits of this ground-breaking technology while minimising potential risks.
www.linkedin.com/in/priyacyber
Ayesha Qureshi grew up in Karachi, Pakistan and now lives in Sydney where she is undertaking self-paced cybersecurity courses delivered by TAFE NSW’s Institute of Applied Technology in preparation for gaining the ISC2 Certified Cyber Security certification. At present she is studying Networking, Introduction to Artificial Intelligence, Cloud Computing, Data Analytics and Security Incident Response. She is presently unemployed but looking for a fulltime position.
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
When I knew nothing about cybersecurity, I never thought it important. To me, security was just locking the front door or setting up a passcode. By studying the depths and vastness of cybersecurity, I understand it to be about human security, data security, endpoint security, network security, infrastructure security, you name it!
What cybersecurity role would most like to be hired into when you graduate, and why?
I am interested in cyber intelligence roles, and I want to work for prestigious organisations to make a bigger impact and provide services on a larger scale to serve humanity.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
This is an interesting question because I switched to cybersecurity in middle age after working in creative industries. My family supported me in my decision and became really interested when I started telling them about setting strict security measures on personal devices, not connecting to free Wi-Fi networks, etc. They are really keen to see me progress in this field.
Who, or what would you say has had the biggest influence on your cybersecurity career journey to date, and why?
The Australian Women in Security Network (AWSN) has shown me how a woman can thrive in this industry. I came from the Middle East where I had seen only men working in communications and technology. When I moved to Australia and decided to switch careers, women in IT industries were my first go-to role models and sources of inspiration.
In addition to your studies, what employment experience do you have in cybersecurity?
During my vocational training I was able to secure a cadetship and got an opportunity to work in cybersecurity that accelerated my learning. I gained exposure in cybersecurity frameworks, cloud computing architecture, risk management, identity and access management.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain any of these, if so which ones, and why?
Yes, I love the idea of certifications. Because I switched careers and have a non-technical background, certifications have been a great way of learning and upskilling. Currently, I am completing nationally recognised certifications and on the side I am preparing for the CompTIA Security+ and ISC2 cybersecurity certifications, which are internationally recognised.
What aspect of your studies excites you the most?
I really enjoy studying networking because it has a lot of practical work. I am also keen to learn and work in ethical hacking. Since ChatGPT gained recognition, I have added an artificial intelligence module to my learning program.
Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
It may sound unusual, but coding and programming were very challenging for me. I struggled initially to learn Python but with time and consistency I got through the course.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
I would love to get trained in communication skills, project management, business strategy development, business intelligence and many other skills.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I am a member of AWSN. It is an amazing network and I love attending events and meeting the amazing women working in this industry. I am also a part of WYWM Academy. This platform has contributed immensely to my self-paced learning. Cyber Risk Academy is another great institution. I attend ISSA Live webinars weekly. I am also a member of ICTTF and WiCyS and I enjoy being part of these communities.
www.linkedin.com/in/ayesha-qureshi-802123116
Sassandra Rae grew up in Mauritius, Malaysia and Australia and now lives in Melbourne where she is in her third year of study for a Bachelor of Science and IT degree at Monash University.
Bachelor of Science and IT Student at Monash University
How does the reality of cybersecurity as you experience it today fit with your understanding when you first thought about studying it?
Having no experience in technology when I first began my course, I thought roles in security were codingcentric with limited communication required. As I have progressed through my course I have realised security is a constantly evolving field that requires a wide range of skills beyond coding. While coding skills are helpful, problem-solving, critical thinking and communication skills are also essential in the field.I have learned that cybersecurity is not just about recovering from an attack, but also about being able to put yourself in the shoes of the attackers and develop strategies to mitigate the impact of an attack.
The field is also constantly changing to adapt to new threats and vulnerabilities, so it is important to stay up to date with the latest trends and technologies. My understanding of cybersecurity has transitioned from a narrow focus on coding to a much broader view of the field that emphasises the importance of communication, problem-solving and ongoing learning.
What was the reaction from parents, peers or career advisors to your decision to get into cyber? Did you face any opposition, if so, how did you feel about this?
I was lucky to receive a large amount of support and encouragement from my family when I decided to pursue a career in cybersecurity.
Both my parents work in the IT sector so have a solid understanding of what cybersecurity entails and are aware of the increasing demand for skilled professionals in the field, particularly in light of the recent rise in cyber attacks on major organisations. They have been extremely supportive of my decision, very often sending me links to various cyber-related workshops and programs to further my skills. The help and support I have received from my family
and peers have given me significant motivation as I pursue my studies and begin my career in cybersecurity. I am incredibly grateful for the strong support network I have around me.
Who, or what, would you say has had the biggest influence on your cybersecurity career journey to date, and why?
The biggest influence on my cybersecurity career journey to date has been my stepfather. As an enterprise architect he initially encouraged me to pursue a degree in IT even though it was not my primary interest at the time. Throughout my course he has provided unwavering support and guidance, helping me navigate all the ups and downs of my tech journey. Following my decision to specialise in cybersecurity he has been a constant source of encouragement and motivation, regularly sharing interesting security-related articles as well as providing me with endless opportunities to further my career.
What aspect of your studies excites you the most?
Network security is the area of cybersecurity I find most interesting because I enjoy the problem-solving: monitoring and analysing network traffic to identify potential threats and vulnerabilities. The opportunity to study network protocols and the transmission of data across networks during my coursework initially piqued my interest in cybersecurity.
Recently, I participated in a virtual internship program with ANZ where I was exposed to real-world network analysis situations and got hands-on experience with tools such as Wireshark. This experience reinforced my interest in network security and helped me develop my skills in investigating and finding abnormalities in packets sent across the network. However, I am also aware there are other areas of cybersecurity that may interest me as I continue to learn and grow in the field and I am excited at the prospect of exploring these.
Is there any aspect of your studies you find particularly difficult or challenging, if so what, and why?
