12 minute read
2023 NEW ZEALAND WOMEN IN SECURITY AWARDS
9 TH NOVEMBER Don’t Miss Out
Team Leader, Cyber Response Team | Section Chief, Women and Children
Cybercrime Protection Section | Digital Forensic Examiner | Police Officer | Resource Speaker | Educator | Information Technologist
Sharmaine Labrado is a ‘cybercop’. No, she’s not a software manifestation of RoboCop, the robotic law enforcement officer featured in the 1987 science fiction movie with that name. Labrado is a real person.
Specifically, according to her LinkedIn profile (get ready for this!) she is: “Team Leader, Cyber Response Team | Section Chief, Women and Children Cybercrime Protection Section | Digital Forensic Examiner | Police Officer | Resource Speaker | Educator | Information Technologist.”
She explains, to gain the title of cybercop in the Philippines Police, “personnel need to finish four foundation courses that enable us to conduct proactive internet investigation, cybercrime investigation, identification and seizure of digital evidence and digital forensic examination.”
Labrado is a member of the Philippine National Police (PNP) – Anti Cybercrime Group (ACG). “I gained there my first-hand knowledge of cybercrime investigation, proactive internet investigation, digital forensics and the identification and seizure of digital evidence” she says.
“These became my foundation courses in earning my cybercop badge. Aside from these, I have gained advanced knowledge in conducting cybercrime investigations and digital forensic examinations both locally and internationally. The PNP sends us abroad for training with our foreign counterparts. With these, I was able to compare and learn the procedures of other countries in handling cybercrime and digital forensics.”
Many Responsibilities
Her responsibilities are as many and diverse as her lengthy job title suggests. As team leader, she monitors and supervises personnel who “conduct investigations and cyber patrolling.” She also leads a team in operations involving violation of the Cybercrime Prevention Act of 2012 and, as chief of the Regional Digital Forensic Section, she supervises the conduct of digital forensic examinations and reviews digital forensic reports.
She also coordinates activities designed to prevent cybercrime, lectures to students and professionals on cybercrime awareness and conducts lectures to other police units on cybercrime investigation and how to deal with digital evidence at a crime scene.
Labrado has only recently taken on her role as team leader of a provincial cyber response team and is the only female officer of rank in her region handling cybercrime and cyber-related crimes. She also functions as the chief of the regional digital forensic section.
“With these roles I have to demonstrate knowledge and expertise in the field of cybercrime investigation, cybersecurity, cyber patrolling and digital forensics to lead the team in addressing the growing volume of cybercrime and cyber-related crimes, and apprehend cyber criminals in my area of responsibility with a total population of around three million,” she says.
Labrado cites as the most challenging aspects of her role “Being a female officer in a field dominated by men, law enforcement … [and] being an enforcer of the laws governing cybercrime and cyber-related crimes in the Philippines.”
She admits to being somewhat mystified as to just how she got her current role and offers a similar answer to Jane Frankland who, elsewhere in this issue, says of her journey, “man plans, and God laughs.” Labrado says, “I really don’t know how I arrived at my current role as team leader of the Provincial Cyber Response Team. … As the proverbs say, ‘You can make many plans, but the Lord’s purpose will prevail.’ – Proverbs 19:21.”
Early Interest In It
However, Labrado arrived at her career destination through an early interest in information technology, and in cybercrime. “It has always been my childhood interest to work with computers,” she explains.
“As an information technology student, I’ve seen many vulnerabilities in the programming code used in creating software. As an instructor, I’ve observed the tendency of computer enthusiasts to use technology for malicious programs. Because of this, I became an advocate for the ethical use of the internet and technology in general.”
Labrado pursued her interest by joining the Philippine National Police Anti-Cybercrime Group. “I realised then that technology is widely used as part of the everyday lives of individuals and that cybercriminals are everywhere targeting computer systems and networks,” she recalls. “As a bearer of the cybercop badge, I have been able to use my knowledge and expertise in the field of information technology to serve law enforcement.”
As helpers on her career journey Labrado cites her mentors, Sir Levy, “for giving me the first-hand knowledge in digital forensics and for his trust and confidence in me on different speaking engagements,” and Sir Scott, “for the advanced knowledge he shared and for his continuous technical advice on digital forensic concerns.”
For Labrado the rewards of being a cybercop come from serving the public. “I can serve anyone regardless of their status in life,” she says. “It is rewarding to know that I am able to use the knowledge I have learnt from my education to help the public and our fellow law enforcers in solving their issues and concerns in cyberspace as a cybercop, and that policing is not only about physical visibility on the roads, establishments or streets but also can be take place in cyberspace.” www.linkedin.com/in/sjlabrado athalie Viuf Stender grew up in Denmark in a cybersecurity-rich family environment “where Christmas plans could get dramatically altered if the biggest Danish newspaper were effected by a cyber attack or a code error,” she says.
