08
MAY • JUNE
WHO RUNS the WORLD
WWW.WOMENINSECURITYMAGAZINE.COM
FROM THE PUBLISHER

Who Runs The World?

If you’re a fan of Beyonce, you already know the answer. It’s girls (girls) – but it’s no joke.

“I’m repping for the girls who taking over the world,” she sings.

“Help me raise a glass for the college grads… I work my nine to five, better cut my check!”

Beneath the catchy lyrics is an all-too-true point: women are hardworking, have career aspirations, care about their appearances, and know what they want.

They strive to seize it all, while holding down their families, their mental health, and their home life.

(Yes, we see the many men that are doing the same – but I haven’t found a song yet that says it so eloquently).

While researching this issue’s theme, I was pleasantly surprised to see just how true this is. All over the world, women are distinguishing themselves in ways that would have never been possible 50 years ago or, in many places, even 20 years ago.

Women are running countries – consider female presidents and prime ministers such as New Zealand’s Jacinda Ardern, Estonia’s Kaja Kallas, Iceland’s Katrin Jakobsdottir, Finland’s Sanna Marin, Denmark’s Mette Frederiksen, Norway’s Erna Solberg, Nepal’s Bidhya Devi Bhandari, Chile’s Michelle Bachelet, Germany’s Angela Merkel, Namibia’s Saara Kuugongelwa, and Taiwan’s Tsai Ing-wen.

The world recently farewelled Madeleine Albright, an American diplomat and political scientist who served as the 64th United States secretary of state under President Bill Clinton, first female U.S. Secretary of State and the highest-ranking woman in the history of the U.S. government.

Then there are the legends of politics and industry – women like Joan Clarke, an English cryptanalyst known for her work as a code-breaker at Bletchley Park during the Second World War; ‘first lady of naval cryptology’ Agnes Meyer-Driscoll, an American cryptographer who was known as ‘Miss Aggie’ or ‘Madame X’; Ada Lovelace, an English mathematician and writer, chiefly known for her work on Charles Babbage’s proposed mechanical general-purpose computer, the Analytical Engine.

And don’t forget Rebecca “Becky” Gurley Bace, an American computer security expert and intrusion detection pioneer who spent 12 years at the US National Security Agency where she created the Computer Misuse and Anomaly Detection research program. She was known as the “den mother of computer security”.

And for all the lamentation about the IT gender gap, women are distinguishing themselves in IT areas such as cybersecurity, privacy, innovation, defence, and more. Consider Caroline Millar, deputy secretary for national security; Jen Easterly, recently promoted to lead the US Cybersecurity and Infrastructure Security Agency (CISA); Australian Signals Directorate director-general Rachel Noble; ‘security princess’ Parisa Tabriz, who serves as director of engineering at Google; Electronic Frontier Foundation director of cybersecurity Eva Galperin; video-game designer and researcher Brenda Laurel; and so many more.

I could go on for days, weeks, and months with lists of the amazing leading women helping us achieve greatness in the world, but I think I have made my point.
WOMEN IN SECURITY MAGAZINE
28.04.2022
Despite their achievements, however, these inspiring women don’t get near enough attention in the media. So why don’t they get the raves they deserve?

I stumbled across a film that seeks to address the gap, called The Empowerment Project: Ordinary Women Doing Extraordinary Things. Directed by Sarah Moshman, the crew interviews extraordinary women to explore its core idea that women can do anything they aspire to – whether it be mathematician, pilot, astronaut, ballerina, chef, architect, or US Navy four-star admiral.

“There are so many amazing female role models out there, and the film is simply a way for us to share these stories with audiences all across America so they can be inspired to see possibility in these women’s realities,” said producer Dana Michelle Cook.

“We want our next generation of women to believe there is no dream too big, no idea too grandiose, and that it’s our own unique journey of following a dream that makes us who we are and gives us purpose in our lives.”

“On our personal journey of this film, we learned to say and live our dreams out loud – and there’s nothing more rewarding than that.”

Rewarding, indeed. We need to make more noise about the achievements of women in our industry – and not just on International Women’s Day, but every day. We need to make sure we don’t forget the names of the women that are distinguishing themselves every day by living their dreams out loud.

We need to provide more than just one role model for the next generation to look up to, so they too can see that there are some really cool things that you can do in our industry. I hope this issue shines a light on this theme.

And if I may be so bold, I encourage you to nominate for our Australia and New Zealand Women in Security Awards, so that we can share the stories of today’s achievers and make some more noise about the women working hard to rule their worlds.

And, with that, I might let Queen B close out this column.

“This goes out to all the women getting it in, you on your grind / To all the men that respect what I do, please accept my shine… / Endless power / With our love we can devour / My persuasion / Can build a nation”
Abigail Swabey PUBLISHER, and CEO of Source2Create www.linkedin.com/in/abigail-swabey-95145312/
aby@source2create.com.au
CONTENTS

PUBLISHER’S LETTER

WOMEN ARE DRIVING THE GLOBAL PRIVACY AGENDA
WOMEN ARE LOCKING DOWN GAINS IN PROTECTIVE SECURITY
WOMEN ARE SETTING THE CYBERSECURITY AGENDA
WOMEN ARE TAKING THE FIGHT TO DEFENCE
WOMEN ARE TEACHING AI HOW TO BE DIVERSE

COLUMN
Instagram based scams
Don’t ask who runs cyber. Ask who should run cyber
Teaching through stories

WHAT’S HER JOURNEY?
Samantha Lengyel
Mel Migrino
Deepa Amrat-Bradley
Shrutirupa Banerjiee
Tayla Payne
Julia De Salvo
Natasha Hallett
Vidya Murthy
Teena Hanson
Michelle Gatsi
Ela G. Ozdemir

TALENT BOARD

CAREER PERSPECTIVES
Diverse leadership perspectives
Certifications: What are they for?
Successful change starts with your brain’s wellbeing
Navigating a cyber career and becoming a female leader
What you can do in cyber security, with a degree that isn’t in it
Diversity-by-design: Pipelining cyber security talent, three practical ways to get involved

JOB BOARD

INDUSTRY PERSPECTIVES
In cyber, language is the weapon of choice
Better together: agency, advocacy, and being a good mentor in cyber security
Supportive communities help you run your world
Hedy Lamarr - more than a famous actress
Preventing cybersecurity burnout: need of the hour
Let’s get more collaborators to solve the evolving cyber security puzzle
Who runs the world?
Why supporting female emerging leaders today is critical for the future
Who runs the world

TECHNOLOGY PERSPECTIVES
300 spartans security defenders
Sitting ducks
Harnessing a digitally democratic metaverse
Ransomware as a service
Gentlemen prefer Encryption: Protecting data in a post-pandemic world

STUDENT IN SECURITY SPOTLIGHT
Charlotte Kohler
Elena Scifleet
Valentina Corda
Abigail Fitzgerald

THE LEARNING HUB
TURN IT UP
OFF THE SHELF
SURFING THE NET

MAY • JUNE 2022

FOUNDER & EDITOR: Abigail Swabey
ADVERTISING: Abigail Swabey, Charlie-Mae Baker, Vasudha Arora
JOURNALISTS: David Braue, Stuart Corner
SUB-EDITOR: Stuart Corner
DESIGNER: Jihee Park

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine.

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.
WOMEN ARE DRIVING THE GLOBAL PRIVACY AGENDA

by David Braue

Privacy achieved gender parity years ago – and why wouldn’t it?

Petruta Pirvan had something of a baptism by fire after she began working as group data privacy compliance officer at Moller-Maersk in late 2018, just a year after the global shipping giant was brought to a standstill by the NotPetya cyberattack.

As the company worked to right its operations and clean up its data-security practices, Pirvan was charged with creating a global data protection compliance program – including establishing an organisational privacy vision and mission statement, developing e-learning policies and guidance, and more – to embed a ‘privacy by default and design’ approach into the company’s DNA.

The data breach “was the point that enlightened [Maersk] and its management, and that was the point where they decided to invest in data protection,” Pirvan told Women in Security Magazine.

“While I was there, there was still a struggle for the company to understand the value of protecting data and the value of privacy – and many companies are having that confusion and aren’t that enlightened about privacy concepts and terminology. It’s very complicated for a company to see the competitiveness element in data protection.”

The privacy overhaul was a massive three-year undertaking that gave Pirvan, who had previously worked in data privacy law with Accenture, a chance to apply her expertise at an industrial giant in desperate need of her help.

Now working as a senior privacy consultant with Amsterdam-based Wrangu and an advisor at the Institute of Operational Privacy Design, Pirvan said small businesses often find it “much more straightforward” to understand the importance of respecting customers’ data privacy – but larger companies, long accustomed to B2B operations, still struggle to approach privacy in a B2C way.