As someone who went into her degree with no previous experience in IT, I found learning how to code to be the most challenging aspect of my studies. I initially struggled to keep up with the rapid pace of learning required, and because many in my cohort had some level of coding knowledge, I was discouraged to see how far I was behind my peers.
What made coding especially difficult for me was the fact it required a learning approach different from that for other subjects. Unlike topics where memorisation was key, coding was more about problem-solving and logic. This was a new way of thinking for me that I struggled to wrap my head around. I found I had to work harder just to understand the simplest of concepts.
However, after a lot of extra work and support from the people around me, I am now able to code effectively and, most importantly, to enjoy it.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
While technical skills are crucial in the field of cybersecurity, non-technical skills are equally important in tackling ever evolving and increasingly complex cyber threats.
I believe training in effective communication is necessary in security because it enables us to clearly communicate the potential risks and threats to all levels of personnel and educate them about cyber risks and threats. It is important to be able to explain complex technical concepts to nontechnical stakeholders.
Are you involved in the wider cybersecurity community, eg AWSN, if so, how and what has been your experience?
I have recently become a member of both the Australian Women in Security Network (AWSN), the Australian Information Security Association (AISA) and Grad Girls. My experience so far has been overwhelmingly positive. Through my involvement, I have come to realise the incredible support and the scale of opportunities available for women in the security industry. I have had the opportunity to connect with welcoming and inspiring women who are eager to share their expertise and offer advice.
One of the benefits of being part of these organisations has been exposure to the industry. I have gained valuable insights into emerging trends, best practices and potential career paths. Additionally, both AWSN and AISA provide a sense of community and support, which is especially important as a woman in a male-dominated field.
Being part of these communities has also given me access to many personal and professional growth opportunities. From mentoring programs to training and certification courses, there is a wealth of resources available that can help me further develop my skills.
Have you ever felt disadvantaged or discriminated against by being a woman in cyber, if so, please provide details?
No. In my university classes, it is common for me to be one of very few women, but this has never made me feel disadvantaged. In fact, it has allowed me to build stronger connections with the women in my classes and to be part of an incredibly supportive network. There are also many programs and opportunities available for women starting out in a career in cyber, which has been so inspiring. I feel empowered to pursue my passion in cyber, regardless of my gender.
With the benefit of hindsight would you change your career trajectory to date, and if so now? Looking back, I would not change a thing.
Before landing on cybersecurity I explored several different areas and started university with a biology career in mind. However, through exploring various IT subjects I discovered a particular interest in cybersecurity. My earlier experiences taught me a range of soft skills such as adaptability and teamwork, which have been invaluable to my studies in security.
While my career trajectory may not have been a direct path to cybersecurity, I am grateful for the various experiences that have shaped my journey thus far. These have helped me tremendously in navigating my way through the course.
www.linkedin.com/in/sassandra-rae
a professional marketing, strategy and implementation agency that is dedicated, responsive, professional, dedicated, creative, innovative, hardworking, and really cares about your business outcomes?
REACH OUT TODAY FOR AN INSTANT QUOTE.
With:
The team at Source2Create has all the necessary skills to get the job done for you, so your time can be reserved to focus on other things aby@source2create
Johanna Broquet grew up in Bernin, France and is now back there, living with her family and looking for a job after much travelling pursuing her studies. She graduated in November 2022 with two master’s degrees: an Erasmus Mundus joint degree in International Security, Intelligence and Strategic Studies (IMSISS) and a master’s degree in Political Sciences awarded by the French public-school Sciences Po Grenoble.The IMSISS is awarded by only three universities: Glasgow University (UK), Università di Trento (Italy) and Charles University (Czech Republic).
Graduate Student
Suppose you met an old friend from your last year at school who, knowing nothing about cybersecurity or what you do, asks you what you are doing. How do you answer them to ‘sell’ them on the idea of a career in cybersecurity?
I would tell them that cybersecurity is a very broad field which requires people with a variety of profiles working on various aspects and at various levels.
Protecting against cyber threats must be undertaken on various levels of society: each entity, no matter its size, should be ready for cyber challenges to come. That includes the use of the internet individuals, societies and companies, public infrastructure organisations, states and international organisations. For example, you could have your data stolen and used against you, a public hospital could be the target of a cyber attack that cut its electricity supply, details of a company’s finances could be digitally stolen, confidential information on a country’s intelligence agency could be exposed.
Basically, everyone and everything using the internet should be concerned about cybersecurity, because if everyone can gain something from the internet, they also have something to lose to it.Thus, because the internet is something that encompasses so many different actors, it widens needs and makes cybersecurity a broad activity.
The common perception of cybersecurity threats as emanating from hackers behind a computer is false. Now that the internet has crucial importance in our daily lives, it can become a political tool. This is why it is important not only to protect the cyber space, but also to regulate it, to be able to define what is lawful and what is forbidden.
Cybersecurity encompasses computer and data scientists and engineers, but must also include
lawyers, law enforcement agents and local, national and global authorities who must all work together to regulate and protect cyberspace.
Because of the prominence of digital technologies in society, there is work for people of all kinds in cybersecurity: various profiles are needed to define and give effect to the protection we need for cyberspace.
Finally, there is increasingly a need for global cooperation to make the internet safer in the future and to tackle new challenges as they arise. This is why cybersecurity is so interesting!
How does the reality of cybersecurity as you experience it today differ from your understanding when you first thought about studying it?
When I began to study cybersecurity I had very basic knowledge and preconceived images of what it really meant. I based my perceptions on common representations such as in TV shows (Mr Robot for example) and movies, which depict the cyberworld and its activities only through hackers and secret organisations such as Anonymous.
I believe my vision today is more realistic and my knowledge of the actors involved on the different levels working for the protection and design of cyberspace to be more comprehensive (see my previous answer).