In 2005 the Danish newspaper Jyllands-Posten published 12 cartoons depicting Muhammad creating a storm of outrage and riots in some Muslim countries. After that “both physical and online security become a hot topic in my family,” Stender says.
Her steeped-in-cybersecurity childhood is easy to understand when she identifies her father, Per Palmkvist Knudsen, whose “career as CIO in a time where security started emerging as a big topic was very inspirational,” as the biggest influence on her cybersecurity career. According to his LinkedIn profile he has had a long career in senior level IT roles.
Today Stender is Privacy and Security Engineering Leader with IKEA Retail (Ingka Group) in Sweden. However, cybersecurity was not her first career choice. Like many teenagers she chose a career path contrary to that provided by family example, but the pull of IT and cyber proved irresistible.
“As a child my idea was that I never wanted to do the same [as family]. So, I started studying business only to get frustrated by the lack of involvement of IT and IT security in the economic risk calculations,” she says.
A BESPOKE MASTER’S DEGREE
“It felt like the academic world of business simply did not understand how important this area would become. I therefore chose to take my master’s at the IT University of Copenhagen, where I created my own master’s combining security, privacy and compliance in order to be able to deep dive into the topics I could see impacting our everyday lives and businesses even more in the future. At this time GDPR [the EU’s General Data Protection Regulation] was only on the horizon and cyber attacks where not broadly known, so the widespread options for education in this area seen today were simply not there.”
It was also a time when women in cyber roles were less common, and less accepted. “As a woman, I was a bit afraid of signing up for the security classes since they often primarily consisted of men,” Stender says. “And I was concerned about how that would feel and look in a workplace.”
After that very deliberate move, Stender says some of her other career choices have been less directed.
“I do not see my career as a planned journey from a to z. My philosophy is that I want to do what makes me happy and what is sparking my interest. I have taken just as many horizontal moves as vertical, but in the end, they have all added something to my overall profile.
“One example was my bachelor’s degree from Copenhagen Business School. It taught me to understand business risk thinking, budgets and strategy. I can use that knowledge when getting the business buy-in on fixing vulnerability, planning for security improvements or in prioritising this important topic.”
A GLOBAL ROLE WITH IKEA RETAIL (INGKA GROUP)
Stender joined in 2022 and says she was attracted to the position because it was a global role that combined responsibility for privacy and for security.
“In many companies privacy and security are seen as two different fields and are often placed far from each other within the organisation. But you cannot have privacy and comply with the technical and organisational measures without having good security. And you cannot have good security without privacy. Being able to work with these two fields in combination made so much sense to me that I decided to join IKEA.”
She says the diversity of tasks she has to undertake is the most challenging aspect of her role. “I do not often work hands-on with complicated technical security tasks but mentor, oversee, prioritise and, sometimes most importantly, communicate the results.
“Security for organisations like IKEA a growing almost exponentially in work and importance. And it does take time to get all processes and people on board with the sometimes-urgent nature of security.
“As an example, if a zero-day vulnerability has been discovered, we sometimes need hundreds of people to deprioritise their work to make sure our business is not impacted. This requires clear communication, stakeholder management and an eye for the technical details.”
Balancing Work And Life
Stender was also drawn to IKEA because she saw the role as enabling her to balance work and personal life: she is able to work from home two or three days per week. “Having two kids and a husband, my first thought is always how my everyday life with a family would work. I have been offered positions I ended up turning down because they would not allow me to be much with my family. This might change as my kids grow older, but right now my family life is a priority.”
Meanwhile, Stender say the most rewarding aspect of her role at IKEA is “seeing people grow” rather than specific security achievements. “For me it does not matter whether it is managers seeing ‘the light’ and becoming more aware of security, or a new junior who suddenly starts having all the right answers herself to the tough questions. Seeing how our cyber organisation’s work ends up making a huge positive effect on everyone in IKEA is really rewarding.”
Prior to joining IKEA, Stender had a role in which she was responsible for compliance with GDPR and NIS2. She predicts compliance with regulations will be one of the most significant developments in cybersecurity over the next two years, and does have some concerns about the effect of focusing too much on regulations but more work is needed in the area:
“Looking at the legislation coming, for example, from the European Union, we are going to see much more regulation in this area which also links to more documentation. Done right, it will have a positive impact on the actual security level, but documentation and compliance alone do not necessarily lead to good technical security.
“We need to be able to remember security is an important culture that also drives better software and not only a legal requirement. In the end you cannot defend companies against cyber attackers with a box of paper.”