“It’s much more complicated to make the switch to more enhanced data privacy and data protection,” she said, “but they need that approach to survive and compete in the market.”
A well-regarded privacy professional, Pirvan’s expertise has helped many companies make the transition – and she’s in great company within a field that has proven particularly welcoming and accessible to women.

A BALANCED PLAYING FIELD – BUT WHY?

Indeed, despite ongoing difficulties in closing the gender gap across cybersecurity and other technical areas, privacy practitioners have enjoyed an industry with a remarkably level gender balance: the International Association of Privacy Professionals (IAPP) reported a 50:50 gender balance as early as 2015.

At that time, the rush towards GDPR compliance actually saw European women out-earning their male counterparts – earning a median salary of $US100,100 against $US92,600 for men.

That rare situation has not been replicated globally, however, and the 2021 IAPP figures showed that men are earning 9% more than women globally, on average – and 14% more in the US, where privacy remains a particularly fragmented and challenging environment.

But just what makes privacy so well suited for women?

The fact that 90 per cent of privacy professionals were working from home, as of March 2021, can’t have hurt the appeal of privacy roles, with half of the privacy professionals expecting to maintain a hybrid work arrangement in the long term.

Yet women’s strong showing in the privacy industry likely stems from other factors, too – not the least by reports that the work is interesting, driving an average satisfaction rating of 7.3 out of 10.

Many privacy professionals emerged from less-technical careers in law and consulting, where women often bring a conceptual framing that helps them apply privacy across a range of operations.

Pirvan cited the strong examples set by women such as Margrethe Vestager – a former Danish education minister and Parliamentarian who is leading privacy and other digital policy formation as executive vice president of the European Commission – and US Federal Trade Commission chair Lina Khan, a former law professor spearheading complex efforts to find common ground between federal and state privacy obligations.

“There is a good representation of women in privacy,” Pirvan said, “and these are powerful voices that prove we need women in privacy.”

ATTRACTING WOMEN TO PRIVACY

More than in most industries, the strong position of women in privacy has created opportunities to engage with potential new women colleagues – building mentorships and other relationships that often become recruitment opportunities.

Relationship building “is probably the biggest skill in my role, and has allowed me to be successful,” said Talya Parker, a privacy engineer at Google who got into privacy a decade ago on the recommendation of a peer mentor.

Parker quit her full-time job in banking and took a four-month internship in another city, learning everything she could in the privacy space before moving into a consulting role at Deloitte.

Working in privacy, she explained during a recent SANS Institute International Women’s Day webinar, “opened up a world of opportunities for someone like me, with my skill set, to interject myself and provide some immediate value.”

Yet visibility is crucial to attracting women to any industry, and Parker recognised the lack of minority women in similar roles meant “there was not a lot of awareness about what these roles look like because we typically see white males in these roles – and that’s not something minority women want to aspire to.”
Parker founded the diversity advocacy group Black Girls in Cyber to address a yawning gap within the industry – and has quickly discovered her talent for relationship building.

Coaching sessions, casual lunch catchups, mentorships, and ongoing efforts to maintain relationships that are more than “transactional” have helped Parker share her love of the field with women who, she said, “are more willing to open up… when they see that you take their time very seriously.”

“Women are naturally introverted and I just kept my head down,” she recalled, “but sometimes that’s not enough: even if you do good work, you have to learn how to advocate for yourself – and I realised that no one else would be able to advocate for me, more than me.”

“We have a responsibility to look back to others to share, to create awareness, and to bring as many people as we can with us.”

Advocacy for privacy careers may indeed be crucial for women, given the privacy industry’s current struggles with an expanding understaffing crisis.

Just 8% of privacy practitioners in ISACA’s recent Privacy in Practice 2022 survey said they have five or fewer years of experience in privacy, while the percentage of understaffed companies increased significantly over the last year.

Fully 46% of companies this year said their legal/compliance privacy teams don’t have enough staff and 55% said the same about their technical teams – up from 33% and 46%, respectively, in 2021.

Privacy responsibility was spread across a range of executives – and while 37% said privacy was handled by CIOs or CISOs, the remainder said privacy was delegated to non-technical executives such as CEOs, board members, chief compliance officers, or the chief privacy officers now found in 21% of companies.

There are clearly many roads to a privacy career – and with companies falling so far behind the curve on privacy, the opportunities for interested women may never be greater.

AUSTRALIAN OPPORTUNITIES

Australia’s growing focus on privacy has created similar opportunities on our shores, where federal privacy commissioner Angelene Falk has proven so adept at balancing overwhelming privacy and other responsibilities that she was recently described as a “one-armed juggler”.

With the increasing accumulation and analysis of data creating new privacy challenges daily, the need to temper new online services with clear privacy practices has made this “probably the most exciting time” to be in privacy, says Nicole Stephensen, a privacy consultant with Brisbane-based Ground Up Consulting who laughs that “I’ve been in this career that long because it’s just not boring.”

Increasing awareness in recent years means privacy “is no longer the poor cousin to information security,” said Stephensen, who is in high demand helping businesses whose privacy practices are often weak after spending years focused on cybersecurity.

“When I started my career, information security was the sexy place to be, because the technology was starting to bloom,” she said, “but now we’re seeing information security and privacy going hand in hand. You can have security without privacy, but you can’t have privacy without security.”

Privacy as an industry offers great opportunities for women from all kinds of careers, Stephensen said, noting that “you don’t have to be a lawyer to be a great privacy person; if you are trained in principle-based decision making, you can do privacy.”

“There is a difference with cybersecurity, which is much more male-dominated,” she continued, “but I don’t feel that I’ve been disadvantaged in this profession.”

“I’ve always been taken seriously, and – by not myself treating privacy as something male-dominated – I’ve been able to offer myself as a mentor and give women a great opportunity to explore privacy as a career and to be very successful in it.”
COLUMN

AMANDA-JANE TURNER

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy-to-understand manner, to help everyone become more cyber safe.

Instagram based scams

Instagram is a popular way for individuals and businesses to share photos, videos and information with their followers. Thanks to its popularity, Instagram is also a popular target for cybercriminals. Look out for these scams that will allow criminals to take over your Instagram accounts, defraud you or disrupt your business.

INSTAGRAM CREDENTIAL PHISHING

This may take the form of emails that appear to be from Instagram, Instagram direct messages, or posts on Facebook that direct you to ‘log in’ to your Instagram account. The messages may say your account is being deleted unless you verify it, that a friend needs help logging in or that you have breached someone’s copyright. Phishing posts on Facebook may urge you to click through the link to see important information about your area of interest or to log into Instagram via a provided link to view a photo.

INVESTMENT SCAMS

Criminals may create Instagram accounts, or use accounts they have compromised, and share photos of themselves in expensive clothes or at exotic locations to convince people they are rich. They may share photos and comments about a new investment opportunity they are happy to share with you, their followers, so you can be rich like them. Once they have a person on the hook they will ask for funds for the investment. Of course, once they have enough money from their victims, or are close to being found out, they disappear with your money never to be seen again!

ROMANCE FRAUD

Fraudsters will go to great lengths to build rapport and trust with their victims. On Instagram they may regularly comment on, or react to your photos, follow you, then start to send direct messages to you. They will eventually share messages of affection and romantic feelings with their targets and, once they have someone engaged with their fraudulent narrative, will start asking for money for a sick relative, for an air ticket to visit or some other emotive reason.

HOW TO STAY SAFER USING INSTAGRAM

• Enable multifactor authentication on your account.
• Use a unique and complex password.
• Be cautious about messages from people you do not know.
• Check what third-party applications have permission to connect to your Instagram account.
• Ensure the photos you upload do not show your address or other sensitive information.
• Be cautious of what you are logging into: is it really Instagram, or is it a phishing page?
• If something sounds too good to be true it probably is.

Cybercrime is big business. We need to work together to stay safer from it.

This column is dedicated to the memory of two very good men: my friend Kyle Maher (1989-2021), and my Dad Gordon Turner (1925 – 2022)

www.demystifycyber.com.au/
WHAT’S HER JOURNEY?

Samantha Lengyel
CEO at Decoded.AI

“Any woman trying to become a cyber security founder is already fighting against the odds.” That’s the candid truth from Samantha (Sam) Lengyel, CEO and co-founder of artificial intelligence (AI) integrity company, Decoded.AI. She’s not wrong. Women remain vastly underrepresented in cyber security with less than one in four cyber employees identifying as female.

Given those statistics, it is perhaps surprising that Sam is part of a thriving community of female business founders at CyRise, a cyber security venture accelerator program backed by NTT and Deakin University.