I think a more precise idea of the people involved in cybersecurity also comes from better knowing the different cyber threats and the future cyber challenges. For example, because am I particularly interested in international crimes, my studies have enabled me to learn about the different types of cyber crimes that can be carried out by criminals. I find it particularly interesting that criminals increasingly use
digital platforms to be more efficient and discreet in their illicit activities, representing a new challenge for the law enforcement agencies trying to detect and arrest them.
What cybersecurity role would most like to be hired into when you graduate, and why?
Because I have not received an education in engineering or computer sciences I do not know how to tackle a cyber intrusion or how to protect data. Therefore I do not believe I will find a role in the technical side of cybersecurity.
But I have learnt to do web-based research on the internet, and especially with open-source intelligence (OSINT). With these skills I could be hired in an operational setting such as an investigator position that seeks to identify criminals by the hints and tracks they leave online, just as Europol and Interpol do.
Moreover, I believe studying cybersecurity through social sciences opens many doors: I could see myself in one of the many international organisations working to regulate cyberspace (the UN and the EU for example). Such organisations employ people with many different profiles (lawyers, diplomats, mediators, civil society representants, government representatives, etc) to reach cooperative agreements and set international guidelines designed to better organise the internet and its interdependences and make the cyberworld safer for all.
The cybersecurity industry abounds with certifications from multiple organisations. Have you gained, or do you plan to gain, any of these, if so which ones, and why?
I followed a course named Comprehensive Analysis Lab: Assessment of the Civil Environment through Structured Analytic Techniques, offered by the
Ostbayerische Technische Hochschule AmbergWeiden (OTH) university. The course introduced the PMESII-PT/ASCOPE matrix as a tool to better organise OSINT research.
I also would like to bring up the fact that you do not need certifications from official organisations to train yourself in cybersecurity. There exist many platforms through which you can train individually, for example, the website CyberSoc – Cyber Detective CTF is a great tool for those who want to learn to carry out OSINT in an entertaining way. It gives you links to social media of profiles on which you have to uncover precise information for each challenge (such as the political party of someone), sometimes using digital tools to break a code (to decrypt a password for example). This is a great exercise not only to enhance OSINT skills but also to gain awareness of how information we sometimes reveal about our daily life on the web (and especially on social media) can be used against us, and teach us to be more careful about what we reveal.
I also believe cybersecurity to be a field in which it is easy to find many tools that can be used to improve skills autonomously.
We hear all the time that the world of cybersecurity is changing rapidly, particularly with the rate of threat evolution. Do you feel your course is doing a good job of being current?
Yes and no. I would say no because, in most of our theoretical classes, the studies were based on ‘old cases’. In my cybersecurity class, for example, we studied WikiLeaks (2006) and the Stuxnet attack (2010). These events happened not so long ago, but given how fast the cyberworld and cyber threats evolve, the means and strategies used from one year to another can change completely. However, I also understand that these events constituted a turning
point because of the impact they had on society and the importance technology started to have on many aspects of our lives. I also understand that distance in time is needed for objective academic study of a topic to enable a broader view of its dynamics and consequences. This is more difficult when the event is ongoing. Moreover, I understand the speed with which cybersecurity and cyber attacks evolve make it difficult for teachers to design courses based on recent events and to cover the latest technology breakthroughs and threats.
However, I would still say my course was very current because it gave space for students to interact, debate and comment, and it was mostly during these moments that the most recent cases were brought up. We would exchange views on the events we were witnessing in our daily lives, which gave currency to the class. For example, we talked about the Pegasus Project (2021) and Russian virtual interferences in the US presidency campaign (2020).
What aspect of your studies excites you the most?
I think it is the fact that my study topics are very current and destined to gain increased importance in the future.
The dynamics of cybersecurity are evolving everyday as society evolves, and are having direct consequences on it. If I can have an impact on these dynamics, I can have an impact on the society we live in.
This is what I really like about my field of activity: to feel I have some kind of power to shape the future world, and to feel included in something bigger than myself. I also really like the strategic planning side, trying to anticipate what is to come in future years, and the threats we will have to overcome. I am comfortable with uncertainty, and I find it very exciting to know
that, despite the fact we try our best to be prepared for what is to come, there are always some aspects that will be unpredictable, and will require all of our adaptability and skills to find solutions for.
Is there any aspect of cybersecurity that you think should be given greater focus in your course, or any aspect you think should be given less focus?
I feel talking about cybersecurity without actually experiencing the technical or operational side of it can be a bit confusing. To better understand what comprises the daily activity of cybersecurity I might have added more practical classes instead of theoretical classes. I would have given students deeper insights into to the use of OSINT technologies, coding software, or the use of specific techniques to use the internet safely. They would have been relevant, because most of my master’s cohort will probably be required to work with sensitive or confidential data from national or international agencies.
Do you see the need for, or plan to undertake, additional training in non-cyber skills to better equip you for a future role, eg interpersonal communications or management?
Developing non-cyber skills is a must for me. I believe the more cyberspace experiences threats, the more we need to be efficient in face-toface communications.
This is why developing intercultural and interpersonal communications and management skills seems crucial to me. We have all experienced one of our virtual messages being misunderstood when it would probably have been better interpreted if delivered in person. I believe face-to-face communication will always be more efficient and better received than online communication, because it involves feelings and emotions that virtual space cannot transmit.
This is why I was very happy to have courses focusing on developing intercultural and interpersonal communication competencies, and I believe everyone should follow some such course. This is particularly important for those working directly in cybersecurity because it is a field where crises are very likely. I think effective communication is necessary for every person involved in crisis management to enable them to quickly understand, give and act upon instructions.