Challenges Ahead
And she expects attacks to grow, particularly on critical infrastructure, identifying global politics, as the most significant factor driving cybercrime. “We are already seeing a big spike in government-supported attacks on critical infrastructure, and these will continue growing as long as countries globally seek conflict instead of diplomacy.”
Like every cybersecurity leader, Stender faces ongoing staffing challenges, “everything from pen-testers to governance, risk and compliance.” She sees more people graduating from university with these
“I am a huge fan of vertical development. Even though people coming from other fields might not have much cyber experience, they will still have some of the stakeholder skills, patience and business knowledge people fresh out of the university are lacking.”
For her own skill development Stender says she is finalising her CISSP certification to be able to document her knowledge better within security, but confesses to finding prioritising this to be a challenge. “Last week, I had booked some study time in my calendar but then our IKEA security leaders from China visited in Sweden and I could not resist learning more about their job and get some ideas for how we can globally work better together.” www.linkedin.com/in/nathalie-viuf-stender-89037984
If anyone’s career trajectory reinforces the message, frequently repeated in these pages, that skills other than those in technology loom large in cybersecurity, it is that of Silvana Macri.
Asked what first piqued her interest in cybersecurity, Macri replies: “I was born to be a social engineer. I love people and behavioural psychology intrigued me.”
Her first steps to pursue her interest were not studying technology, but networking, the personal kind. “I am an avid networker, so I joined as many security-related networking groups and went to all their events to meet people and listen to what they had to share.”
After 16 years in various IT related roles, in 2019 she founded her own cybersecurity education specialist business, in Perth: Stay Cyber Safe. It provides programs, tools and learning opportunities to help corporates, industry groups and SMEs reduce their cyber risk.
Relationships Are Rewarding
For Macri, the rewards that come from being in cybersecurity are not technical achievement but relationships: “Working with people, rewarding positive behaviour, and helping people fill the gaps they have in security knowledge and cultural dimensions.”
And the biggest cybersecurity challenge she sees is the scarcity of people like herself. “I wish there were more security specialists with a psych background and communications and facilitation experience who understand how to translate tech speak to user speak,” she says. “Right now we are incredibly overallocated and under-resourced.”
A pivotal moment in Macri’s cybersecurity career was her discovery of Perry Carpenter, who she describes as “the ‘father’ of security awareness as a function.”
Carpenter is Chief Evangelist and Strategy Officer at KnowBe4—a security awareness training and simulated phishing platform—and the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behavior. He formerly led security awareness, security culture management and anti-phishing behaviour management research at Gartner.
Formal Qualifications In Security Awareness
Now, Macri is planning to gain formal qualifications in the behavioural aspects of cybersecurity by sitting the Security Awareness and Culture Professional (SACP) exam, a vendor-neutral certification that recognises professionals who work and exhibit competency in the development, assessment, management and maintenance of security awareness programs. “It is absolutely critical in a role like mine,” she says.
However, cybersecurity requires people with a technical focus as much as a people focus, and some are better suited to such roles. Macri’s advice to anyone aspiring to a role similar to hers is to first explore the technical side. “Do a short cyber course first as a pathway and see if it is a good fit, or alternatively if it’s the people side of cyber, study behavioural science/psychology and facilitation (delivery).”
Macri says she “couldn’t believe how the people side of security was being unaddressed,” until “I realised it was because people are grey, not on/off binary. And tech peeps generally find people difficult to predict so they avoided the human element for years until it seriously became the biggest/most effective attack vector.”
Challenges Ahead
However, human ingenuity might be about to lose its prime position. It is not people but technology, specifically artificial intelligence that Macri sees as being one of the most significant new threats. She is not alone; it has been cited by many women who have shared their cybersecurity journeys in these pages.
“The challenges AI/automation brings cannot be decoupled from the benefits, so be aware and prepared for an exponential increase in attack numbers and sophistication,” she says. “Do not underestimate nation state attacks using automation/ AI especially in critical infrastructure.” www.linkedin.com/in/macrisilvana
As the biggest influence on her career, Macri cites Kevin Mitnick, a convicted hacker who now runs security firm Mitnick Security Consulting and is part owner of KnowBe4. Macri hosted him in Perth for a two-day event at Optus Stadium in 2019 and she says he is now her ‘friend’ on a number of online platforms.
"When women work together, they become a force to be reckoned with. Be part of a force for good in the security industry, by joining the AWSN Explorers program today!"
S t u d y i n g o r a n E a r l y C a r e e r P r o f e s s i o n a l i n i n f o r m a t i o n s e c u r i t y ?
L e a r n m o r e a t . a w s n . o r g . a u / i n i t i a t i v e s / a w s ne x p l o r e r s /