Sam argues her success as a cyber security founder comes not only from being ‘good at tech’ but also from leveraging the set of diverse skills needed to lead and manage a business.

“I was never on the ‘tech track’: I fell into it by necessity,” she says. “Technology, coding, even cyber security, were never described as career options for me. I never played video games, so I wasn’t exposed to computers to have fun. Technology was presented as a tool, not something to engage with.”

But that experience became the inspiration for her company, Decoded.AI, which seeks to build a stronger connection between the creators of technology and those who use it. “It keeps us up at night that technology with the capacity to change the world is still behind walls, simply because teams cannot easily understand their work,” says Sam.

Sam began to see the disconnect between AI and its users after asking a team to describe how its AI technology had calculated a particular result. It quickly became apparent the team was unable to easily explain, audit and verify the trustworthiness of the results. An AI model could be outputting incorrect or unrepresentative results—a problem sometimes known as ‘AI bias’—and users would be unable to tell they had a problem.

“There was a fundamental need to ‘cross the chasm’: to connect artificial intelligence and machine learning technologies to the people they would affect,” she says.

After being drawn to build artificial intelligence tools through a desire to connect and communicate, Sam quickly hit a wall. She did not know how to code and needed that skill to build the tools she envisaged. She set to work teaching herself and credits her background in linguistics with giving her a useful learning framework. “With a mission, learning to code is really not that different from learning a new language,” she says.

Sam’s first taste of entrepreneurship was at the Canberra CyRise cyber Bootcamp in 2019 which encouraged aspiring founders to test their ideas. This whetted her appetite to develop her AI concept into a business and she was accepted into the Griffin Accelerator, a three-month intensive coaching and mentoring program with funding for selected ACT businesses. Sam, along with CTO and co-founder Josh Fourie, got to work building a tool that could see ‘under the hood’ of AI/ML models. Two years later their hard work paid off and Decoded.AI earned a highly sought-after place in the CyRise accelerator.

Today, Decoded.AI’s technology makes artificial intelligence and machine learning computations easy to understand allowing businesses to get insights into how an algorithm is generating its results. Because AI is often deployed by businesses to make sensitive decisions such as how much a person can borrow and their risk of committing a crime, understanding the inner workings of AI models has become a top priority for many policymakers.

Also, AI models sit behind many of today’s cyber security tools and can be trained to detect malware and a variety of cyber threats, but their effectiveness depends on identifying any blind spots before those can be exploited by an attacker.

Sam attributes her early success as a cyber security startup founder to her creativity and desire to communicate, skills that are increasingly recognised as critical for cyber security. She argues that by simply reframing the way we describe cyber security, we can encourage more women to get involved.

“I am not sure that cyber has ever escaped the warrior culture. When you read a cyber textbook or the marketing material of a lot of cyber companies, they are patterned with military and combat analogies,” she says. “That aggressive narrative will pull in a certain type of person but may make others more reluctant to try and pry open the door to the industry.”

Being a cyber security founder involves sitting at the intersection of technology and business and often demands a broad set of skills and experience. Sam argues that coming into the industry from outside the tech sector has given her unique tools for success.

“Decoded.AI is about bringing people together, making it easier to communicate across silos and building trust in artificial intelligence by creating safer, better models. I think being female actually gives me an advantage in this industry,” she says. “It’s also great to be a part of a community of cyber security founders focused on working together to build each other up.”

Sam represents perhaps a model for cyber security leaders of the future: insatiably curious, community-focussed and deeply committed to building technology with a purpose.