This is true in the case of a cyber attack, for example, where teamwork must be very efficient to block intrusions that can have huge consequences. If agents have learned in advance, how to communicate well outside the digital world they are more likely to be able to build a common strategy to tackle challenges.
www.linkedin.com/in/johanna-broquet-61b10a1b8
Author of How We Got Cyber Smart | Amazon Bestseller
Olivia and Jack’s school has organised a program for all the grade 5 and grade 6 students to learn about social media and how to use it safely. Their school said it was important to learn how to use social media safely before secondary school, because that is when most children start using it to connect with each other. Olivia and Jack think social media is cool because they can connect with people all over the world, so they are really excited about the program. Most of their friends have been talking about it at lunch time. Some of their friends already have social media accounts, but Olivia and Jack are still not allowed to use social media because their parents’ rule is that they have no access until the recommended age, which is generally 13+.
The following week Olivia and Jack started the program. They were told it used a simulated social media platform that was not online but connected only to pupils in their school year. They quickly created their profiles and started sharing pictures and messages. Olivia was invited to join a group with some of the other girls from her basketball team, but got upset because not all the girls were invited. Olivia sent a message to the group and asked why some of the girls had not been invited and this caused some drama. The girl who had set up the group sent Olivia an unkind message saying it was her group, she would decide who was in it, and telling Olivia to butt out! Olivia was quite upset about this and decided not to take part in the group’s chat. The teacher saw the chatter in the group and explained to all the girls that this was one of the drawbacks of social media. “Some kids will feel excluded, and we should be mindful of how others will feel when we exclude them,” she said.
Meanwhile, Jack ended up in a group chat with some of the grade 6 boys who were sending silly photos of themselves. The teacher saw this and said “be careful about the photos you post and share on the internet. If you don’t want anyone else to see your photos, you should not post them. Once your photo is online on the real internet it is impossible to remove, and you never know where it will end up.”
Olivia and Jack went home that day feeling rather sad. Their mother noticed they were a bit mopey and sat down with them to talk about what had happened at school in the social media class. She spoke to them about the importance of being safe on social media and echoed what the teacher had said. She told them
to never share personal information with strangers and to be careful about what they posted. She also reminded them they would not always be included in group chats and that ‘likes’ and followers were no measure of self‑worth.
Olivia’s and Jack’s learnings about social media
• Only accept friend requests from people you know and think carefully about what you post.
• Never share personal information or any images/ photos that are inappropriate because you never know where they might end up.
• It is not nice to intentionally exclude friends from chat groups.
Olivia and Jack felt that when they were old enough to start using social media they would have some knowledge about how to use it safely, and knew they would use it for good. They were looking forward to following accounts that shared interesting information about topics they were interested in like basketball, science and chess. They wanted to connect with friends who inspired them and shared similar interests.
Their teacher was impressed by how Olivia and Jack had used the social media program at school and reminded them that, while social media has its risks, it also has the power to bring people together and make a positive impact. Olivia and Jack learned that social media could be both fun and safe if used responsibly.
Check the recommended age for social media platforms and help your children navigate them so they use social media in a safe and responsible manner. Talk to them about the risks associated with social media and what to do if something goes wrong. If something does go wrong, do not blame your child. Help them deal with the issue and get professional help, or get law enforcement involved if there is a situation that requires this. Start the conversation early.
www.linkedin.com/company/how-we-got-cyber-smart
facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school ‑ aged children. READ NOW
1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books. Conference Speaker and Cybercrime specialist
2. JANE FRANKLAND Award-Winning Cybersecurity Leader
3. CHRISTINA ROSE Manager — Security Operations & Advisory at Qantas Group
4. SANDRA AGOBIAN Cybersecurity Analyst Intern at nbn® Australia
5. SIMONA DIMOVSKI Head of Security and Technology at Helia
6. ELAINE MCCONNELL Business Information Security Officer at The Depository Trust & Clearing Corporation (DTCC)
7. KIRSTEN CHAPMAN Lead engineer at Gallagher Security
8. SHARMAINE LABRADO Team Leader, Cyber Response Team | Section Chief, Women and Children Cybercrime Protection Section | Digital Forensic Examiner | Police Officer | Resource Speaker | Educator | Information Technologist
9. NATHALIE VIUF STENDER Privacy and Security Engineering Leader at IKEA Retail (Ingka Group)
10. SILVANA MACRI Founder of Stay Cyber Safe
11. CRAIG FORD
Cyber Enthusiast, Ethical Hacker, Author of A Hacker
I Am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
12. DEIKA ELMI Vice President Of Security Engineering at Goldman Sachs
13. JAY HIRA Director of Cyber Transformation at EY
14. KAVIKA SINGHAL Cyber Security Consultant at EY
15. MICHELLE GATSI Cyber Security Consultant at EY
16. KAREN STEPHENS CEO and co-founder of BCyber
17. SAI HONIG Engagement Security Consultant at Amazon Web Services
18. VANNESSA MCCAMLEY Leadership and Performance Consultant, Coach, Facilitator, Author and Keynote Speaker
19. MATT TETT Founder of Day of the Month club
21. MEGAN KOUFOS AWSN Head of Programs
22. GINGER SPITZER Executive Director, ISACA One In Tech
23. LISA VENTURA Founder, Cyber Security Unity
24. NICOLE STEPHENSEN Partner at IIS Partners
25. SASENKA ABEYSOORIYA Program Director & Senior Strategic Adviser at The University of Queensland
26. MERRELL MILANO Deputy Vice-President, Advancement Services at The University of Queensland
27. NATALIE PEREZ SheLeadsTech Coordinator of the ISACA Melbourne Chapter
28. MARISE ALPHONSO Information Security Professional
29. MEL MIGRIÑO Chairman and President, Women in Security Alliance Philippines
31. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
32. PRIYA GNANASEKARAN Security Engineer at LAB3
33. AYESHA QURESHI Cybersecurity Student at Institute of Applied Technology, TAFE NSW
34. SASSANDRA RAE Bachelor of Science and IT Student at Monash University
35. JOHANNA BROQUET Graduate Student
Are you looking to increase your knowledge and skills relating to cyber security practices? Are you looking to seek employment in the field of cyber security? Do you want to have a certificate to add to your CV?
