07
MARCH • APRIL 2022
IN 2022, YOU CAN NO LONGER TAKE SECURITY WORKERS FOR GRANTED P10-13
AS THE SECURITY THREAT MORPHS, DEFENSIVE TEAMS MUST CHANGE TOO P76-79
IF YOU CAN’T SPEND YOUR WAY TO GOOD SECURITY THIS YEAR, TRY FOCUSING ON YOUR PEOPLE P94-97
YEAR OF THE SECURITY WORKER
www.womeninsecuritymagazine.com
FROM THE PUBLISHER

Let’s make 2022 the Year of the Security Worker

In a time of change and challenge, the Water Tiger offers inspiration for every security worker

If you are not a person who pays attention to the Chinese zodiac, you may not have known that 1 February marked the beginning of the Year of the Tiger – and, specifically, the year of the Water Tiger.

The Year of the Tiger occurs once every 12 years, and the Water Tiger comes just once every 60 years – just once or twice in each person’s lifetime – as the calendar rotates through wood, fire, earth, gold, and water.

Each type of tiger has its own personal characteristics, and water tigers in particular are known to be studious and thoughtful, blessed with a strong sense of self-esteem, strong chances of career success, proficiency in arts and crafts, and the ability to learn new things.

Those are all invaluable traits, and those of you born in 1962 can rest confident in the knowledge that you are in good company: actors Tom Cruise, Ralph Fiennes and Demi Moore, conservationist Steve Irwin, and singers Paula Abdul and Jon Bon Jovi were all, like you, born in the year of the Water Tiger.

If we look back through history, many significant achievements for women have also occurred in this most auspicious year.

In 1962, for example, Jean E. Sammet developed the FORMAC programming language.

In 1902, the Parliament of Australia passed the Commonwealth Franchise Act 1902, which granted women the right to vote – making Australia the first independent country to grant women’s suffrage at a national level.

Sixty years earlier, in 1842, mathematician Ada Lovelace was working hard alongside Charles Babbage as he developed his Analytical Engine – widely considered to be the first working machine. Lovelace’s publication of an algorithm for controlling the machine has led to her being remembered as the world’s first computer programmer.

Step back sixty years earlier to consider the achievements of American soldier Deborah Sampson, who disguised herself as a man for 17 months to fight the British during the American Revolutionary War. She was wounded in battle in 1782, was one of the first women to receive a pension for her military service, and went on to become the first woman to tour the US as an esteemed lecturer.

The Year of the Security Worker

My question to you, then, is simple: what will women do in 2022, this year of the Water Tiger, to make this year go down in history like so many before us?

We have made great strides towards equality and diversity over the past few years, and – as the breadth and depth of talented women in the 2021 Australian Women in Security Awards show – the security industry is awash in talent.

Consider the achievements of award winners like Kate Monckton, Marie Patane, Pip Rae, Anu Kukar, Sarah Hosey, Kavika Singhal, Laura Brandon, Alison Lee, AWSN Cadets, Reshma Devi, and Moufida Rima – as well as allies like Simon Carabetta and Greater Western Water, who are demonstrating what can be accomplished when leaders take up the cause of women in cybersecurity.

Consider the work of individuals like Amanda-Jane Turner, Nicole Stephensen, and Jess Dodson, who are going out of their way to help all of us fight cybercrime by educating us about its perils. Jo Cooper is constantly running tips and tricks, and delivering articles about data privacy and your data rights. And Jacqui Lostau is scoring one goal after another building women security leaders and mentorship programs.

Given all this great work – and that of so many other amazing women who are helping the cybersecurity industry shake off the cobwebs of decades of myopia – I am taking the initiative to rename this year not as the Year of the Water Tiger, but as the Year of the Security Worker.

As you read about the achievements, advice, and warnings of the many experts in these pages, think about what role you can play to support positive change across the industry.

Consider how the Great Resignation is forcing employers to get real about keeping cybersecurity workers – many of whom already have one foot out the door, and a better job offer waiting for them.

For many, money is less important than the sense that their employers value them – and the diversity of their peers. The numbers prove that employee satisfaction increases markedly when workers see their employers promoting diversity. Diversity isn’t just a way of keeping staff, though: with cybercriminals building ragtag teams of like-minded individuals, the relative homogeneity of defensive corporate cybersecurity teams has become a liability – and one that requires real leadership to overcome.

“It takes a deliberate leader to have the self-awareness to question hiring choices,” notes Raytheon Intelligence & Space executive John Check, who was assigned to build a cybersecurity-focused team and made diversity a non-negotiable part of its design.

“If we don’t commit to doing this,” he said, “we choose to limit the creativity that goes into brainstorming, problem solving, and new ideas that are essential for fighting cybercrime.”

As you will also read, getting creative is becoming particularly important because, despite years of pouring money into cybersecurity, many executives are starting to think about other ways to spend their budgets.

This means cybersecurity teams will need to look past the new tech to lean on staff diversity, and team cohesiveness, more than ever.

Keep this all in mind as you consider what you will achieve during this, the Year of the Security Worker.

Stay fierce and brave like the Water Tiger, and keep fighting for better, more inclusive and more productive workplaces that recognise the strengths of every individual.

This is our year to stand up and grasp every opportunity given, take the kudos, earn those promotions, improve diversity and inclusion in our industry – and, in so doing, to help make the world a better place.

Abigail Swabey
PUBLISHER, and CEO of Source2Create
www.linkedin.com/in/abigail-swabey-95145312/
aby@source2create.com.au
CONTENTS

PUBLISHER’S LETTER 2
IN 2022, YOU CAN NO LONGER TAKE SECURITY WORKERS FOR GRANTED by David Braue 10

COLUMN
Online grooming 14

WHAT’S HER JOURNEY?
Diondria Holliman 18
Fatema Hashmi 20
Diana Selck-Paulsson 22
Archana Puri 26
Dorien Koelemeijer 28
Robin Lennon 30

CAREER PERSPECTIVES
Turning off that repetitive track 34
2022: Year of the Rookie? 36
Building a strong cybersecurity career 38
Making cyber accessible: graduate programs and alternative pathways for women into cybersecurity 42
Cybersecurity - A ‘blind spot’ in mergers and acquisitions (M&A) 44
Too much information: Sifting through the cyber threat intelligence noise 48
WAY UP – Rule Yourself 50
Pave your own path: 7 things you can do to lay the groundwork for a promotion or move 52
Hey girl! Back from a break? Why not join cybersecurity? 54
JOB BOARD – APPLY NOW 56
Calculator Vault apps 60
Let’s make security the lingua franca of business in 2022 62

INDUSTRY PERSPECTIVES
Australian Women in Security Incident Response Competition 2021 64
Women In Tech 68
Starting out in privacy 70
To enhance cybersecurity, embrace diversity 72
AS THE SECURITY THREAT MORPHS, DEFENSIVE TEAMS MUST CHANGE TOO by David Braue 76
A Secret Sauce Recipe: The deliciousness of trying stuff 80
Are you a poacher or a gardener? 82
When the skills shortage reaches boiling point 86
You CAN have it all: a parent’s perspective on being a cybersecurity founder 88
Life in cyber security 92
IF YOU CAN’T SPEND YOUR WAY TO GOOD SECURITY THIS YEAR, TRY FOCUSING ON YOUR PEOPLE by David Braue 94

TECHNOLOGY PERSPECTIVES
The importance of partnerships in security 98
The missing art of understanding vulnerabilities - the undiscussed approach 100
A cyber warrior in the enterprise of things 102

STUDENT IN SECURITY SPOTLIGHT
Gabriela Sorsa 106
Arifa Upola 110
Pranjali Karve 112
Aditi Sigroha 114
Danielle Rosenfeld Lovell 116

SURFING THE NET 120
TURN IT UP 126
OFF THE SHELF 128

FOUNDER & EDITOR Abigail Swabey
JOURNALISTS David Braue, Stuart Corner
ADVERTISING Charlie-Mae Baker, Vasudha Arora, Abigail Swabey
SUB-EDITOR Stuart Corner
DESIGNER Jihee Park

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.
©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
ASSOCIATIONS & GROUPS SUPPORTING THE WOMEN IN SECURITY MAGAZINE
OFFICIAL PARTNER
SUPPORTING ASSOCIATIONS
EXPRESSION OF INTEREST – SPONSORSHIP. We invite your organisation to join with Source2Create and our partners to sponsor the 2022 Australian Women in Security Awards. Register your interest today for various sponsorship opportunities. #2022WISAWARDS
IN 2022, YOU CAN NO LONGER TAKE SECURITY WORKERS FOR GRANTED
by David Braue

It may have started out as an organisational-psychology construct, but the Great Resignation became a real thing last year, with millions of employees exiting the workforce just as employers were calling for all hands on deck in shaping their post-pandemic strategy – only to find key employees had already jumped ship.

The extent of the problem has quickly spiralled out of control, creating an imminent staffing crisis for employers and threatening disruption for security leaders that need more workers, not fewer.

Yet just 18% of Australian and New Zealander IT workers have a “high intent to stay” with their current employer, according to a recent Gartner analysis that warned employers must be more flexible than ever as they navigate 2022’s new normal – and that long-held optimism about a return to the office-based normal is the first casualty.

“Many CIOs are losing the war for talent,” Gartner notes, warning that the firm “has heard of IT organisations implementing back-to-the-office policies, only to experience mass resignations and having to reverse course.”

That’s a body blow for companies already wrestling with a base of employees in which, a recent Citrix survey found, 49% of IT workers are less satisfied with their jobs than they used to be – and 24% have disengaged from their work.

Large-scale staff losses can be catastrophic in any market segment, but Australia’s security industry – in more demand than ever as the nature and volume of cybersecurity attacks continues to explode – is particularly vulnerable given that the impact of the Great Resignation could compound staff-retention issues already being keenly felt in cybersecurity’s high-stress, high-turnover jobs.

Building effective security strategies requires employees to be both engaged and productive – but how can companies help their security workers get their grooves back?

“If management has the impression that we’re all doing fine, but employees don’t, then management might not take the right decisions – and employees may have to fight for diversity policies.” - Hubertus Bitting, Chief Commercial Officer with Statista

CHARTING THE WAY BACK FROM THE BRINK

Many factors affect employee retention, but a commitment to diversity, equity, and inclusion (DEI) is a crucial part of this effort, Gartner advises – warning CIOs that without a more concerted focus on DEI, this year’s strong labour market, talent shortages, and inadequate support for underrepresented groups “might prompt good people to seek employment alternatives.”

The ANZ high-intent-to-stay figures are much lower than the global average of 29.1%, implying that local workers are far less willing to stick around as their employers sort things out.

That, in turn, puts pressure on local employers to figure out how to improve diversity and representation before inadequate policies further their downfall. Thankfully, research suggests that a proactive approach towards DEI can directly impact employees’ perceptions of the place they work – with stronger measures of employee satisfaction correlated with employers’ success in pursuing meaningful DEI agendas.

Those agendas are most effective if they are built around six main pillars of diversity – LGBTQ+, gender, age, disability, ethnicity, and overarching strategy – noted Hubertus Bitting, Chief Commercial Officer with Statista, a data analysis firm that has collected and analysed worker-sentiment data from more than 100,000 people working at over 8500 European companies. Although there are widespread and well-understood financial returns for companies that prioritise DEI, those quantitative measures don’t speak to the overall sentiment of the employees they affect; that conversation, Bitting noted during a recent webinar, is “a very qualitative topic that deals with feelings”.

That makes it harder to measure, but Statista uses a Diversity Promotion Score (DPS) – analogous to the widely-used Net Promoter Score (NPS) used to measure customer satisfaction – to rate employee perceptions of diversity, and has found a “clear positive correlation here”.

Plotting DPS scores against the six criteria allowed Statista to trace companies’ progress on meaningful DEI strategies, with evaluations of the strength of the correlation confirming that having a diversity strategy has the most impact on employee satisfaction – followed by measures to address inequalities in age, gender, ethnicity, disability, and LGBTQ+ community, in that order.

The split of DPS scores may come as a surprise: gender-diverse recruitment policies, for example, were significantly more closely correlated with employee satisfaction than whether male and female workers are paid the same for doing the same job.

Many companies are still trying to figure out which specific DEI policies have the most impact, with DPS scores confirming that management tends to believe their companies are doing better than their employees do.

Such detailed analyses are instructive in explaining the gap between management and employee perceptions, Bitting said: “at the end of the day management is taking the decisions,” he explained, “and if management has the impression that we’re all doing fine, but employees don’t, then management might not take the right decisions – and employees may have to fight for diversity policies.”

Analysed across the entire cohort, the figures also helped highlight regional challenges: for example, Scandinavian countries had better-addressed issues in age equality, while scores in France, Italy, and Spain showed lingering gaps in the equality of ethnic groups.

“The more employees see and commit to the fact that companies are promoting diversity, the higher their satisfaction with their employer,” Bitting said, noting that the proportion of employees seen as ‘promoters’ – in that they recommend their own employer as a diversity leader – increased from 29.3% to 34.4% between 2020 and 2021.

The fact that this increase correlates with the dramatic changes wrought by the COVID-19 pandemic suggests that many companies responded to the disruption by doubling down on diversity – and DPS scores confirm it is working, with steady growth in each of the six domains over time.

“If these things are implemented, and if people really commit to it and the company is really living it, this has the highest impact.”

HAPPY WORKFORCE, HAPPY LIFE

The evidence is in, and the gauntlet has been laid down: this year, employees aren’t going to sit around in jobs they don’t want, working for employers they don’t feel are doing the right thing.

That dynamic creates new tensions in a year that just 37 per cent of Australians believe will be better than last year, according to a recent Roy Morgan survey that flagged a massive drop in optimism over the past year.

That means anything employers can do to improve their relationship with employees is going to pay dividends – and with so much disruption continuing to reshape the workforce, making an open and consistent commitment to improving diversity is one way employers can fight to keep, and win, the security workers they need to survive.

It’s likely to remain a fraught relationship for the near future, however, according to a recent iResearch-Pegasystems study that found 51% of senior IT decision-makers can enact positive change over the next five years – with 17% having no confidence in this at all, or harbouring significant doubts.

Addressing diversity will be critical to improving this, with 30% of respondents expecting that it will continue to gain importance over the next few years as IT builds more representative teams by adding more talent from historically marginalised groups.

“In the next three to five years, the IT function will look, feel, and perform very differently to today,” said Pegasystems chief technology officer Don Schuerman.

“The accelerated pace of digital transformation has put IT leaders front and centre [and] taught the strategic value these teams can provide if they are given the tools and the opportunity to be creative, collaborative, and focus their efforts on the areas where they can best add value.”

“All of this will lead to better decision-making, more diverse, skilled workforces, and a more open, united way of working that will help to crush complexity and deliver better outcomes.”
AMANDA-JANE TURNER
Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist

COLUMN

Online grooming

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

Welcome to 2022. This year my column will focus on cybercrime that impacts individuals and on what we can all do as individuals to stay safe from cybercrime. Cyberspace may not be the same as physical space but that does not make it any less real. Crime committed via online mechanisms, or using data sourced from cyberspace, can have severe and tragic consequences in the physical world. Think about the cybercrimes of predatory behaviour and the online sexual grooming of underage persons.

Online grooming is when someone befriends a person online to exploit them. These online predators often target children for sexual exploitation. Thanks to the anonymity and massive reach of the internet, they can easily approach multiple children simultaneously. Usually they create a fake persona in the same age group as their targets. Exploitation may mean encouraging the underage person to participate in sexually explicit conversation, obtaining pictures of the child in a state of undress, or convincing them to meet, which puts the child in physical danger.

Whether the victim is physically injured or not, this online grooming has long-term negative impacts on their lives and the lives of their family and friends. As the Australian Centre to Counter Child Exploitation (ACCCE) states, “behind every image or video there is a real child victim being sexually exploited.”

These online predators may use child-friendly websites, online gaming platforms and social media to locate and lure their intended victims. In 2007 a young girl in Australia was lured to her death by an online predator pretending to be a teen musician. That girl was Carly Ryan. Her mother created the Carly Ryan Foundation to provide education on online safety.

For information on how to protect children from online predators, and the signs to look for, please visit the ACCCE website. Cybercrime is big business. We need to work together to stay safe from it.

This column is dedicated to the memory of two very good men: my friend Kyle Maher (1989-2021), and my dad Gordon Turner (1925 – 2022)

www.demystifycyber.com.au/
Easy Reliable Resourceful No job is too big or too small. We look after your marketing & content needs so you can get on with what you do best. GET CONNECTED AND TAKE CONTROL OF YOUR BUSINESS SUCCESS TODAY! www.source2create.com.au
charlie@source2create.com.au
aby@source2create.com.au
vasudha@source2create.com.au
Connecting - Supporting - Inspiring AS A FORMAL MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD AND SUSTAIN A STRONGER FUTURE FOR OUR INDUSTRY
With an affordable annual fee, AWSN members will have access to discounts on programs and industry events, the membership Slack space, post or share job opportunities, and receive our monthly and any special edition newsletters. Members can also access our range of informative events and workshops!
Memberships are now a 12-month cycle Corporate packages available Learn more at awsn.org.au/members/join/
Thank you to all our amazing sponsors for their generosity and for helping us to CONNECT, SUPPORT and INSPIRE our members Contact us for further sponsorship opportunities in 2022: awsn.org.au/supportus/sponsors/
WHAT’S HER JOURNEY?

Diondria Holliman
CISSP, PMP

There has been much talk, and many initiatives, in recent times to increase diversity in the cybersecurity workforce, but Diondria Holliman sees diversity at senior levels going the wrong way.

“By 2030, we are trending to see even less diversity in cybersecurity at the C-suite and director level,” she says. To reverse this trend, she suggests senior executive remuneration should be linked to the achievement of inclusion, diversity and equity (ID&E) goals with both short and long-term incentive programs.

“Diversity breeds more diversity. Therefore, opening opportunities to all capable individuals will inspire others to see themselves excelling in cybersecurity too, regardless of their gender, ethnicity, sexuality, or any other factor,” says Holliman. “[Diversity in] cybersecurity is important because the enemy doesn’t discriminate against the individual, business, or government in seeking to cause harm. Hence, it’s even more important that cybersecurity takes the lead in diversification to think through a different lens, which in turn will help further devise innovative ways to counteract these attacks.”

DIVERSITY NEEDED AT THE TOP

She believes lack of diversity at senior levels to be one of the greatest challenges facing cybersecurity, and a challenge exacerbated by the pandemic. There are, she says, two barriers hindering women from rising into leadership roles in cybersecurity: subconscious bias against women being great executors and ‘super-doers’, and a lack of executive-level sponsorship to open doors beyond simply providing mentoring.

Holliman is an IT cybersecurity analyst at global medical device manufacturer Medtronic, and a seasoned security professional with more than 15 years’ experience in corporate information security strategy, compliance, security architecture and data privacy and protection. She leads several internal and external efforts to solve gender and ethnicity disparities across the tech industry.

Holliman describes her job as “leading initiatives focused on securing sensitive data and intellectual property through encrypting data in transit, encrypting data at rest, and providing encryption key management and certificate solutions.”

She adds: “In this type of dynamic work environment, I can expand quickly to drive other key areas such as cloud encryption, certificate automation, and code signing solutions. It’s also no secret that cybersecurity jobs pay higher salaries, offer better job security, and more flexible work hours which is especially valuable to me as a working mom.”

RECOGNITION FOR ACHIEVEMENT

In 2021 she had the distinction of receiving the 2021 (ISC)² Mid-Career Professional Global Achievement Award for the Americas. It “recognises an individual who is at the mid-career stage and has demonstrated commitment and achievement in managing or implementing a vital component of a cyber, information, software, infrastructure program/project.”

Holliman won the award for her “successful implementation of Medtronic’s USB Block program, which spans across 95,000+ employees located in 160+ countries worldwide, to prevent data exfiltration,” and for being “instrumental in orchestrating secure code signing of ventilator software to assist Medtronic’s efforts to open-source its ventilator design to speed up the production of the life-saving machinery.”

She hopes winning the award will help break down barriers and perceptions of how STEM leaders should look, act or speak, and help increase diversity.

It should also help further her own leadership ambitions. Holliman sees artificial intelligence as having a key role in healthcare technology and wants to play a key role enhancing IoT device security controls through the use of AI to drastically improve both cyber defence and patient outcomes.

LEADERSHIP ASPIRATIONS

“My highest ambition is to steer change from a senior leadership role by bringing diverse input and perspectives as we strive to balance the macro-effects of AI as a whole.”

Holliman is also making her own contribution to cybersecurity education. She has partnered with online course provider Udemy to produce a series of lectures on how companies can adapt their business continuity and disaster recovery strategy, which releases in March 2022. With her unique combination of project portfolio knowledge, she has recently partnered with LinkedIn Learning as well to teach on how to manage cybersecurity programs and create a balanced portfolio in this space. Stay tuned for promotional codes related to these endeavours.

In addition to her ‘day job’, she teaches cybersecurity fundamentals at local schools, participates as a mentor in several non-profits, speaks on panels as a thought leader, and has had articles published in several globally recognised magazines.

Holliman says she grew up “always attracted to the challenge of solving problems and constantly learning new technologies.” She started her cyber career with bachelor’s and master’s degrees in computer science and says she spent more than five years as a happy coder in various programming languages, building the skills necessary to examine software security vulnerabilities and detect malicious code.

“Although there are many ways to begin a career in cybersecurity, I believe having knowledge of the essential components of programming offers a higher competitive edge,” she says.

Today Holliman stays current on the ever-changing threat landscape by “consuming related content on multiple platforms whether that’s by reading, listening, speaking, or attending live events.”

SEIZING COVID-CREATED SECURITY OPPORTUNITIES

She also makes a point of gaining industry certifications to broaden her technical and management skills. She holds CISSP, PfMP, and PMP certifications and is pursuing the (ISC)² Certified Cloud Security Professional (CCSP) to seize the opportunities created by the pandemic-driven shift to cloud, which, she says, “has led to the high cost of misconfiguration-driven breaches and a reset of business continuity needs at an unprecedented scale.”

She also hopes the qualification will help her “build further credibility in evangelising the best practices to design, manage, and secure data in the cloud.”

www.linkedin.com/in/diondria/
twitter.com/diondria4309
Fatema Hashmi
Senior Security Consultant at Telstra Purple, Unsung Hero Highly Commended Award winner at the 2021 Australian Women in Security Awards

As someone who has spent a decade in the male-dominated industries of IT and cybersecurity, Fatema Hashmi considers herself lucky to have had no fewer than six female managers, starting from her first job in Australia, working at McDonald’s.

She rates these women as some of the most influential people in her career journey. Alex Panos, her manager in her first IT role, at labour-hire company Skilled Group, “showed me how to stand up against bullying, and that being treated with respect is a basic ask.” Her second female manager, Tasneem Muskeen, helped develop her people skills.

However, it’s not all good news about female managers. Some, Hashmi says, had adverse effects on her professional growth. They were aided and abetted in this endeavour by “men with a very rigid mindset.” One of her biggest challenges was “to navigate these career-limiting obstacles and continue to make a difference.”

A SENIOR ROLE AT TELSTRA PURPLE

Today, Hashmi is a senior security consultant at Telstra Purple, Telstra’s IT service arm, which claims to be Australia’s largest Australian-owned technology services provider.

She provides consultative services in governance, risk and compliance and develops security strategies. She says her biggest challenge in this role is shifting client mindset and countering an attitude that sees security as merely a checklist. “All solutions need controls that are sustainable and not that just look good, or sound secure.”

It’s a role a long way from her career aspirations when she completed schooling in her native India: chemical engineering. Instead of following that path she took a leap of faith “that I will make it big in a foreign land,” migrated to Australia and signed up for a Bachelor of Information Technology course at Federation University.

While applying for permanent residency she took whatever work she could find. That’s how she came to be working at McDonald’s. Other jobs included tutoring and cold calling from a call centre until she finally secured an IT service desk analyst role with Skilled in 2012, just after completing her bachelor’s degree. She started her master’s degree in information systems at Melbourne University in 2015, completing it in 2017. It was this experience that sparked her interest in security and led to her first cybersecurity role, with Accenture. “And the rest is history,” she says.

SECURITY DEBUT AT ACCENTURE

At Accenture Hashmi worked on multiple security projects for Accenture’s clients before taking on her current role with Telstra Purple in 2021. She also has part-time roles at RMIT Online as a facilitator and as a session tutor at RMIT University.

With such a varied career, it’s perhaps not surprising Hashmi lists accepting change as a major factor in her career journey. “Change is the only constant in one’s career. We need to keep evolving and adapting.”

She attributes her career success to her acceptance of change and to “my passion to bring about a change, the willingness to work and to keep pushing,” and to her parents, who taught her the value of hard work and the rewards it brings.

“Change is the only constant in one’s career. We need to keep evolving and adapting. My passion to bring about a change, the willingness to work and to keep pushing.”

Despite having a bachelor’s and master’s degree, Hashmi believes that not having a formal degree doesn’t imply that someone cannot pursue a career in security. “The attitude to learn, to be flexible to change, and an insatiable hunger for knowledge are all you need to get started in security,” she says, adding, “For someone starting out – associating with security workgroups, taking part in industry webinars and subscribing to technical articles would be really helpful.”

And for school leavers contemplating a security career, Hashmi advises: “Explore all the streams of Security – Governance, Risk and Compliance; Identity & Access Management; Security Operations; Cloud etc. Subscribe to newsletters and follow the Australian Cyber Security Centre (ACSC) if practising in Australia.”

If you are a rookie in security, she recommends starting in cyber in an operational role. “It gives you the necessary insight to understand the organisation’s assets, relate these to the organisation’s vision and see how the environment operates. These are key elements to know what to protect and why. The ‘how’ part you will learn on the job.”

She welcomes the growing number of women in cyber and has strong ideas on what roles they should be filling. “We need more women in technical roles such as chief technology officer, and in architectural roles where they bring in their security experience to build robust designs, and their empathy to leverage the people skills required to shift the mindset from a reactive to preventive security.”

CHALLENGES APLENTY

These women will face plenty of challenges, Hashmi says. “The log4j vulnerability exploits and the most recent DDoS attack on Microsoft, while mitigated, show the growing complexity of attacks which demands more proactive, defensive security controls be implemented.

“And with the exponential growth of the Internet of Things (IoT) and Artificial Intelligence (AI), the lines of security are getting blurry and intertwined each day. We need to know our assets and where/how our information is going, and how it is being shared before we can protect it.”

www.linkedin.com/in/fatema-hashmi-85544a62
WOMEN IN SECURITY MAGAZINE
21
Diana Selck-Paulsson
Lead Security Researcher at Orange Cyberdefense

Diana Selck-Paulsson is lead security researcher at global security services provider Orange Cyberdefense. She is based in Sweden.

She describes her first role in cyber security as being a long way from her education: she holds a master's degree in International Criminology with a focus on interpersonal cybercrime. She ended up applying for a job with Orange Cyberdefense following a friend's recommendation and started out in an administrative role, coordinating a team of security analysts and helping them with their monthly deliveries to customers.

She works with security incident data generated by their customers and external threat data that the company collects continuously, and says she does sometimes get to use her expertise in criminology to help customers and the company better understand the global threat landscape. She says she leveraged her involvement in these reports to get a better understanding of the overall cyber threat landscape.

"From the reports, I gained a lot of knowledge on security incident management. I took the lead on driving change towards standardisation of incident documentation and thus helped with increasing our data quality."

GETTING CYBER-CERTIFIED

She then took the initiative and expanded her role. "Because I had really good insights into what we were seeing across our customers, and thus industries, I requested to be allowed to conduct small research projects that would combine external threat landscape sightings with internal insights." And in her first year, she boosted her cybersecurity expertise by obtaining a CompTIA Security+ certification.

Those initial research projects led to her being offered a position as a threat research analyst in an internal threat research team. Simultaneously, another path was offered to her, a more leading position in managing a small team of analysts, which she declined.

"I really wanted to stay closer to the field and learn and deepen my knowledge there," she says. "In hindsight, I am glad I made that decision."

Despite her initial post-master's degree role being somewhat removed from her qualification and aspirations, she says she is now in a role that is closer to her university background and her passion.

"When I finished school, I wanted to do more research in cybercrime and contribute to combating it. I knew this was needed but I couldn't find any open positions, especially looking at cybercrime from the victims' point of view. I saw that so much victimisation is happening online every day, but defence, prevention and awareness were not reaching the majority of the public. That was when I decided I needed to find like-minded people who could not only tell stories of online victimisation but who were active in this area and would want to collaborate with me to do something."

So, in 2016, having just finished her master's, Selck-Paulsson created a local Meetup group, Critical Tech, and over the following four years organised events, workshops and after-work talks about technology and its impact on society.

A PASSION FOR THE 'BIG PICTURE'

The friend who recommended Selck-Paulsson clearly had an impact on her career, as have many others, but she believes her passion for the 'big picture' — the interaction between people and technology — has been the consistent driver of her career.

"When I first joined cybersecurity, I realised I had come from a completely different discipline, and thus a very different world (social science). After looking at interpersonal cybercrime in my thesis I was introduced to the technical part of cybersecurity: networks, security alerting on user (mis)behaviour, technical indications of suspicious activity. It was very different from what I knew."

What she discovered was that the 'human factor' was not given the prominence she believed it deserved. "I perceived the overall attitude towards the human as quite negative. The industry would say, 'the human is the weakest link' and I would feel quite offended by it (and still am)." She learnt much about cybersecurity but still felt she was missing the insights she sought.

"I learned a lot from my direct colleagues in my first years. They would always take the time to explain things to me and answer my questions, and thus I formed a good knowledge base. But it wasn't until later that I felt I was missing the broader discussion on technology and society. What did the things we were seeing at our customers mean in comparison to the external threat landscape that everyone else was observing?"

A PIVOTAL EVENT

During an internal project she was introduced to her now manager, the head of security research at Orange Cyberdefense, Charl van der Walt. It proved to be a significant event.

"We had really great discussions about the broader issues of cybercrime and our company's role and responsibility as a managed security service provider (MSSP) in helping combat cybercrime. He encouraged me to connect both my worlds (social science and cybersecurity). Together we started working on a research project to look into a cybercrime theory that could help us understand a threat we were observing. We developed some concrete ideas on the prevention, which really is at the heart of criminology.

"These were very influential months that strengthened my belief that we need a multidisciplinary approach to the broader issue of combating cybercrime."

This belief was further reinforced when she discovered a web page dedicated to public interest technology resources, maintained by Bruce Schneier.

"I was so excited when I read his introduction on the topic explaining that we need people working in the public interest with diverse and interdisciplinary backgrounds. It underlined that what I did had a purpose, despite me doubting it at times."

As someone who has arrived at her current role through purpose and passion rather than formal qualifications, it's perhaps not surprising that Selck-Paulsson values these attributes over more formal career pathways.

PASSION COMES FIRST

"Maybe I am biased because my background isn't a typical one within IT security, but I do believe that passion and life experience outweigh the formal qualifications. I think if someone is self-driven, curious, eager to learn, a critical thinker with a strong ambition to help combat current issues in cyber security, there is a place for you, the rest you will learn over time."

However, she does acknowledge that coming to cybersecurity from another discipline or background does have its challenges, the biggest one being imposter syndrome.

"I feel that cybersecurity has been, and maybe still is, in its own bubble, only looking for people with a specific profile very similar to the profiles of those that have held positions in the past decade in the industry. If you are a little outside of this profile, you notice it very quickly, and you start to wonder if you should be here, if you belong here. It still gets to me at times."

But she does not want prospective cybersecurity people, especially women, to be put off. "Cyber is a really exciting field to work in. If you do have an interest, passion or are curious to join this industry, definitely give it a try. We need people from more diverse backgrounds joining.

"I think any role in cybersecurity could be filled by a woman. And because the roles are really diverse, there are great opportunities for all kinds of interests and skillsets."

ADVICE FOR NEWCOMERS

Selck-Paulsson acknowledges the rich diversity of opportunities in cyber can seem overwhelming to newcomers but says: "Just remember no one knows everything. Keep an open, curious mind while you try to figure out which branch you might want to deepen your knowledge in. Prepare to always learn, it's a really fast-changing field, which is exciting but can also feel stressful at times. Find a good balance and accept that gaining knowledge takes time would be my advice."

Looking forward she sees 'security by design' as one of the main developments the industry will need to come to grips with.

"Technological development is moving so fast that we cannot catch up and thus we cannot prevent technological failure or misuse/abuse. The products we develop and produce as a society today are the ones that increase our individual or organisational vulnerability and thus, can be misused tomorrow.

"We need to start implementing processes to require security, privacy standards, and ethical considerations during the production of new technologies. Our industry often attempts to solve technical issues with technological solutions, but sometimes they just add to the stack of issues. If we don't start thinking ahead cybersecurity will continue to struggle with a huge resource problem: a catch-up game that we cannot win."

www.linkedin.com/in/diana-selck-paulsson-41494754/
Archana Puri
Security Assurance Manager at Harvey Norman
The One to Watch in IT Security Highly Commended Award winner at the 2021 Australian Women in Security Awards

Archana Puri, security assurance manager with Harvey Norman, had a rather unplanned transition into cybersecurity. She went from completing her first degree in biotechnology to doing a master's in cyber law and information security, both in her native country, India.

An interest in programming, kindled while studying biotechnology, was only one reason for the switch. Another reason was rather unusual: her mother encouraged her to pursue a master's degree so as to delay, at least for a few years, the destiny of most young girls in her culture: an arranged marriage.

Her decision to pursue a cyber career also reflected her refusal to follow another accepted life journey for a young, educated Indian woman: medicine. "It was considered a safe and a respected career option, especially for girls," she says.

CHALLENGING GENDER STEREOTYPES

Instead, Puri took up what she saw as a distinctly unusual and female-unfriendly option. "I chose to work shoulder to shoulder in the team of guys to break the notion that women can't work successfully in the technology and security industry."

Much of her early career in cyber was spent in the Middle East a decade ago. She says it was not easy professionally being the only woman or one of few women in the cybersecurity team. "The biggest challenge was to constantly make efforts count in order to be not sidelined among the team of men. I am grateful for these challenges and the support of my male team members which proliferated into me the attitude and passion for growth."

Today in Australia things are much easier for women in cyber and she says it is a world in which women can thrive. "All they need is clarity around their ambition and path. Cybersecurity is a diverse domain and has opportunities for everyone. There is a huge demand for cybersecurity professionals and who better to meet the need than women.

"Many great women leaders and professionals have created a path for us to follow. I suggest to aspiring women, connect with these women on community platforms such as AWSN, seek mentorship, engage with various security communities and grab opportunities for scholarship to study, participate in the events and mentorship programs. There are plenty of avenues available for aspiring candidates to start and sustain a successful career in security."

Puri also says it is important for aspiring cybersecurity professionals to find the career path that is right for them in what is a very diverse landscape. "The SANS cybersecurity skills roadmap is a great resource to explore the options. Additionally, SANS is providing free training and conferences virtually this year. They represent a great opportunity for aspirants and experienced professionals." And she advises aspirants to also work on their soft skills like stakeholder management and team management.

ADVOCATING FOR CYBER RESILIENCE

She sees increasing businesses' cyber resilience, rather than simply working to beef up cybersecurity, as one of the main challenges facing the industry, and says the pandemic has changed everything.

"With companies moving towards more agile and remote working requirements, zero-trust security architecture and associated technologies will play a key role. Increasing dependencies on digitisation are steering an increase in the likelihood of security breaches via phishing and sophisticated ransomware attacks, along with misconfiguration and a lack of adequate remote working controls; a cybersecurity approach and mechanism to increase resilience rather than the traditional preventative cybersecurity strategy is required."

Puri has certainly overcome that challenge in her current role at Harvey Norman, which she describes as: "defining a risk-based security architecture for business initiatives and critical changes by embedding security by design from concept to closure," and "advising the organisation on day-to-day security and third-party security risk management."

She says companies will have to shift their focus towards including security in decision-making. "DevSecOps, shift left security [implementing security earlier in the development process], automated machine learning-based security detection, prevention and response mechanisms are some of the changes in security we can expect to see in the near future."

The good news is that "With the growing demands placed on cybersecurity, and with more investments pouring into the security industry as a result of increasing cybersecurity attacks, the volume and variety of opportunities for aspiring cybersecurity professionals will increase."

www.linkedin.com/in/archanapuri1/
Dorien Koelemeijer
Cloud Security Engineer at Afterpay
Best Female Secure Coder Highly Commended Award winner at the 2021 Australian Women in Security Awards

Dorien Koelemeijer has a big job in security: her main responsibility is maintaining the security of a $40b company's cloud environment. That's the figure ($US29b) US company Block paid for her employer, Australian buy-now-pay-later startup Afterpay.

She brings to her role two master's degrees, the first in human computer interaction, the second, from Stockholm University, in information security. She describes that degree as being "fairly theoretical and business-focused". So she taught herself coding during evenings and weekends.

However, that master's degree did give her access to the security community in Stockholm and resulted in her being hired by Swedish online financial services company Klarna — which also offers buy-now-pay-later services — for a role in its infrastructure security team. It was there, Koelemeijer says, that she learnt the basics of security in the cloud.

Her attendance at conferences while studying for her first master's degree also sparked her interest in security: one talk in particular left a deep impression and led to her going on to gain her second master's.

INSPIRED BY A PIRATE

"One of the founders of The Pirate Bay (he was kind of a local in the city I lived in) gave a presentation about online privacy and security," Koelemeijer recalls. "I ended up writing my master's thesis about the security aspect of IoT devices, partly because of this talk."

She is now in the fortunate position of having the role she aspired to after graduating with her master's degree in information security. "I really wanted a job where I would be involved in the more technical aspects of security and would develop tooling to increase security in the cloud," she says.

That first role at Klarna proved significant for Koelemeijer's career in many ways. "The opportunity I got at Klarna to learn on the job for the first couple of months provided me with a strong foundation. I also got to present at Klarna's internal tech conference about our team's "Compliance as Code" project, which was a great catalyst for my career journey," she says.

"Previously, when I worked at a small information security firm during/alongside my master's, I was involved in an EU-funded research project where I got opportunities to speak at conferences and publish articles, which also shaped my career journey."

However, perhaps the most important contribution Koelemeijer's time at Klarna made to her career was being mentored. "Having a great mentor during my time at Klarna has most significantly influenced my career journey. Without him I would probably not have gotten where I am now," she says. "I believe a good mentor teaches you the right amount of theoretical knowledge and gives you the opportunity to get hands on and learn by solving problems (and making a lot of mistakes) yourself."

She also credits her current manager at Afterpay for helping her career. "He is amazing at bringing out the best in people in his team and knows how to make the team shine. His trust and confidence in me has allowed me to grow and develop myself greatly during the past 18 months."

NETWORKING TOPS DEGREES

Despite having two master's degrees, Koelemeijer does not place too much store on the value of degrees. "For me the most valuable thing my university studies provided me with was access to a network of people, not necessarily the content of the program," she says. "A degree in information security or computer science is beneficial, but I wouldn't say it's a requirement."

"If you're more interested in application security, cloud security or detection and response, having a solid base in computer science is highly recommended (I still wish on a daily basis that I had a better computer science foundation). This being said though, going to university mainly gives you proof of education. It is more than possible to teach yourself anything with all the online content that exists nowadays."

And she adds: "Some of the most talented security people I know do not have a university degree. I definitely think provable skills are worth a lot more than diplomas in this field, and interview processes usually thoroughly test you on your skillset rather than focus on education or certifications."

IT'S OK TO FAIL

Personal attributes are also important. "I think courage and being okay with failing (a lot!) are crucial attributes when you're starting your journey in security. It's also important that you're willing and able to learn new things at a fairly high pace. Working in security is often not easy, so being persistent and not giving up when things are getting difficult are crucial as well."

Koelemeijer argues that cybersecurity is a particularly tough gig because of its multiple challenges. "You need to always be prepared to be thrown in the deep end, and try to understand and solve a problem, often under time pressure. You also usually need to be across problems that span the entire organisation. So the problem space you're working in is generally a lot larger in comparison to a developer role where you tend to focus on a smaller problem space (i.e. the service you're developing).

"Another challenge for me is the constant context-switching. Depending on your role, you're likely to work on several projects simultaneously, and have to deal with any queries that come up during the day as well."

INSECURITIES OF WORKING IN SECURITY

Perhaps it is not surprising that Koelemeijer admits to suffering from the condition that afflicts many cybersecurity professionals: Imposter Syndrome.

"Another aspect I find challenging is that you are often required to have knowledge of a broad range of subjects, and give ad hoc advice on engineering problems, which often strengthens the feeling of being an imposter if you don't have answers to questions straight away."

A cybersecurity role can also mean multitasking to meet multiple deadlines, which can have serious consequences, she says. "Sometimes you have so many things on your plate that you want to finish tasks as quickly as possible, which inevitably leads to mistakes."

And such mistakes might not be small. "I accidentally took Afterpay's production environment down for a little while because of a small mistake I made in a script that I ran across the entire AWS organisation."
Robin Lennon
MHRD, MSc Information Security; Human Factors Performance Lead at Scoutbee

It is a pleasure to write about my unique journey into cybersecurity. Just a few years ago, I was a single mother working as the CEO/founder of a business and brand with international recognition and poised for growth in the US. Then I discovered I had been hacked by someone inside my organisation.

According to Inc. Magazine, 60 percent of small businesses fail within six months of becoming the victim of a cyber attack. Unfortunately my business became one of those statistics.

Realising the business in its current form was no longer viable, I took some time to re-evaluate my life and consider all my options. One thought kept coming to the fore: I wanted to help other women entrepreneurs avoid a similar experience.

At that point I had neither a computer nor an information security background. So I did what I do best: educate myself (I already had two degrees). I researched what was on offer around the world and found a program I felt met my requirements completely; an MSc in Information Security at Royal Holloway, University of London. I sold my home, packed up my belongings, found my sweet old dog a forever home and moved to the UK.

Becoming a mature student was not easy, but I was determined to succeed. The course connected well with my earlier master's in human resource development. One of the options focussed on human factors, which fascinated me because the person who hacked me was someone I knew well and whose wedding I had attended just a few months prior. I quickly realised the human element was one of the leading problems facing cybersecurity professionals.

It was cathartic and empowering to write my dissertation on human factors and internal threat management.

HOW I GOT MY CURRENT ROLE

My previous role required activity on social media, but not LinkedIn. When I first arrived at Royal Holloway, the program directors immediately urged us to write our CVs, to begin booking interviews for placements/jobs and to get active on LinkedIn. That was somewhat overwhelming, because the course work was quite challenging, but get active I did. I made researching who was prominent in my area of study in the UK (and around the globe) almost a part-time job. I also became part of an organisation called the Ladies of London Hacking Society where I met wonderful industry leaders and made some incredible friends.

My degree required a placement with an employer after graduation. This occurred in the midst of lockdowns, and finding opportunities challenged many of us. My network of people I had come to know through interviews, authors I had researched while writing my dissertation and others gave me many opportunities.

CHALLENGES FACED

It is not easy to walk into a group as a 'newbie' when you feel everyone in the room has infinitely more knowledge and experience than yourself, what we refer to as Imposter Syndrome. Some of the most successful people have experienced it, but it does subside over time.

Another quite serious challenge facing people in cybersecurity is recruitment. Many job descriptions described as "entry level" require skills and certifications that can be gained only after lengthy qualification periods. There is a growing movement to rectify this issue, but time and effort will be required. In the meantime, do not let such job descriptions frustrate your efforts. Keep in touch with your contacts and someone will open a door for you.

In our industry we need more women in senior roles and on corporate boards to help achieve parity of women in technical roles, and salary equality. I had been told not having an IT background would compromise my ability to find a successful career in cybersecurity. That is not the case. According to the National Initiative for Cybersecurity Careers and Studies, there are over 52 pathways into cybersecurity. In the human factors segment we need experts from psychology, behaviour management and other specialisations as we learn how to effect positive change.

ADVICE

I once had a little paperweight on my desk that said, "Never, ever, ever give up." This industry is full of simply amazing people to support, encourage and provide mentorship. Do not underestimate the power of networking. When you reach out to someone, make sure you let them know why you wish to connect. You will have more success than if you simply request connection. My experience is that many people are open to helping others. If someone does not respond, do not take it personally: schedules and life can be hectic for all of us. Most of all, follow your passion. Define your purpose and write down what success looks like to you.

www.linkedin.com/in/robinlbylenga/
CAREER PERSPECTIVES
SIMON CARABETTA
TURNING OFF THAT REPETITIVE TRACK
by Simon Carabetta, Cyber Communications Specialist and Male Champion of Change Award winner at the 2021 Australian Women in Security Awards

In April 2020, in the midst of Australia's first COVID restrictions I was introduced to a game my eldest son had decided to show me. It was called Among Us, and I loved the concept immediately, despite being hopeless at it from the get-go.

Among Us is an online multiplayer game that designates each player either as a crew member of a space station, or a parasitic alien impersonating a crew member, otherwise known as an imposter. The goal of an imposter is to kill as many crew members as possible without being discovered, while the crew members' objective is to survive, discover the imposters and eject them into space if they are confident they have made the right call. The game has been around for quite a while, but I was thoroughly drawn in by its psychology. I became so intrigued I would play the game at every opportunity, even without my son, so I could better understand the 'hive-mind' thinking and mob mentality of such a scenario. What I did not realise at the time was that my life was on the same trajectory as the psychology of the game, but for completely different reasons.

In April of that year, I was told my contract as a cybersecurity awareness trainer would not be renewed. Despite being given every possible reason, except performance, for non-renewal — budget, COVID, the current work plan — and despite every single review of my performance up to this point indicating excellence, I had only one thought: I should not be in this industry.

I SHOULD NOT BE IN THIS INDUSTRY
Turns out my inner monologue really enjoys playing certain tracks on repeat, greatest hits such as You Don't Know What You're Doing, Go Back to Teaching, and my personal favourite number one hit, You're a Complete Fraud.

So, picture this, a good month and a half before my last day at that job, with the Spotify playlist from Hell swirling around my head, it dawned on me: I was the imposter. Funnily enough, I had not heard of Imposter Syndrome, let alone considered it. It was not until I came across a post about Imposter Syndrome on Reddit, in the middle of a break from a feverish job search (COVID made things very interesting at that time) that things started to click.
WOMEN IN SECURITY MAGAZINE
Was this what I was going through? Was I taking the news about my contract the wrong way? Was Imposter Syndrome impacting my confidence and hampering my current job search? Check, check and check.

The more I read about it, the more I understood how my thought processes had impacted my career to date, not just in cybersecurity, but as a high school teacher and, before that, as a public relations practitioner. The playlist on repeat in my head was actually way more retro than I remember it. These were not the latest chart-busting TikTok tracks, they were covers of old songs, and remastered originals.

I vaguely remember my first day as a media studies teacher, standing in the middle of the classroom, introducing myself to a large group of Year 9 students, thinking I was in way over my head and would not survive the next hour, let alone the 12-and-a-half years I would go on to complete in education.

How did I make it that far? I'm glad you asked.

CHANGING TRACKS
Here are just some of the ways I was able to change my inner monologue, the negative part at least. These are some of the steps I took when I started my education career, which I still employ today when I feel I am in a real-life game of Among Us.

THE JOURNEY
This is my first go-to. The accomplishments, the study, the preparation and the long journey to get to where I wanted to be. For teaching, it was thinking back to every single educational theorist I could half understand, every practical placement I had passed, every exam I had aced. For working in cybersecurity, it was every successful workshop I had run, every time I had been in front of executives and able to simplify something complex, every time someone I admired and respected in the industry had agreed with something I said, or simply listened to me and made me feel heard.

THE MINDFULNESS
At the risk of sounding far too 'new age', it's important to take time each day to meditate and partake in mindfulness activities. These have helped bring me back to the present and direct my focus away from my negative inner monologue. I have been able to shut down all inner monologues and simply 'be'. For me, a mindfulness exercise can be as simple as completing a crossword, a logic puzzle or even colouring a picture. Mindfulness activities are different for everyone, but the end results are important for everyone.

THE CONVERSATION
This one is simple. Talk, talk, talk about it. Schedule a five-minute chat with a colleague, your boss, someone you work with or who understands the plight of those with Imposter Syndrome. Have a coffee and talk it out. Discuss your wins, your failures, your goals, and be a good listener: others are dealing with Imposter Syndrome too.

Imposter Syndrome is very real. It affects far more people than we think. Always remember, you are not the only one feeling like an imposter, but others are willing to show support, to listen and to accept you as one of the crew, no matter what track is playing on your inner playlist.

www.linkedin.com/in/simoncarabetta/
twitter.com/carabettasimon
STEVE SCHUPP
2022: YEAR OF THE ROOKIE?
by Steve Schupp, Executive Director (WA), CyberCX and Male Champion of Change Highly Commended Award winner at the 2021 Australian Women in Security Awards

There was a buzz in the air as I walked into a Perth co-working space on a warm Tuesday evening in late November. A large group had assembled in an open collaboration space and as I grabbed a drink I was greeted by cyber industry veterans, many of whom I had known for over 20 years. However, this event wasn't for them.

As we mingled before the formal agenda commenced, I met some of the almost 100 student attendees at this final Students of Cyber event for 2021.

The event included a panel session with four cybersecurity professionals at different stages in their respective careers. I was on the panel, but that was not why this was my favourite event of the year.

Following the panel session, hosted by Cecily Rawlinson, director, WA AustCyber Innovation Hub, the student and graduate attendees enjoyed a speed networking session that gave them the opportunity to hear insights from those who had walked the path before them.

I thoroughly enjoyed speaking to the students, answering their insightful questions and listening to their career aspirations.

OPEN THE DOORS FOR THE ROOKIES
I have spoken to many organisations that have struggled to recruit cybersecurity talent. They are often competing for highly experienced candidates or have unrealistic expectations of skills and qualifications.

Their approach needs to shift to recognise the raw talent entering the industry, and to refocus hiring decisions to provide opportunities for the surge in graduates. There is a real opportunity to build diversity when hiring recent graduates, thanks to the growing number of women taking cybersecurity courses.

Our business, CyberCX, has adopted several engagement strategies to identify new recruits and find highly motivated graduates who have quickly developed their skills and capabilities.

SHINING A LIGHT ON CYBERSECURITY AS A CAREER
Some of my favourite outreach activities have been engaging with high school students and providing them with a view of what a cyber career might look like. In 2021 we hosted 40 female high school students studying computer science-related units. It was coordinated by Dr Michelle Ellis from the Academic Centre of Cyber Security Excellence. The day included a cyber escape room and a panel session with four of CyberCX's talented women representing various roles. Providing these students with a chance to ask questions and hear the experiences of others was a great way to showcase role models and encourage these students to enter our industry as future graduates.

The Cyber Saturdays initiative between the WA AustCyber Innovation Hub and the Innovation Institute of WA in which high school students collaborate with industry is another effective program addressing this issue in WA.

BUILDING A NETWORK FOR GRADUATES
We often hear that more candidates are placed through word of mouth than through job ads. This creates a challenge for graduates; they must develop their own network of contacts to increase their chances of securing employment.

Events like Students of Cyber provide fantastic opportunities for both students and those hiring them to chat without the pressure of an interview situation.

A network of industry contacts can offer a student guidance, and for organisations looking for talent those contacts represent a great opportunity to identify motivated and enthusiastic graduates.

CAREER CHANGERS
Career changers bring complementary and transferable business skills. Someone with a background in health and safety can bring skills in audit, process and procedure, and cultural change to the cybersecurity challenge.

Often these candidates have shown initiative and motivation by embarking on self-study and by pursuing certifications. Although they lack practical experience, their previous business experience gives them a professional edge when engaging with business stakeholders, and they quickly become cyber-proficient.

Flexible work schedules are increasingly becoming the new normal. They offer an attractive benefit to career changers who often have family responsibilities and other work/life balance needs. These candidates value flexible work conditions (work from home, modified start/finish, reduced hours) and it is essential if professional women are to be attracted back into the workforce.

My advice to candidates is to be prepared to have a conversation about flexible working with a prospective employer. It will give you a great sense of the work culture; agile employers will be prepared to negotiate with the right candidate.

A SOFT LANDING
We need to ensure new entrants are given support and mentoring as they start their career journey. They will need the space to gain experience and confidence. They will need the safety net of being able to make mistakes without dramatic consequences.

Hiring a rookie into a role built for a cybersecurity veteran is not going to create a great outcome for anyone. Breaking a veteran's job description into component roles and hiring one (or two!) graduates into analyst roles with a supportive cyber lead to guide and mentor them will have long-term benefits for the employee, the hiring organisation and the industry by building this raw talent into a future cybersecurity professional.

EMBRACING ROOKIES IN 2022
It is time to stop bemoaning the skills shortage and start providing pathways for new recruits. It is important to engage with students and graduates and demystify the industry to give them an understanding of the pathways into cybersecurity as a career and show them how they can make a start in our industry.

Rethinking role descriptions and requirements increases the chances of making a long-term investment in capability by hiring highly motivated and eager talent.

I encourage those in the industry to consider what they can do to create pathways for rookies into the careers we enjoy so much.

I'm excited to welcome the next generation of rookies into our industry, and firmly believe that 2022 will be the Year of the Rookie Cybersecurity Worker.

www.linkedin.com/in/steve-schupp-605457
DEBRA CHRISTOFFERSON
BUILDING A STRONG CYBERSECURITY CAREER
by Debra Christofferson, CISSP, CISM and CCSK

Cybersecurity is seen as a top business issue in all organisations thanks to our digital environment, and to the many attacks on cyber infrastructure. Cybersecurity offers ample career opportunities for those already working in the field, and those desiring to enter it.

You can increase your career options, understand the opportunities and move in the direction of your choice. You can gain support where you need it, direct your efforts where they matter most and achieve your best results.

We are short on cybersecurity talent to support the industry, and there is no better time than now, with endless opportunities for further engagement. The security industry is broad and deep. Where would you like to start?

ENGAGE ACTIVELY IN CYBERSECURITY
Get connected and stay connected. Engage in organisations where cybersecurity professionals 'live'. Build a professional profile that represents who you are in the market, and how you want to be seen.

Make sure your LinkedIn profile properly represents you, in your photo, summary and content. Make it professional and relevant. Get connected to the security community if you lack a sufficient network. Make your connections about two-way value, not just about yourself.

Join security-related groups like those below, and become active on their leadership teams, based on your locale and interests. As nonprofits, these groups create value and serve our profession in multiple ways, according to their respective missions and charters.

• ISSA – Information Systems Security Association, https://www.issa.org
• CSA – Cloud Security Alliance, https://www.cloudsecurityalliance.org
• ISC2 – International Information System Security Certification Consortium, https://www.isc2.org
• ISACA – Information Systems Audit and Control Association, https://www.isaca.org
• IAPP – International Association of Privacy Professionals, https://iapp.org
• OWASP – Open Web Application Security Project (software security), https://owasp.org/
• ASIS – Predominantly focused on physical security and related access controls, executive protection, investigations, https://www.asisonline.org
• InfraGard – a US government run organisation and a partnership between the Federal Bureau of Investigation (FBI), and the private sector, focused on protecting US critical infrastructure, https://www.infragard.org

You can also engage in local or security vendor user groups, meetups dedicated to aspects of security, or start your own user group or Meetup group.

Most of these groups require membership fees, which are very much worth the small investment. Pay for an individual meeting or two to determine if a group is a fit before you invest further. You can also ask the chapter contact about attending as a free guest for your first event. CSA, OWASP and InfraGard do not typically charge for chapter membership. All create value, and many have cross members. I belong to most of these groups.

In the current environment many of these organisations offer free web conferences open to anyone. Local and regional training and conference options may present additional education options for keeping current. Some offer certifications as a primary driver of revenue and purpose, while others such as ISSA, OWASP and InfraGard are neutral.

There are many opportunities to invest in your career. Choose wisely to find what best supports your own goals and the market where you operate. All offer value, and those right for you are very much worth the investment. I value the opportunities they offer to network, and to stay on top of cybersecurity issues.

Also, seek to engage in the leadership teams in your choice of organisations, and look for opportunities. This will have a tremendous impact on your outcomes and learning. It will create breakthroughs for you and build a deep and valuable network that you will not develop by passive attendance as an audience member.

My years of volunteer experience with these organisations in chapter leadership and international board roles have been invaluable professionally and personally. Too many newcomers, want-to-be newcomers, degree holders, or those leaving big companies after many years' tenure are not networked at all, or even aware they need to be.

IDENTIFY CYBERSECURITY TRENDS AND INNOVATION OPPORTUNITIES
Innovation is usually associated with developments in STEM—science, technology, engineering and maths. But it can extend across marketing, staffing, the digital supply line, or any other field where incremental or disruptive change can alter the course of business, or your career. Participating in security groups will increase your awareness of trends, challenges and opportunities. Keep your eyes open for innovation opportunities, and places to learn and engage further to support business requirements. Today's trends include:

• Securing the remote workplace.
• Improving software security in the cloud.
• Facilitating automation through artificial intelligence (AI) and machine learning (ML).
• Driving new solutions for incident response systems that address malware and ransomware risk.
• Coding policy for automating security and privacy compliance, and operations systems supporting critical infrastructure.
• A focus on emerging and changing technologies that represent new cybersecurity risks.

Security technology is a hotbed of innovation. Venture capitalists are investing heavily in cybersecurity startups. AI and ML are driving innovation in automation, robotics, autonomous vehicles, cloud computing and devices connecting to the Internet: Internet of Things (IoT), Internet of Everything (IoE), digital infrastructure and much more. This is not a comprehensive list.

Determine relevant trends by reading current security publications, or the Wall Street Journal. Update yourself on cybersecurity investment trends. Focus on the big picture and avoid getting bogged down in everything you find online, or you will quickly become overwhelmed. Read Brian Krebs' blog (Krebs on Security) for information on the latest threats and risks. These activities will help you learn about the risks businesses face, what they care about, their priorities, and what roles or technology might help them overcome their challenges.

Identify your own interests and focus areas, which will evolve over time.

WRITE AND SPEAK ON SECURITY
Seek opportunities to contribute to research and development in security. If you work for a vendor you might write or support white papers or publish technical guides on specific security topics and products. You could join a volunteer R&D workgroup with the Cloud Security Alliance, which creates standards, guides and documentation to support new technology.

You could research current tools and solutions in security and write a paper on their use and value from your own perspective. You could lead learning sessions for others by researching a given topic, such as cryptocurrency, looking at how it's used, what the risks are, and how to mitigate them. You could give a talk about the topic, or write an article on it, even if you publish it only on LinkedIn.

Collect knowledge to share with others in an article or blog, or as a speaker to a team you work with, or a security group in your local community.

Write about security for industry publications and magazines, in whitepapers, your own blog or someone else's. This article includes many examples of suitable topics. Choose a relevant topic that others want to understand. Examples include cryptocurrency and its risks, identity management systems for IoT devices, privacy objectives, etc.

You can speak on security topics for your local chapters, within your organisation, to groups or at events. Calls for speakers detailing criteria and topics precede most conferences. Choose what others are not choosing so you stand out, and if you do not already know the topic, research and learn more about it. Write and speak to the priorities of your target audience. This will help your learning, your networking and increase your visibility and credibility. Your audience will help you learn and grow.

For example, if you decide to learn how to audit for cloud security controls, where would you start? You could share what you learn whether you complete the certification or not.

CONSIDER EDUCATION AND CERTIFICATION
Degrees matter, and they do not have to be in security, although security and engineering or technology degrees may be perceived as more valuable by hirers. You can get hired without a degree, but a degree will help you get hired. Often more is required.

There seems to be a disconnect in degree programs particularly, because students do not gain field experience before they graduate. You will find employment much easier and faster if you gain experience while learning rather than after the fact. Get help from your college with this, and from your network.

Certifications will also help you get hired or transition. They demonstrate your skills and your commitment to growing in your role. The CISSP (Certified Information Systems Security Professional) is the best known. The Certified Information Systems Auditor (CISA) is also prominent, as is the Certified Information Security Manager (CISM).

Some certifications represent profit opportunities for the companies offering them. Others are completely neutral. Some require experience and an exam. Others only require paying for and passing an exam. Vendors such as Microsoft, Cisco, Amazon and others certify competence in their products and provide support and education. Schools offer certifications that promise to place you in lucrative security roles.

Every certification is an investment in time and learning, but requires an immediate, and often ongoing, financial commitment. Look at cybersecurity job openings of interest to identify the skills and experience being sought. I see a lot of students seeking certifications as an easy way into security roles. These will help, but they will not lead to the instant success you might be seeking. Lots of options exist to support your goals and those of the hiring organisations. You can also become an entrepreneur. But that's another story for a different article.

One recommendation I have is to increase your knowledge of the cloud and how to secure it. I see cloud security certifications such as the new CCAK—the Certificate of Cloud Auditing Knowledge—creating value and opportunity. There is a dearth of cloud security experts, and especially knowledgeable auditors to support incremental cloud growth. You will be ahead of the curve if you focus here. Many opportunities exist, and there are plenty of free learning resources.

It is up to you to identify your value and showcase it to show you have what a hiring manager seeks. If you do not know, ask for help from colleagues or other security professionals. Consider your investment and choose wisely to find the best fit that balances market needs with your career aspirations.

CONCLUSIONS AND CALL TO ACTION
Look for low-hanging fruit and aim for small markets where you will have greater value. Research current staffing challenges and understand how those fit your own growth plans. Shape your career accordingly. Create a 12-month or longer plan for your career evolution. Join an organisation like the Information Systems Security Association (ISSA), actively network, and stay current.

Choose your career path, and build it, whether through certification, a degree, or focused learning. Make informed decisions about your choices and values. Keep moving forward. And enjoy the journey.

www.linkedin.com/in/debbiechristofferson/
debbiechristofferson@earthlink.net
TRAVIS QUINN
MAKING CYBER ACCESSIBLE: Graduate programs and alternative pathways for women into cybersecurity
by Travis Quinn, Principal Security Advisor, Trustwave & PhD Candidate, UNSW

Graduate programs are a common pathway into the security workforce for both men and women. However, as a mechanism for attracting women into IT and cybersecurity, they are problematic. According to the Australian Government, female representation in STEM degrees of any kind was 36 percent in 2019. For IT, the numbers were even less encouraging: only 19 percent of students identified as female. Even without factoring in the rates of degree non-completion, women are not well-represented in the total pool of graduate candidates.

If the balance of our recruitment for entry level roles hinges on graduate programs, can we reasonably expect to attract female talent at a level comparable to male talent? Of course, the answer is no. There are many factors at play, and female representation in STEM at the tertiary level is a fundamental issue that will take time and concerted efforts to address. However, a step in the right direction is recognition that we cannot rely primarily on graduate programs to recruit people into junior roles. The cyber industry needs to take advantage of internships, apprenticeships and other pathways that do not have strict degree requirements.

RETHINKING WHAT A SECURITY WORKER IS
Many in the industry now recognise that a university degree is not essential. While there are various advantages to a degree, cybersecurity is a multidisciplinary field with a range of specialisations available and with various professional development options to support them (e.g., certifications and tailored courses). However, some of the biggest recruiters of security professionals in Australia and internationally have yet to recognise this. A degree is often viewed as a 'tick in the box', with experience, certifications and other considerations being the differentiators between comparable candidates. This creates a uniquely unhelpful situation in which degrees are simultaneously required and trivialised. This is often the case later in a candidate's career when they are assessed significantly less on the basis of whether they went to university and what they studied. In lieu of a 'qualification check', a more qualitative and considered assessment of a candidate is likely to identify better long-term prospects in one with the right attitude, the right aptitude and a willingness to learn.

BUILDING ALTERNATIVE PATHWAYS
Internships, apprenticeships and their equivalents are a fantastic alternative to graduate programs that make careers in cybersecurity more accessible to both women and men. This is particularly the case given the bias of graduate programs towards younger candidates. Someone considering cybersecurity as a career later in their life may be discouraged if their lack of a relevant degree precludes them from a graduate program, especially if they are otherwise not competitive for entry level roles. Programs that take a more holistic view of the experience, qualifications and qualities of applicants are able to take advantage of a wider and more diverse pool of candidates.

Some organisations have already begun taking advantage of such programs. For example, the Australian Government's Digital Apprenticeship Program enables school leavers or those seeking a career change to access paid industry experience and training while completing a Certificate IV or Diploma in a relevant discipline. However, finding an equivalent program outside of the public service is not easy, and not all candidates are Australian citizens or able to obtain a security clearance. The proliferation of these types of programs into the private sector would be an excellent step towards attracting candidates of both genders and providing them with a structured path forward in their careers.

Worthwhile initiatives that warrant mentioning here are the veteran upskilling programs offered by organisations like WithYouWithMe and Microsoft. The latter offers the fully funded Microsoft Software and Systems Academy (MSSA), which instils foundational IT knowledge and skills through an intensive eight-week course. The MSSA Australia (MSSA-AU) was trialled in late 2021 and is hopefully the first of many such programs here. The MSSA and equivalents demonstrate that even a short program can be impactful and can help those with passion and interest to break into the industry.

THE WAY FORWARD
Cybersecurity is a fantastic career. As cyber professionals we get to apply our interest in technology, people and processes to help make Australia and Australians safer. Those of us already working in the industry have a duty to make cyber accessible to the rest of our community, regardless of whether they choose to go to university. We need to do our part to promote and support apprenticeships, internships and other pathways into the profession so that no one feels needlessly excluded.

www.linkedin.com/in/travis-quinn1/
TAYLA PAYNE
AMIT GAUR
ANU KUKAR
CYBERSECURITY - A ‘BLIND SPOT’ IN MERGERS AND ACQUISITIONS (M&A) by Tayla Payne, Cybersecurity – Cloud, Strategy & Risk Associate, IBM A/NZ Amit Gaur, Cybersecurity – Cloud, Strategy & Risk Executive, IBM A/NZ Anu Kukar, Associate Partner, Cybersecurity - Cloud, Strategy & Risk IBM Australia and New Zealand Director, Arascina , IT Security Champion winner at the 2021 Australian Women in Security awards THE A/NZ M&A LANDSCAPE
actors target M&A activity because of the likely short-
Despite the marketplace being plagued by economic
and long-term rewards available. The transition of
instability and uncertainty as a result of the global
operations can leave high-value data vulnerable. This
pandemic, M&A deals are set to continue. Both Corrs
vulnerability is often compounded by the attention a
Chambers Westgarth’s and Herbert Smith Freehills’
deal can bring to the data. The media coverage given
M&A 2022 predictions suggest A/NZ is in for deals,
to a public company involved in M&A negotiations
deals and more deals. In other words, the M&A deal
can alert threat actors to the opportunity to launch an
frenzy of 2021 is set to continue.
attack.
2021 saw some of the highest deal volumes since 2014, with deal success rates returning to the pre-
RISK EXPOSURE DUE TO LACK OF CYBERSECURITY CONSIDERATIONS
COVID level of approximately 80 percent. Here’s why
There are several reasons for an organisation’s lack
cybersecurity, often an organisational ‘blind spot’,
of cybersecurity engagement during an M&A deal.
must be a key part of any future M&A deal. Many are likely to have limited experience of the
44
WHY M&A IS A RISKY BUSINESS
complicated lifecycles of such deals. Also, an
M&A deals are complex. M&A deals are multiplex,
organisation may choose to restrict the number of
time-consuming and fundamentally risky business
individuals given prior knowledge of an upcoming
scenarios. Increasingly, highly advanced threat
merger.
WOMEN IN SECURITY MAGAZINE
C A R E E R
P E R S P E C T I V E S
A key question every board and CxO should ask about an M&A is: “Do we understand the cybersecurity exposure pre and post-merger?
PHASE 1: PRE-ACQUISITION Undisclosed or unknown risks should be uncovered through: • Collaboration: Cybersecurity experts should be key members of M&A risk management and planning teams throughout the M&A lifecycle. • Regulatory obligations: New regulatory and compliance requirements resulting from the merger/acquisition should be assessed for their Leaving cybersecurity ‘out of the loop’ can compromise the organisation’s security and lead to a successful cyber-attack that can have grave financial,
potential impact. • Business continuity due diligence: The business goals of the merged business must
compliance and legal consequences, and cause
be articulated and the role of cybersecurity
devastating reputational damage.
in supporting robust business continuity and resiliency must be identified.
In April 2020, the acquirer of a pending merger
• Cybersecurity due diligence: Relevant
opted to retain five percent of the purchase price to
information on prior attacks, incidents and public
safeguard it against the possibility of incurring costs
filings must be identified to determine potential
as the result of a ransomware attack.
business risks and liabilities.
SO, WHAT’S THE BEST APPROACH?
PHASE 2: ACQUISITION
Cybersecurity risk during the course of an M&A can
The following areas should be considered during the
be dealt with through a variety of proactive measures.
acquisition process to ensure visibility of the security
A three-phase approach can help an organisation
posture, appropriate technology adoption, and
reduce its exposure.
leverage the appropriate partner support.
WOMEN IN SECURITY MAGAZINE
45
• Assessment: A detailed cybersecurity assessment of the target’s information systems, tools, policies and regulatory positions should be undertaken, and the findings translated into specific monetary values for pricing and negotiation considerations.
• Threat monitoring: Media coverage should be monitored to gauge public interest and potential threats.
• Cost estimation: The cost of maintaining cybersecurity during the M&A process, including the maintenance of multiple instances of tools, should be estimated.
• Partners’ and suppliers’ support: All domains of the M&A process should be evaluated with a view to engaging third parties to assist in specific areas such as risk management. A specialist partner can supplement the internal team’s capability and provide an unbiased view during the transition period.

PHASE 3: POST-ACQUISITION

The following areas should be considered during the post-acquisition phase to determine the optimal degree of integration.

• Strengthen controls: Strict controls should be maintained to avoid the exposure of integration points between the organisations involved. Also, any approved exceptions from the integration of business functions should be properly analysed, documented and fed into risk management processes.
• Review and update: Cybersecurity policies and operating procedures should be reviewed and aligned with the security operating model established during due diligence.
• Continuous monitoring: High-security vigilance and monitoring for increased threats resulting from media exposure should be maintained, and a playbook for isolating emerging risks developed.
• People and culture: The M&A-related impacts on the workforce should be anticipated and factored into risk planning. Executable strategic and tactical plans should be prepared to bridge the culture gap, ensure seamless integration and maintain the security mindset across the organisation.

Cybersecurity is a crucial consideration in the M&A process. An inability to recognise how significantly a merger can influence operational risk exposure can diminish the future value of the deal.

To reduce cybersecurity risk exposure during an M&A, the deal lifecycle should involve security experts as early as possible, and they should remain engaged through all three phases of the deal. Early cybersecurity risk assessment can provide the insights crucial to addressing compliance concerns, risk exposure and the need for security technology adjustments.

Also, adherence to a robust risk management methodology will help manage and quantify risk factors, enabling them to be considered in deal value negotiations. Additional initiatives such as continuous monitoring of threats, keeping strong controls during the transition, and leveraging partners to complement the internal team’s capability can vastly reduce the uncertainty that accompanies an end-to-end M&A deal.

A thorough consideration of cybersecurity helps boost confidence and is in the mutual interest of the organisations involved in the M&A process.

Start your M&A journey safely with a cybersecurity expert by your side and keep them there throughout the deal journey from start to finish.

www.linkedin.com/in/tayla-payne-b619b6145/
www.linkedin.com/in/amit-gaur-183907105/
www.linkedin.com/in/cyberuntangler/
MEGHAN JACQUOT
TOO MUCH INFORMATION: Sifting through the cyber threat intelligence noise
by Meghan Jacquot, Associate Cybersecurity Threat Intelligence Analyst, Recorded Future

Open any newsfeed, social media feed or browser and the data scrolls without stopping, as in The Matrix. Page after page and click after click, there is so much digital noise out there. I help see through the noise. I research, refine and polish raw data into actionable intelligence. I know you have been overwhelmed by choice and information before; everyone has.

There is just so much out there. If research, writing, puzzles, sifting through and prioritising information, and making it actionable are of interest, then threat intelligence could be a good field for you.

Cyber threat intelligence (CTI) analysts sift through this information and parse it to determine whether there is nothing of significance or whether there are critical threats to the infrastructure. This is my job, and I find great joy in its intricacies.

WHAT MAKES AN EFFECTIVE CTI ANALYST?

There are two major skills analysts require: research and writing. Honed research skills make an analyst better equipped to sift through all the noise. Clear communication and understanding produce effective report writing.

Often, analysts are writing their threat reports for multiple audiences. One audience might comprise people who are not highly technical but are the ultimate decision-makers. They need to know the bottom line up front (BLUF) in an executive summary. Another audience will need to execute those decisions, so needs all the details. For example, a more technical audience will need to understand technical details in order to mitigate a threat, such as exactly which ports were affected and where the command and control server was pointing.

Then there is knowledge. A CTI analyst must understand many things, such as attack surfaces, confidentiality, integrity and availability (the CIA triad), malware, ransomware, network traffic analysis, common vulnerabilities and exposures and the Common Vulnerability Scoring System (CVE/CVSS), criticality levels, vulnerabilities, mitigation strategies, etc.
CTI analysts can start as generalists and become specialists, building domain knowledge over time, but it is essential they have a strong baseline knowledge of cybersecurity.

CAREER PERSPECTIVES

Analysts identify threats to assess risk, analyse emerging threats and look for weaknesses. They deliver reports, recommendations and mitigation strategies. They examine internal security controls to look for any threat, and model security weaknesses. They communicate all this information, often working with a team of analysts. To do these things effectively, analysts must be willing to continue their learning, work in a team, practise their communication skills, and be able to see the forest for the trees. An analyst must see both the big-picture landscape and how the small pieces fit together.

For example, a CTI analyst working on an analysis of network traffic needs to understand how the bigger picture of indicators of compromise (IoCs) in network traffic will affect the organisation.

To be more specific, perhaps there is unusual Windows registry activity occurring compared to baseline normal registry activity. Upon further inspection, someone in the organisation received a USB drive in the mail (maybe from an advanced persistent threat group) and inserted the unknown USB into their computer, infecting that computer and the network with malware.

The CTI analyst could look at the network data, analyse which keys and values were changed in the registry, see what type of intrusion happened, identify if any beaconing had occurred, and work with the malware team to further analyse the malware.

Depending on how the company is organised there might also be a team that specialises in advanced persistent threat (APT) groups. It has been working on tracing USBs mailed to public sector organisations and is able to attribute all of this to FIN7, an APT group that has been sending malicious USB drives.

HOW CAN YOU BECOME A CTI ANALYST?

In this Map of Cybersecurity Domains from Henry Jiang, revised version 3.1 (shared with permission), there are 11 domains of cybersecurity. Threat intelligence is one of the domains, and its interconnected concepts are external, internal, contextual, intelligence sharing and indicators of compromise (IoCs).

If you are already in cybersecurity or the technology industry and you want to become a threat intelligence analyst, it is useful to look at the domains of cybersecurity and see what overlaps exist between your current field and threat intelligence. If you are new to cybersecurity, then it can be helpful to see what domains are associated with being a CTI analyst. Once you have determined where your current skills overlap with your desired outcome, you need to put a plan into place.

• What do you need to work on and specifically upskill?
  - Research
  - Writing
  - Cybersecurity knowledge
• Are there conferences that you can attend? (Here are a few)
  - SANS CTI Summit
  - BlueCon
  - Predict - Threat Intelligence Summit
• Are there any certifications you might need? (Here are a few)
  - SANS FOR578 (cyber threat intelligence) and its associated GIAC certification, GCTI
  - MITRE ATT&CK Defender is a MITRE certification with different levels
  - GBHackers has a malware analysis certification

However, you may not need a certification for the role you’re looking for. Whatever you choose, enjoy the journey and carpe diem!
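The USB scenario described earlier in this article (registry changes measured against a baseline, then a check of the network data for beaconing) is the kind of triage an analyst can script. What follows is an added example written for this edit, not code from the article or from Recorded Future. The registry paths, the UsbSvcUpdate value name, the IP addresses and the connection log are all constructed, and the beacon heuristic (low jitter between contacts to the same destination) is one common approach, not the only one.

```python
"""Added example (not from the article): two checks behind the USB scenario.

1. Diff the autorun (Run-key) values seen on a suspect host against a
   known-good baseline to surface persistence added by the malware.
2. Scan an outbound connection log for beaconing: a destination contacted
   at near-constant intervals, which a sleep-loop implant produces and
   ordinary browsing does not.
All data below is constructed for the example; nothing is real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline of Run-key values from a known-good build.
BASELINE_AUTORUNS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
}

# Constructed observation from the suspect host after the USB was plugged in.
# "UsbSvcUpdate" is a hypothetical value name chosen for the example.
OBSERVED_AUTORUNS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UsbSvcUpdate",
}

# Constructed outbound connection log from the same host: "timestamp src dst:port".
# 198.51.100.7 is contacted every ~300 s; 203.0.113.9 at irregular intervals.
CONN_LOG = """\
2022-02-01T09:00:00 10.0.0.15 198.51.100.7:443
2022-02-01T09:00:17 10.0.0.15 203.0.113.9:443
2022-02-01T09:05:00 10.0.0.15 198.51.100.7:443
2022-02-01T09:06:41 10.0.0.15 203.0.113.9:443
2022-02-01T09:10:01 10.0.0.15 198.51.100.7:443
2022-02-01T09:14:58 10.0.0.15 203.0.113.9:443
2022-02-01T09:15:00 10.0.0.15 198.51.100.7:443
2022-02-01T09:20:00 10.0.0.15 198.51.100.7:443
2022-02-01T09:33:12 10.0.0.15 203.0.113.9:443
"""


def registry_delta(baseline, observed):
    """Return autorun entries present on the host but absent from the baseline."""
    return sorted(observed - baseline)


def parse_conn_log(text):
    """Group connection timestamps by destination (host:port)."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        ts, _src, dst = line.split()
        by_dst[dst].append(datetime.fromisoformat(ts))
    return by_dst


def find_beacons(text, min_events=4, max_jitter=0.1):
    """Flag destinations contacted at regular intervals.

    jitter = population stdev of the gaps / mean gap. An implant sleeping a
    fixed interval gives a ratio near 0; a human-driven session does not.
    Returns {dst: (mean_gap_seconds, jitter)} for destinations under the
    jitter threshold with at least min_events contacts.
    """
    hits = {}
    for dst, times in parse_conn_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits[dst] = (avg, round(jitter, 3))
    return hits


if __name__ == "__main__":
    print("New autorun entries:", registry_delta(BASELINE_AUTORUNS, OBSERVED_AUTORUNS))
    for dst, (gap, jitter) in find_beacons(CONN_LOG).items():
        print(f"possible beacon to {dst}: every {gap:.0f}s, jitter {jitter}")
```

With the constructed data only 198.51.100.7:443 is flagged (mean gap 300 s, jitter about 0.002); the second destination has the same number of contacts but irregular gaps. Real implants add randomised sleep, so the jitter threshold has to be tuned against your own baseline traffic, and a hit is a triage cue to hand to the malware team alongside the registry delta, not proof of compromise on its own.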
www.linkedin.com/in/meghan-jacquot-carpe-diem/
twitter.com/CarpeDiemT3ch
www.youtube.com/channel/UCpYtbFziEx3p2N-gv_s8nXQ
MADHURI NANDI
WAY UP – RULE YOURSELF
by Madhuri Nandi, IT Security Manager, Till Payments

Do you think your manager determines your promotion?
Do you worry you do not know everything?
Do you think you have to work more to get promoted?

The answer is NO!

Let’s look at some simple techniques to help you gain your dream promotion.

Motive: First, ask yourself what your goals are:
• To receive a pay rise?
• To expand your domain skills?
• To gain more responsibility?
• To step into a leadership role?
• To own the title?

Your motive is the basis of your plan of action. For example, if you want to become a director of security and your motive is to expand your portfolio, you will be upset if you gain such a role and it does not deliver the outcomes you expect. If the motive that drove you to achieve that goal is not clear, it will not deliver what you wanted.

Create a plan of action: Have a rough sketch of the possible ways to reach your chosen goal. Always draw up two or three plans for this purpose, for example reaching it with your current employer, or by making a move to another.

Don’t be taken in by promises: This does not mean you should not trust what your managers are telling you; it means making your own appraisal. Are you seeing changes taking place in the direction you want to go? If you are hoping for a promotion, ask yourself whether there is a clear upward path.

Gain mentors and sponsors: Always work with your mentors by discussing your progress and sharing it with them. Sponsors are also very important for helping you reach your dream roles. Look for supportive leaders or team members who can vouch for you.
Look out for indicators: Don’t wait until your performance review to discuss promotion. Keep looking for hints, for example your manager giving you new roles and responsibilities or offering insights about your future role. You might be receiving feedback relevant to your goals, or recognition of your skills and performance.

Communication: Communication in this context is your ability to convey messages to audiences at all levels. Storytelling is a skill you need to master to advertise your work and make everyone understand your contributions.

Never exit in a rush: Never make the mistake of leaving an organisation in a rush. You will have to prove yourself again in your new role and that will take time. There is a famous quote: “Employees leave their managers, not their organisations.” Your manager is also an employee unless he or she is the owner of the company. In most cases it pays to stay where you are and make the most of your situation until conditions become more favourable.

Don’t aim for narrow promotions: At early stages in your career it is not beneficial to become saturated in a limited area; doing so can make later career advancement difficult. Always widen your skills by moving horizontally before seeking to make a step up.

Key points
• Don’t succumb to impostor syndrome.
• You cannot know everything.
• Mentors are your gods.
• Communication should be your key mantra.
• Never claim the work of others as your own.
• Support your team, colleagues and extended network unconditionally.
• Have open conversations with your line manager.

Growth does not come only from meeting your deliverables but from widening your focus to embrace people, technology, process and, most importantly, communication.

www.linkedin.com/in/madhurinandi/
itsecurityawareness.com
ASMITA GOVIND
PAVE YOUR OWN PATH: 7 things you can do to lay the groundwork for a promotion or move
by Asmita Govind, Account Manager for Technology Recruitment at Sirius Technology
I am asked how people can move into more senior roles. My answer is “Throw your current manager under the bus and take their role.” Those who know me, and my really bad sense of humour, will know I am joking, well, kind of…

Many people have fallen into leadership because their current manager left and someone needed to step up into a leadership position. You can only do that successfully if you have been laying the groundwork for when the opportunity arises.

Alternatively, if you were to apply for a comparable role in another company, you would be asked, “what makes you qualified?” before they interview you.

Here are seven things you can do to help lay the groundwork for either a promotion or a move.

PUT YOUR HAND UP FOR MORE RESPONSIBILITY

To be clear, responsibility does not mean doing more work; it means being part of, or even leading, small projects in your team that enable you to contribute towards the wider business strategy. Take opportunities to collaborate with other business units. This will help increase your visibility across your organisation.

INCREASE YOUR VISIBILITY

People in leadership roles always take the time to do things that may seem immaterial. They spend time with their team outside of work, for example, lunch, drinks or social events. So, attend optional work functions like Friday drinks, and take the time to have a conversation at someone’s desk rather than sending lots of emails.

We do many things at work simply because they are required by our job, without telling anyone: things like noticing an error and quickly fixing it, or coming up with an innovative solution that keeps a customer happy. Try to voice these things in team meetings or when appropriate, not only to make people aware of all the great things you are doing but so others can learn from you. Have you noticed, it is often the most vocal people who get promoted, even if they are not the most suitable candidates?

Visibility in your organisation is great, but it is also important to build some visibility externally. Share your knowledge, personal wins, team successes, tips, etc. on social platforms like LinkedIn and Twitter. Share in professional groups online, and industry groups, where appropriate. These actions may feel unproductive, but over time you will be seen as a thought leader.
MENTORING

Find yourself a mentor. You will find many new ways to do things, and their experience will help you think in different ways, which is key for leaders. Finding a mentor, either within your organisation or externally, will open your eyes to new ways of thinking and give you new perspectives. You will find good leaders love to spend time mentoring because they love to share what they know. A good mentor can be great career support. They will help you find opportunities, push you to be better and keep you focused on the bigger picture.

You should also look to do the same: mentor new people in your team and business. Do not treat your skills and knowledge as private information (unless, of course, it is private information) and do not worry that others in your team will show you up. Be open to helping others by sharing new skills and knowledge you gain. In the words of Jon Gordon, speaker and author of The Power of Positive Leadership, “Great leaders don’t succeed because they are great. They succeed because they bring out the greatness in others.”

REPLACE “NO” WITH “WHY NOT?”

More often than not, your first reaction when someone makes a suggestion or asks you to do something new will be to say “no”. It is how our brains are wired. Great leaders are those who have trained themselves for many years to look at things differently. They are much more inclined to say “yes, let’s give it a go” or “why not?”

APPLY FOR THE ROLES YOU ASPIRE TO

Whether it be internal or external, if you see the type of job opportunity that will allow you to move toward your leadership goals, apply for it, even if you don’t have all the attributes specified. Sometimes companies are looking for people with the right attitude or the foundations they can build on. Applying for roles to which you aspire but feel unqualified will connect you with recruiters who are hiring for these types of roles. You will also start to see what skills you need to develop to be successful when you apply for some of these roles.

Before you apply, ensure your resumé is updated and outlines relevant achievements and the skills required. I would recommend working with a seasoned career coach or a branding specialist. They can help you pitch your resumé appropriately and take out a lot of the guesswork.

CERTIFICATIONS AND TRAINING

I believe on-the-job learning is sometimes better than taking a course. However, certifications are great for understanding industry standards and best practices. They tell a recruiter or potential employer you know what you are doing and provide additional confidence.

There is also no shortage of leadership courses. Most companies will run an internal program or sign you up to an external provider should you show a desire to move in that direction. Be honest with your manager and HR manager. Let them know your goals for leadership and they will help you find the right training course.

Do not underestimate the power of your own reading and learning. You do not need to have an MBA. There is no shortage of leadership books and podcasts. Watch and learn from like-minded individuals, CEOs and directors. LinkedIn Learning and YouTube also have some good material.

FAKE IT TILL YOU MAKE IT

You will have heard the saying, “If it walks like a duck and talks like a duck, it probably is a duck.” If you act like a leader and speak like a leader you probably will become a leader.

If you think leadership is for you, make yourself a priority and start laying the groundwork. The work you do now will be what sets you up for success.

www.linkedin.com/in/asmitagovind/
twitter.com/asmitagovind
www.instagram.com/asmita.govind/
POOJA SHIMPI
HEY GIRL! BACK FROM A BREAK? WHY NOT JOIN CYBERSECURITY?
by Pooja Shimpi, Regional Business Information Security Officer (BISO), APAC at State Street Bank & Trust
Cybercriminals are getting more sophisticated with their cyber attacks, making it imperative for organisations to beef up their defences. Needless to say, there is a gap between the supply of and demand for cybersecurity professionals, to the tune of approximately 2.7 million worldwide.

The world of cybersecurity is on the move, and at the start of 2022 it is moving faster than ever. The number of women in information security is gradually increasing, but are we doing all we can to encourage more women to join the cybersecurity workforce?

According to the latest surveys, the percentage of women in cybersecurity has shown a decent rise globally over the past few years. More women are joining the workforce straight out of college, and many are reaching senior-level positions on a par with their male counterparts. However, the question remains: how open is cybersecurity to women who are returning, or have recently returned from, a career break?

CAN I GO ON A ONE-YEAR BREAK WITHOUT FEARING NOT BEING ACCEPTED INTO THE WORKFORCE ON MY RETURN?

This was the greatest fear I struggled with early in my career. I started out doing a humble desktop support job and quickly improved my skills to the point where, within the first few years of my career, I was providing critical application support on a securities trading floor at a leading Australian bank, Macquarie Capital Securities. I progressed faster than my peers, but not without having this uneasy fear in the back of my mind.

Working hard to climb the corporate ladder has its obvious advantages, but it takes a toll on your well-being. That was when I realised the only way to get rid of this fear was to face it. I chose to take a break and go backpacking across India in 2011. In the decade since, I have progressed steadily to a BISO role with State Street Bank and Trust.

Life is not all about work, and there are many reasons why women choose to take a break: to have a baby, take care of family, move to a different country, after losing a job, to travel, or simply to rejuvenate. But almost always it is more difficult and challenging for women to rejoin the workforce, particularly in cybersecurity, because the technology advances extremely rapidly and cyber is generally seen as a very stressful profession.

While fear plays a clear role when someone is deciding whether they can afford a break, there is also the fear that cybersecurity is “out of bounds” for women returning from a break. Thus, a large number of women who could join cybersecurity fail to do so.

There is a solution, and it could be very simple.

EVERYBODY NEEDS SOMEBODY

Mentorship is well accepted today. But back in 2011, I was lucky to have the right people to guide me in my career. I weaved my way into cybersecurity through various roles, starting from desktop support and progressing through trading applications support, database vulnerability management, technology governance, risk and compliance, information security manager and eventually ISO. I achieved this through the right combination of self-study, certifications and challenging myself with new roles. When I started looking for jobs after a one-year gap, my mentor guided me to a career path suited to my personality, study options and certifications.

While some people are blessed with great managers, sometimes it is much better to have a neutral mentor, one unbiased in their approach. Hence, I believe there is a need for mentorship programs that can assist women on a break or those who are just back from one.

In 2021, as a mentor in the (ISC)² Singapore Chapter Mentorship Program, I mentored a woman wanting to get back to work after a three-year break. Happily, she has now successfully joined the cybersecurity workforce with no prior background in cybersecurity. It was a clear win for both of us and, for any struggling woman out there, a strong indication of what is possible.

While there is no silver bullet, a good mentorship program and volunteering by leading experts in cybersecurity can be the simple solution we are looking for. Additionally, it can help address the huge supply-demand gap in the cybersecurity workforce. While many organisations are struggling to improve their gender diversity, their human resources teams could start focusing on hiring returning women. This way they would be hiring rejuvenated women eager to re-join the workforce, highly motivated, with a fresh perspective, and eager to perform.

CAREER PERSPECTIVES

There are many women who have held multiple roles throughout their careers. Simply understanding their strengths, guiding them into cybersecurity roles suitable for them, and helping them prepare for those roles can be sufficient. While there is a plethora of information on the internet, the personalised approach of mentorship goes well beyond a Google search that often leaves desperate jobseekers confused and disoriented.

Also, the misguidance that prevails as a result of educational institutes offering quick fixes such as “join us for a course in cybersecurity and get a job” can be completely avoided. Hence, it is vital that more professionals volunteer to join cybersecurity mentorship programs. The more success stories that come out of these programs, the more women can be offered quality guidance in cybersecurity.

Mentorship can also help bust several myths, such as:
• You need to be very technical to join cybersecurity.
• Cybersecurity is a very stressful field.
• A certification/cybersecurity course will help you secure a high-paying job immediately.
• Previous experience will be devalued.

“Life’s most persistent and urgent question is, ‘What are you doing for others?’”
Dr Martin Luther King Jr

www.linkedin.com/in/pooja-shimpi-cissp-bisoapac-5b143617/
JOB BOARD

SECURITY OPERATIONS LEAD
PAID PARENTAL LEAVE
LEARNING AND DEVELOPMENT PROGRAMS HYBRID WORKING
PRIVATE MEDICAL, INCOME & LIFE INSURANCE
FLEXIBLE WORK
GLOBAL OPPORTUNITIES
UNITED KINGDOM
As part of the Global Security Operations team, Senior Security Analysts undertake cyber security monitoring, detection and response activities, vulnerability and defect management, access control management and threat management activities for Iress-managed technology across all Iress operating locations and the cloud. As the senior security operations person in the UK region you will be a key member of the team delivering the security operations strategy. Reporting directly to the Head of Security Operations (HSO), you will be responsible for performing all activities of the SecOps squad. As a senior member of the team, your role will include mentorship and development of junior team members. The role may evolve to include broader team leadership.
SENIOR MANAGER, CYBER SECURITY
FULL-TIME
SYDNEY
FLEXIBLE WORK
CYBER SECURITY
ABOUT THE JOB Are you looking for an opportunity to have an impact? Reporting to the Head of Cyber Security, you will play a critical role in enabling Allianz Australia to operate with confidence by providing specialist knowledge and expertise to the function. As an individual contributor, rather than a leader of people, you will be a deep specialist able to provide functional thought leadership to ensure the Allianz cyber security posture is effective and remains within agreed risk appetite levels.
YOU’LL BE RESPONSIBLE FOR
• Defining the AAL Cyber Security Strategy to support business and IT goals and strategies, and delivering the AAL cyber security strategy by managing the cyber delivery portfolio
• Providing security consulting services to ensure business solutions are ‘secure by design’
• Functionally supporting the local cyber threat management function in identifying, assessing and evaluating cyber threats, vulnerabilities and technology-related risks
• Managing cyber security incidents and ensuring these are adequately responded to, to minimise impact to customers and Allianz
• Managing and supporting IT service providers and security vendors to provide adequate levels of security services, maximising ROI
• Developing and maintaining strong cyber security measurements and metrics that provide the CISO and Executive Management with visibility into the current state and ongoing improvement of the Allianz Australia cyber security posture
• Supporting the Head of Cyber Threat Management & Advisory to prepare Management and Board reporting, as well as developing and preparing regular Cyber Security, Protection & Resilience dashboards for internal, Management and Board reporting
• Collaborating with our Global Cyber Security community, liaising effectively with AAL IT and Security Operations teams to drive delivery of the Cyber Strategy
• Identifying and assessing cyber risks that may impact AAL, acting as an SME and thought leader amongst the organisational entities across the Group
• Supporting the Head of Cyber Threat Management & Advisory to lead a team of Cyber Architecture, Consulting and Threat Management professionals
SECURITY ENGINEER, AUTOMATION, TRIAGE AND COMPLIANCE
SYDNEY
ENTRY-LEVEL
FULL TIME
BACHELOR’S DEGREE IN A RELEVANT FIELD
PROGRAMMING EXPERIENCE IN PYTHON, C/C++, JAVA, OR GO
EXPERIENCE WITH APPLICATION, SYSTEMS AND NETWORK SECURITY
ABOUT THE JOB

Our Security team works to create and maintain the safest operating environment for Google’s users and developers. Security Engineers work with network equipment and actively monitor our systems for attacks and intrusions. In this role, you will also work with software engineers to proactively identify and fix security flaws and vulnerabilities.

The Detection Team develops and maintains the signals, tools, and infrastructure that we use, constantly evolving them to match sophisticated attackers. As part of this team, you will be building advanced and novel detection mechanisms for attacker tactics, techniques and procedures, developing systems to automate remediation, conducting threat hunting, and performing network and systems forensics, as well as malware and indicator analysis. We are responsible for managing all malicious activity on Google’s networks. We perform deep analysis of threats on our corporate, production, and acquisition environments. This is the team at Google that hunts for and helps respond to advanced persistent threat (APT) attackers and insider threats.

At Google, our users come first, and the Systems Infrastructure team is at the heart of that promise. We build the technologies that transform the way we think about doing business. Whether working on our cloud systems, researching the latest in computer technology or keeping Google’s internal systems humming, Googlers and users alike rely on us to keep things running. We’re back-end experts: protecting your privacy and ensuring your security.

RESPONSIBILITIES
• Manage first-line triage of general security and privacy queues.
• Recommend and drive process optimizations.
• Automate workflows and develop appropriate tooling.
• Arrange test sites, code repositories, and credentials, and explain processes and provide basic support.
• Identify issues that can be resolved without further routing.
CYBER DEFENCE LEAD
PERMANENT
FLEXIBLE WORK
AUSTRALIA
CYBER DEFENCE
The Group Security Team creates technology to protect REA across corporate infrastructure and cloud environments, driving the adoption of security patterns and practices by the rest of the business so they can be built into their own infrastructure. We’re looking to level up the security services we provide, and we’d love you to come and help us. The Cyber Defence Lead sits within the Group Security team, within REA’s Security Platform Architecture & Cloud Engineering team (SPACE) based in Melbourne. The Group Security team works together to embed security throughout REA, empowering staff to make good risk decisions and equipping them with the tools to do so – a cyber ‘health service’, not a police force. Are you fed up doing security by the numbers? Do you like to solve problems instead of following an instruction manual? Have you wanted to implement a unique approach to mitigating cyber threats but your ideas were shut down or too radical to be accepted? Do you love what you do and are you able to bring others on the journey? We want to hear from you! Find out why our new #cyberdefence lead is a rare, hands-on opportunity for someone to take the next step in their #security career. Flexible location within Australia.
SECURITY ENGINEERING INTERN, SUMMER 2022
SYDNEY
SECURITY INTERNSHIP
ABOUT THE JOB At Google, our users come first, and the Systems Infrastructure team is at the heart of that promise. We build the technologies that transform the way we think about doing business. Whether working on our cloud systems, researching the latest in computer technology or keeping Google’s internal systems humming, Googlers and users alike rely on us to keep things running. We’re back-end experts: protecting your privacy and ensuring your security. There’s no such thing as a “safe system” - only safer systems. Our Security team works to create and maintain the safest operating environment for Google’s users and developers. As a Security Engineer Intern, you will help protect network boundaries, keep computer systems and network devices hardened against attacks, and provide security services to protect highly sensitive data like passwords and customer information. As a Security Engineering Intern, you will work with a broad range of devices, actively monitoring our systems for attacks and intrusions. We focus on the offensive/testing side and work with software engineers to proactively identify and fix security flaws and vulnerabilities. We also build tools, scripts, and other automation to help our project teams achieve Google-scale impact. Google is and always will be an engineering company. We hire people with a broad set of technical skills who are ready to address some of technology’s greatest challenges and make an impact on millions, if not billions, of users. At Google, engineers not only revolutionize search, they routinely work on massive scalability and storage solutions, large-scale applications and entirely new platforms for developers around the world. From Google Ads to Chrome, Android to YouTube, Social to Local, Google engineers are changing the world one technological achievement after another.
RESPONSIBILITIES
• Apply knowledge gained in computer science courses to real-world challenges.
• Analyze information and evaluate results to choose the best solution to effectively solve challenges.
• Develop scripts to automate routine tasks.
• Create and support a productive and innovative team, this includes working with peers, managers, and teams.
Applications close on April 8th, 2022. Note this role is not eligible for immigration sponsorship.
APPLY NOW
DO YOU WANT YOUR COMPANY'S JOB LISTED IN THE NEXT ISSUE? Contact us today to find out how we can boost your job listing and help you find the top talent in the security industry aby@source2create.com.au
REACH OUT
vasudha@source2create.com.au
ICT SECURITY ENGINEER MELBOURNE
FULL-TIME
GREAT EMPLOYEE BENEFITS
FLEXIBLE WORKING HOURS
SALARY PACKAGING
AUSTRALIAN WORK RIGHTS
CYBER SECURITY
Amazing opportunity to use your technical skills to address critical risks at a leading public health service.
ABOUT THE ROLE A newly created role has been established for a technical SME to lead the cyber security program. This is a rare opportunity for a technical security specialist to take ownership and responsibility for uplifting a critical capability in an organisation that provides essential health services to millions of Victorians. You will have the flexibility and autonomy to make technical decisions, influence stakeholders and apply your skills. Joining a high profile team, this role will allow you to shape the future direction and landscape of Eastern Health cyber security and ensure that healthcare information and the IT services provided are protected and secure.
ABOUT YOU To be successful in this role you will possess:
• 5+ years of experience in information security, especially in a security engineering role
• Knowledge of security, risk and control frameworks and standards such as ACSC Essential 8, ISO 27001 and 27002, NIST, MITRE ATT&CK & ITIL
• Technical expertise in cyber security knowledge, including VPN, Firewall, network monitoring, intrusion detection, vulnerability management tools, web server security, wireless security and email security technologies
• Strong knowledge of common vulnerabilities and exploitation techniques
• Practical experience with database security, content filtering, vulnerability scanning, and anti-malware
• Degree in Computer Science, Information Security, or a related field, desired but not essential.
APPLY NOW
CYBER SECURITY OFFICER PERMANENT FLEXIBLE WORK
COMPETITIVE SALARY PAID PARENTAL LEAVE
EMPLOYEE SHARE SCHEME BABYCARE PACKAGE
HYBRID WORKING
AUSTRALIA
ABOUT THE ROLE Our Cyber landscape is evolving, and we are looking for a seasoned CSO professional to help us on our way and keep our IT and OT assets and associated systems and processes in the digital landscape safe. A permanent full-time role, reporting to our IT Director, you will be a valuable member of our leadership team in reviewing our roadmap priorities and getting these initiatives underway to bring our organisation on the journey, all while building capability with your team of eight, plus offshore team management. As the technical owner for Cyber Security technologies, you will also be responsible for proactively governing the day-to-day monitoring of cyber threats and acting in line with appropriate frameworks, plans, procedures, capabilities, and technologies to mitigate cyber risk (covering security architecture, governance, and operations). Are you someone who enjoys seeing the fruits of your labour and being recognised for them? If so, this role can offer you that. You will be comfortable navigating through ambiguity and have the confidence to speak and present at all levels, including Board. Applications will close on 7th March 2022.
APPLY NOW
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
COLUMN

Calculator Vault apps

Remember growing up and wanting to hide something from your parents? Under the bed, under the mattress, the back of a drawer were typical hiding places. Today, our digital teens have new things to hide, and new ways to do it.

Calculator Vault is an Android app, and a generic name for similar apps on Android and iOS that enable the user to hide other apps, images, texts and videos so they can be accessed only with a password. These apps are hidden behind what looks like a calculator, hence the name. When a calculator vault app is opened it looks and performs like a normal calculator, but if the right code is entered the hidden apps, images, videos and texts can be accessed. These apps also usually offer sharing options so the hidden content can be sent to others via text or email.

Some calculator vault apps will ask permission to access the camera so that images and videos can be taken and saved in the app. Most calculator vault apps also alert the user to any failed access attempts.

WHAT CAN PARENTS DO?

Prevention is always best. Control app downloads with a secure password so your teen can download only apps you authorise.

If you use Family Sharing or use your Apple ID on their devices, check your accounts regularly to see what apps have been downloaded. Other parental control software and apps generally contain a feature that allows the parent to approve apps to be downloaded, eg Family Link. If you are suspicious about a calculator app on your teen’s device, you can open the App Store or Google Play Store on their device, type in “calculator,” “vault” or “secret” and see if any such apps have been downloaded. If you discover a calculator vault app, stay calm (I know it’s hard, but try) and have a conversation with your child about why they downloaded it and what they are using it to hide.

www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
www.linkedin.com/company/the-cyber-safety-tech-mum/
www.linkedin.com/in/nicolle-embra-804259122/
INDUSTRY PERSPECTIVES
KAREN STEPHENS Karen is CEO and co-founder of BCyber, an agile, innovative group that works with SMEs to protect and grow their business by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. In 2021 Karen graduated from both the TechReady Woman Accelerator and the CLP program with the Cyber Leadership Institute.
COLUMN

Let’s make security the lingua franca of business in 2022

The last few years have seen cyber risk grow and change in ways we could never have imagined. So, let’s make 2022 the year we embed cybersecurity into businesses big and small. By moving cybersecurity from the traditional “cyber risk as an IT problem” to “cyber risk as a competitive advantage” you can protect and differentiate your business from others in your market. It is not sufficient to tell management about the problem, you also need to provide actions they can easily implement. Are you ready to reengage with your business colleagues? Here are three ideas to get you thinking.

ALL DEPARTMENTS HAVE DIFFERENT CYBERSECURITY NEEDS

Each and every business unit needs to embed cybersecurity into its day-to-day processes and procedures. For example, what processes are in place to ensure the accounting and finance department does not get phished and end up making payments to a fictitious supplier, or to a fraudulent account purporting to belong to a real supplier? Are details of payments in excess of certain thresholds required to be confirmed through a second form of communication (eg phone)? This might not be the traditional remit of the cyber expert but it will add value and possibly save the business time, money and embarrassment. Each business unit will have its own challenges. You can help them identify and address these. Cybersecurity is more than technology.

ASK FOR HELP

Security personnel are often pulled in many directions, and it is unlikely you will be able to have people embedded in each business unit. A cyber ambassador is an option. This is a business unit staff member who is designated as the “internal subject matter expert”. Having one is a great way to transfer knowledge and to “grow your own” cyber expertise in house. A cyber ambassador can help you keep all teams current and up to date with the greater cyber ecosystem. There is an added bonus: by making cybersecurity relevant you will help knowledge retention.

CROWN JEWELS

You may be able to identify the business’ “crown jewels” but what about those of individual business units? These are the assets that each business unit deems most critical to its mission. Their protection requires a whole-of-business team effort. When these assets have been identified you can work on ensuring the highest levels of protection are in place for them.

No doubt you have many ideas of your own. Remember, managing cyber risk is like origami: it looks easy, as if anyone can do it, but it can take years to master the intricacies. So be patient when taking your business on its cyber risk journey.

www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
Source2Create Spotlight
Advertising The market is saturated, so how can you position your company’s product or service strategically to your audience to stand out from the clutter? At S2C, we position your creative and content across a mixture of media to generate more excitement and better engagement from your target audience. We explore a range of ideas with our clients to spread their message – the right way.
REACH OUT TODAY www.source2create.com.au
charlie@source2create.com.au
aby@source2create.com.au
vasudha@source2create.com.au
LAURA JIEW
AUSTRALIAN WOMEN IN SECURITY INCIDENT RESPONSE COMPETITION 2021 WINNER: WrongEmail
by Laura Jiew, AWSN Marketing & Social Media Lead Congratulations to the team WrongEmail, placed first in the first competition-style incident response exercise for women working in, or interested in breaking into, the information and cybersecurity sector across Australia, which took place in late 2021. For this article, AWSN reached out to the winning team of Gyle dela Cruz, Senior Security Consultant - Incident Response; Jocasta Norman, Security Analyst; Cheryl Wong, Security Culture & Change Management Lead; and Mal P, DFIR specialist currently on a career break, to learn more about their journey into cyber and their participation in the competition. They recount their experience and learnings from coming out on top.
TELL US SOMETHING ABOUT YOURSELF AND YOUR BACKGROUND

Gyle: I got into the tech industry about 18 years ago. I started by working on Cisco networking projects and started specialising in information security in 2013. I now work as a senior security consultant incident response within IBM X-Force.

Jocasta: I’ve recently ventured back into the corporate world after working as a freelance digital marketer and online business consultant for more than a decade. Prior to that I was working in logistics. I chose to explore information and cybersecurity because I knew I would never get bored. There is always so much to learn, so many facets to the industry, and things are always changing.

Cheryl: I’ve been working in the travel industry for the past twenty-plus years mainly as a product manager. I decided on a career change into cybersecurity because of the COVID-19 pandemic and international and domestic borders closing.

Mal: I’ve been in the information and cybersecurity industry for about five years in a variety of roles, digital forensics and incident response (DFIR)-related roles in particular.

HOW LONG HAVE YOU BEEN WORKING IN INFORMATION AND CYBERSECURITY AND HOW DID YOU GET INTO THE FIELD?

Gyle: I’ve been working in cybersecurity for more than eight years. I became fascinated with information and cybersecurity while chatting on mIRC channels before my career shift into the tech industry. I had an online stalker, an experience that taught me a lot about privacy and all things cybersecurity. It took some time before I got to focus on infosec.

Jocasta: I have been working in cybersecurity for a little under a year and have been studying cybersecurity for a couple of years. I got into the industry through my studies and involvement with the AWSN community. My first role in cybersecurity was a contract role in which I used my marketing skills to help influence and uplift the cybersecurity culture. I loved it. I feel so incredibly grateful to have recently started a new role at SEEK as a security analyst. My new role focusses on third party security risk management, a topic that piqued my interest during my studies.

Cheryl: I’ve been in the cybersecurity industry for the past year after doing a short course in cyber. I was fortunate to be able to gain experience through a move to the IT department of the company I worked for where I learnt the operations side of security. I realised there were many non-technical roles in which I could use the skills acquired in my previous career, so I moved into the education and awareness space to help uplift the cybersecurity culture of the organisation. I now also lead the IAM change management initiative and several security operations projects.

Mal: Five years ago I got into cybersecurity via AWSN through a chance encounter with an AWSN volunteer who was a fellow employee at a company I then worked at.

WHAT ELEMENTS OF THE COMPETITION DID YOU ENJOY MOST?

Gyle: For me it was the chance to work with smart, collaborative, patient and down-to-earth teammates. I consider my experience competing in the event to have been a journey with great travel companions.

Jocasta: I really liked the teamwork aspect and the combination of technical and communication tasks throughout the competition. Initially I was a bit worried about my lack of hands-on experience but felt lucky to have landed in a great team. We shared lots of laughter along the way. I had heard you usually build a bond with your teammates in CTF competitions like this one, and I found that to be true. I look forward to doing more and hope we can participate in some in-person events too. That would be great.

Cheryl: I really enjoyed seeing the full end-to-end process of managing a cyber-related incident and just how much work an incident responder does, not only to investigate the causes, but to document the results at each step, all under intense pressure.

Mal: I really enjoyed working with my fellow teammates. It was great to work with such fantastic people. We all got to sharpen our incident response skills together.

WHAT DID THE COMPETITION TEACH YOU ABOUT SECURITY INCIDENT RESPONSE AND WHAT NEW SKILLS DID YOU LEARN?

Gyle: Incident response is a team sport and to succeed you need to have people in the team with diverse skill sets, folks who are respectful and not constantly second guessing each other every step of the way. The work of responding to an incident and remediating the situation should unite the team. There were a lot of discussions within our team about how to best solve the incident scenario presented. My teammates were (are) fantastic in this regard. On the technical aspects of the competition, I learned that one needs to always have Volatility versions two and three in one’s arsenal, instead of just the one standard version.

Jocasta: I learned it takes a team with a diverse range of skill sets. I also understood more clearly that it’s a lot of pressure to conduct digital forensics with the clock ticking and stakeholders wanting or needing constant updates on your response and remediation steps. Let’s be completely honest, it’s incredibly hard to give timely updates when you have incomplete information. I gained a newfound respect for the work of our DFIR-ers, working on many things under time pressure, and then having something like the log4j incident popping up out of the blue. Talk about balancing your priorities!

Cheryl: Through this experience I found you need a diverse group of people working together if you are to succeed. We were lucky to have a mix of technical and non-technical skills in the group. The technical folks were able to dive in and investigate the incident while the non-technical members were able to translate these steps into a written report in language that the public and ‘board’ were able to understand.

Mal: The competition taught me to question everything and to challenge assumptions. It’s easy in an incident to assume what may have happened without analysing the pieces of evidence provided.

WHAT WERE SOME OF THE CHALLENGES YOU FACED DURING THE COMPETITION AND HOW DID YOU OVERCOME THEM AS A TEAM?

Gyle: There was the usual balancing of real-life work and personal responsibilities while trying to finish the different competition challenges. I felt it was very important to be upfront about possible time constraints, and the patience and understanding within the team made a lot of difference.

Jocasta: The timing of the competition was particularly challenging for personal reasons: I was moving house. On top of this, it was the weekend the log4j vulnerability was discovered. We overcame the challenges by making ourselves available at different times, including late in the evening, and keeping an open communication line between all members of the group.

Cheryl: Time! Gyle and Mal had to deal with the log4j vulnerability incident in their day jobs at the same time as competing in this event. We delegated tasks so we didn’t waste any spare time. We checked on each other’s work and we kept an open mind when analysing everything to ensure we looked at different angles and did not pigeonhole our ideas.

Mal: Definitely the challenge of juggling work commitments alongside the competition requirements. Some major (real-world) vulnerabilities occurred over the period of the competition. So there was an added element of time pressure thrown into the mix.

ANYTHING ELSE YOU WOULD LIKE TO SHARE WITH READERS OF THIS ARTICLE?

Gyle: There are many incident response (CTF) events that cover different aspects of information security. This particular event, created by Retrospect Labs, was an excellent introduction to incident response and what goes on behind the scenes. If you haven’t participated in something like this, I would highly recommend doing so.

Jocasta: This was such a great experience, seeing what an incident response (CTF) competition is like. It was my first time. I had always been nervous about being in a team, feeling worried all the time and not knowing what I was doing. Fortunately my worries were unfounded and I had a terrific bunch of teammates. I am grateful to AWSN for partnering with Retrospect Labs to make this competition happen.

Cheryl: I would definitely recommend partaking in a CTF exercise like this one to anyone thinking of being an incident responder in cybersecurity and wanting to see what is involved, or starting out in the field and wanting to practise expanding their skills. The experience was really valuable. Retrospect Labs did a fantastic job of running it.

The Australian Women in Security Network (AWSN) was established in 2015. Today, it is a not-for-profit organisation and network of people that aims to grow the number of women in the security community. We support, inspire and act as role models. We connect women in the industry and those looking to enter the field with the tools, knowledge, network and platforms needed to build confidence and interest. We know diverse threats require diversity of thought to address them, and this is where our network thrives. We hope to run this competition again in 2022. Follow us on LinkedIn and Twitter to stay up to date with all our upcoming events throughout the year. In the last edition of this magazine, Retrospect Labs and A3C provided their commentary of the competition. You can read that here.
STAY CONNECTED All the latest articles, industry news, job boards, latest books, podcasts and blogs at your fingertips. As well as the latest on our advertising, marketing, and event services.
@wisms2c
@source2create
@womeninsecuritymagazine
DIGITAL
@Source2C
womeninsecuritymagazine.com
ANKITA DHAKAR
WOMEN IN TECH by Ankita Dhakar, Managing Director at Security Lit and Founder & Chief Cyber Warrior at Cyber Cosmos World
The number of female students in medical schools rose in 2019. The proportion of women working in medicine has increased steadily since 2015, reaching 50.5 percent in 2019. However, women remain underrepresented in the technology industry. Ada Lovelace is recognised as the first woman to program a computer, working with 19th century computer pioneer Charles Babbage. And during World War II a team of six smart young women created the first all-electronic programmable computer.

Ever heard of the Domain Name System (DNS)? Network devices do not understand domain names (website names). All they interpret is an IP address. The DNS translates a web address to an IP address. It was devised by a woman, Elizabeth Feinler. So, there is a rich history of women playing key roles in the early days of computers, but that momentum seems to have been lost. Today, women make up 28.8 percent of the tech workforce, and 13 percent of the Fortune 500 are led by women. There are several reasons why women are underrepresented in cybersecurity.

LACK OF ROLE MODELS

If we want to get more women into technology, we must begin early. A lack of role models makes it difficult for girls to identify with a career in technology. If you studied for a PhD or a master’s, how often did you see a female professor in the classroom? The idea that technology is for men is instilled in girls at an early age. That’s why early influences are critical. Girls need help at the outset of their careers so they can overcome the obstacles they face.

LACK OF SUPPORT AND ENCOURAGEMENT

The impacts of support and encouragement are exponential. The fewer women there are in a workplace, the less motivated and inspired other women will be to work in that environment. The more women they see working in technology, the more their numbers are likely to increase.

MATILDA EFFECT

Have you ever had the feeling that your efforts are not being recognised? If you become demotivated, the less likely you are to contribute value to whatever you are working on. You are not alone. This phenomenon is so common, it has a name: the Matilda Effect — a bias against acknowledging the achievements of women scientists and instead attributing these to their male colleagues.

HARASSMENT

A huge number of women experience sexual harassment and threats in the workplace. The #MeToo movement has done much to raise awareness of this problem, but there are many issues women face when considering going public about harassment. The perpetrators know this and exploit the fact.

Let’s talk about my previous experience in cybersecurity and why I founded Cyber Cosmos World (CCW).

I know it is hard to reach out to people for help, especially when you have been let down multiple times, but I know if eight people out of 10 reject you, you will always find two who will extend their hand to help you. You just need to focus on these two.

When it comes to cybersecurity, the community is empathetic and always ready to help its members. Don’t take my word for it. Join any Discord group. You will find many people extending help in any way they can.

I would like to specifically target the cybersecurity industry. It is a booming industry with a market size of about $179 billion and is expected to reach $372 billion by the end of 2028 with a 10.9% CAGR. Cybersecurity comprises multiple domains and presents a good opportunity. There is a huge skill gap, and the financial rewards are good. With some dedication and hard work I see no reason why women cannot lead this domain. As the founder of cybersecurity services company, Security Lit, I have provided opportunities to students to acquire cybersecurity skills, and many have found good jobs in cybersecurity.

WHAT CCW IS DOING

We are aware of the difficulties women experience. There are plenty of opportunities today, but women either do not have access to them, are not aware of them or are not encouraged to pursue them.

CCW is committed to growing the number of female employees in cybersecurity and is actively seeking internship and career opportunities for females in the industry. CCW has demonstrated how a woman was able to thwart a cyber-attack against the entire planet.

Projects of this nature demand considerable financial resources, and no one wants to put their money into something that will not yield a return on their investment.

CCW is a collection of 10,000 virtual females working in the Ethereum blockchain. Besides other benefits to the NFT holders, a fraction will be spent in providing internships and job opportunities to females and the rest for charitable events.

www.linkedin.com/in/ankitadhakar/
www.cybercosmos.world/
contact@securitylit.com
DELLA WEIER
STARTING OUT IN PRIVACY Interview with Della Weier, Junior Privacy Consultant at Ground Up Consulting by Nicole Stephensen, Director and Principal Consultant at Ground Up Consulting
Della Weier is a junior privacy consultant at Ground Up Consulting, a privacy firm based in Queensland. Nicole Stephensen, director and principal consultant at Ground Up Consulting, sat down with Della to discuss her move into the privacy space. This is her story of starting out in privacy:

“After returning from extended maternity leave I was looking for a change and for something to keep my mind ticking over. I was put in touch with Nicole, who was looking for someone to assist with research. Nicole gave me a shot and offered me a position, and my education into privacy began.

I had recently completed a Bachelor of Business and had experience working as an undergraduate accountant at a forensic accounting firm. It is difficult to draw a line from accountancy to privacy or information security, but I believe my learnings of business, and my experience working through cases methodically, assisted me in my role. For me there is also a goal common to forensic accounting and privacy: to do what is right.

In my brief time in the industry I have learnt that professionals working in the privacy space come from many and varied backgrounds. However, privacy professionals all appear to have one thing in common: their passion for upholding privacy values and protecting the interests of the community. They care about what they do, and the people they are working to protect.

My interest and passion for privacy developed a couple of months into my new role when I attended a strategic privacy by design workshop delivered by Jason Cronk and Nicole. The training took participants through an exercise in which we had to design privacy into a local council app. Privacy went from being a set of legal rules to something tangible and practical.

Luckily for me (with my limited knowledge of IT systems and technical controls), privacy encompasses more than information security. While the security of personal information is a relevant and important principle, the protection of personal information requires adherence to all privacy principles: demonstrating accountability; being transparent; limiting the collection, use and disclosure of personal information; and supporting the privacy rights of individuals.

I have developed a particular interest in privacy program management in public and private organisations and I enjoy working with organisations to build privacy into their organisational practices to ensure privacy is operationalised in all departments and business areas.

I have learnt that privacy is not limited to the ‘privacy team’ alone, but intersects with many organisational business areas, including information governance, security, risk management, procurement, business continuity, disaster management and project management. Privacy is relevant for all business areas where personal information is handled, or where decisions are made in respect of personal information.

I am also fascinated by the work of Nathan Kinch on designing valuable, meaningful and engaging contract experiences. I can recommend his work on Data Trust by Design.

A key privacy principle is that personal information be managed in an open and transparent way, including by publishing a privacy policy. I enjoy working with clients to simplify and tailor their privacy policies and other external privacy documents to ensure stakeholders can understand the privacy practices of their organisation.

I find some aspects of the job challenging. These include working with organisations to ensure privacy obligations are being met whilst still meeting project, platform, service or organisational objectives. A key phrase I am coming to learn is: “There is more than one way to skin a cat.” (A colloquialism of Nicole’s that makes me laugh, but it’s true.) In the future, I see my job continuing to require creative, collaborative and outside the box thinking.

I am very thankful for Nicole taking me on, educating and guiding me through the privacy space. I am also thankful to other privacy professionals who continually share their wisdom and learnings. I have learned a lot, but I know working in privacy is also about the ‘long game’ (especially given the pace and the ever-changing privacy landscape). I am excited to see where my professional privacy journey will take me, and how technology and digitisation will continue to change this industry.”

www.linkedin.com/in/della-weier-755b281a7/
www.linkedin.com/in/nicole-stephensen-privacymaven
www.groundupprivacy.com.au/
VIDYA MURTHY

TO ENHANCE CYBERSECURITY, EMBRACE DIVERSITY
by Vidya Murthy, Chief Operating Officer at MedCrypt

The last two years have shaken the foundations of our lives. Every facet has been impacted, from our health, our jobs and finances to our governments and our law enforcement agencies. These systems will be rebuilt in our lifetime. We all need to ask ourselves what we can do to ensure cybersecurity alleviates the bias that exists today, and how we can ensure a diverse mindset is applied to the cybersecurity challenges every individual and every organisation faces.

This means including people from non-traditional backgrounds, and intentionally avoiding herd mentality. If we as an industry proclaim security-in-depth to be best practice, we must strive for diversity-in-depth to ensure we most effectively mitigate the risks that abound.

PROBLEMS CAUSED BY HOMOGENEITY IN SECURITY

Every system or process requires multiple data components and users performing different tasks. When a user engages with the system they can drive information to multiple people, processes and technologies. The developers and defenders of a system must attempt to predict these behaviour patterns and build systems that are resilient and without weaknesses. This can sometimes require making assumptions.

These assumptions on how a user, or process, is expected to engage can leave threat vectors unidentified or unseen. When an unmitigated threat vector exists in a system, it can be a mechanism through which an attacker gains unauthorised access.

Imagine a hospital. It is filled with devices made by manufacturers, installed by technicians, operated by clinicians and monitored by the hospital’s IT organisation. For a patient to be “processed”, data must move across various functions in that hospital, such as from the medical device to the hospital record system to the billing system where it creates an invoice that is sent to collections. A successful transition between departments requires a common understanding of the ultimate objective and of who is responsible for what. If there is a misalignment, sensitive data can be disseminated or accessed inappropriately.
INDUSTRY PERSPECTIVES

Assumptions are not always intentional. Sometimes the ambiguity of a requirement leads to assumptions as to what that requirement means. Or perhaps a plan is made by borrowing a requirement from a similar past project, not knowing that certain qualities may be preferred.

This concept is frequently applied to design, but also directly applies to security. If everyone in the security team thinks the same and follows the same way of working, they will assume users all interact with a system in a specific set of ways. Such absence of creativity in thinking about user behaviour can result in threat vectors being missed.

As defenders we are best poised for success when we understand the universe of threats we face and can plan accordingly. The majority of security breaches that occur today result from human error and social engineering scams. These attacks and techniques exploit and manipulate human behaviour to trick users. To prevent these attacks, defenders must understand the psychology and behaviour of all users, not just those from a single background.

Building a cyber-resilient strategy means understanding more than technology. Getting a wider range of people into security is not just equitable; diversity is the best chance we have to make a real difference with security.

BIASES AND ASSUMPTIONS ABOUT HOW INDIVIDUALS AND ORGANISATIONS DEPLOY AND USE TECHNOLOGY

The absence of diversity at all levels makes things harder across the board, from identifying and addressing threats to innovating and meaningfully collaborating with partners. For example, a more seasoned population working in security might assume a digitally native generation innately understands cyber threats, while a mostly young team may be well aware of phishing attacks, and assume baby boomers, who are frequently victims of these types of attacks, are equally aware of them.

There is an endless list of things that could derail the process of security system design, and these things must be identified and mitigated. Seasoned executives will confirm that protecting assets used to be relatively straightforward, with amateur or opportunistic attackers being the most likely threat.

Today, the situation is different. Cybercriminals are organised, motivated and funded and possess a wide range of skills. In an assessment of the SolarWinds attack in 2020, Microsoft estimated at least 1000 engineers were involved in creating the attack. Is there any non-government entity that has comparable resources defending its ecosystem?

It is a common trope in cybersecurity, and healthcare, to say people are the weakest link. This statement is often followed by a statistic from The 2020 Cost of a Data Breach Report, published annually by IBM and Ponemon, stating 23 percent of breaches were the result of human error or negligence.

But maybe that statistic should be restated to say, in 23 percent of use cases, a human’s behaviour was misunderstood and technology failed, leaving the human as the last line of defence.

A great example is email. We’ve all sat through training showing how to check various features of a received email message to avoid falling for a phishing scam. In reality, most email providers already have ML/AI-trained filters to identify potential scams and filter out suspicious emails. If these filters cannot identify a phishing email, is it really fair to ask an end user to be able to do so?

As security practitioners we also face a larger societal responsibility. The 2016 US presidential election saw Russian disinformation heavily target black communities, using fake accounts on all the major social media platforms to share racially charged posts and sow seeds of discord.

How did the authentication model fail to identify these fake accounts? What aspect of spoofing was missed? Or perhaps it was never expected that such politically sensitive data would be shared through social media.

And this practice did not stop with the elections. It has
continued with the harassment of Black Lives Matter (BLM) activists by cybercriminals. In early 2020 we saw DDoS attacks against BLM groups. Cloudflare reported organisations classed as advocacy groups had been subject to a much higher rate of attack than other organisations: attack volumes in May were 1120 times greater than those in April.

NIST found examples of age, gender, and racial bias in several widely deployed systems where African American, Alaskan Indian, Pacific Islander, and Asian American faces were 10 to 100 times more likely to be misidentified compared to their Caucasian counterparts.

Bias breeds distrust in systems and institutions, and as noted above, there are multiple examples of how technology has exacerbated this problem. Technology and policy mitigations need to be implemented where society, systems and institutions have weaknesses.

BENEFITS OF INCREASED PARTICIPATION

With the current US presidential administration’s commitment to prioritising cybersecurity, it is anticipated that the security of critical infrastructure will get a major overhaul. This reinforces the message that we cannot continue to deal with cybersecurity threats as we do currently. Instead, with a diverse team, we have a chance to design new systems with the intentionality of proactively protecting our users from threats.

Measures that are proactive run the gamut, but can include cryptographically signing commands that must be confirmed prior to being executed, reviewing software bills of materials for systems to identify known vulnerabilities, and proactively performing digital forensics to identify potential vulnerabilities. Being proactive, as shown by the cybersecurity resource allocation and efficacy index, results in higher confidence in system operation.

With a well-structured team that includes diverse perspectives, our systems will grow to prioritise and reduce reliance on users to counter unknown threats. Note the nuance: I’m not saying the user does not know how to use the device. I’m saying, with tech, there will always be unknowns and there will always be weaknesses. The best systems are those that do not rely on the user for threat detection.

In healthcare this is especially relevant, because we cannot have a situation where a patient or provider questions the integrity of data from devices. As demonstrated in research around modifying CT scans, malware could be used to add realistic growths to CT or MRI scans, or remove real nodules and lesions without detection. This could lead to misdiagnoses and negative patient outcomes. We must be intentional and prioritise the design of user-considered security into devices if we are ever to change the landscape of cyberthreats in healthcare.

BRINGING A WIDER RANGE OF PEOPLE INTO SECURITY

Deloitte conducted a study focusing on closing the cybersecurity gap that delivered multiple interesting insights. My favourite part of the study is its title: “The changing faces of cybersecurity”. It focused on changing the skillsets required to be successful in this space.

We need to think about how we encourage more diversity in the cybersecurity workforce. This requires thinking about different ways to enter the security field, as well as thinking about how we train people moving into the field, and how we provide accessible tools that support the widest possible workforce.

Specific trends include changes in job descriptions. These are moving away from narrow technical disciplines and are becoming more esoteric. The report also emphasised that, in future, cybersecurity specialists will need expertise in privacy and security regulation.

A few suggestions to get started on building a more diverse and inclusive cybersecurity team are included below.

1. CHANGE THE DEFINITION OF QUALIFIED

Often a specific set of criteria is requested when seeking candidates for cybersecurity. These formal recruitment paths do not easily accommodate different experiences.

It takes effort to understand people who come from different backgrounds, who have different education and experiences. But there is a growing population of technology companies that are making this effort. Salesforce, for example, released a cybersecurity training program for everyone - an attempt to address the systemic access issues in technical education, and change how candidates can demonstrate their qualifications.

2. TARGET DIFFERENT POPULATIONS

One way to attract a more diverse cross-section of job applicants is to work with organisations such as The Diana Initiative that focus on attracting underrepresented groups. If the oversubscribed women-only Blackhoodie workshops are any indicator, there are plenty of women interested in cybersecurity opportunities.

3. RETAIN TALENT

With all these efforts to attract diverse talent, it would be remiss not to think about retaining talent. How do we keep teams from burning out and protect them from stress? Security can be very demanding. We need better support systems, not only to better manage and monitor staff and keep them learning and progressing their careers, but also to give them resilience training that enables them to deal with being on the front line defending their organisation.

To be successful as a cybersecurity community, we need to work to find pathways into the security industry that lead us to accept all who want to take part, hiring for skill and passion rather than just looking for the right certifications or college degrees.

KEY TAKEAWAYS

• Cybersecurity is not only coding. There is more to the development, implementation and sustainability of an effective cybersecurity program than can be achieved with technology solutions alone.
• Groupthink has real consequences. Attackers need to find only one way into a system. Defenders must try to find them all. This cannot be done effectively without a diverse mindset.
• Non-technical voices make for more cyber-resilient systems. Cybersecurity risks are growing constantly and expanding beyond specific tech stacks. People, processes and technologies must mitigate cybersecurity risks.
• How we define ‘qualified’ must change. Sticking to old-school criteria and strict educational requirements will result in missed opportunities to recruit great team members and will make bridging the resource gap more difficult than it already is.
• We will not get it right immediately, but we must start. Efficacy is difficult to measure in cybersecurity, and recruitment is no exception. There will likely be missteps along the way, but it is evident the strategy to date has been ineffective, and we must try something new.

www.linkedin.com/in/vidyakmurthy/
twitter.com/vmurthy84
twitter.com/medcrypt
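The first of the proactive measures named under BENEFITS OF INCREASED PARTICIPATION above, cryptographically signing commands that must be confirmed prior to being executed, is shown below as an added example; it is not code from the article or from MedCrypt. It assumes an Ed25519 keypair shared between a command issuer (a clinician workstation, say) and a device, a per-key sequence counter for replay protection, and a constructed command payload; the article describes none of these details. The point it makes in code is the one the article makes in prose: the device, not the operator, is the line of defence, because a forged, altered or replayed command is rejected before anything executes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a device instruction as carried on the wire: a sequence number
// (replay protection), the command text, and an Ed25519 signature over both.
type Command struct {
	Seq       uint64
	Payload   string
	Signature []byte
}

// signingInput binds the sequence number to the payload so that a captured
// signature cannot be reused with a different counter or a different text.
func signingInput(seq uint64, payload string) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

// Issuer is the party allowed to command the device (assumed here to be a
// clinician workstation holding the private key) plus its next counter.
type Issuer struct {
	priv ed25519.PrivateKey
	next uint64
}

// Sign increments the counter and signs counter+payload.
func (i *Issuer) Sign(payload string) Command {
	i.next++
	sig := ed25519.Sign(i.priv, signingInput(i.next, payload))
	return Command{Seq: i.next, Payload: payload, Signature: sig}
}

// Device holds only the public key, the last accepted counter, and a record
// of what it actually executed.
type Device struct {
	pub      ed25519.PublicKey
	lastSeq  uint64
	Executed []string
}

var (
	ErrBadSignature = errors.New("signature does not verify: command rejected")
	ErrReplay       = errors.New("sequence number not newer than last accepted: replay rejected")
)

// Execute is the confirm-before-execute step: signature first, counter
// second, and only a command that passes both is acted on.
func (d *Device) Execute(c Command) error {
	if !ed25519.Verify(d.pub, signingInput(c.Seq, c.Payload), c.Signature) {
		return ErrBadSignature
	}
	if c.Seq <= d.lastSeq {
		return ErrReplay
	}
	d.lastSeq = c.Seq
	d.Executed = append(d.Executed, c.Payload) // stand-in for the real action
	return nil
}

// NewPair generates a fresh keypair and returns an issuer and a device that
// trust it. In a deployment the public key would be provisioned into the
// device and the private key kept in the issuer's key store.
func NewPair() (*Issuer, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Issuer{priv: priv}, &Device{pub: pub}, nil
}

// DemoResult records the device's verdict on three constructed commands.
type DemoResult struct {
	Genuine  error    // nil: accepted and executed
	Tampered error    // payload altered after signing
	Replayed error    // genuine command delivered a second time
	Executed []string // what the device actually acted on
}

// Demo runs the three cases against one device. The payloads are constructed
// examples, not a real device protocol.
func Demo() (DemoResult, error) {
	issuer, device, err := NewPair()
	if err != nil {
		return DemoResult{}, err
	}
	cmd := issuer.Sign("infusion_rate=2.0ml/h")
	res := DemoResult{Genuine: device.Execute(cmd)}

	altered := cmd
	altered.Payload = "infusion_rate=20.0ml/h" // changed in transit, signature unchanged
	res.Tampered = device.Execute(altered)

	res.Replayed = device.Execute(cmd) // same bytes captured and resent
	res.Executed = device.Executed
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntampered: %v\nreplayed: %v\nexecuted: %v\n",
		res.Genuine, res.Tampered, res.Replayed, res.Executed)
}
```

Only the first command reaches the execution log; the altered dose fails signature verification and the resent original fails the counter check. A real device protocol would also bind a device identifier into the signed input so that a command signed for one device cannot be delivered to another.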
AS THE SECURITY THREAT MORPHS, DEFENSIVE TEAMS MUST CHANGE TOO
by David Braue

This year, step away from the mindset that security is about technological defences

With major hacks happening regularly, the compromise of global publishing giant News Corporation might have been just another statistic – but when investigators quickly pointed the finger at a foreign government, it became clear that this particular security incident was far more nuanced than your average ransomware strike.

Attackers with links to China, security firm Mandiant concluded after being engaged to investigate the incident, had been conducting a long-term, persistent campaign and were “likely involved in espionage activities to collect intelligence to benefit China’s interests”.

Such espionage has become rife in every part of the geopolitical spectrum, particularly in a cybersecurity space where the ability to remotely access key servers and information has supplanted conventional cloak-and-dagger espionage as a key form of intelligence-gathering.

Yet for cybercriminals to target a major news organisation – whose network of reporters, confidential sources, current investigations and leaked documents are a treasure trove of information with potential geopolitical repercussions – showed how cybercriminal activities continue to change in response to the ebb and flow of global events.

“This is how it’s done now,” says Alex Tilley, Senior Threat Researcher with Secureworks’ CTU cyber-intelligence arm, “and I think every country is doing it all the time.”

Like its peers, CTU has investigated a range of nation-state attacks and seen attack methods – and targets – steadily changing as attackers’ capabilities and motivations evolve.
FEATURE

“It’s quite interesting to see these mechanisms of government being turned against all kinds of different targets for the purposes of gathering information,” says Tilley. “Rather than having to go and recruit agents and do things in-country, you can just use a couple of exploits in a malicious document, a bit of phishing, and off you go.”

With an election looming in Australia and the country’s testy relationship with Asia-Pacific neighbours continuing to create friction, the government has taken a keen focus on the need for approaching the cybersecurity threat with a broader lens. A recent Parliamentary committee report into social media-enabled foreign interference, for example, recommended the government task a single entity with dealing with “cyber-enabled foreign interference”, provide “clear requirements and pathways” for social media platforms to report suspected foreign interference, and “take a proactive approach to protect groups that are common targets of foreign interference but are not classified as government institutions” – a category that includes the likes of News Corporation.

A DIVERSE THREAT DEMANDS A DIVERSE RESPONSE

As cybercriminals explore new ways of compromising their targets, defensive operations need to evolve accordingly – making this year the year when employers validate long-expanding calls to diversify their recruitment and retention policies.

Whether for financial reasons, improving employees’ psychological well-being, attracting and retaining expertise or myriad other reasons, those policies have become so important that they are no longer remarkable – but that doesn’t mean they are automatically being adopted.

Silos remain a real obstacle within cyber teams and more broadly within security firms –
which made breaking them down a key goal for John Check, senior director of cyber protection solutions with Raytheon Intelligence & Space.

When given the opportunity to build a new security-focused team from the defence contractor’s existing business units, Check – an environmental-science major thrust into a heavily engineering-focused workplace – said during the CISA Cybersecurity Summit, “my prior experiences taught me that I needed to create an identity for the team, building on our culture as a rallying point.”

“My goal was to build an inclusive culture where every voice was welcomed and heard – even from those of us that aren’t engineers,” he said. “There is absolutely space for those who may not have the perfect pedigree or situation, to make an incredible difference in the cyber workplace.”

Persisting gender imbalances in cyber teams were one of many signs that the problem was far from resolved.

Unconscious selection bias, which drives people to hire and promote people that are most like them, “is the enemy of diversity of thought,” Check said. “Giving one candidate an edge over others because of cultural fit, or gut feel, can be a sign of unconscious bias creeping into those decisions.”

“It takes a deliberate leader to have the self-awareness to question hiring choices,” he said, “but if we don’t commit to doing this, we choose to limit the creativity that goes into brainstorming, problem solving, and new ideas that are essential for fighting cybercrime.”

MAINTAINING FOCUS THROUGH DISRUPTION

Crises such as the COVID-19 pandemic inevitably push some companies to the wall, while providing impetus for others to revisit their core strengths and think differently about the way they are delivering on their mission.

For ridesharing company Lyft, the disruption of the pandemic triggered a series of dramatic changes that, head of diversity and inclusion Sherida McMullan told a recent CES 2022 session, kickstarted a new level of ongoing engagement with diverse elements of the company’s nearly 5000 employees.

“We had to dial our levers on hiring,” she explained, “and didn’t necessarily maintain the hiring that we had; we still did hiring but it was very neat, and specific within our lines of business.”

Despite this change, she continued, “we also had to keep in mind that representation matters… we needed to make sure that we were not unjustly impacting our women or people of colour – and from a workforce perspective, we have been able to keep our focus there.”

As the workforce adapted to the pandemic’s new requirements, internal employee resource groups (ERGs) became critical in maintaining cohesion across a broad range of employees’ individual circumstances.

“There were conversations that needed to be had,”
McMullan explained, “and we had a playbook within inclusion and diversity that really guided those individuals that wanted to have those conversations. You did not have to be a subject matter expert; you literally just had to look at the documentation, open the invite to anyone that wanted to come, and have the dialogue.”

Such efforts were part of a strategy of inclusion – proactively engaging with diverse groups within the company – and they represent some of the many tools that organisations can use to best support the diversity of their employee bodies.

By maintaining that diversity throughout times of dramatic corporate change, cybersecurity organisations can ensure they don’t create new systemic weaknesses for cybercriminals to exploit.

It’s a defensive strategy that, Australian Women in Security Network (AWSN) founder Jacqui Loustau notes, also includes the active recruitment of neurodivergent individuals that bring new perspectives and problem-solving techniques to bear on the cybersecurity problem.

“When it comes to a cybersecurity team, tabling all those different perspectives is really important,” she said. “Our adversaries are diverse; they’ve got really great marketing teams; they’ve got people with really great skills. And they’re not discriminative of who actually works in these cyber criminal networks – so we need to be diverse in our thinking as well.”

In a climate where information warfare is becoming as common as cybercrime, that includes building out teams with non-technical individuals that can bring more than just hardcore technical skills. “I hope there will be a lot more people working in a collaborative team in the future,” she said, “and that people will recognise the fact that to be in this industry, we can’t just have technical people; we need to have people with different backgrounds, that can communicate to the C-suite, communicate to teams, and communicate to the people using the technology.”

As public discourse continues to be shaped by the implications of News Corporation’s compromise, and broader concerns about social-media manipulation and election threats, maintaining that diversity will be crucial for companies building and maintaining cybersecurity teams this year.

And if you make your cybersecurity teams about the workers, those workers will deliver better outcomes than ever.

“We’re in a business that faces a diverse set of challenges proliferated by a diverse set of actors,” said Raytheon’s Check, “and we must combat these diverse threats by bringing our best diverse thinking to the table, and welcoming and inviting those different from us to bring forward new ideas.”

“A challenge that affects all of us needs to be solved by all of us,” he said, “and the best ideas and solutions will come from taking a new path, shown to us by an unexpected guide.”
BROCK RODERICK

A SECRET SAUCE RECIPE
THE DELICIOUSNESS OF TRYING STUFF
by Brock Roderick, Founder of Education Arcade

I have eaten two sauces in my life that were so mind-blowingly delicious I asked the chefs if they could feed them to me intravenously. Fortunately, these requests were met with a chuckle, some words of gratitude, and zero trips to the hospital. Unfortunately, they never resulted in me getting the secret sauce recipe.

While chefs may guard their secret sauce recipes, the pursuit of knowledge and sharing of information to better people’s lives are two of my core values. They were why I started Education Arcade, a website offering free gamified security awareness content to the public.

After three years developing Education Arcade into a content delivery business for the public, I held a mirror to myself in an intense session of self-reflection and realised I had my very own secret sauce recipe! Fortunately for you, I am not a chef. So let me spill my guts on what I think helped me start a niche cybersecurity business.

HOW HARD CAN IT BE?

The idea behind Education Arcade wormed its way into my brain while I was participating in a gamified table-top cybersecurity incident simulation. The ‘hacker versus defender’ game was the perfect way to add engagement and memorability to a dry, but essential, security incident playbook. With an enthusiastic, but limited, audience due to the technical nature of the session, I thought to myself: “How hard can it be to bottle this enthusiasm, simplify the messaging, and scale the gamified experience to a wide audience?”

At 2:00am that night, my obsessive personality kicked into overdrive and I ran through every website, blog and YouTube tutorial I could find on game development, website creation and cloud hosting. I was fixated on the idea of making learning experiences that were so memorable they could solve cybersecurity for the world.
The next morning, I floated back down to earth and realised that if I could help even a single person identify a phishing attempt or scam it could prevent them from making serious financial and emotionally impacting errors online. To me, that is success.

This all started with the question ‘How hard can it be?’ and the impact that question had on me. Why not give it a try? How hard can it be?

PASSION PUSHES YOU

Playing games is fun. Making games, on the other hand, well, that’s a different type of fun.

Day one and my first task as a newbie game developer was to make a yellow box move around a screen via user input. It took me nine hours and when it finally worked, I had a genuine ‘eureka’ moment. Being immensely proud of my achievement, I took a video on my iPhone of the little yellow box dancing around the screen and watched it 5,000 times.

Fast forward to day 365 and I had turned that little dancing yellow box into a fully animated, story-driven, phishing awareness game called ClickBait.

Throughout those 365 days there were many very late nights, long weekends and moments where I was confused beyond belief, but thankfully there were also thousands of eureka moments. The intense satisfaction felt after each eureka moment drove me to seek out the next, and so the free space on my iPhone depleted.

I have learnt to lean into what I’m passionate about by celebrating every little success - especially the weird ones.

LET’S GET UNCOMFORTABLE

After a year of spending every spare minute in front of a computer screen my social butterfly wings wilted and I became a recluse. Going outside felt alien and talking to people became internally uncomfortable. This was not good for business.

Luckily for me, I live in a city with a concentration of security consulting firms, and I had access to Google. After a quick search I found a local firm that had a friendly-looking website and a contact page. I crafted an email introducing myself, expressed my enthusiasm for security, and added a heartfelt plea to show these industry experts what I had created.

Even luckier for me, I was greeted by a friendly seasoned cyber veteran with decades of experience who was keen to meet for a coffee and check out Education Arcade. After some personal chat and some serious cyber talk, I put our latest game in his hands and he immediately smiled. He gets it. Eureka!

I would soon learn that 99 percent of the people I would meet in the infosec community were just like me: passionate about our industry, genuinely full of personality and super supportive. We’re not aliens – make contact and see where it leads.

BIG BUTS

My final ingredient in the secret sauce recipe is a seasonal one. I write goals every January to keep me pointed north. I have them broken down into categories: personal, business, financial, professional. These goals live on a whiteboard in my office and stare me down every day.

It is rare to hit all of these targets – there are usually only three or four I feel really earn their giant green completion tick. However, every goal is attempted and I never use a ‘but’ as a way to excuse myself from starting something.

“I need to set some goals for this year, but I don’t know where I put my whiteboard markers.”

Don’t let your big ‘buts’ get in the way of finding how hard something is, screaming eureka, or making contact with non-aliens.

Brock Roderick www.linkedin.com/in/brock-roderick-17a92a108/
Education Arcade www.linkedin.com/company/education-arcade
SAI HONIG

ARE YOU A POACHER OR A GARDENER?
by Sai Honig, CISSP, CCSP, Co-founder New Zealand Network for Women in Security

It’s a big business, run by local and international networks and organisations. By its very nature, it is almost impossible to obtain reliable figures. Globally, it could cost organisations lost time, productivity and, collectively, billions of dollars. Often, it operates covertly.

Does this sound like something illegal? It’s not. It’s how we (mostly) recruit in cybersecurity. We “poach” staff from other organisations or hire consultants to fill roles. When staff leave, lost productivity, recruitment and onboarding new staff cost companies millions of dollars.

The Merriam-Webster dictionary defines poaching as being “to encroach upon especially for the purpose of taking something” or “to attract (someone, such as an employee or customer) away from a competitor”. We may call it recruiting but isn’t it very much like poaching?

Organisations need to have experienced staff with specialised skill sets. Cybersecurity is often considered a specialised skill set. Often it is necessary to recruit cybersecurity staff. The challenge may not be in recruitment but in retention. People with cybersecurity skills do not come cheaply, and they could be lured away before critical projects are completed. While there may be contract clauses to prevent staff leaving until projects are completed, they cannot keep staff beyond project completion.

This is where organisations need to move from a “poacher” mindset to a “gardener” mindset.

While the experienced staff member is working in the organisation, include “knowledge transfer” as one of their objectives. This includes, but is not limited to:
• Ensuring key knowledge from experienced employees is shared with team members.
• Having less experienced team members mentored by an experienced team member.
• Having less experienced team members take on related project tasks.
• Setting aside time each day for experienced team members to document their knowledge of projects.

Here are a few questions to consider as you set goals for knowledge transfer:
• In what areas or positions do you face the
I N D U S T R Y
P E R S P E C T I V E S
greatest potential for knowledge loss? • Who are the key people possessing this knowledge?
Be open-minded as to what backgrounds or knowledge other staff should have. Non-technical degrees are useful in cybersecurity. According to
• How much knowledge needs to be captured?
Wesley Simpson, former COO of ISC2, “About 58
• What information is critical and what can be
percent of cybersecurity professionals come from
learned in other ways? • How will critical knowledge be captured and transferred to those who need it?
fields outside technology”. Simpson also points to the liberal arts. The frequent reports of cybersecurity teams not getting management support for the tools and personnel they need, he says, come down to them being unable to tell the cybersecurity story effectively. That is where liberal arts graduates can help.

Dan Basile, chief information security officer for the Rellis Campus at Texas A&M University, agrees. “We all need a greater diversity of thought and background, in addition to traditional diversity concerns, in order to attack the complex problems we face,” he explains. “All nontechnical majors have something that is of value to the cybersecurity field.”

You then need to develop a plan of action based on the answers to these questions.

These activities should occur before the experienced staff member announces their departure. Otherwise, the knowledge transfer is rushed, and other staff members may not be able to fully grasp all duties. Implementing these measures early will also reduce the likelihood of staff burnout.

Knowledge transfer is the first step for organisations to move from a “poacher” mindset to a “gardener” mindset. In this way, the organisation is “growing” the next experienced staff members. This process can be repeated many times. The more staff members “grown” in this way, the more the organisation can retain knowledge and experience.

Another approach could be “grafting” staff from other roles into much needed cybersecurity roles. This requires the organisation to have an open mind about staff transferring their skills to other roles. There may be staff within the organisation who have an interest in cybersecurity roles. For example, network engineers may be excellent candidates for cybersecurity roles.

Such diversity would also require the organisation to provide mentors to the transferred employees. Organisations need to identify how the transfer will occur (e.g. half time in their old role and half time in their new role), and how long the transfer will take. A good start would be for transferred employees to shadow those already in cybersecurity roles.

Of course, organisations can grow cybersecurity staff from “seedlings”. Consider employing new graduates or offering true entry level positions. Organisations should be aware that not all educational programs are the same. For example, a master’s in software
development may not include security aspects (e.g. OWASP Top 10, SDLC, threat modelling, etc.). So, organisations should be patient and offer these individuals time to learn new subjects and gain new skills and experience by getting them to work with experienced staff. This approach also takes time: the results may not be seen for years.

When advertised, these must be REAL entry-level positions with career progression and development. Job descriptions that require certifications or experience with tools or technology are NOT entry-level positions. Time for developing mentoring relationships and real learning should be set aside. Also, allow time to document learnings.

In order to retain staff, organisations should include career progression possibilities. Someone starting as an analyst could be given the opportunity to work towards consultant and senior consultant roles. Having several levels of staff can also enable the tasks appropriate to each role to be identified. Simple or rote tasks can be used to educate those starting out in cybersecurity, leaving the complex or long-term projects for more senior staff.

With all approaches, organisations need to consider what educational opportunities should be made available. I have worked in organisations where educational budgets for cybersecurity staff did not exist. In those cases, staff had to put up their own funds to further their education. This practice does not encourage staff to stay with the employer. Organisations need to consider other ways to grow and retain employees – especially experienced employees, because poaching employees can become an expensive proposition in the long run.
www.linkedin.com/in/saihonig/
NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com
ALEX NIXON
WHEN THE SKILLS SHORTAGE REACHES BOILING POINT
by Alex Nixon, Vice President Cyber Risk at Kroll

As I write from the cool comfort of an air-conditioned office, I reflect that, barely weeks into a new year, cyber social media is running hot. Heated opinions on who deserves a seat at the table - or who even wants a seat - zip back and forth with fiery debate taking place in the comments section. It seems the war of words over the cyber labour shortage is reaching fever pitch. This labour shortage should enable the newest graduate with an ink-wet BSc CompSci to easily find their first security role. Alas, computer science graduates tell us this is not the case.

Two and a half years, or a whole pandemic, ago, I spoke at the Australian Information Security Association conference in Melbourne. The theme of my presentation was Securing the Leadership Pipeline in our industry. I wanted to tackle the accepted wisdom that only certain people with a certain background should enter the cyber industry and rise to the top. My gut feeling was that we needed people who brought difference of opinion, background and experience, or we risked stagnation of ideas.

The research in favour of my hypothesis was compelling. Multiple studies showed homogenous workforces outperformed by those with a diverse employee body led by a diverse leadership team. Not only were the latter more likely to be financially successful, they were also more likely to develop solid reasoning and rational answers to questions. I think we can all agree these attributes are particularly critical in cyber. I am certainly not alone in the belief that diversity is a critical building block for success in our industry. AustCyber estimates a shortage of around 16,600 cyber workers in Australia by 2026, and ISC² considers that figure to be circa two million in the
wider Asia Pacific region. We cannot ignore these figures. I consider this lack of cyber workers to be one of the greatest challenges facing our country in the age of cyber warfare, working from home and ransomware-as-a-service.

This macro environment should present the young security professional with many options, such as a rotational graduate scheme, a focus on a specialisation of particular interest or a complete career change with on-the-job training. The choices should be there, and they should be accessible to aspiring and early-career cyber professionals from all backgrounds.

And yet, just last month, a post popped up on my LinkedIn feed, liked by a former colleague. A young woman was celebrating her first job offer in cyber after 500 applications. Many members of our community were celebrating with her. She is to be lauded for her tenacity, but it should not be this difficult when we have a global cyber skills shortage. I hate to think of the loss to our industry of many talented professionals snapped up by another industry quicker to recognise their skills.

So, as we turn to celebrate the year of the security worker in this issue of Women in Security Magazine, what does the ideal emerging security professional look like?

I remain a firm believer in the importance of the skills we cannot teach people: a willingness to learn, an open mind and an ability to be comfortable in the face of the unknown. We can teach the technical skills on the job, and we should be doing just that. I am yet to be convinced we can teach enthusiasm, drive and passion: the qualities that drive the very best security professionals I have worked with. We in the industry must not shut the door in the face of those following us.

To that end, I want to commit to print a resolution for 2022. It has been two and a half years since I spoke at AISA about the need for people with a wide spectrum of ideas to graduate into our industry, lest we become an echo chamber. Two and a half years later and with thousands of cyber jobs in Australia due to be left empty in the next half decade, the same gatekeeping still abounds on social media, where aspiring security professionals can read the words and feel excluded. I am not one to stand on the sidelines gnashing my teeth at injustice.

So I, along with a small number of cyber professionals who feel passionately about this, have resolved to play our part championing emerging talent in cyber. By the time this issue goes to print (in the digital sense) we will be on the cusp of launching a significant initiative across the Asia-Pacific region. I look forward to sharing more details in a future issue of Women in Security Magazine.

The savvy, driven recruits who have persevered through countless interviews to land an entry role in cyber represent the future of our industry. The passion and determination these individuals have already demonstrated to overcome myriad challenges and land a role in which they have proven themselves must not be underestimated. Not only do they deserve their seat at the table, in the fullness of time they might just deserve ours.

www.linkedin.com/in/alexlnixon
JAYDE LOVELL
YOU CAN HAVE IT ALL: a parent’s perspective on being a cybersecurity founder
by Jayde Lovell, Head of Communications at CyRise and cybersecurity student at the University of Adelaide

Many women feel having children and a family somehow precludes them from becoming startup founders. It’s simply not true. More than half the founders who have gone through the CyRise cybersecurity accelerator program run by NTT and Deakin University were parents.

However, if you plan to launch a startup it’s important to do so with your eyes open.

To find out how it’s done I spoke to Australians facing the challenges of being parents whilst parenting their own cybersecurity startups. Whether they were first-time or experienced parents with kids about to leave the nest, there was much in common in the experiences of these different cybersecurity founders, and useful advice for anyone considering making the leap into startup land.

PARENTS MAKE GREAT CYBERSECURITY FOUNDERS

Jacqui Nelson, the co-founder of DekkoSecure, a cybersecurity startup focused on securing digital communications, is a mother of three. She notes: “The whole premise of being a parent is about being agile and open, which is exactly what being a startup founder is like. The best-laid plans can easily go awry.”

She says being a parent-turned-founder, or vice-versa, gives a person super skills, such as the ability to react calmly to the unexpected. “It’s about openness. Being a parent, you often hear things you weren’t expecting or aren’t comfortable with that you need to be able to handle. It’s the same in cybersecurity.”

Mike Loewy, the co-founder of Tide, the Australian Cybersecurity Startup of the Year 2021, has recently become a father for the second time. He smiles as he says, “When people ask how many children I have, I say three. I’ve always counted my startup as a kid
because there are so many similarities between being a founder and being a parent.”
Loewy adds, the busier people are, the more efficient they become at work, and busy parents often make the best cybersecurity founders. “The more you take on, the better you become at focusing, avoiding procrastination, and delegating jobs that don’t come naturally to you.”

Adam Selwood, the co-founder of Cynch Security and father of two, says being a busy parent can make you more efficient at work, and a career in cybersecurity can equip you for the challenges of being a parent. “I think it helps to be in the cybersecurity world, as everything is broken all the time. So you’re used to fixing things and working with limitations. Cybersecurity is often chaotic and constantly changing, and that’s no different to parenting.”

THERE ARE NO SILVER BULLETS FOR PARENTS

I asked parents who had founded startups if their startup had a particular strategy for making the workplace more parent-friendly. Unfortunately, there does not seem to be a one-size-fits-all solution, but the 24/7 demands of cybersecurity do seem to suit many new parents. “I’m awake anyway, I might as well work,” jokes Brad Smorgon, co-founder of Traild, who recently welcomed the third baby into his family.

The good news for security startups is that flexible working arrangements have benefits for employees, parents and the company. In an article published in The Australian, startup founders reported they were more able to recruit and retain top talent by offering flexible working arrangements, and this helped them to stay competitive with corporations that might have more cash but a stricter working schedule. Indeed, the flexibility to set their own work routine seems to be preferred by many employees without children as well as by parents. Nelson says, “I have one employee who likes to leave early on Friday to go sailing.” But flexibility must work both ways. Founders such as Nelson look for self-starters who understand that with flexibility comes responsibility. Her employee who leaves early on a Friday is also willing to take calls on the weekend.

Ultimately, startups can best support parents — and all members of the team — by agreeing on a work schedule that suits both parties. “It’s about actually talking to people and understanding what works best for them. If people prefer early morning meetings because maybe their partners have the kids at that time, we try to do that. There are no hard and fast rules,” says Kirstin McIntosh, head of partnerships at CyRise and mother of a nine-year-old.

IT’S VERY DIFFICULT WITHOUT A GOOD PARTNER

Whether founding a cybersecurity business or being a parent, a great partner and an excellent support team makes a world of difference. Founders freely acknowledged they would not have been able to manage running a startup and fulfil their parenting commitments without a supportive partner. “Cynch would not exist if my wife is not as amazing as she is,” says Selwood. Loewy adds, “My wife also runs her own business, so we both understand what’s involved. She gets it when I have a crazy schedule or late-night calls.”

That’s not to say it’s impossible to be a single parent founder, but it’s important to acknowledge you will need support, and then work out where that support will come from.
Smorgon – whose wife Rachel works as a Director for Philips Healthcare – describes the benefits of building the cost of paid support, including occasional childcare, house cleaning, and food delivery, into the household budget. The benefit of paid support is that “you’re spending your time with the kids, not working for the kids whilst they watch TV.”

McIntosh finds delegation to be a useful skill at home as well as at work, noting that she and her husband have designated days when each supports their nine-year-old son in his activities, and says they divide the workload at home according to their respective strengths. “It’s not just the doing,” she observes. “It’s the planning that takes time.” Because planning is a skill she excels at, she handles the organisational side of the household: managing the family’s social calendar, keeping up with her son’s activities on WhatsApp groups, etc. “But Simon does all the cleaning!” she says with a laugh.
IT’S OK TO MAKE SOME SPACE

As a group, tech founders of all genders, whether they are single or married, with children or without, are notorious for burning the candle at both ends, but that’s not sustainable, and McIntosh stresses the importance of scheduling personal time. “I get up early and exercise and no one can talk to me, and that helps me get my head straight for the day.” She also makes space for quality time with her husband and son. “I’m quite explicit in my diary. Because people can book meetings in my calendar, it’s important that I protect those times.”

Whether or not you and your team have children, there are valuable lessons to be learnt from these working parents about flexibility, teamwork and valuing everyone’s precious time, and a real payoff from parent-friendly policies. Nelson says, “If you allow people to be with their families when it really matters, they’ll give that back to you in spades.”
www.linkedin.com/company/cyrise
twitter.com/cyriseco
cyrise.co/
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
COLUMN
Life in cyber security

Life in cybersecurity, what is it really like? I get asked this question quite a lot. I do a lot of mentoring and get into as many cyber information sessions as life and time allow. One of the first things most people want to know is, are you a hacker? Once that is out of the way they want to know what it is really like to work in cybersecurity. Is this a mythical place where unicorns and dragons walk freely among us? Is it a place where the wizards and witches conjure magical spells for good and evil, and wage fantastical battles?

Well, cybersecurity is great. You won’t see any of that mythical or magical nonsense, or even any of the Hollywood hoopla with darkened figures hunched over their keyboards with leather gloves and a dark coloured hoodie. You might be lucky enough to see a hoodie-wearing hacker in the colder parts of the world, just because it is so bloody cold. Hoodies can be very useful to keep you warm in some situations, but they do not improve your hacking skills, which I am sure is disappointing for the many would-be hackers out there.

However, I have been lucky enough to see a few of those mythical unicorns in my time: hackers with uncanny skills who blow your mind and who every recruiter in the world would pounce on if they got so much as a whiff of one contemplating a move from their current habitat. It is rare to meet these fabled creatures and I feel lucky to know a few, especially ones without the horrible egos that sometimes come with the territory.

So, I have gotten a little distracted. What is life really like in cybersecurity? Well, if you want the truth, it can be really tough. I am not going to sugar coat this for you. I want you to walk into cybersecurity with eyes open, clear of any of the floss and fluff that you can often get. Cybersecurity is a constant challenge. You will be pulled in a million directions. Defeat one opponent and ten more may spring up in their place.

This is life in cybersecurity. We need to get a million things right to keep our organisations safe, but a malicious actor just needs us to get one thing wrong. Just one vulnerability missed, one patch not applied, one password reused (please don’t do that).

You will need to constantly learn and hone your craft to make sure you keep up with the latest threats. Sometimes you will fail. All of us will experience a breach of some kind in our time. It is inevitable. I am not being pessimistic. I am being honest. The avalanche is growing and everyone, no matter their budget, will be the victim of an attack. The key is being able to reduce the impact and keep the threat as isolated and controlled as possible.

I am painting a grim picture, but when I give this answer to someone, I would normally get a follow up question: why do you do it? Or, is it worth it? Absolutely, it is worth it. I love what I do. No question.

You need to have the right mindset. You need to understand that cybersecurity will be hard. Sometimes you will get hit. It might be hard, but at the end of the day, the community is absolutely awesome, the job is interesting most of the time, and it would be hard to find the constant intellectual challenge of cybersecurity in any other career.

Take what I have told you, prepare for what is to come and let us stand tall together and push the malicious actors back. We may never be one of those unicorns, but this industry needs all of us. No matter our backgrounds or skills we can all help in this fight.

So, who is with me?

www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
TECHNOLOGY PERSPECTIVES
IF YOU CAN’T SPEND YOUR WAY TO GOOD SECURITY THIS YEAR, TRY FOCUSING ON YOUR PEOPLE by David Braue
As cybersecurity spending comes under the microscope, culture is taking the limelight
For all the focus on digital transformation and cybersecurity during the pandemic, recent executive surveys suggest that the era of blank cheques may be growing to a close – and that security strategists should stop trying to buy good security, and shift their attention to empowering their staff instead.

The change in attitude is reflected in studies such as Accenture’s recent State of Cybersecurity Resilience report, which found that 84% of large Australian companies had increased their spending on cybersecurity technology – but that 81% believe staying ahead of cybercriminals is a constant and unsustainable battle.

That’s because fully 55% of global organisations admit they are not effectively stopping cyber attacks, finding and fixing breaches quickly, or reducing the impact of breaches – raising inevitable questions about value for money.

This change in mindset was corroborated by a recent Trend Micro study that identified a looming contradiction in attitudes towards cybersecurity investments, with 49% of respondents reporting that cyber risks are still being treated as an IT problem.

Although 62% of Australian IT decision-makers in that survey believe cybersecurity has the highest cost impact of any business risk, 89% said their business leaders would be willing to compromise on cybersecurity spending to focus investments around digital transformation, productivity, or other benefits.

Worryingly, those IT leaders seemed to be complicit in allowing attention to drift away from cybersecurity, with 87% admitting they have felt pressured to
downplay the risks of cybersecurity attack to the company board “for fear of appearing repetitive or too negative”, said Trend Micro ANZ vice president Ashley Watkins.

“Self-censoring” by IT leaders “will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure,” Watkins added. “We need to talk about risk in a way that frames cybersecurity as a fundamental driver of business growth – helping to bring together IT and business leaders who are fighting for the same cause.”
FIGHTING ATTRITION WITH CULTURE

Delivering that unity of purpose, however, requires cultural change – including an ability to attract and retain the talented workers necessary to maintain a robust cybersecurity defence no matter what happens to cybersecurity spending. That means building long-term career pathways that start with hiring well-qualified workers and providing a workplace environment and sense of purpose that convinces them to stay.

The value of good culture became clear for Monash University CISO Dan Maslin after several employees departed that organisation’s cybersecurity team during the pandemic – leaving, he told a recent AISA conference panel, for what they “saw as better opportunities.”

Many of the defections were short-lived, with one returning after a YouTube opportunity fell through: “he said he had really missed the team culture and was happy to be back,” Maslin said. “Another went off to corporate life and became pretty frustrated around the lack of progression and lack of strategy. So we welcomed him back, and I was happy to see him back.”

“We’re fairly lucky that our organisation has a really strong mission and 10-year strategy – and we try to align our cyber strategy with that as well. It does keep a lot of people, that do want to be part of the big picture.”
Not every organisation is so lucky, however, with culture-management specialist Kincentric recently noting that just half of the surveyed employees feel their organisation is attracting or retaining the people they need to achieve their business goals – and that the percentage of workers saying their leadership demonstrates care and concern for employees was down 11%.

Even more worrying was the finding that only 55% of employees see strong career development opportunities for high performers.

“Given the present challenges around talent retention, employees who do not see good career opportunities and organisational response to their well-being are four times more likely to leave,” Kincentric APAC regional leader Stephen Hickey said, noting that the best employers “are differentiating through people practices, retaining key talent and leadership transformation.”
It’s hardly revolutionary to suggest that a key part of these people practices is embracing diversity in all its forms – but simply declaring one’s company to be diverse is hardly enough to make it work.

The key, Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterley said while interviewing Girls Who Code CEO Dr Tarika Barrett during the recent CISA Cybersecurity Summit, is to “build a culture of psychological safety, where everybody feels included and feels like they belong.”

Young women entering the workforce will quickly form indelible opinions about the culture at their new employers – and once they develop enough skills to give them autonomy in the market, their choice about whether to stay or not will be determined by the long-term prospects of their current role.

“We are busy building this incredible pipeline” of future cyber workers, Barrett said, “but we know the rubber meets the road when our young women get that first job – and that 50% of them leave by the age of 35.”

That’s around the age that experienced cybersecurity workers begin weighing their career goals and deciding whether they need to look elsewhere – and it’s the time when employers need to make sure they can offer both a supportive culture and real prospects for continued advancement.

“Every company is different,” said Barrett, “and there’s no magical blueprint for this type of process. But at the very least, we hope that companies have discussions about work culture and academic credentialing. It’s really about how we get that connective tissue in place, so we can create that ecosystem for young people.”

Outreach programs like Girls Who Code are tackling the inputs to that ecosystem with programs such as its Work Prep program, a two-week virtual program that targets university-age students and has, Barrett said, convinced half of the attendees to continue pursuing a career in technology.

Yet creating demand is only part of the solution: hiring companies, she said, need to play their part by “keeping an open mind, like redefining what they see as an appealing hiring candidate, and assessing promotion practices that keep women and women of colour out of leadership positions.”

“I know this kind of self-reflection remains difficult, but it can be the difference between an all white-male office and an office that more accurately reflects the world we’re living in today.”

THE POWER OF A GUIDING HAND

If companies are spending less on cybersecurity technologies, they will by inference lean more heavily on the capabilities of the staff they’ve hired – who will be able to offload many of their everyday responsibilities to cybersecurity automation technologies.

This frees them for higher-level strategic thinking and a closer relationship with the objectives of the business – optimally delivering more value for the company’s cybersecurity spending.

By reaching out through the ranks, Australian Women in Security Network (AWSN) founder Jacqui Lostau notes, senior managers can make all the difference – reinforcing a culture of acceptance even if they, like so many in the Accenture survey, are winding back their enthusiasm for spending on cybersecurity technologies.

“The conversation has changed,” Lostau explained, “and senior managers are recognising why it’s important.”

“A lot of it has to do with the fact that they have seen young people – who bring creativity, and look at things in a different way – really making a difference in terms of what they can bring to the table. And they have grown up being used to having diverse types of people around them.”
MARISE ALPHONSO
THE IMPORTANCE OF PARTNERSHIPS IN SECURITY by Marise Alphonso, Information Security Lead at Infoxchange
The answer to the question “What does someone who works in security do?” is extremely broad. It would take many books to cover the necessary competencies (technical and non-technical), knowledge areas and practices. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) presents a useful, comprehensive approach to the components of a security capability (outlined below) and hence the security activities required within an organisation.

(Source: NIST, Framework v1.1 Slide Presentation, https://www.nist.gov/cyberframework/getting-started)

The CSF outlines five functions: identify, protect, detect, respond and recover. Each of these comprises a number of controls: policies and procedures or technical controls such as the implementation of multifactor authentication or encryption.

The primary capability that must exist in all organisations is the ability to understand the cybersecurity risks faced and the impact on the assets of the organisation if these risks were to materialise. Risk management is a core competency required to facilitate decision making and justify the investments and improvements required to ensure the organisation’s security. The individuals who perform risk management activities and can answer the questions: What could happen? Why could it happen? Why do we care? could be in any department or team in an organisation. Discussions around these questions help drive the investment in security controls required for information/cybersecurity risks to be reduced to an
acceptable level. The implementation of controls often falls to other security roles or individuals within the organisation who partner with the security function, for example:

• the communications team to assist with security awareness initiatives.
• the IT service desk to be the triage point for security incidents.
• those in governance and compliance roles who develop policies and procedures and who understand contractual obligations.
• employees who report security events or incidents.
• the people and culture team that screens employees and oversees their onboarding and offboarding.

Ideally, security responsibilities across the organisation will be slotted into a responsible, accountable, consulted and informed (RACI) matrix because different roles perform the activities required to fulfil the requirements of the security practice. The specific operating model will depend on the organisational context and structure and could draw on internal or external capabilities within a core security team or on partnerships with other teams as stated above.

External security partnerships are also increasingly important because of the leverage such partnerships provide to facilitate cyber resilience in the face of global cybersecurity threats. These partners could be vendors who provide expertise by way of an outsourced security operations centre, cyber insurers who would provide business continuity assistance in the event of a critical security incident, or partners who provide threat intelligence via data feeds that the organisation can act upon.

In Australia, the Australian Cyber Security Centre (ACSC) has a partnership program that offers a collaborative approach to cyber resilience. Partners in this program benefit from the collective intelligence and experiences of other organisations in addition to the useful material provided by the ACSC to improve security practices. The ACSC has a number of close allies supporting its security capability. They include:

• The Office of the Australian Information Commissioner (OAIC). The protection of personal information supported by the regulatory functions of the OAIC is paramount to instilling consumer trust in the digital economy.
• eSafety, which plays an increasingly important role as individuals of all ages build digital skills and spend more time online. Each February, eSafety promotes Safer Internet Day to generate awareness of online safety.
• The Australian Competition and Consumer Commission, which operates Scamwatch. This plays a pivotal role in educating Australians on current scams, how to avoid them and how to report them.

The importance of partnerships to lift security maturity within organisations cannot be overstated. Partnerships are indeed key to cyber resilience.

www.linkedin.com/in/marise-alphonso/
WOMEN IN SECURITY MAGAZINE
SHRUTIRUPA BANERJIEE
THE MISSING ART OF UNDERSTANDING VULNERABILITIES - the undiscussed approach
by Shrutirupa Banerjiee, Security Professional and Learner

I have more than three years of experience in cybersecurity. I have attended several sessions, read numerous articles and interacted with many cybersecurity enthusiasts. I have noticed that not every individual in cybersecurity understands the process of finding a security flaw.

People do not understand why they are trying to find a certain kind of vulnerability in an application. For example, some vulnerabilities are specific to web applications and exist nowhere else. In this article, we will try to understand the approach to finding a vulnerability in any application using web application security as an example. Let’s get started.

First, a fundamental concept: nothing is 100 per cent secure. A simple flaw in an application can quickly become a vulnerability that may be exploitable in the future.

A security professional needs to understand why application developers are trying to provide security. Developers always try to maintain the confidentiality, integrity and availability (CIA) of data shared over the internet. There are other factors too, such as authenticity, authorisation, non-repudiation, and many more. These are related to the primary CIA triad.

The first step in the analysis of a vulnerability in an application is to understand how the application works: enumeration or information gathering. This gives us an idea of the technology, language and dependencies used. Let’s understand this analysis in detail.

We will start by answering a very valid question: why should we not test for all types of vulnerabilities in all kinds of web applications?

This is because every website is based on different technologies and dependencies. Even though the client-side language may be the same, the backend and other technologies used are different. A website may be built from scratch or built with the help of a CMS like WordPress. If the latter, you start by checking the version for any issues that have been reported. Finding something new will require more time and patience. If you have the source code of the application you can perform a source code analysis.

If an application has used PHP in its backend it will make no sense to use Django-based test cases to look for vulnerabilities. The question is then whether to take a manual or tool-based approach to seek vulnerabilities.

Both approaches go hand in hand. The manual approach helps you identify the kind of payloads you should be using. The tool-based process eases the manual task and helps you find the payloads.

For example, it is useful to know how to exploit SQL injection in the application (if the application uses a SQL-based database in the backend). But exploiting it manually can take a lot of time. So, you can use the manual approach to determine if it is vulnerable and, if so, use a tool to perform the exploitation. Although it would be beneficial to understand the entire manual exploitation process, it is not necessary to perform this every time.

Of course, there are scanners to help you analyse the application’s different vulnerabilities, but these can give you false positives. If you have gathered information correctly and have proper knowledge of the subject, you will understand which reports are genuine and which can be ignored.

Let’s take an instance where you must perform security testing on a web application. You run it against a scanner and, while the scanner is performing its task, you check for different endpoints and perform your enumeration manually. The scanner gives you a report from which you can start figuring out some more endpoints and the vulnerabilities it may have identified. Once you find a suspicious endpoint, you can begin examining its functionality.

After reviewing, you find the application is using templates. Again, you can use a tool with several valid payloads to determine the kind of template (if this could not be determined during the enumeration) and the kind of behaviour the application is showing. If there is any suspicious behaviour and you have identified the nature of the payload generating it, you may create your own payload. This is where manual intervention is most helpful, and it is one way to combine both approaches to vulnerability research.

Getting into cybersecurity requires a whole lot of skill. You may not be a coder, but make sure to become a good programmer. You may not need to write a lot of exploits (depending on your choice of domain), but you will need to analyse several code segments. Everything is readily available on the internet; all you need to understand is the approach behind each task and then explore accordingly.

In conclusion, it is not very difficult to find payloads from the internet and apply them against an application to test its vulnerability. You will often be successful, but that method is not guaranteed to work for every application, nor to work every time. It is also not guaranteed to grow your learning. So, focus on the approach, have patience, and keep learning.

www.linkedin.com/in/shrutirupa-banerjiee/
twitter.com/freak_crypt
MEL MIGRINO
A CYBER WARRIOR IN THE ENTERPRISE OF THINGS
by Mel Migrino, Chairman and President of Women in Security Alliance Philippines (WiSAP)

The cyber warrior has evolved from being the traditional computer professional tasked to configure and manage computer networks to a dedicated technology risk practitioner who is an expert in identifying cyber risks and finding solutions to address vulnerabilities. Today’s cyber warrior looks at cybersecurity as a vocation. Strong dedication is required to continuously find potential loopholes and the footprints of the adversary.

The Enterprise of Things, the use of IoT to improve enterprise operations and integrate different types of services, is a fast-growing technology having an immense impact on our social lives. The proliferation of connected devices, sensors and services globally has created enormous demand for both defensive and offensive cybersecurity strategies.

Vulnerabilities exist throughout the IoT environment: sensors, networks, devices, platforms, applications and interfaces. The nature of the IoT environment, and the fact that IoT devices are all connected to the Internet, expand the attack surface, giving adversaries more opportunities to compromise systems. These IoT devices usually lack essential device protections such as strong passwords, updateable operating systems and segmented networks. The evolving cyber warrior plays a crucial role in the Enterprise of Things, from conceptualisation to full implementation of systems. Thus, the cyber warrior should focus on the key themes of attack, defence and facilitation that can be performed by the following teams.

RED TEAM
The red team is usually a team independent of the target. However, for a large organisation, this can be a separate team under the CISO that aims to covertly test the organisation’s defences. This team mimics sophisticated real-world attacks to highlight gaps in the organisation’s technical and cybersecurity controls that require fixing, thus improving its security posture. The red team also tests the blue team’s defensive capabilities.

BLUE TEAM
The blue team is typically the security operations centre (SOC). The SOC consists of highly skilled analysts who work on defending and improving their organisation’s defences, 24x7. The blue team focuses on detecting and combating adversaries. This team leads the analysis and forensic investigation of the various operating systems used by their organisation, including third-party systems. Cyber simulations are run to enhance its skills and prepare it for dangerous real-world attacks.

PURPLE TEAM
This team combines the capabilities of the red and blue teams. It assumes the mindset and responsibilities of both teams. It aims to analyse how red and blue teams work together and to recommend necessary adjustments to the current cyber simulations. Ultimately, purple teamers are responsible for analysing the results and overseeing the closure of remedial actions.

The red and blue teams could not be more opposite in their tactics, techniques and procedures, but the differences are precisely what makes them part of effective execution. The red team is the attacker and the blue team the defender while the purple team is a facilitator for continuous integration. Their shared goal is to improve the cybersecurity posture of the organisation to ensure the continuous protection and operation of its core business.

www.linkedin.com/in/mel-migri%C3%B1o-b5464151/
WISAP www.linkedin.com/company/wisap-women-in-securityalliance-philippines/
Women in Leadership Program
WE UNDERSTAND THAT LEADERS COME FROM VARIOUS BACKGROUNDS
THE AWSN WOMEN IN LEADERSHIP PROGRAM HAS SOMETHING FOR EVERYONE - NO MATTER WHERE YOU ARE IN YOUR LEADERSHIP JOURNEY
Applications are now open for our 2022 Women in Leadership Programs for:
Emerging Leaders
Aspiring Senior Leaders
Aspiring Global Leaders
Leaders wanting to increase their technical knowledge
Leaders wanting to increase the impact of their presenting
Sponsored by
To find out more, visit: awsn.org.au/initiatives/women-in-leadership/
STUDENT IN SECURITY SPOTLIGHT

Gabriela Sorsa recently completed a Certificate IV course in cybersecurity, focusing on computer forensics and incident response management, and is also undertaking a Certificate IV in Security Management - risk and compliance at Asset College in Brisbane.

GABRIELA SORSA
Cyber Business Adviser | AWSN Brisbane Chapter Lead
Best Security Student Special Recognition award winner at 2021 Australian Women in Security Awards

What first piqued your interest in security?
Six or seven years ago my account was hacked and all my life savings disappeared in a matter of days. There was nothing I could do to stop it. The bank was holding me accountable and I was at risk of not recovering my savings. I then started to read as much as I could and found a way to prove I was not at fault. Since then I have become cyber-obsessed and advocated for cyber hygiene wherever I have worked. I started my own personal campaign to help those who had suffered losses in similar ways. (PS - I have recovered the money)

Were you doing something else before you started studying security?
When my account was hacked I was working in the maritime industry, a job I loved so much and that gave me worldwide travel. I have visited and worked in 95 countries. I moved to Australia with my husband, following love and sunshine. I took a short break trying different jobs, in retail, shopping centres and hotels, but nothing was as thrilling as being around cruise ships. So I returned to the maritime industry. Unfortunately, with the arrival of COVID-19 in Australia, I was made redundant, and I thought I would have plenty of time on my hands. So I started studying cybersecurity and security management.

During my studies, I joined the world of aged care: a world like no other, full of wisdom and tough learnings, compliance, risk and dignity, love and tears.

I brought with me resilience, flexibility and problem-solving skills from my previous roles in a maritime environment. In that environment I was working every day with people I had never met before, with different languages, facing different country rules and challenges in each port I visited. I learned about teamwork and how to overcome language barriers, education and mentality differences, and take from each team member the most valuable lessons.

From hotels and hospitality in general I learned each approach and solution is a matter of perception, one size does not fit all, customers must feel valued to unlock their trust, and the most valuable assets in an organisation are its people, the employees. From aged care, I learned the dimensions of risk and the intricacies of human dignity in personal choices. I learned how to value time and make choices knowing each choice brings long term consequences, although sometimes that might not appear to be the case. Other valuable lessons from this sector were that the results are far better when you care, and that in aged care everything has an impact on human life.

Can you briefly summarise your security career to date: how did you get into your current study program?
When COVID hit Australia my redundancy hit me hard; I lost a job I loved very much. So, with plenty of time on my hands, I started Cert 4 in cybersecurity at TAFE and security management at Asset College.

Just before completing my TAFE Cert 4 in cybersecurity, my mentor offered me the opportunity to undertake further training in governance, risk and compliance (GRC) while working in her team – an offer I could not refuse. I am grateful for the opportunity and consider myself lucky to have had this chance to train and work with such a knowledgeable professional, who is also a beautiful and smart woman.

I have worked in a GRC role where I was auditing existing policies and creating new ones, and was able to implement this knowledge in the healthcare industry. That was a great experience: merging knowledge of cyber and knowledge of healthcare.

I recently joined the Cyber Security team at BDO in Australia as Cyber Business Support. I look forward to learning as much as I can in the corporate environment and to putting my previously acquired skills to use. This is an exciting time and I look forward to what the future holds in a workplace that offers countless opportunities.

To what extent have (a) the course and (b) the institution met your expectations?
The course had no prerequisites, yet so many of my new colleagues seemed to know everything. I felt overwhelmed and started doubting myself. Then, as I studied and read more, I felt empowered. I think learning cyber never stops. But then, in life when do you stop learning? I have enjoyed the discovery, the realisation when we successfully completed our penetration testing project how easy it is to hack into someone’s computer. I loved the connections I made with some of my colleagues, discovering we had similar values, were hard workers and curious. I thought “I could trust them if I was to work with them in an incident”. I commend some of the teachers for their patience and their guidance in explaining over and over again the same thing until it made sense.

What I did not enjoy so much was the disconnection of the school from the real world. There were no workshops or coaching sessions on how to get a job as a junior in cyber, how the principles apply in an organisation, how to put all the pieces of the puzzle together.

So, I took matters into my own hands and started gathering enthusiasts, colleagues who had the same ideas, and started asking questions about how they would like to engage with senior professionals and organisations. I organised cybersecurity seminars, inviting speakers from different backgrounds and fields of expertise in cyber: recruiters to explain how cyber recruiting works. It went really well. Our group was getting larger and larger, and topics were diverse and popular.

What do you find
• most rewarding or fulfilling about your course?
• most challenging or unsatisfying about your course?
Rewarding: the knowledge and power that come with knowledge. Challenging: the lockdowns that kept us away from school and the large size of the class for one teacher.

What is your approach to studying (time management, etc)? Any tips for other students?
Time management is the most important skill to deliver good quality projects on time, to be able to fit everything into a busy schedule, including some personal time. Use a notebook or calendar. Do not delay. Do not procrastinate. I am very lucky to have a partner who is very supportive and who understands my passion. More importantly – everything you do is an investment in your future. So, give it your best to get the best for yourself.

It is also important to connect with professionals you admire. Ask questions, attend seminars and webinars, read as much as you can so the vocabulary of cyber is imprinted on your day-to-day life.

What subject(s) do you find most interesting and/or do you expect to be most useful?
Incident management and the business risks associated with the technology enablers an organisation adopts resonate with me.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I hugely admire John Borchi and his mission with the Federal Government as CISO at the Australian Digital Health Agency (ADHA). I would like to understand the threat landscape and the threat intelligence at the macro level.

How do you gain general information about the security industry?
I have kept in contact with many of my schoolmates and teachers. We have formed study groups where we gather and discuss or invite someone to the table to share their knowledge.

What involvement do you have in security outside your course?
I have now joined BDO in Australia, working in Cyber Business Operations. I also finished my traineeship last year and have undertaken a few freelance contracts. I also undertake voluntary projects, educating the older generation and teens on how to stay safe in the digital environment. I am a proud AWSN Brisbane chapter co-lead, changing the world for women like myself who have joined the cyber army.

What are your aspirations when you graduate?
• What role(s) would you like to take?
• What kind of organisation would you most like to work for?
I would like to keep growing in GRC and business advisory. I love the idea of being a trusted cybersecurity adviser. I imagine the role comes with a high price to be paid when incidents happen.

I have grown as a professional in a corporate environment, and I am happy to be able to work for a company where community and teamwork are important, where women are valued as much as men for their unique contributions. I would like to be able to offer assistance in NFP projects from time to time; giving back is vital to our cyber mission to help the most vulnerable.

What are your longer-term - five or 10 year - career aspirations?
Become the best version of myself. Become CISO in a company I admire, working alongside some of my colleagues from school who I trust and admire.

I would like to keep delivering cybersecurity seminars to young students, to encourage them to complete their studies and help them gain the confidence to apply for junior roles in which they would thrive.

Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions?
Being a woman in cybersecurity might not be the easiest thing one can do, but it is very rewarding to be in a non-traditional role. The best protection a woman can have is the courage that comes from pursuing her dreams.

I encourage other women and girls to jump in if they feel this to be their calling and not to be discouraged by the gender disparity. “Each time a woman stands up for herself she stands for all the women.” I would also like to touch on how important collaboration between companies and professionals is. We are all in the same fight together, fighting the invisible enemy.

Also, I sincerely hope that companies will learn to trust the newer members of the cybersecurity workforce, especially those like myself who have come from different industries and bring unique skills to cybersecurity.

www.linkedin.com/in/gabrielasorsa/
www.travelonlineconcierge.blogspot.com/
Source2Create Spotlight
Media The media landscape used to be easy and simple to navigate, now not so much. Delivering to your target audience the right message, through relevant media platforms and formats, with the right content, at the right time of their journeys to achieve maximum results is complex. At S2C, we can help you build a multi-touch decision making the journey to your customer persona, taking the complexity out of your hands.
REACH OUT TODAY
charlie@source2create.com.au
aby@source2create.com.au
www.source2create.com.au
Arifa Upola is in the final year of a Bachelor of Information Technology degree at Macquarie University, majoring in cybersecurity. She came to Australia three years ago as an international student from Bangladesh.

ARIFA UPOLA
Final year Bachelor of Information Technology Student at Macquarie University

What first piqued your interest in security?
After finishing my HSC I started studying computer science and engineering at a university in my home country but after a few semesters I realised I wanted to focus on a specific area. Hence I started to research different aspects of computer science and discovered an interest in networking and security. I also saw the career opportunities in cybersecurity and the opportunity to help companies and consumers. I also loved the fact that cybersecurity is a huge sector with many different career paths. I would definitely recommend cybersecurity to people who want to transition from other subjects.

To what extent have (a) the course and (b) the institution met your expectations?
The curriculum at Macquarie University is very flexible, but certain units are mandatory. This is helpful because it forces you to learn the important topics. Furthermore, there is a mandatory internship at the end of the course which I will be doing this semester. I believe this will be very beneficial for my career because it will help me gain some real-life experience. I love how the whole course has been designed with small segments and includes weekly exams, assignments, etc based on the lectures. Furthermore, flexibility to attend online lectures really helped with my job schedule.

What would you like to see done differently?
I would like to see more career fairs and other career-related workshops to help us in our job searches. I think the university should collaborate with more companies to create better opportunities for its students.

What is your approach to studying (time management, etc)? Any tips for other students?
I am a big fan of taking notes on paper and drawing diagrams of important topics. Because I am a visual learner this strategy really helps me to remember important information. And because I also hold part-time jobs, it can be hard to finish the work required from my lectures. I try to use the travel time on my way to work or university. It is critically important to take care of your mental health, because managing study, jobs and personal relationships can be difficult at times. Ask for help if you need it.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would choose a pen tester because I find what they do extremely intriguing, and I definitely see myself being a pen tester if I get the right opportunities.

What are your aspirations when you graduate?
After graduation I hope to gain a role as a junior cybersecurity analyst or information security analyst and then work my way up to either pen tester or cybersecurity project manager. I don’t have any preference for a specific organisation, but I would like to work for a company with a collaborative work environment and that promotes inclusivity.

How do you gain general information about the security industry?
I have gained most of my security knowledge from university and online sources. I like to educate myself continuously and connect with like-minded people. So I try to join as many security organisations as possible. I also like to read books, blogs and security-related magazines and watch YouTube videos to expand my knowledge.

What are your longer-term - five or 10 year - career aspirations?
After 10 years I see myself either working for myself or in a managerial position. I would also love to help younger people starting their security careers by sharing my knowledge via online courses or YouTube videos.

Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions?
At the moment I am studying for a Security+ certification because I love to learn new things and I believe this certificate will increase my chances of gaining a better job.

www.linkedin.com/in/arifa-upola
Pranjali Karve is a first-year Bachelor of Cybersecurity student at Deakin University. She grew up in Pune, India. She was a building architect before transitioning into cybersecurity in 2020, starting with a Certificate IV in Cybersecurity.

PRANJALI KARVE
Bachelor of Cybersecurity student at Deakin University

What first piqued your interest in security?
My husband, Niranjan Karve, has worked as a cybersecurity analyst for almost 20 years. When I was looking for a career change, he encouraged me to study cybersecurity.

Were you doing something else before you started studying security?
For over two decades I worked as an architect in the building construction industry and had very little to do with technology, apart from using the software required for designing and detailing architectural drawings. In that career, I acquired project management and customer service skills. Architecture taught me creative problem solving and a master’s degree in town planning honed my research skills. Starting a second career is very much like becoming a second-time parent. You know what to expect and are better prepared to deal with it. To someone transitioning into cybersecurity, I would say: if you have the will, there is always a way. Perseverance is key, and hard work is non-negotiable.

Can you briefly summarise your security career to date: how did you get into your current study program?
In 2020, for various personal and professional reasons, I decided to change careers. I was looking for a career that would be intellectually challenging, had prospects for career growth and would give me the opportunity to realise my potential while contributing to the world in a meaningful way.

I had been flagged by Mensa at the age of ten as being gifted and had confidence in myself based on successes in my past career. Even then, moving into a completely new career after years in one industry was a big risk, and I had trepidations. So, I decided to try out the free TAFE cybersecurity course. As it turned out, it was the best decision of my life. After completing Certificate IV, I was encouraged by my teachers to go back and teach. I completed a six-month training and assessment course and was fortunate to gain a position as a cybersecurity teacher at TAFE. I also enrolled in a Bachelor of Cybersecurity course at Deakin University, and I am halfway through the first year.

To what extent have (a) the course and (b) the institution met your expectations?
Deakin University is one of two universities in Victoria that offers a Bachelor of Cybersecurity. The course is giving me a solid foundation in all the skills a cybersecurity professional would require. It has inbuilt internship/industry placement, which is very important to help students get a foot in the door. The university also pays eligible students for industry certifications throughout the course. Certificate IV in Cybersecurity, offered free by TAFE, is a fantastic introduction to the world of cybersecurity.

What is your approach to studying (time management, etc)? Any tips for other students?
When it comes to time management, family support is very important. My family helps me with housework, cooking, cleaning and so many other things, so I can focus on my studies. Support of friends is crucial as well since they can help in so many ways.

From struggling to understand the concept of binary to achieving a high distinction at university, my journey as a student has taught me some important lessons. Start early, stay disciplined, take breaks when needed, put in the hard work and have confidence in yourself.

What subject(s) do you find most interesting and/or do you expect to be most useful?
I enjoy practising hacking and coding skills. I am also looking forward to learning cybersecurity management in my next term. This would tie together my past work experience with whatever opportunities present themselves in the future.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would like to spend a day with, and learn from, a malware analyst.

What involvement do you have in security outside your course?
I work as a casual teacher of cybersecurity at TAFE. I volunteered as a peer mentor at the university, assisting other students with their assignments. I have memberships with various organisations such as AWSN, AISA and Girl Geeks, and I attend webinars, seminars and events organised by these organisations as well as those by SANS, IRATE etc. I use learning platforms such as Pluralsight, Cybrary, edX, Codecademy, TryHackMe, Cisco Networking Academy and LinkedIn Learning for informal, personal study.

What are your aspirations when you graduate?
My long-term goal is to work as a cyber threat detection and response team lead. My short-term goal is to start my career as a SOC analyst to get a strong foundation, preferably securing my first job before I graduate in mid-2024. I hope to harness the power of mentoring in the coming year.

How do you gain general information about the security industry?
As a student I have come to realise it is essential to take control of your own knowledge acquisition and not rely completely on course or certification content. To do that, in addition to completing university assignments, I explore and research topics I find interesting using different resources such as Pluralsight, edX, GitHub and books from the library (a CAVAL card gives me access to all the university libraries in Victoria). I spend time keeping abreast of industry events and new CVEs through LinkedIn and other blogs; listening to podcasts such as Darknet Diaries, Risky-Biz and the cybersecurity weekly podcast from MySecurity Media; reading memoirs by people in the industry such as The Gift of Obstacles by Phillimon Zongo; attending webinars and events by SANS and AISA; talking to people in the industry; networking in organisations such as AWSN; practising hands-on hacking and coding skills on online platforms such as TryHackMe and Codecademy; and pretty much anything that will add to my knowledge of cybersecurity. The end goal is to acquire all the knowledge essential to fight cybercrime. Degrees, certification and self-study are all just means to an end.

Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions?
By the time I graduate, I will be in my mid 40s. I remember being 20 with my whole life ahead of me. I am conscious I now have a lot less time left to build a career. But you miss 100 percent of the shots you don’t take. So here I am, as excited for my new career as a 20-year-old would be.

www.linkedin.com/in/pranjali-karve
Aditi Sigroha graduated from La Trobe University in Melbourne in June 2020 with a Master of Cyber Security degree. She grew up in Chandigarh, India.
ADITI SIGROHA
Junior Security Analyst at Cynch Security
What first piqued your interest in security?
I obtained a bachelor’s degree in computer science from Kurukshetra University in India before embarking on my master’s in cybersecurity. A requirement of my bachelor’s degree was the completion of an internship. I did mine in the security department of India Bulls, an Indian conglomerate whose primary businesses are housing finance, consumer finance, and wealth management. That was my introduction to the wonders of cybersecurity. Towards the end of my internship, I knew I had found my passion and wanted to explore the field.
Were you doing something else before you started studying security?
• If so, what made you transition to the security industry? I was already working in IT, so there was no transition.
• Are there any skills that you have carried from your previous roles/studies? Soft skills like adaptability, communication and passion have helped me a great deal.
What advice would you give to someone thinking of entering this industry from a different background?
Be open to learning and focus on perfecting your skills. Keep an eye on the latest developments and stay updated.
How did you get into your current study program?
India lacked a cybersecurity education program at the level available in Australia, and I knew I needed to gain more skills and knowledge.
To what extent have (a) the course and (b) the institution met your expectations?
My expectations for the course and of the university have been exceeded.
• What do you like most? The opportunity to apply the knowledge gained. La Trobe has a dedicated cyber lab that is available to students like me whenever we need to use it.
What do you find
• most rewarding or fulfilling about your course? The units/subjects and diversification of topics followed up with lots of practical sessions.
• most challenging or unsatisfying about your course? For two semesters fortnightly classes were introduced as an experiment. These were challenging because they comprised a four-hour class followed by four hours of lab work.
What is your approach to studying (time management, etc)? Any tips for other students?
Attending classes and proactively engaging with new learnings really helps. With so much going on, it’s easy to find yourself in a situation of stress. My mantra “take one day at a time” really helped. Also, be open to collaborating with your peers.
What subject(s) do you find most interesting and/or do you expect to be most useful?
There were quite a few I would consider useful, but I particularly enjoyed Cyber Risk Management, penetration testing and computer forensics.
If you could spend a day with a security expert to learn about their role, what role would you choose?
I would choose that of chief information security officer.
What are your aspirations when you graduate? • What roles(s) would you like to take? I am presently a junior security analyst in governance risk and compliance • What kind of organisation would you most like to work for? I am currently working for a cybersecurity startup that aims to develop solutions for small to medium businesses. I think I would prefer to be in an organisation where I can make a difference, add value and work on creating new solutions customised to specific needs.
What are your longer-term - five or 10 year career aspirations? To grow into the role of CISO.
Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions? As an international female student my journey has had its ups and downs, but throughout I have learnt to take up any opportunity, reach out and make the most of it. www.linkedin.com/in/aditisigroha/
twitter.com/aditi_sigroha www.instagram.com/aditi_sigroha/
www.facebook.com/aditi.sigroha.7
Danielle Rosenfeld Lovell is studying for a Bachelor of Science majoring in computing and software systems (computer science with a software engineering overlay). She grew up in Brisbane, which she says was great, because it “has so much space and greenery.”
DANIELLE ROSENFELD LOVELL
Bachelor of Science Student at University of Melbourne
What first piqued your interest in security? I was already studying computer science and my first exposure to the idea of pursuing a career in infosec came from a talk delivered at a Linux user group meeting. My interest in infosec became more concrete after attending the first 0xCC conference in Melbourne, created to provide free cybersecurity training to women. Many of the people at that conference were incredibly encouraging and supportive. I felt I had found a community. I believe community to be really important when you’re starting out in any career.
Were you doing something else before you started studying security? If so, what made you transition to the security industry?
• Are there any skills that you have carried from your previous roles/studies?
• What advice would you give to someone thinking of entering this industry from a different background?
I was, and still am, a practicing nurse specialising in paediatrics. I made the decision to study computer science because many factors made a technical career appealing to me. I could see working in a technical career would help me make a broader impact than I could achieve as a nurse, even though I would be providing a different kind of value to people. I also felt strongly that I wanted to interact with many topics and industries. In security you get to learn a lot about the way different businesses and industries work, and I liked the idea of dabbling in domains other than health. For any “seasoned” worker looking to make a career change, I would really highlight that you do not lose what you learnt in your first career. Many of the core skills I have to offer security — being able to comprehensively research topics, assess the credibility of evidence, analyse high volumes of incoming information, interpret numeric data, recognise anomalies, and identify and prioritise time-critical tasks — come from my first career and are directly transferable to information security. Simply having prior experience of interacting professionally with colleagues and, potentially, consumers will set you up well for success in any industry.
Can you briefly summarise your security career to date: how did you get into your current study program? To date I’ve worked as an intern in the cyber team of a large consulting firm. It was an excellent opportunity to try on a few different hats and see what sort of specialisations there are in cybersecurity, and what working in some of them day-to-day might look like. In terms of my studies, I am very nearly a graduate! I don’t think the pathway into my degree course was overly complex. I was already a mature age student when I entered my second degree. One of my early challenges was getting the university to recognise my maths education, because many years had passed since I studied engineering maths. So, I had to take maths units after years of doing no maths. However, everything worked out in the end.
To what extent have (a) the course and (b) the institution met your expectations?
• What do you like most?
• What would you like to see done differently?
I have enjoyed the emphasis on computing more broadly, as opposed to cybersecurity. Some of the computer science specific content set me up very well for understanding more about the low-level aspects of how modern computers work, which I really wanted to understand in some depth. I would have loved to have been able to do more of my program face-to-face. I learn well independently, but I learn exceedingly well in social environments, and I really missed engaging with students and teaching staff more comprehensively in the way I did when studying for my first degree.
What do you find
• most rewarding or fulfilling about your course?
• most challenging or unsatisfying about your course?
The most fulfilling aspect of my course was that it made me reconsider my own capabilities. I used to believe I was not a particularly capable maths student and perhaps not sufficiently intelligent to study computer science or engineering. I’ve enjoyed crushing that assumption. The most challenging aspect of my course was being constantly very busy, because I worked “frontline” throughout the course. As a result, I was too time poor to appreciate the process of studying as much as previously. However, when I look back at what I managed under the circumstances I think, “I don’t know how I did that”, which is pretty cool.
What subject(s) do you find most interesting and/or do you expect to be most useful?
I wish I could have studied computer systems in more depth, because that was really where my interests lay. We were introduced to network protocols and operating systems, and I think those subjects will add considerable value to my skillset in information security.
What is your approach to studying (time management, etc)? Any tips for other students?
My study techniques really changed over this degree course, particularly because of COVID and remote learning. My typical approach to study has been to commit to blocks of up to two hours at a time, then go for a walk to clear my head and reflect on what I’ve learnt. I am a big fan of libraries and comparable spaces that allow you to mentally compartmentalise your study and other roles/functions. During COVID I tried to emulate that compartmentalisation by using noise isolating headphones to block out household noise, and I mostly used only one area in my apartment for study but tended to get up and move regularly. It wasn’t perfect, but it mostly got me through multiple semesters of remote learning. I write lots of paper notes, more because the act of note writing helps me to retain information than for future reference.
Many of us have heavy extra-curricular workloads these days, including having work or caring responsibilities. If so, getting straight high distinctions may not be a realistic possibility. Instead, you might have to prioritise the high value topics that will help you get through your exams. You might not be able to deep dive into everything. Instead, try to identify what’s achievable and important to you and really focus on those topics.
If you could spend a day with a security expert to learn about their role, what role would you choose?
I would love to spend some time with someone whose job involves incident response in really critical settings, particularly in organisations that maintain critical infrastructure. I would love to see how they approach crisis communications.
What involvement do you have in security outside your course?
a. part-time job?
b. volunteer role?
c. outplacement as part of your course?
d. member of security organisations?
e. informal, personal study?
In addition to completing a paid internship in a cyber consulting team, I was also a member of my university’s information security team throughout my degree, and a student member of AISA. I have also been part of the AWSN Cadets program for a couple of years. I’ve done some free or cheap courses on understanding security frameworks, using Linux including some basic BASH scripting, and an entry-level Azure certification. However, I’d say some of the most valuable uses of my time have been attending conferences. I was particularly delighted to attend my first BSides conference in Canberra in 2021. It was a great experience to be at an event with so many outstanding information security professionals who had different skills and interests.
How do you gain general information about the security industry?
• From your university?
• From friends and colleagues?
• From mentor(s)?
• Online sources?
I have been very lucky in that I’ve had people I could call upon to provide insights from the time I started my degree course. Over the past few years, I’ve been fortunate to have multiple mentors who were already in the industry, and they have been invaluable resources. Also, I cannot overstate the value of informal conversations with people for information about who’s hiring and what careers in cyber are like. I did not have pre-existing contacts in the industry but met a lot of people as a result of attending Meetups quite early in my studies. Also, the university clubs can provide a wealth of information about career options and graduate recruitment. I’ve been a club member and club executive. Firms interact directly with student clubs, so they are worthwhile joining, and making the effort to attend some events.
What are your aspirations when you graduate?
• What roles(s) would you like to take?
• What kind of organisation would you most like to work for?
Although I feel my aptitudes lend themselves well to working in a blue teaming role, where I would be interested in pursuing a career in digital forensics and incident response or threat intelligence, I am open to discovering what I do enjoy, or not enjoy, by doing. I’d also love to get some pentesting experience. It strikes me that, when I started my first career, I had very little idea of what different specialities would be like to work in before actually working in them. For example, I did not realise I would like working with children and young people until I started getting some incidental exposure to paediatric nursing in a rural general medicine and surgery ward. So, perhaps ask me again in a couple of years. That being said, at some point I would love to put my hand up for a management or technical lead role, because I do genuinely care about fostering a really supportive and nurturing work environment and would really like to get some experience in leadership in the future.
What are your longer-term - five or 10 year career aspirations?
I want to develop a rounded experience in the information security industry and try my hand at a couple of different things. As I mentioned earlier, I would really value getting some leadership experience. However, my 5-10 year plan is very much a work in progress. I’m just starting out and look forward to seeing where my preferences and aptitudes lie. In the wise words of Tim Minchin, on the occasion of his award of an honorary doctorate by the University of Western Australia, “be a teacher” is always a worthy aspiration once you have cut your teeth. So, by the time I’m somewhat more experienced I look forward to being able to train and mentor newcomers to the industry. I feel this to be one of the most deeply fulfilling things you can do in any job. It was my favourite aspect of my first career: I’ve trained both juniors and new parents to independently care for people.
www.linkedin.com/in/danielle-rosenfeld-lovell
EXPRESSION OF INTEREST SPONSORSHIP We invite your organisation to join with Source2Create and our partners to sponsor the 2022 New Zealand Women in Security Awards. Register your interest today for various sponsorship opportunities.
#2022WISAWARDS
LISA ROTHFIELD-KIRSCHNER
Author of How We Got Cyber Smart | Amazon Bestseller
Lisa is passionate about engaging children and their parents in a fun way to learn about keeping safe online. Endorsed by many leading experts and institutions including Family Zone, NSW Department of Education, and Australian e-Safety Commissioner. How We Got Cyber Smart is available at all good online bookstores.
In this issue of the Women In Security Magazine, we have created a fun activity for kids with an online security theme. Can you find the cyber smart words hidden in the How We Got Cyber Smart find-a-word puzzle? All the words relate to staying safe online, especially for kids and families. If you get stuck the answers are in the box on the side. Have fun and stay safe online.
Follow for more children’s cybersafety tips: www.linkedin.com/company/how-we-got-cyber-smart/
twitter.com/howwegotcybers1
www.facebook.com/howwegotcybersmart
If your school is interested in How We Got Cyber Smart please contact contact@howwegotcybersmart.com For partnership and sponsorship opportunities please contact lisa@howwegotcybersmart.com
How many online safety words can you find below?
PRIVACY
STRANGER
SOCIAL MEDIA
PASSWORD
ONLINE
RESPONSIBLE
MOBILE PHONE
CHAT
SECURITY
DEVICE
CYBERSMART
LAPTOP
TABLET
SURFING
UNCOMFORTABLE
PERSONAL
Recommended by Family Zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. AMANDA-JANE TURNER, Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist
2. DIONDRIA HOLLIMAN, CISSP, PMP
3. FATEMA HASHMI, Senior Security consultant at Telstra Purple, Unsung Hero Highly Commended Award winner at the 2021 Australian Women in Security Awards
4. DIANA SELCK-PAULSSON, Lead Security Researcher at Orange Cyberdefense
5. ARCHANA PURI, Security Assurance Manager at Harvey Norman, The One to Watch in IT Security Highly Commended Award winner at the 2021 Australian Women in Security Awards
6. DORIEN KOELEMEIJER, Cloud Security Engineer at Afterpay, Best Female Secure Coder Highly Commended Award winner at the 2021 Australian Women in Security Awards
7. ROBIN LENNON, MHRD, MSc Information Security; Human Factors Performance Lead at Scoutbee
8. SIMON CARABETTA, Cyber Communications Specialist, Male Champion of Change Award winner at the 2021 Australian Women in Security Awards
9. STEVE SCHUPP, Executive Director (WA), CyberCX, Male Champion of Change Highly Commended Award winner at the 2021 Australian Women in Security Awards
10. DEBRA CHRISTOFFERSON, CISSP, CISM and CCSK
11. TRAVIS QUINN, Principal Security Advisor, Trustwave & PhD Candidate, UNSW
12. TAYLA PAYNE, Cybersecurity – Cloud, Strategy & Risk Associate, IBM A/NZ
13. AMIT GAUR, Cybersecurity – Cloud, Strategy & Risk Executive, IBM A/NZ
14. ANU KUKAR, Associate Partner, Cybersecurity - Cloud, Strategy & Risk, IBM Australia and New Zealand; Director, Arascina; IT Security Champion winner at the 2021 Australian Women in Security Awards
15. MEGHAN JACQUOT, Associate Cybersecurity Threat Intelligence Analyst, Recorded Future
16. MADHURI NANDI, IT Security Manager, Till Payments
17. ASMITA GOVIND, Account Manager for Technology Recruitment at Sirius Technology
18. POOJA SHIMPI, Regional Business Information Security Officer (BISO), APAC at State Street Bank & Trust
19. NICOLLE EMBRA, Cyber Safety Expert, The Cyber Safety Tech Mum
20. KAREN STEPHENS, CEO and co-founder of BCyber
21. LAURA JIEW, AWSN Marketing & Social Media Lead
22. ANKITA DHAKAR, Managing Director at Security Lit and Founder & Chief Cyber Warrior at Cyber Cosmos World
23. DELLA WEIER, Junior Privacy Consultant at Ground Up Consulting
24. NICOLE STEPHENSEN, Director and Principal Consultant at Ground Up Consulting
25. VIDYA MURTHY, Chief Operating Officer at MedCrypt
26. BROCK RODERICK, Founder of Education Arcade
27. SAI HONIG, CISSP, CCSP, Co-founder New Zealand Network for Women in Security
28. ALEX NIXON, Vice President Cyber Risk at Kroll
29. CRAIG FORD, Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at the 2021 Australian Women in Security Awards
30. MARISE ALPHONSO, Information Security Lead at Infoxchange
31. SHRUTIRUPA BANERJIEE, Security Professional and Learner
32. MEL MIGRINO, Chairman and President of Women in Security Alliance Philippines (WiSAP)
33. GABRIELA SORSA, Cyber Business Adviser | AWSN Brisbane Chapter Lead, Best Security Student Special Recognition award winner at 2021 Australian Women in Security Awards
34. ARIFA UPOLA, Final year Bachelor of Information Technology Student at Macquarie University
35. PRANJALI KARVE, Bachelor of Cybersecurity Student at Deakin University
36. ADITI SIGROHA, Bachelor of Cybersecurity Student at Deakin University
37. DANIELLE ROSENFELD LOVELL, Bachelor of Science Student at University of Melbourne
38. LISA ROTHFIELD-KIRSCHNER, Author of How We Got Cyber Smart | Amazon Bestseller
39. GYLE DEL CRAUZ, Senior Security Consultant - Incident Response
40. JOCASTA NORMAN, Senior Analyst at SEEK
41. CHERYL WONG, Security Culture & Change Management Lead
42. MALLORY (MAL) V, DFIR Specialist, currently on a career break
43. JADE LOVELL, Head of Communications at CyRise and cybersecurity student at the University of Adelaide
TURN IT UP
REBOOT CYBER WITH AVERTRO | THE BOARDROOM SERIES
By Avertro
A series of discussions with cyber leaders and senior executives breaking down the issues, solutions, and innovations surrounding cybersecurity and their executive leadership teams.
WOMEN AT WORK
By Harvard Business Review
HBR staffers Amy Bernstein, Amy Gallo, and Emily Caulfield unearth some of the knottiest problems faced by women. They interview experts on gender, tell stories about their own experiences, and give advice on how to deal with it.
BUSINESS BIG BANG THEORY
By The Business Centre
Hear conversations between The Business Centre team and key industry experts on all things small business, regardless of what stage of business you are in.
CYBER SECURITY INSIDE
By Tom Garrison and Camille Morhardt
In this podcast, Tom Garrison and Camille Morhardt discuss relevant cyber security topics in clear, easy to understand language. Intended for security experts and businesspeople alike, the podcast features industry leaders discussing today’s most important and timely security topics.
CYBER SECURITY SAUNA
By F-Secure
Cyber Security Sauna features expert guests with sizzling insight into the latest information security trends and topics. F-Secure’s Janne Kauhanen hosts the show to make sure you know all you need to about the hotter-than-ever infosec game.
CYBER SECURITY UNCUT
By Momentum Media
Cyber Security Uncut features key influencers, their stories, and the emerging technology that’s contributing to Australia’s resilience, security and growth. As Australia moves forwards in its transition to a digital future, learn how businesses, governments, and our armed forces are tackling the growing threat of cyber attacks.
REWORKED: THE DIVERSITY AND INCLUSION PODCAST
By EW Group
Listen in as the EW Group team interviews leaders in diversity and inclusion, discussing best practice and wellbeing tips. Learn how you can rework your company culture to make it more inclusive.
THE WILL TO CHANGE: UNCOVERING TRUE STORIES OF DIVERSITY & INCLUSION
By Jennifer Brown
Everyone has a diversity story, even those you don’t expect. Hear from leading CEOs, bestselling authors and entrepreneurs as Jennifer uncovers their true stories of diversity and inclusion.
CLICK HERE
By The Record Media
Listen to Click Here, where Dina Temple-Raston dives deep into everything from ransomware to misinformation to the people shaping the cyber world, from hacking masterminds to the people who try to stop them.
DIVERSITY DEEP DIVE
By Audra Jenkins
Diversity Deep Dive features insights and uplifting stories of resilience and perseverance against the odds. The podcast aims to dispel stereotypes, tackle biases, and provide best practices for achieving greater cultural competence.
RISKY BUSINESS
By ITRadio.com.au
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. It’s a must-listen digest for information security pros and is a security podcast without the waffle.
COFFEE AND BEER | TECH4EVIL PODCAST
By Manal al-Sharif and Reinhardt Sosin
Join Manal and Reinhardt as they cover the latest news and developments from around the world. It’s the perfect podcast for people interested to see what Big Tech, Social Media Giants and other evildoers are up to.
OFF THE SHELF
CONFIDENT CYBER SECURITY: HOW TO GET STARTED IN CYBER SECURITY AND FUTUREPROOF YOUR CAREER
Author // Jessica Barker
Confident Cyber Security is written by Dr Jessica Barker. This jargon-busting guide will give you a clear overview of the world of cyber security. Exploring everything from the human side to the technical and physical implications, this book takes you through the basics: how to keep secrets safe, how to stop people being manipulated and how to protect people, businesses and countries from those who wish to do harm. Featuring real-world case studies from organizations and people such as Disney, the NHS, Taylor Swift and Frank Abagnale as well as entertainment, property, social media influencers and other industries, this book is packed with clear explanations, sound advice and practical exercises to help you understand and apply the principles of cyber security. With a dedicated section on what it could mean for you, let Confident Cyber Security give you that cutting-edge career boost you seek.
INVISIBLE WOMEN: DATA BIAS IN A WORLD DESIGNED FOR MEN
Author // Caroline Criado Pérez
Data is fundamental to the modern world. From economic development to healthcare, to education and public policy, we rely on numbers to allocate resources and make crucial decisions. But because so much data fails to take into account gender, because it treats men as the default and women as atypical, bias and discrimination are baked into our systems. And women pay tremendous costs for this bias, in time, money, and often with their lives. Celebrated feminist advocate Caroline Criado Perez investigates the shocking root cause of gender inequality and research in Invisible Women, diving into women’s lives at home, the workplace, the public square, the doctor’s office, and more. Built on hundreds of studies in the US, the UK, and around the world, and written with energy, wit, and sparkling intelligence, this is a groundbreaking, unforgettable exposé that will change the way you look at the world.
NAVIGATING THE CYBERSECURITY CAREER PATH: INSIDER ADVICE FOR NAVIGATING FROM YOUR FIRST GIG TO THE C-SUITE
Author // Helen E. Patton
Finding the right position in cybersecurity is challenging. Being successful in the profession takes a lot of work. And becoming a cybersecurity leader responsible for a security team is even more difficult. In Navigating the Cybersecurity Career Path, decorated Chief Information Security Officer Helen Patton delivers a practical and insightful discussion designed to assist aspiring cybersecurity professionals entering the industry and help those already in the industry advance their careers and lead their first security teams. Perfect for aspiring and practising cybersecurity professionals at any level of their career, Navigating the Cybersecurity Career Path is an essential, one-stop resource that includes everything readers need to know about thriving in the cybersecurity industry.
WOMEN AND LEADERSHIP: REAL LIVES, REAL LESSONS
Author // Julia Gillard & Ngozi Okonjo-Iweala
An inspirational and practical book written by two high-achieving women, sharing the experience and advice of some of our most extraordinary women leaders, in their own words. Women and Leadership takes a consistent and comprehensive approach to tease out what is different for women who lead. Women and Leadership presents a lively and readable analysis of the influence of gender on women’s access to positions of leadership, the perceptions of them as leaders, the trajectory of their leadership and the circumstances in which it comes to an end. By presenting the lessons that can be learned from women leaders, Julia and Ngozi provide a road map of essential knowledge to inspire us all, and an action agenda for change that allows women to take control and combat gender bias.
A LEADER’S GUIDE TO CYBERSECURITY
Author // Thomas J. Parenty
Protection against cyberattacks can’t be treated as a problem solely belonging to an IT or cybersecurity department. It needs to cast a wide and impenetrable net that covers everything an organization does, from its business operations, models, and strategies to its products and intellectual property. And boards are in the best position to oversee the needed changes to strategy and hold their companies accountable. Not surprisingly, many boards aren’t prepared to assume this responsibility. In A Leader’s Guide to Cybersecurity, Thomas Parenty and Jack Domet, who have spent over three decades in the field, present a timely, clear-eyed, and actionable framework that will empower senior executives and board members to become stewards of their companies’ cybersecurity activities. Filled with tools, best practices, and strategies, A Leader’s Guide to Cybersecurity will help boards navigate this seemingly daunting but extremely necessary transition.
THE GIFT OF OBSTACLES: A MEMOIR OF GRIT, GRACE AND GRATITUDE
Author // Phillimon Zongo
Zimbabwean Phillimon Zongo lived in squalor with two of the township’s toughest prostitutes when he was a teenager. He topped his class and became the first to graduate from university in his family. Zongo migrated to Australia in 2007, armed with $300 and boundless ambition. But the belief that his odds to succeed in Australia as a young African were wafer-thin proved all too crushing. In 2011, he sold everything and returned to Zimbabwe. But a strange twist of fate forced Zongo to return to Australia in 2012. A mindset shift ignited a whirlwind run of success. Zongo published a bestselling book, won multiple global awards, co-founded the Cyber Leadership Institute, and keynoted events alongside the former Head of FBI cyber-crime division. This poignant, hilarious and impeccably written memoir, spanning Savannah grasslands, Harare ghettos, Australia and beyond, proves the remarkable power of education and grit to defeat poverty and despair.
SURFING THE NET
TRANSMIT SECURITY BLOG
By Transmit Security
Transmit Security blog discusses all things in the world of identity security, orchestration and authentication. You can stay up-to-date with the latest IAM news, industry insights and emerging technologies from Transmit Security.
DA VINCI CYBERSECURITY BLOG
By Da Vinci Cybersecurity
The Da Vinci Cybersecurity blog covers articles related to cyber security, cybercrime, data breaches, phishing, ransomware and scams. Read about cyber security across varied industries, how cybercrime is increasing and what we can do to protect our business ecosystems.
TREND MICRO SIMPLY SECURITY
By Trend Micro
Trend Micro’s Simply Security News, Views, and Opinions provides breaking security research and threat news that affects your life on a daily basis.
THE LEADER’S DIGEST
By Suzi McAlpine
Suzi McAlpine’s blog The Leader’s Digest is widely recognized as one of the top leadership blogs in the world. Her posts include advice on everything from delivering bad news to managing up to productivity hacks for leaders.
UNTAPPED BLOG
By Untapped
Untapped helps companies track their Diversity and Inclusion goals, and aims to help organisations build diverse teams. Their blog focuses on providing readers with the latest industry news, diversity and inclusion best practices, hiring tips and more.
AWAKEN BLOG
By Michelle Kim, Awaken
Awaken Blog is the brainchild of Michelle Kim, co-founder of Awaken, a training company focused on Diversity and Inclusion. The blog’s mission is to create a compassionate space for uncomfortable conversations to develop inclusive leaders and teams.
TECHINCLUSION BLOG
By Melinda Briana Epler, Change Catalyst
TechInclusion is a blog focused on exploring innovative solutions to tech diversity and inclusion developed by Change Catalyst. Founded by Melinda Briana Epler, the blog looks thoroughly at the challenges of Inclusion in tech jobs.
LEADINGBLOG
By Leadership Now
Leadership Now was started in 1980 by Michael McKinney as an information source for leadership knowledge. Leading Blog has a huge archive of blog content, dating back 15 years. The blog offers a wide range of content to promote leadership thinking and training.
WOMEN ON BUSINESS BLOG
By Susan Gunelius, KeySplash Creative
Women on Business is owned by the author, speaker, and President & CEO of KeySplash Creative, Inc., Susan Gunelius. With a team of diverse contributors, Women on Business delivers valuable information as well as career and educational resources to an audience of businesswomen working in all areas of business, from solopreneurs to corporate executives, across the globe.
IMMUNIWEB SECURITY BLOG
By ImmuniWeb
Read daily posts by ImmuniWeb’s cybersecurity experts about web application security, compliance, and cybercrime.
THE 2022 AUSTRALIAN WOMEN IN SECURITY AWARDS Don’t miss Australia’s largest security awards of the year! Want to be part of it? Register your interest today by contacting aby@source2create.com.au