www.linkedin.com/in/samantha-lengyel/
I made some good progress as an infosec auditor at the start and I eventually gained a lead role in an IT multinational but became bored and ventured into consulting where life was exciting, despite the extended working hours. I went into various security implementations in process and technology.
Mel Migrino
After almost six years I decided to go back to a user
VP and Group CISO, MERALCO
organisation where I assumed concurrent leadership roles as data privacy officer and chief information security officer for a fintech company heading the deployment of the SOC and various initiatives to secure a mobile application and its supporting infrastructure.
L
I also established the organisation’s compliance with ooking back on how I succeeded as a cyber
data privacy regulations and I was given the chance
security leader, I remember the challenges
to head enterprise risk management. Wearing three
that made me realise it was not only my
hats in the midst of transforming the business was
technical abilities but more about the life
not easy but worth the effort.
lessons that moulded me into a better
leader.
With these past roles in the consulting and fintech industries I saw diversity of gender, experience and
More than 15 years ago I started a career in an
capabilities could lead to better outcomes.
applications development team where I assumed a business analyst role then transitioned to software
My current stop on my career journey is with Meralco,
quality assurance and became a project manager
the largest power distribution utility in the Philippines,
implementing enterprise applications.
where I provide management oversight and direction for the parent company and all its subsidiaries. Being
Assuming a leadership role in tech at that time was a challenge because the majority of leaders were male and women were assuming mostly mid-level lead roles. I heard from some of my industry colleagues there was a niche career in the market, information security, that also covered security in applications
“To succeed in this profession you need to approach cyber security with great dedication, not to want the limelight, but you will be in the spotlight during crises. Cyber security is a career that makes you want to learn more and at the same time makes you more human.”
development. I got interested and ventured into that field.
20
WOMEN IN SECURITY MAGAZINE
28.04.2022
W H AT ’ S
H E R
J O U R N E Y ?
in such a male-dominated industry is a different ball game. Influence is crucial to getting things done. I told myself gender disparity is present in every industry, but especially in the power sector where the gender gap still permeates management teams and boardrooms. According to Boston Consulting Group (BCG) and Singapore’s Infocomm Media Development Authority (IMDA), the number of women in tech in Southeast Asia exceeds the global average. Women account for 32 percent of the tech sector workforce, compared to 28 percent globally. It requires continuous effort to bridge the gender gap, but I persevered and demonstrated I was confident and fit for the job while exercising strong leadership that would promote gender inclusivity and deliver the results I was mandated to deliver. To me, knowledge is power regardless of your gender. If you project the right attitude and posture people will listen and follow you. We cannot discount the fact that women are innovative, have better agility and inspire and motivate others. These are important factors that contribute to the success of huge projects such as process and technology transformation in the energy industry. While I manage various teams locally and in Asia, I also need to keep myself sane. I have a male mentor. He taught me how to be a tough but fair leader and to be results-oriented. He taught me to persevere and continue my journey, despite the obstacles. He reminds me we can achieve great things by making the right choices and actions. To succeed in this profession you need to approach cyber security with great dedication, not to want the limelight, but you will be in the spotlight during crises. Cyber security is a career that makes you want to learn more and at the same time makes you more human.
www.linkedin.com/in/mel-migri%C3%B1o-b5464151/ www.linkedin.com/company/wisap-women-in-securityalliance-philippines/
Deepa Amrat-Bradley
Global Transformation Executive - Cybersecurity Specialist
Deepa Amrat-Bradley specialised as a transformation and business turnaround director for 15 years before entering the cyber security industry. Originally from England, she has worked with clients in the United States, India, the Middle East and, most recently, Australia.
She joined the online employment service SEEK in January 2021 in the security leadership team where she was tasked with leading SEEK’s cyber security strategy development and managing its cyber security program to address the growth and increased complexity of its workload as a result of COVID.
At SEEK she leads cyber security strategy and enables program governance to support teams in their role to protect the SEEK Group from cyber security risks by staying at the forefront of emerging cyber threats.
“Security is a high-pressure working space managing governance, risk and compliance and incident response to enhance business resilience and enable business continuity,” she says. “My work supports the efforts, contributions and delivery of the complex and ambitious portfolio we manage under the security banner.”
Amrat-Bradley says her greatest strengths are her ability to lead and facilitate dialogue between subject matter experts, technical teams and the business to produce collaborative and fit-for-purpose outcomes. Her team is facilitating the review and design of SEEK’s security strategy, operational plan and reporting framework and is working to build up its portfolio management capability.
Amrat-Bradley has received several awards for her work over the last two decades. Most recently she was the recipient of the AMCham Global Leadership Program Scholarship 2022.
She has a wide range of program management and leadership credentials gained over the years and is looking forward to her journey of continuous learning and growth and to nurturing and building highly capable teams and empowering them to excel.
FROM BUSINESS TRANSFORMATION TO CYBER SECURITY
She made the transition from business transformation to cyber security in 2017 when the UK government commissioned her to support the development of an SME team to design and deliver a cyber security strategy.
“I wasn’t sure I’d be the right fit for such a role as I didn’t have a deep and specialist technical capability in Cyber Security,” she recalls. “However, what the government wanted was someone with strong leadership and strategy skills to support the design and management of a team to deliver global risk and compliance nationally, and that’s what I brought to the table.”
Amrat-Bradley has extensive leadership and program management credentials gained over the last 20 years and is boosting her cyber security knowledge by studying to become an ISACA Certified Information Security Manager (CISM).
Her current role is a long way from her childhood ambition: to be a pilot or an astronaut, and she says her school years played a significant role in her career development.
“My early years were crucial, and I was lucky enough to be encouraged and inspired to think big by my teacher at school, Steve Jones, who was ahead of his time in ensuring a level playing field and supportive environment for all his students,” she says. “Steve created a safe and happy space for all – an early example of ‘Break the Bias’, which I feel has influenced my professional approach. We are still in touch, sharing inspiring dialogue and life lessons with me and my family.”
COURAGE TO TAKE LEAPS AND EMBRACE THE UNKNOWN…
Like so many women, and possibly men, when presented with a challenging career opportunity Amrat-Bradley questioned her ability to fulfil such demanding roles. She describes one of the most important decisions shaping her career journey as being “The decision to take a leap into consulting and work with amazing leaders on high profile programs that required precision delivery to succeed was a huge turning point and took courage”.
“Like so many of us, I doubted whether I was good enough, but having received good feedback for my work and recognition for my success in a traditionally male-dominated field with an award for Interim Consultant of the Year 2008 [Awarded by the UK’s HR Magazine to the youngest change-maker in the industry as voted for by interim executive appointment agencies and client testimonials] I was able to grow, accept opportunities with enthusiasm and encourage others to do the same.”
Amrat-Bradley has been fortunate in having great support throughout her career journey, from her childhood onwards. She says, as an Indian female, she felt invisible at times, but support and empowerment from “amazing leadership initiatives and great leaders” have been invaluable over the years.
A SUPPORTIVE FAMILY
“My family always encouraged me to reach for the stars, and my mum is an amazing forward-thinking advocate of women in leadership who empowered me and all my friends to break the glass ceiling.
“My dad showed me how hard work creates beautiful opportunities and he taught me about smart discipline in business. Then my big brother, a phenomenal athlete and now a successful entrepreneur, always championed me, encouraging me to shine and proudly highlighted my successes to keep me thinking outside the box.”
Later, early in her career, there was Tom Bewick and then Bev Evans. “I had the pleasure of working with the incredibly well-respected and accomplished Tom Bewick, an executive Director consulting across Education, Business and Skills programs and advisor to prominent MPs. He was a leader who gave me a springboard of opportunities in brand and project management, led by great example and allowed me to really showcase my capabilities and grow.” Now Tom is CEO of the Federation of Awarding Bodies UK and the top voice in leadership.
Bev Evans, partner at Carnall Farrar UK is a very well-known and highly respected female leader in the business improvement space and was the accountable officer where she tasked me to deliver the NHS’s largest transformation program she says, “a leader who allowed me to shine brightly, taught me so much and encouraged me to lead with courage and compassion. She is a true icon in leadership and consulting, and continues to be an amazing friend, mentor and advocate for delivering excellence and growing talent.”
And, of course, husband Rob. “He supports my journey like no other, to embrace all that fulfils me, is my rock and the person cheering me on each day.”
However, one personal attribute she believes comes from within rather than from education is leadership skills. She says it cannot be taught. “Leadership is a lifelong journey of development and personal growth, with a focus on seizing opportunities to do great things for, and with, the talent around you. Leadership for me is also about being responsible and accountable for the decisions you make, seeking to add value, empower others and operate from a place of integrity.”
ATTITUDE TRUMPS APTITUDE
When asked what advice she would give to anyone aspiring to a role similar to hers, she says: “I believe in attitude over aptitude. So I highly encourage people to get out there and work on delivering projects from inception to completion in their chosen field. Take advantage of opportunities to showcase your capabilities and interests, gain work experience by spending your free time volunteering, or get a foot in the door with a company that aligns with your end goal and then work out from this journey which key credentials will add the most value and get you to where you want to go.”
And she adds: “Whatever you study, I feel it has to be a subject you enjoy, are invested in and try, if you can, to gain placements that will give you hands-on industry experience and build your professional network. I follow Sai Honig and Nivedita Newar, strong female leaders in technology. They share great learning materials, and resources and write insightful articles for those interested in cyber security and are great influential industry professionals.”