This qualification is designed to provide learners with knowledge and skills relating to cyber security practices. It will provide the learner with a chance to develop knowledge and learn practical skills which can be used to seek employment or proceed into study at a higher level.
This qualification aims to:
• focus on the study of the practices within cyber security
• offer breadth and depth of study, incorporating a key core of knowledge
• provide opportunities to acquire a number of practical skills.
The objective of this qualification is to:
• provide the learner with an opportunity to develop knowledge and skills relating to cyber security practices.
VISIT HERE
If you are looking to develop a career in the IT industry, love new technology and are seeking employment in Cyber Security –this is the course for you.
VISIT HERE
The ICT40120 Certificate IV in Information Technology (Networking) is the minimum standard for network administrators in Australia. This job role requires excellent communication skills so a supporting qualification in customer service or business administration will certainly improve your job prospects. Some organisations require their employees to have a National Police Check.
VISIT HERE
The NIST Cybersecurity Framework was released in 2014 and is gaining widespread use by organisations across the globe. The continuous improvement lifecycle assists organisations to use a tiered, risk-based approach when safeguarding their most critical assets, before, during and after a potentially disruptive cybersecurity incident.
VISIT HERE
Break into the world of cyber security with this Cyber Security Professional Online Bootcamp Program delivered by Simplilearn.
VISIT HERE
The course will provide you with a foundation in cyber security. You’ll learn how to formulate a strategy so that organisations are able to respond to incidents in an orderly and efficient manner and limit the damage of attacks and recover information from the damages caused.
VISIT HERE
Gain core knowledge and experience to successfully secure the cloud and prepare for the Certified Cloud Security Professional (CCSP®) certification.
The cyber security program is delivered in a 24 week part time and 12 week full time format and is designed for career-driven professionals to transition into the cyber security industry.
Microsoft Azure, commonly referred to as Azure, is a cloud computing service created by Microsoft for building, testing, deploying, and managing applications and services through Microsoft-managed data centers.
The Networking Career Starter collection is designed to equip you with the skills needed to launch your networking career. The collection covers the basics of networking, security, routing and switching.
Gain practical skills and experience through a workplace program with a local company. VISIT HERE
Courses have been designed by industry experts, in conjunction with NSW Cyber Security Innovation Node, to ensure that course content is modern, ultra-relevant, and teaches current skills using real-world examples. Courses can be completed in a matter of hours and combine to enhance industry experience, improve security expertise and protect networks that may be at risk of cyber attack. By completing each course, participants will receive a certificate of completion, as well as a digital badge to promote their newly acquired skills.
The Diploma of Network Engineering will prepare you for entry-level network engineering roles by providing the skills and knowledge required to design, operate and maintain networks that play a crucial role in the infrastructure of industry and government organisations. Your coursework will cover key areas of network engineering, including data networks and their implementation. You will combine academic studies with practical experience allowing you to further develop your skill set and provide you with the opportunity to stand out from the crowd in a competitive industry. You can also use this qualification to move into our other degree programs such as the Bachelor of Information Technology or Bachelor of Software Engineering Honours.
We have loved seeing all the amazing nominations coming in and thought we'd give something back
We are giving away 10 tickets to attend the Women in Security Awards!
To Enter:
- Make sure you are following us @Source2Create
- Nominate for the awards between 26th April and 26th May
To nominate for the awards, visit: https://womeninsecurityawards.awardsplatform.com/
“Are you looking to gain a greater understanding or build upon existing knowledge of Cyber Security issues? Are you seeking employment in a Cyber Security related role and want to have a
With Mickey Revenaugh
Technology changes the way we learn and engage with content. Throughout her career, Mickey Revenaugh has worked on bringing technological advancements to education. Mickey is currently Vice President of Business Development in Global Online Learning at Pearson.
With Billie Quinlan
“Billie Quinlan is the co-founder and CEO of Ferly, a female-focussed sexual wellness app. She tells AnneMarie how technology is helping women discover their sexuality, and change the way people think about sex. They also talk about her journey from aspiring actress to head of her own start-up, including having to learn new skills.
With Toni Collis
“On this podcast, we explore the techniques, tips and strategies you can use to become a standout leader. To give you the time and credibility to focus on what you love doing instead of justifying yourself every moment along the way. I’ll be sharing with you my best insights designed to make success not just simple, but inevitable.”
With Roz Ho
In this episode of Women in Tech with Ariana, Ariana interviews Roz Ho. Roz is the Vice President and Global Head of Software at HP (Hewlett Packard). Subscribe to our Women in Tech email list: www.wallwaytech.com/podcastlinks and watch this episode on the Women in Tech with Ariana Youtube Channel.
With Andrea Ochoa
The *hottest* national security and foreign policy podcast featuring conversations with leading policy practitioners, thinkers, and leaders. In each episode, we open up a ‘burn bag’ to breakdown some of the most pressing security challenges of today’s world with the people who have worked and lived them.
With Manal al-Sharif and Reinhardt Sosin
From artificial intelligence and data mining to social media and dating apps, tech has touched our lives on every level. In Tech for Evil (Tech4Evil.com) podcast, we talk about the impact of Big Tech on our minds, planet and liberties. We also expose what Big Tech doesn’t want you to know and what you can do about it.
With Lifen Tan
Of information & cyber security and the great women who make it turn. In each episode, I sit down with a guest speaker to discuss their experiences and touch on some of the lesser known aspects of the industry. We’ll shed light on the routes to the various technical and non-technical roles in this space, as well as exploring the skillsets required to be successful.
With HerHax
HerHax Podcast was founded by a group of women who are passionate about the field of cybersecurity and want to spread the word about everything cyber! From the history of women in cryptography to modern day workplace tips, how to stay safe online or how to pwn your way to the top of the CTF scoreboard, come listen to our podcast and join our Discord Channel!