For school leavers aspiring to a role in the security industry Amrat-Bradley offers the following advice.
• Reach out to local businesses and meet with the CISO to have a career talk.
• Attend security conferences to network and understand more about the industry.
• Watch the amazing selection of free tutorials provided online around cyber security basics.
• Join discussion forums about cyber security careers.
• Reach out to a cyber security recruiter to gain a view from their lens about the industry.
• Try to secure a simple role in a security space over school holidays and in your free time to support any aspect of work that they can offer to introduce you to the profession.
• Write about and share your journey and interests in cyber security.
• Persist! Don’t give up.
And she is particularly upbeat about the opportunities for girls in cyber security. “Women have great skills and expertise to add value in all spaces, so it’s time to help bring balance into this space. The opportunities are available and women are being encouraged to join, so don’t hesitate because of the traditional technology landscape.
“I envisage some great creative initiatives being launched to appeal to a broader, diverse and female talent pool to close the skills gap and I encourage more women into this exciting specialism.”
From her perspective of cyber security, Amrat-Bradley picks out a couple of issues she sees as major challenges: AI and the rapidly growing volume of data that must be protected.
“AI without a doubt in my view will play a leading role in how we deal with threats in the future, and we will need to prioritise upskilling to manage this space. The sophistication of AI offers capabilities that can present as ‘friend’ or ‘foe’. We need to continue to invest in learning and development in the cyber security space to stay ahead of the game. I am proud to say, this is an investment that SEEK takes very seriously.”
“The size of data is multiplying every day. Safeguarding digital data is another priority for SEEK, and we are keeping a watchful eye on the global trends around how this is regulated and managed, whilst also continuously monitoring and updating our approaches as needed.”
www.linkedin.com/in/deepa-bradley/
Shrutirupa Banerjiee
Security Professional and Learner
Shrutirupa Banerjiee is vice-chair and the technical lead of Breaking Barriers Women in CyberSecurity (BBWIC), a new non-profit organisation based in Canada that aims to provide a safe space for women to grow and evolve in the industry. It’s a role she holds in addition to her day job working in web application firewall (WAF) research at cyber security company Qualys.
Her BBWIC role is not her first in the cyber security community, and she says these voluntary roles have been important in shaping her career. “Joining several communities gave me opportunities to increase my network and communicate with different people about their journeys and struggles. I also got acquainted with opportunities by being part of the right communities with vision and a mission.”
Banerjiee’s own cyber journey has not been without its struggles. She studied for a bachelor’s degree in mathematics, during which she also studied computer science. She was introduced to the basics of C programming in her third year and went on to study for an MSc in Computer Applications when “the only thing I knew about computers was how to turn them on and some basic C programming.”
Undeterred she went on to study various topics in cybersecurity: cryptography, blockchain, vulnerability assessment and penetration testing (VAPT), malware analysis, RE, digital forensics and incident response (DFIR) and more. She also became a Certified Ethical Hacker (CEH) “to understand what cybersecurity is all about.”
A NATURAL STUDENT
Studying, she says, came naturally. “I have always been studious. Science and maths have been my all-time favourite subjects, but my enthusiasm for exploring and researching has always been the same regardless of the subject.”
Not surprisingly she is a strong advocate for continual learning. However, she is not a strong advocate for certifications. “The most important thing, if you wish to be technically strong, is to keep learning and enhancing your skills. However, I don’t necessarily recommend certifications unless your job or client has a requirement: I see people with certifications and no knowledge. Many people can’t afford those expensive certifications but have a fantastic skillset, which is what you should be focussing on.”
And for those leaving school and contemplating a career in cyber security her advice is, rather than focussing on the ‘what’ of cyber, focus on the ‘why’. “Understand what cybersecurity is all about: what kind of problems are we trying to solve? Once an individual understands the ‘whys’ of a subject, it gets easier to understand the ‘what’ and the ‘hows’.”
THE USUAL CHALLENGES
As to her own challenges, like so many women in cybersecurity she has suffered from sexism, bullying and gender discrimination in the workplace. “I am in a good environment now, but previously, especially when I was starting my career, there would be situations when I would not be given a specific task because of my gender. These experiences were disheartening, but they also gave me a reality check, and I started focussing on myself and my career.”
Also, like most women who have shared their career journeys, she says cyber security would benefit from a more gender-diverse workforce.
Her advice to other women contemplating a cyber security career is to recognise they will face challenges and fight to overcome them. “A woman has to go through many struggles to pursue her chosen career, but they must just keep moving ahead. There are good people out there who are supportive.”
Banerjiee has also been well-supported by family and friends. “They don’t understand what I am doing or talking about in a session or writing in my blogs, but they will not miss a chance to attend or read them. My partner kept motivating me to study, to participate in different conferences or challenges, and even start a YouTube channel.”
www.linkedin.com/in/shrutirupa-banerjiee/
twitter.com/freak_crypt
Tayla Payne
Associate Consultant at IBM
One of the greatest misconceptions about cyber security, says Tayla Payne, is: “you have to be a seasoned technical expert to join this space.”
And she is proof of the truth of this statement. With two bachelor’s degrees, in psychology and developmental studies and in political science and international relations from Victoria University of Wellington, she gained a Master’s in Political Economy from the University of Sydney and then went straight into a cyber security role at IBM.
“As my masters came to an end, I was looking for graduate roles in Sydney and came across IBM’s ad to join their new cyber security team. While reading the job description, I knew I had to apply – it looked like such an exciting role,” she says.
Payne is now an associate consultant in the cyber security – cloud, strategy and risk team with IBM in Sydney.
“We’re nested in IBM Consulting, which means we focus on empowering and supporting our clients to digitally reinvent their business across cyber security, cloud, risk quantification, identity access management, vulnerability remediation and policy,” she says.
A VAST AND VARIED ROLE
“As a cyber security consultant, my role is varied and vast. What makes the role so exciting is security is integral to securing the livelihoods and assets of our clients and without it there are severe implications.
“Our teams are responsible for ensuring Australia’s and New Zealand’s critical infrastructure such as water corporations and energy suppliers remains secure from cyber attacks and threats that could potentially mean citizens going without power or water. If you’re into action movies, some days it can almost feel like a real-life James Bond or Jason Bourne movie!
“At the moment I am working on a complex cyber project for an Australian energy business that owns and operates more than $11 billion of electricity and gas network assets.”
A CAREER SHAPED BY IKIGAI
As to the forces that have shaped her career journey, Payne cites her parents, and the Japanese concept ‘Ikigai’.
“Ikigai describes your life purpose or your bliss and helps to determine what brings you joy and inspires you,” she explains. “The four components of this being: What do you love? What are you good at? What does the world need? What can you get paid for?
“My parents instilled in me to do something you love. So I studied my passion at university and followed this into security.”
Her parents, Payne says, had a huge influence on her career journey. “They taught me to appreciate and understand the importance of education, the pursuit of knowledge and leading with your heart. As my dad always says, ‘The world is your oyster’. This led me to pursue anything I have a passion for, explore any avenue I want to, then narrow it down, find what I am good at, and then focus on becoming the best I can be at it.
“While I didn’t know I was going to end up in cyber security specifically, I have continued into a role shaped by my passions, interests and strengths. During school, I didn’t have a specific role in mind, but a general idea of where I wanted to end up. My advice is to be open-minded about what’s in store, as opposed to locking in an exact role and specific title and be prepared for the industry to look different five years or even six months from now.”
POLITICS AND TECHNOLOGY DEFINING CYBER
From her political science/political economy perspective Payne sees the nexus between politics and technology as being one of the defining trends in cyber security over the next few years. “Cyber-attacks are becoming increasingly vast, disruptive and likely political,” she says. “The interplay between the political choices of state actors and cyber incidents should not be underestimated. New security concerns here should be front and centre for governments and organisations, especially critical infrastructure. My perspective is that politics, economics, international relations and security will become more interconnected than ever before.”
If correct, her predictions will only exacerbate what she sees as the biggest issue facing cyber security: the skills shortage. “The skills shortage may be the biggest challenge impacting security now and in the future. Currently, the size of the workforce is 65 percent below where it needs to be, with Asia-Pacific having the most significant regional workforce gap,” she says.
SKILLS SHORTAGE IS CRITICAL
“As technology continues to provide more and more immense benefits for society, it is also accompanied by increasing threat surfaces and landscapes for all governments, organisations and individuals. I think failure to close the cyber security skills gap may pose a significant risk to the community if we do not have the expertise to secure technology, especially critical infrastructure.
“Organisations, universities, and government departments must invest now in the younger generations—as young as primary school age—and even those who are considering a career move later on in life to assist with upskilling those who wish it, into cyber security.”
And, not surprisingly, she sees getting more women into cyber as part of the answer to the skills shortage.
“I think the tech industry generally, including security, requires more female representation across every single role, but particularly senior leadership,” Payne says.
“Forbes demonstrated that diversity generates greater revenue, which is great for any business. Women think differently, so this enables broader and enhanced viewpoints leading to better outcomes for all clients and female role models encourage more women to enter the security space.
“There is an abundance of literature on the benefits that more women in a company can provide, so now is the time for businesses to take action and bring more women into the security industry.”
And for school leavers eying cyber as a career, Payne says: “I would highly recommend reaching out to people in the industry and talking to as many people as you can and even see if you can find yourself a security mentor. The security network is close-knit and very welcoming.
“Even if you reach out via LinkedIn, people are usually open to answering questions and offering industry advice. Talk to others already on their career path. They may offer advice and perspectives you may not get from reading about the industry online or learning about it in a university lecture.”
UNCONVENTIONAL PEOPLE WANTED
And she says, rather than formal qualifications, what the industry needs is “entrants with unique and unconventional backgrounds because these offer unique perspectives to solve complex challenges for industry and government clients. Importantly, more diverse skill sets enable better interpretations of threat landscapes and better assist teams to deal with the ever-changing and advancing cyber-attacks.
“The drive, passion and desire for life-long learning in this space are the most integral personal attributes, over and above any specific formal qualifications. However, I do highly recommend the AWS, Google Cloud and Azure trainings (some of which are free) to upskill, but also to allow you to try out different areas in technology and find what you may like the most.”
Payne has impressive academic and career achievements, so it may come as a surprise that she cites imposter syndrome as her biggest career challenge. “As a female graduate working among incredibly talented individuals, in a male-dominated space (although this is changing), it can make you question if you have what it takes. However, supportive colleagues, managers and parents have helped reduce this feeling and reinforced my confidence.”
www.linkedin.com/in/tayla-payne-b619b6145
Julia De Salvo
Chief of Staff at Willyama Services
Life tends to throw up curve balls that can radically disrupt the best-laid career plans, but it was throwing up that radically disrupted Julia De Salvo’s career plans.
“When I left school I thought I was going to be a nurse or a dentist. However, vomiting over my first patient ended my dental career quick smart. I decided to do a diploma in business and get straight into work,” she recalls.
“My family are more in the medical field, so IT/security is very foreign to them. I think it still surprises them that I took a career in IT/security. I fell into it really and haven’t looked back!”
One of the advantages of that unplanned career move was it suited her natural attributes. “I have been fortunate enough to have always been encouraged to succeed and given room to take on whatever work took my fancy. I think that is one of the greatest benefits of working in the IT/security industry. I’m not sure I would have had so much freedom in other industries.”
De Salvo sees the personal attribute that has contributed most to her success as being inquisitive and taking ownership. “I’m more of a doer. I love jumping into the deep end and learning as I go. I also question everything,” she says. “I don’t just do things because that’s how they have always been done. Working in this sector you must be dynamic and agile. I have never said that’s not my job, I just jump in and get it done or find the right person to get it done.”
CURIOSITY AND RELATIONSHIPS
Her advice to others aspiring to a similar career is “be curious, don’t just accept things the way they are and always look to improve processes. Relationship building is key as you interact with everyone from technical resources, CEOs, finance, vendors and of course customers.”
After gaining her diploma De Salvo started her career as an executive assistant, worked her way up to managing business units then joined a cloud software startup where she ran its Australian operations. She has spent the last seven years working for a global IT company “navigating my way around complex operating environments within the cloud and cyber, which luckily, I found I was surprisingly good at!” she says.
Today she is Chief of Staff at Willyama Services, a 100 per cent Aboriginal-owned information technology and cyber professional services business where she describes her role as “Overseeing all things people and business operations.”
SKILLS ARE THE BIG CHALLENGE
In her role at Willyama, De Salvo is at the sharp end of the cyber security skills problem, which she cites as the biggest challenge facing the industry. “Salaries are going up and not matching skill sets. Navigating salaries and careers with the right skills has become a big challenge.”
The ‘Willyama way’ to tackle this challenge, she says, is with internships, junior training programs and other traineeship programs with Willyama’s industry partners.
“We love to hire juniors. Their passion, enthusiasm and drive are contagious and it’s such a pleasure watching them grow into amazing security professionals, particularly our females who start off so quiet and unsure and become driven, confident leaders paving the way for future generations.”
She adds: “I have had the privilege of managing young professionals’ careers for a few years now and I’m always amazed at the talent we hire. With a good internal program and support we can move staff up the ranks quickly and they are often outpacing the seniors.
THE ‘WILLYAMA WAY’
“And we have a great traineeship program for Indigenous staff and all juniors. We want to grow our staff the ‘Willyama Way’ which means giving them opportunities to grow in an interesting, safe environment with clear training pathways.”
For young people contemplating a role in cyber De Salvo recommends first and foremost a non-technical qualification. “Finance, psychology, or an HR degree would definitely set you up for success. IT/security in general is made up of many different personalities and as a manager, you need to have a high emotional intelligence quotient and a good understanding of what the business needs and how to navigate your staff to those outcomes whilst ensuring they are getting the right level of care.
“If you don’t love studying, at the minimum, do a Cert III in Cyber. We take trainees and guide them up the ranks, but we look for personal attributes such as self-starters, quick learners and people with excellent communication skills. These basic ‘soft’ skills are necessary if you are to work effectively in a team and to have a future in front of customers.”
THE BIG ISSUES
Many of Willyama’s clients are government bodies and this perspective colours what De Salvo sees as other major upcoming issues for cyber security: the three-nation AUKUS nuclear-powered submarine agreement and the US Cyber Security Maturity Model Certification (CMMC).
“The security requirements around AUKUS for Australia are yet unknown. However, given the work we do with Defence this is something that will impact us and allow us to provide our services in support of it. CMMC has the potential to set the tone in government/defence cyber maturity.”
In retrospect, De Salvo’s unfortunate nauseous dental debut has served her well.
She says not only is cyber a great career choice, but it’s also one where women are outpacing men. “I love IT/security because I love the people. I’m constantly surrounded by good, fun, smart people where women are encouraged to succeed. And women are succeeding, sometimes faster than the men. Most of my female colleagues have moved to leadership roles after doing their time in technical positions. Women tend to have more of the ‘get $hit done’ gene, which means we churn out the work.”
www.linkedin.com/in/juliadesalvo/
www.linkedin.com/company/willyama-services/
intelligence, regulatory, all of the government understanding and security. She holds a master’s degree in emergency
Natasha Hallett Senior Advisor, Maritime National Security
Natasha Hallett is Senior Advisor, Maritime National Security at Maritime New Zealand, which means she is responsible for ensuring New Zealand’s ports and New Zealand registered vessels are protected against security threats of all kinds.
She is also the chairperson of an international port security program for ports across the Pacific and has a voice across the government to ensure port security is considered a priority.
She says her role crosses multiple areas: the national security system, intelligence, understanding of the government’s regulatory role and cyber security.
Her role also extends to responding to significant maritime incidents as a member of the Incident Management Team and to working with other port authorities in the Pacific and around the world.
She has worked in emergency management since leaving school and has been a member of the New Zealand Police, where she says a variety of roles prepared her for the one she now holds, which crosses multiple areas: the national security system,
management but says overseas training was necessary for her current role because it is not available in New Zealand.
“When I started at Maritime NZ I had no background in the industry. However, I made it a priority to understand the whole industry rather than just the security side of the business; understanding the bigger picture means you can do your role in collaboration rather than in isolation.
“Conferences, readings and international relationships have taught me everything that the port security personnel haven’t, not because they don’t know but because we are all still learning as this world and technology changes.
“These are essential as we navigate our way through an ever-changing world, which includes new things like cyber, drones and other technological advances.”
In addition, Hallett says: “A key personal attribute is the understanding and capability to build solid relationships. Without this skill, the job becomes a lot harder.”
PORT SECURITY NEEDS CYBER SECURITY
Increasingly, Hallett says, cyber security is becoming an important issue for ports, and having a big impact, especially with the automation of various aspects of port and vessel operations.
“The more ports become automated, the greater the need for robust cyber security policies and practices. Ports are critical infrastructure for New Zealand, and while physical security will always be needed, advancing technology also needs to be considered and implemented. Measures need to be understood
WOMEN IN SECURITY MAGAZINE
28.04.2022
WHAT’S HER JOURNEY?
not only by the information technology teams but also by those on the port. It is everyone’s role to help keep ports secure.
“Cyber security is starting to merge into physical security. It is increasingly important to protect both the physical assets and the digital assets. This needs to be done in conjunction with the port’s in-house information technology teams rather than in isolation. Traditionally physical security and information technology were very separate skill sets. Now they need to work closely as technology and threats continue to evolve.”
MALE DOMINANCE - NO PROBLEM
Many women who have shared their security journeys have described dealing with male dominance as an unpleasant aspect of their experience. However, Hallett says: “It was the challenge of working in a male-dominated industry that led me to love the security work I do.
“My biggest challenge has been having a voice in the industry. Being female and younger than most when I started meant I had to develop techniques to ensure I was heard. These took time, and frustrations were there in truckloads. However, by looking to the future with determination and building the right relationships I was able to overcome them.”
During her career journey, Hallett says she has been well-supported by colleagues and family.
“My husband and kids have supported me even when it meant they did not see me for more than a week sometimes while I travelled. And my work colleague who I get to mentor and help grow has championed me as much as I have championed her. It has been awesome to watch her find herself in this industry.”
MORE WOMEN NEEDED
Hallett would like to see more women in her industry. “The ability to develop relationships is essential in the port industry, from the port staff to the cruise vessel interactions. Women do this more authentically. Women can also bring the compassion that helps address all components. They are inherently curious multitaskers and this diversity is needed in this male-dominated industry.”
Her advice to anyone considering a security career is: “Don’t limit yourself to one area of security. There are many areas not widely publicised that open you up to limitless opportunities. At no point in my life did I think there was a thing called port security, and that it would take me around the world working with international partners. Working with people and working with countries to help them enhance their port security measures is seriously satisfying.”
www.linkedin.com/in/natasha-hallett-memergmgt282b7a122/