With Erika McDuffie and Jax Scott
2 Cyber Chicks is an inclusive cybersecurity podcast designed to educate and break the stereotypes of cybersecurity professionals. We will be discussing the “tough” topics that come along with being a woman in this field while providing life hacks on how to handle burnout, networking, and goal-setting.
With Abigail Bradshaw
In this episode, Head of the Australian Cyber Security Centre (ACSC) and Deputy Director-General of the Australian Signals Directorate (ASD) Abigail Bradshaw explains the steps the ACSC has taken to achieve gender balance in their workforce and how they support working families. They also discuss her love of leadership and approach to helping others become amazing leaders themselves.
With Nigel LeBlanc
In this episode, Amanda Lee Keammerer, Founder and CEO of Javilud LLC, comes up with a deep conversation about gender inequality in cybersecurity with five unique and super talented women with different backgrounds, experiences, and journeys into the industry. Participating with us today is Annalise Buonya, a leader in cyber security who placed top 25 last year in the Cyber Wraith Tournament.
With Bridget Todd
Marginalized voices have always been at the forefront of the internet, yet our stories often go overlooked. Bridget Todd chronicles our experiences online, and the ways marginalized voices have shaped the internet from the very beginning. We need monuments to all of the identities that make being online what it is. So let’s build them.
With Naomi Buckwalter
On June 30th, SafeGuard Cyber hosted a leadership panel called, ”Vision & Voice: Removing Barriers for Women in Cybersecurity.” It was so well attended, that we wanted to make it available to a wider audience. This conversation featured insights from women cyber leaders Naomi Buckwalter, Amy De Salvatore, and Evelyn de Souza.
With Gloria Steinem
We know that our industry is full of change and with that change comes opportunity whether it is for a new role, a new company, or a completely different path. I am here to tell you to go for it! Take that step, work toward your dreams and embrace the opportunity in front of you.
With Grace Lewis
In her work at the SEI, Grace Lewis focuses on securely pushing cloud resources to the edge and integrating IoT devices into systems. In this SEI Podcast, Lewis discusses her career journey, which led to her leading Tactical Edge Computing at the SEI.
With Cera Baker
This biweekly podcast features powerful, in-depth conversations with women leaders from around the globe who are experts in foreign policy, national security, international business, and international development. It ranks among the top non-profit and government podcasts.
With Nina Davidson, Catherine Burn and Abigail Bradshaw
To celebrate the final episode of the Women in National Security mini-series, the ANU National Security College hosted a networking event and live podcast recording with more than 250 women at the National Gallery of Australia.
With Miri Rodriguez
Marketing and storytelling are important components of product development because they allow companies to reach their audience and share their message. Miri Rodriguez explained what storytelling is and its role in brand development. Miri is the author of the book Brand storytelling: Put Customers at the Heart of Your Brand Story.
Author
// Miriam FernandezOver the years, I have solely resided in IT (Information Technology) organizations, until now, where I work in a more evolutionary function. My achievements have directly supported the businesses that depend on IT to run. Core competencies include engineering and administration of the network backbone, plus UNIX servers supporting the IT Infrastructure. These directly connect the IT environment to the business groups and functions.
Author // Rhonda
FarrellRecent cybersecurity innovations in both technology and standards, set a new tone for organizations, allowing for cyber-intelligence to be capitalized on by focusing on continuous collection, analysis, policy enforcement, and remediation at multiple enterprise levels. Vast improvements in governance, risk, and compliance management follow.
Author
// Martha DanielComputer security has evolved over the past 25 years as innovative technologies embrace wireless telecommunication integrating information and data and connecting the world globally. I can remember in the early 1990s the announcement that the “Super Highway” was coming with the prediction that it was going to significantly change the way we do business, the way we live, and the way we work.
Author // Elwood Scott
Colin Calls the Help Desk is a hilarious and relatable take on the absurdities of office life.
Follow Colin the Koala as he dives into a series of mandatory workshops to identify why people think there’s too many meetings, conflicting “work smarter” initiatives, and an IT Help(?) Desk who keep emailing him the login details to access his computer.
Q. I notice there’s a koala on the cover. Is this a book for kids?
A. Not if you ever want them to get a job. Colin Calls the Help Desk is a satirical look at the corporate life Our hero just happens to be a positive and perhaps slightly naïve koala.
Q. But aren’t koalas generally naked, drunk or spending their time sleeping or catching Chlamydia?
A. No, you’re thinking of Bryan from Accounting. Colin wears a suit, is sober, and excited to lean-in, add value and grab the low hanging fruit.
“In Alpha Girls, award-winning journalist Julian Guthrie takes readers behind the closed doors of venture capital, an industry that transforms economies and shapes how we live. We follow the lives and careers of four women who were largely written out of history - until now.
Magdalena Yesil, who arrived in America from Turkey with $43 to her name, would go on to receive her electrical engineering degree from Stanford, found some of the first companies to commercialize internet access, and help Marc Benioff build Salesforce. Mary Jane Elmore went from the corn fields of Indiana to Stanford and on to the storied venture capital firm IVP - where she was one of the first women in the U.S. to make partner - only to be pulled back from the glass ceiling by expectations at home.
Theresia Gouw, an overachieving first-generation Asian American from a working-class town, dominated the foosball tables at Brown (she would later reluctantly let Sergey Brin win to help Accel Partners court Google), before she helped land and build companies including Facebook, Trulia, Imperva, and ForeScout.
Sonja Hoel, a Southerner who became the first woman investing partner at white-glove Menlo Ventures, invested in McAfee, Hotmail, Acme Packet, and F5 Networks. As her star was still rising at Menlo, a personal crisis would turn her into an activist overnight, inspiring her to found an all-women’s investment group and a national nonprofit for girls.
These women, juggling work and family, shaped the tech landscape we know today while overcoming unequal pay, actual punches, betrayals, and the sexist attitudes prevalent in Silicon Valley and in male-dominated industries everywhere.