Vidya Murthy
Chief Operating Officer at MedCrypt
Vidya Murthy is Chief Operating Officer at medical device manufacturer MedCrypt, based in San Diego, California. She describes her role as “all things outside of committing code, [helping] keep the company functioning so our people can keep building what our customers need: from marketing to customer strategy to health insurance renewal.”
It’s a long way from her university education—in accounting and biology studies—but the move to cyber followed after graduation: while looking for her first post-degree job, Murthy found the most interesting people she met were in cyber security, so she decided to join them.
The transition came with some challenges. “Not having a technical background made me question whether I belonged and what my value was to an organisation,” Murthy says. “But learning to articulate security into business value helped me overcome ‘nay-sayers’ and advocate successfully for myself.”
When the company she worked for was acquired Murthy decided the time was ripe to get an MBA, from the Wharton Business School, while continuing to work full time. After graduating she joined a fellow graduate as employee number three in his startup, MedCrypt.
GLACIAL PROGRESS, OF A SORT
Murthy’s time at Wharton gave her much more than an MBA, with extracurricular activities designed to test and foster leadership abilities, one being trekking and camping for a week on a glacier. “The underlying aim was to see if you had embodied the studied leadership abilities when you were at your physical weakest,” Murthy explains.
“When I didn’t think I could go another step, or make it up a peak, I was able to accomplish it because of my team and my mental fortitude. That was my ‘I got this’ moment, that gave me the confidence to pursue anything I wanted to.”
Her time at Wharton was formative in other ways: she says her classmates were inspirational. “It’s a program targeting working professionals. Everyone was making real sacrifices to be part of the community, to learn, to apply something new every week.”
CLEAR CAREER ASPIRATIONS
The great thing about gaining an MBA, says Murthy, is “it makes you see a whole world of opportunities.” She did not graduate with any specific career aspirations but “a clear desire on the scale of impact I wanted to have in my career going forward.”
After gaining her first degree, Murthy joined PwC in California as a consultant and was given the opportunity to work for PwC in South Africa. “It opened my eyes to people and places that I had no exposure to previously where I only knew the person who had hired me. It was incredible for my personal and professional growth,” she says.
For Murthy, connections to people are one of the most important priorities for aspiring cyber security professionals.
“I would encourage connecting with folks early on and finding something that interests you beyond ‘keeping you busy’,” she says. “Go where you are seen and valued. Perhaps most importantly, always surround yourself with people you can learn from and keep growing.”
She adds: “There’s always more to learn and experience, especially in security. Just because someone is more seasoned, technical or faster than you, doesn’t mean you aren’t valuable in your own way.”
BEWARE BURN-OUT
And she offers some cautionary advice: “Guard your mental health; security has a high burn-out rate for a reason. Don’t take the world’s problems onto your shoulders.”
The challenges facing cyber security professionals that result in burn-out are many, and growing, but Murthy singles out one in particular: increased connectivity in healthcare systems within hospitals. “Threats are proliferating, and medical device connectivity is going to expand the threat landscape in healthcare faster than we’ve ever experienced.”
While an elevated threat level will produce increased vigilance and concern, Murthy says one of the biggest changes impacting the cybersecurity landscape is likely to be desensitisation to the impacts of cyber security incidents. “Business, consumers and regulators need to maintain an understanding of the impact of incidents and of everything being connected.”
And, like every other woman who has shared their career journey with Women in Security Magazine, Murthy points to diversity in ways of thinking as one of the most powerful arguments for having more women in cyber security.
“Security is a field that benefits from diverse opinions and perspectives because if everyone thinks the same when defending, your attacker’s job is that much easier. There are real missed opportunities to build defences that consider all users and ways of thinking.”
This lack of a women’s perspective, she believes, has impacts well beyond dealing with cyber security incidents: all the way to the design of global products. “Countless facets of tech have been designed without having a woman’s perspective, such as the design of smartphones, and as a result missed out on major use cases.”
www.linkedin.com/in/vidyakmurthy/
twitter.com/vmurthy84
twitter.com/medcrypt
Teena Hanson
Cyber Protective Services Manager at AMP Cyber Defence Centre
If you want proof that formal qualifications are not a prerequisite for a successful career in cyber security, look no further than Teena Hanson, high school leaver and now Cyber Protective Services Manager at AMP.
Hanson left school part way through year 11, before taking her HSC exams, started work in tech support and worked her way up to specialising in system management. One thing she had going for her was that her parents, rather than berating her for dropping out, supported her.
“My parents were hugely influential. They allowed me to take my unusual path when I dropped out of high school and helped me in those initial years by encouraging me to take any job I was offered,” she says. In that first role she developed an interest in cyber security because it embraced vulnerability management and antimalware operations.
However, her first real cyber security role was when she joined the Commonwealth Bank in 2015 on the invitation of a former NBN colleague. And Hanson says she needed this external validation of her security skills to make the leap from IT to cyber security specialist. “I had already built up sufficient knowledge and skills but needed that external vote of confidence.”
THE BENEFITS OF BEING GENDER NEUTRAL
Further career-boosting help came from a recruiter who advised her to be up front about her gender in job applications, rather than trying to be gender-neutral. “This gave me confidence to apply for roles I might have excluded myself from, such as when I did not meet all the criteria in a job description,” she says.
During her time at the bank she built up her cyber and risk knowledge and moved through three internal positions, ending her time there as a security architect. She then joined AMP and gained the opportunity to work on building the Cyber Defence Centre and to become the leader for the Cyber Protective Services team.
Her role involves leading a small internal team and overseeing managed security services to ensure cyber operations continue effectively.
“Within the Cyber Protective Services team we have several key security domains we operate or have oversight of, including infrastructure, network, cloud and email security, certificate and key management, vulnerability scanning, application security and end user device security controls,” Hanson says.
She has been fortunate to have had helpful and supportive managers in her career journey from the Commonwealth Bank to AMP.
SUPPORTIVE MANAGERS
“One of my managers at Commonwealth Bank, Ben Jones, really helped me grow my corporate confidence and encouraged me to take on work and interact with people outside my comfort zone,” Hanson says. “My current and previous managers at AMP, Jonathan Cook and Steve Espino, also supported me as I moved into my first leadership role at AMP.”
However, Hanson’s cyber journey has not always moved forward. She spent several years working towards becoming a security architect and 12 months after achieving that goal, realised it was not a role she was happy to be in. It then took her a further six months to make a lateral move into a career path she was much happier with.
Given her career journey it is perhaps no surprise that Hanson is not a fan of formal qualifications but says they can provide value for people looking to change careers or starting out in their career.
One rather less easily assessable personal attribute she does see as valuable in cyber security is curiosity. “Cyber is constantly evolving and the ability to stay curious, be interested and keep learning is key in this landscape.”
And she adds: “Also, IT experience outside of cyber is valuable because the cyber team interfaces with all other IT teams. Being able to bring in-depth or background knowledge into a cyber career helps when working with other teams.
“And never be afraid to switch careers. What you decide today is not set in stone. You can find a way to apply any experience you have to a cyber security career. Security is an extremely broad domain that allows people from all backgrounds to find a space in which to work and specialise.”
A DIVERSITY CHAMPION
She says this broad domain needs a breadth of approach that would be greater with more people from more diverse backgrounds, not only women, in the cyber security workforce to combat the growing challenges.
“As a cyber security professional my biggest fear is the things we don’t know about. How do we protect against the things we don’t have awareness of: the unknown, the shadow IT, the code dependencies, the suppliers to our suppliers?
“In the next few years I anticipate a lot of organisations will focus on cyber visibility. We’ve seen a focus on our external suppliers in response to regulation and to high profile supplier breaches. Over the next few years I believe we’ll see companies change course again in response to recent cyber incidents. They will begin focusing on their code and their cloud workloads and getting deeper visibility into those areas.”
To combat these threats she says a more proactive approach to security is essential. “A lot of the organisational pivots are reactionary in nature. There should be a lot more focus on predicting major incidents and on a proactive strengthening of controls.”
More specifically, Hanson says there is a need for much greater emphasis on application security (AppSec): the process of finding, fixing, and preventing security vulnerabilities at the application level in hardware, software and development processes.
“The vulnerability of Log4J showed what I believe is the tip of the iceberg in terms of library dependencies. It really highlighted the need for deeper visibility not only into our own code but also into the code of commercial off-the-shelf products. I believe organisations that have not yet begun their AppSec journey will find it gives them the impetus to investigate software composition analysis tools.”
www.linkedin.com/in/teenahanson/
Michelle Gatsi
Technology Consultant at EY
Thieves took some of Michelle Gatsi’s childhood possessions but gave her inspiration for a career in cyber security.
Just prior to Christmas 2010 thieves broke into Gatsi’s family home, stole a number of the family’s possessions but, strangely, inflicted their greatest damage on Gatsi’s bedroom.
“What was initially a traumatic experience helped me to discover my career purpose and establish life-long friendships and mentors along the way,” she says. “As a young girl, to discover that complete strangers had ravaged through some of my most personal items was a violating experience.”
The event left her with one question: why? “It triggered a curiosity within me to learn more about the factors that lead certain people onto a path of deviant behaviour. Ultimately, I wanted to prevent others from having to experience the trauma my family and I went through.”
A DIPLOMA AND DEGREE IN SOCIAL SCIENCE AND CRIMINOLOGY
So Gatsi went on to study social science and criminology at university, expecting to pursue a career in community corrections or policing. It was not to be.
“Unbeknownst to me, my cyber stars were aligning behind the scenes. Over time, cybercrime was becoming more difficult to ignore, especially with advancements in technology. It became apparent to me traditional criminals were taking their activities online and finding new and improved ways to carry out their campaigns.”