Despite the setbacks, they would rise again to rewrite the rules for an industry they love. In Alpha Girls, Guthrie reveals their untold stories.”
Author
// Carol Stewart“You don’t look like an introvert” was a statement made to the author whilst at a networking event, and she thought to herself, what on earth is an introvert supposed to look like...
Many misconceptions exist about what introversion is, and this was just one of them. These misconceptions can lead to people having an unfavourable, unconscious bias towards those who identify as introverts when it comes to developing talent in the workplace. The challenges women face getting to senior leadership roles is well documented, and for the introverted woman who, dealing with those challenges, along with the challenges many face as introverts, can make the leadership journey even more difficult.
However, just because someone is not loud and gregarious, it does not mean that they are not great, effective leaders. This book addresses many of the challenges that introverted women face as leaders and shows how these challenges can be overcome. Some of the challenges are due to the self limiting beliefs they hold about themselves, or they may be as a result of unfavourable bias and misconceptions about what introversion is, or they may be a combination of both.
Quietly Visible is written from the perspective of the lived experience of the author (herself an introvert), her clients, her research, and the many, many introverted women across the globe who regularly share their experiences and challenges with her.”
Editor // Sherry Turkle
“For more than two decades, in such landmark studies as The Second Self and Life on the Screen, Sherry Turkle has challenged our collective imagination with her insights about how technology enters our private worlds.
In The Inner History of Devices, she describes her process, an approach that reveals how what we make is woven into our ways of seeing ourselves. She brings together three traditions of listening--that of the memoirist, the clinician, and the ethnographer. Each informs the others to compose an inner history of devices.
We read about objects ranging from cell phones and video poker to prosthetic eyes, from Web sites and television to dialysis machines. In an introductory essay, Turkle makes the case for an “intimate ethnography” that challenges conventional wisdom. One personal computer owner tells Turkle: “This computer means everything to me. It’s where I put my hope.” Turkle explains that she began that conversation thinking she would learn how people put computers to work. By its end, her question has changed: “What was there about personal computers that offered such deep connection? What did a computer have that offered hope?”
Author // Sherry Turkle
“A groundbreaking book by one of the most important thinkers of our time shows how technology is warping our social lives and our inner ones.
Technology has become the architect of our intimacies. Online, we fall prey to the illusion of companionship, gathering thousands of Twitter and Facebook friends, and confusing tweets and wall posts with authentic communication. But this relentless connection leads to a deep solitude.
MIT professor Sherry Turkle argues that as technology ramps up, our emotional lives ramp down.
Based on hundreds of interviews and with a new introduction taking us to the present day, Alone Together describes changing, unsettling relationships between friends, lovers, and families.”
Author // Jane Frankland
Women are fundamentally different to men and, when it comes to cybersecurity, one thing is certain. . .IF YOU’RE SHORT ON WOMEN YOU’RE LESS SAFE.
Women matter in cybersecurity because of the way they view and deal with risk. Typically, women are more risk averse, compliant with rules, and embracing of organisational controls and technology than men. They’re also extremely intuitive and score highly when it comes to emotional and social intelligence, which enables them to remain calm during times of turbulence – a trait that’s required when major security breaches and incidents occur. As cybercrime, terrorism and warfare is increasing, and the number of women in cybersecurity is declining, now is the time to take action.
By combining stories, interviews and data with practical advice, the golden rules and checklists, IN Security provides the means to turn things around. When you read this book you’ll understand why the numbers of women have fallen, along with strategies for attracting, identifying, and retaining more women in cybersecurity.
RISE
THE CYBER WOMEN: VOLUME ONE: INSPIRATIONAL STORIES FROM WOMEN WHO ARE TAKING THE CYBER SECURITY INDUSTRY BY
STORM Compiled by // Lisa Ventura“The Rise of the Cyber Women” is a compilation of inspiring stories from women in the cyber security industry from all over the world who are pioneers and leading the way in helping to protect the world from the growing cyber threat.
Those who are included and featured in this book shared not only their stories but also their hints, tips and advice to women who are looking to pursue a career in cyber security or change their career path into cyber security.
Their tenacity and commitment to their careers in the cyber security industry is very impressive indeed. If you are a woman who is looking to make the move into the cyber security industry, you need to read this book.
If you feel that you are not good enough for a career in cyber security, you need to read this book. If you suffer from “impostor syndrome” which is holding you back from a career in cyber security, you need to read this book.
Author
// Barbara Stanny“Quietly and steadily, the number of women making six figures or more is increasing and continues to rise at a rate faster than for men. From entrepreneurs to corporate executives, from whitecollar professionals to freelancers and part-timers, women are forging careers with considerable financial success.
In Secrets of Six-Figure Women, Barbara Stanny, journalist, motivational speaker, and financial educator, identifies the seven key strategies of female highearners: A Profit Motive, Audacity, Resilience, Encouragement, Self-Awareness, Non-attachment, and Financial Know-How.
Based on extensive research and hundreds of interviews, including more than 150 women whose annual earnings range from $100,000 to $7 million, Barbara Stanny turns each of the six-figure traits into a specific strategy for upping earnings. By rigorously finetuning them, readers can, step-bystep, climb the income ladder.”
Author // Sally Helgesen and Marshall Goldsmith
Leadership expert Sally Helgesen and bestselling leadership coach Marshall Goldsmith have trained thousands of high achievers -men and women -- to reach even greater heights.
Again and again, they see that women face specific and different roadblocks from men as they advance in the workplace. In fact, the very habits that helped women early in their careers can hinder them as they move up. Simply put, what got you here won’t get you there . . . and you might not even realize your blind spots until it’s too late.
By Liliya Khasanova
The protests in Iran in the name of Mahsa Amini are one of many examples of how the advancement of technology enables us to speak up, spread the word, and learn about human rights violations. Online anonymity and, therefore, reduced accountability for gender-based violence affects the vulnerability of individuals. There is no doubt now that the internet has become the most consequential communication technology of the human rights era.
“Poornima Vijayashanker started Femgineer in 2007 as a creative platform for sharing her experiences working as the founding engineer with Mint. com. Thirteen years later, the organisation has developed into an education company for tech professionals wanting to build software products and companies. The blog is built around the concept of sharing learnings to innovate and inspire, and covers topics such as hiring tech professionals and the benefits of putting the customer at the centre of product creation.
Their website also has a range of online courses covering technical skills improvement as well as soft skills such as communication.”
By Joanne Fisher
Every woman in cybersecurity should be empowered. Cybersecurity innovation thrives on diversity of thought and background. And the cyber community needs more of both. We recognize every woman who continues to pave the way for change.
Sia’s data analytics engineering and growth online hub. I’m a senior data analytics professional with experience as a data ops and pipeline management lead; including data cleaning, wrangling, analysis, visualization, and storytelling. With extensive teaching experience and a love of learning, sharing, and writing, I’m interested in working on and finding solutions to challenging data.
“We don’t always think of it this way, but on modern machines, memory and pointers are an abstraction. Today’s machines have virtual memory, divided in blocks called “pages”, such that the addresses represented by pointers don’t necessarily map to the same address in physical RAM. In fact, mmap even makes it possible to map files to memory, so some of these addresses aren’t even mapped to RAM addresses at all.
Two weeks ago, I wrote about UVM, the small virtual machine I’ve been building in my spare time. This VM has a relatively low-level design where it has untyped instructions and pointers for instance. Generally speaking, I’ve done my best to design the VM to be fairly “conventional”, in the sense that most design elements are aligned with common practice and unsurprising. In my opinion, this is important because it keeps the design approachable to newcomers. Having a design that’s unsurprising means that new users don’t need to read a 100-page manual and familiarize themselves with new terminology to get something done.”
“In this tutorial, we will build a rock, paper, scissors game with GitHub Copilot. We will also explore GitHub Copilot, a cloud-based AI tool that assists users of various editors in suggesting lines of code and whole functions instantly. We will discuss how Copilot has redefined productivity for millions of developers, and the benefits it provides. This tutorial includes the use of CodeTour, a VS Code extension, that allows developers to create and follow a guided walkthrough of a codebase. Let’s get started!
What is GitHub Copilot?
GitHub Copilot has helped redefine productivity for millions of developers by introducing them to the magic of AI assistance. GitHub Copilot is a cloud-based artificial intelligence tool developed by GitHub and OpenAI to assist users of Visual Studio, Visual Studio Code, Neovim, and JetBrains by suggesting lines of code and whole functions instantly. With Copilot, you can write a regular expression or interact with an API for the first time without leaving your editor.”
“In this blog, WPS Coalition member Dr Lisa Carson makes the case for an intersectional and intergenerational approach to building peace.
The theme of this year’s International Day of Peace was ‘End racism. Build peace’. The day is observed by the UN General Assembly and is devoted to strengthening the ideals of peace with calls for a 24 hour ceasefire globally. As the UN highlight, ‘achieving true peace entails much more than laying down arms. It requires the building of societies where all members feel that they can flourish. It involves creating a world in which people are treated equally, regardless of their race’.
In some ways, deepfakes are to video what photoshopping is to images. Just like photoshopped images, some are created better than others. It involves the manipulation of videos in such a way that, when well-made, it is impossible to distinguish from an original video. Deepfakes can be created in roughly two different ways: image creation and morphing. Image creation is a process by which a neural network looks at faces and creates their own image based on the samples it has been given. An example of image creation is the website ThisPersonDoesNotExist.
Deepfakes created through morphing merge one face with another, or superimpose expressions of one face onto another, creating video. Combined with voice cloning or using voice actors, morphing can lead to incredibly realistic videos that are entirely fictitious, such as the deepfake of President Nixon delivering the speech that was prepared in case of a moon landing disaster. A distinction must be made between deepfakes and “cheapfakes.” The latter is the manipulation of existing footage by slowing down or speeding up certain sections to exaggerate part of the video or by selectively editing content. Both U.S. Speaker of the House Nancy Pelosi and U.S. journalist Jim Acosta became the target of cheapfake”
By Susan Fowler
“As most of you know, I left Uber in December and joined Stripe in January. I’ve gotten a lot of questions over the past couple of months about why I left and what my time at Uber was like. It’s a strange, fascinating, and slightly horrifying story that deserves to be told while it is still fresh in my mind, so here we go. I joined Uber as a site reliability engineer (SRE) back in November 2015, and it was a great time to join as an engineer. They were still wrangling microservices out of their monolithic API, and things were just chaotic enough that there was exciting reliability work to be done. The SRE team was still pretty new when I joined, and I had the rare opportunity to choose whichever team was working on something that I wanted to be part of.
After the first couple of weeks of training, I chose to join the team that worked on my area of expertise, and this is where things started getting weird. On my first official day rotating on the team, my new manager sent me a string of messages over company chat. He was in an open relationship, he said, and his girlfriend was having an easy time finding new partners but he wasn’t. He was trying to stay out of trouble at work, he said, but he couldn’t help getting in trouble, because he was looking for women to have sex with. It was clear that he was trying to get me to have sex with him, and it was so clearly out of line that I immediately took screenshots of these chat messages and reported him to HR.”
“I was promoted a few weeks ago, which was great. I got a lot of nice notes from friends, family, customers, partners, and random strangers, which was exciting. But it wasn’t long until a note came in saying “everyone knows you got the position because you’re a girl.” And in spite of having a great week at a great company with great people I love, that still stung, because it’s not the first time I’ve heard it.
You see, every woman who works in tech (heck, likely every woman on earth) hears “because you’re a girl” dozens if not thousands of times in her life.”