It was at this point that Phillimon Zongo, CEO of the Cyber Leadership Institute, stepped in to play a key role in shaping Gatsi’s career when she reached out to him for advice.
Zongo helped Gatsi create a plan to kickstart her cybersecurity career.
• Register and pursue a relevant cybersecurity course. “I started with an eight-week intensive course provided by Harvard University called Cybersecurity Risk Management: Managing Risk in the Information Age.”
• Use personal branding to help accelerate her career. “In other words, dust off my dormant LinkedIn account and start creating meaningful relationships.”
• Expand her network by joining cybersecurity communities and attending events.
• Start writing.
Gatsi followed the plan and connected with many cyber security professionals including Anu Kukar, Associate Partner of Cyber Security Cloud, Strategy and Risk at IBM, and Jay Hira, Director of Cyber Transformation at EY.
Later that year she was offered two entry positions in cyber security. She chose to join EY as a Technology Consultant where one of her key responsibilities was to deliver practical cyber security initiatives for EY’s clients based on their communicated requirements.
“The way I see it, I am a conduit in helping people protect what is most precious to them, and this is where my passion for cyber security stems from,” she says. “Whilst I am still fairly new, I have had the opportunity to get involved in some exciting initiatives such as a university lecture on zero trust, as well as my first client-facing project.”
DRIVE AND PASSION ARE KEY TO SUCCESS
Gatsi sums up her career journey to date, saying: “I have learned that technical knowledge can be taught if you are willing to learn, but drive and passion from within are essential. I would encourage anyone seeking a career in security to start by asking themselves, why? It’s not an easy journey, but your passion will motivate you to never give up in your pursuit.”
www.linkedin.com/in/michellegatsi/
Ela G. Ozdemir
Cyber Security Analyst at ParaFlare
Many women who have shared their stories of the cyber career journey have talked positively about the role of LinkedIn. If you need convincing about the power of LinkedIn to progress your career, take note of Ela Ozdemir’s career journey.
She graduated with a bachelor’s degree in chemistry in her native Turkey in 2007, just before the Global Financial Crisis engulfed the world. She had difficulty finding a job in chemistry and moved to the USA where she worked as an au-pair before returning to Turkey to take up a role in the chemical industry. She came to Australia in late 2016 and found work in 2018 as a Turkish language tutor in the Department of Foreign Affairs and Trade (DFAT).
Seeing few chemistry jobs available she turned her attention to cyber security, a move she describes as “probably the best decision in my life,” adding, “although I was a little fearful of studying something new in a different language, I never doubted my decision, and more importantly never underestimated my potential to achieve something in an uncharted territory.”
She embarked on IT and cyber security training at Canberra Institute of Technology, initially taking a course in Information Technology, Digital Media and Networking for one semester before transferring to a Certificate IV in cyber security.
LEVERAGING LINKEDIN
And she got active on LinkedIn. “I expanded my LinkedIn network with professionals and recruiters across the cyber security domain during and after my studies,” she says. “My regular postings and articles on social media platforms about cyber security did not go unnoticed.
“Thanks to my activities on LinkedIn, I was approached by a LinkedIn friend with a role as a cyber security analyst at Verizon. After a successful round of interviews, I gained the position.”
She was particularly fortunate. Most cyber security jobs in Canberra require a security clearance, which Ozdemir as a non-citizen could not obtain. Verizon offered her a position in which she would be responsible only for areas not requiring a security clearance.
After her experience of gaining entry to the cyber security industry, it’s hardly surprising that Ozdemir’s advice for school leavers aspiring to roles in cyber security is very much LinkedIn focussed.
“I recommend they have a good LinkedIn network of cyber security professionals and show their enthusiasm through posts, research, going for projects and seeking feedback on their work in the cyber security space. These activities will make them stand out from the crowd and definitely help them get their foot in the door.”
And, reflecting on her own career path, she says lengthy study and “super tech skills” are not needed to break into the industry. “I didn’t have to undertake lengthy studies to get to where I am now. I would recommend that those wanting a career in cyber security take baby steps. Even a basic course on IT would be a good start, followed by cyber security courses.”
She adds: “I think anyone with some level of curiosity and a passion for problem-solving can consider a career in cyber security. I believe we women especially possess the qualities that are essential to unlock the door of cyber security.
“I met so many hardworking, smart, and emotionally intelligent women that didn’t have the right education or opportunity to have a career in the technology sector. It makes me wonder how these women with such abilities would shape the future of cyber security.
“In my opinion, without role restrictions, a career in cyber security where everyone can be a target to hackers requires different ways of solving problems, a lot of patience, resilience, multitasking and teaching skills that many women naturally possess.”
SOFT SKILLS ARE ESSENTIAL
Certainly, Ozdemir sees one of the biggest issues facing cyber security as having nothing to do with technology and one that could well benefit from more people with soft skills.
“Miscommunications and lack of coordination between the cyber security teams and customers have also been a continuous challenge because they have caused delayed actions on cyber security threats resulting in loss of data, funds and reputation.”
Ozdemir’s role at Verizon was a good start in cyber, but not her ideal job. “The role involved 12-hour shift work from 7 am to 7 pm and 7 pm to 7 am,” she says. “Some people may find it enjoyable to work after midnight, but I struggled to keep my focus. So now I know that working after midnight isn’t my cup of tea.”
Today, Ozdemir is a cyber security analyst working remotely for Sydney based ParaFlare, a provider of managed detection and incident response services, where she says her role “involves a lot of things but mainly monitoring, triaging and responding to cyber security alerts and writing reports on incidents for customers,” and represents a realisation of career goals as a school leaver.
“I envisaged working in a place where I could contribute my skills and be enthusiastic and curious. I am satisfied that my current role allows me to achieve all that I had wished for. As I move forward though, I would like to explore other areas of cyber security to venture into.”
Since entering the cyber security industry Ozdemir has completed a number of security courses and gained several certifications. These include Splunk Fundamentals and Searching and Reporting, Microsoft Ninja and Microsoft SC-200, the Verizon Cyber Security Accreditation Program and the SANS FOR508 Threat Hunting and Digital Forensics course.
She also studied Critical Analysis in Business at the Australian Defence Force Academy for one semester as a prerequisite for a master’s degree course in cyber security she plans to embark on down the track.
THE POWER OF FAMILY SUPPORT
Throughout Ozdemir’s career, one influence has been constant and significant: her older brother. “He has been the most influential person not only in my current profession but also in my education,” she says.
“He particularly inspired me with his intelligence in science and methodological approach when he tackled problems. His move to study computer engineering made me envious and I wanted to follow in his footsteps. Thanks to his homeschooling, especially in maths, I have gained excellent mathematical skills which were quite handy in my cyber studies.”
www.linkedin.com/in/ela-gezerli-ozdemir-72b70048
TALENT BOARD
Lynley Vinton
STATE AVAILABLE: QLD but would consider Auckland, NZ as well.
WHAT KIND OF ROLE: GRC role has been recommended to me so that I can use my leadership and communication skills to ensure more people understand the risk of cyber security and what they can do to control it.
WHAT EXPERTISE: Led physical security strategy and team for a large corporate, implemented a new property access management system, created the security risk profile and now looking to move into cyber security. Studying CISM right now and want a role where I can learn more.
WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: I’m experienced in the corporate world, working from the office and home.
DM ON LINKEDIN
Caitlin Sauza
POSITION: Full-time or Part-time
STATE AVAILABLE WITHIN: ACT or Remote
WHAT KIND OF ROLE: Marketing, Awareness, Diversity, Risk Management, Engagement, Consulting.
WHAT EXPERTISE: Being able to interact with people is where my work flourishes. Human interaction, communication and interpersonal skills to me are above all else. I will be graduating with my Bachelor of Cyber Security from Deakin University this year, and I lean towards the non-technical side of Cyber. In saying this, I am always willing to take any learning opportunity offered to me, technical or non-technical.
WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: Hybrid, client-facing & non-technical / Ongoing professional development opportunities, Flexible working arrangements, Inclusive workplace, Employee benefits (e.g. Employee Assistance Program, Professional Memberships, Salary Sacrifice and Subsidised Parking).
DM ON LINKEDIN
EACH ISSUE WE WILL LET YOU KNOW WHO IS LOOKING FOR A NEW ROLE, WHAT KIND OF EXPERTISE SO THAT IF YOU HAVE SUCH A JOB OPENING AND LIKE ONE OF THESE CANDIDATES, YOU CAN CONTACT THEM.
Yonitha Thava
POSITION: Full-time / Contract
STATE AVAILABLE WITHIN: Victoria (preferred), however willing to relocate within Australia.
WHAT KIND OF ROLE: Cybersecurity Consultant, Security Analyst/ Specialist, IT Support.
WHAT EXPERTISE: I have experience working as a cybersecurity analyst and providing onsite technical support. I have experience of identifying security gaps within an organisation using analytical skills. I have worked on asset management and provided in-person IT support.
WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: I would like a workplace where growth and learning opportunities are present, e.g., the ability to attend workshops and practical sessions to help with upskilling and growth of myself and the organisation.
DM ON LINKEDIN
ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC? Contact us today and we can publish your details in the next issue of the magazine to help you find your next role.
REACH OUT
aby@source2create.com.au
vasudha@source2create.com.au
Women in Security Leadership
HAVE YOU BEEN LOOKING FOR A PROGRAM THAT HELPS YOU WITH A STEP UP IN YOUR SECURITY LEADERSHIP CAREER? WE UNDERSTAND THAT LEADERS COME FROM VARIOUS BACKGROUNDS
Applications are now open for our 2022 Women in Security Leadership Programs, including:
• Emerging Leaders
• Aspiring Senior (C-Suite) Leaders
• Aspiring Global Leaders
• Leaders wanting to increase their technical knowledge
• Leaders wanting to increase the impact of their presenting
To find out more, visit: awsn.org.au/initiatives/women-in-leadership/
CAREER PERSPECTIVES
WOMEN ARE SETTING THE CYBERSECURITY AGENDA by David Braue
Outnumbered by men overall, women are gunning for the roles that can drive real change
M
any were surprised when AustCyber
“We are absolutely at an inflection point in this
CEO Michelle Price announced
country,” she said during a recent AISA industry
in March that she was leaving
conference. “We do need to accelerate what we’ve
the organisation she had led
started – because what we’ve started has worked. It
since its inception in 2017 for a
has been fantastic.”
role as a partner in consulting giant EY’s Oceania cybersecurity, private and trusted technology
Referencing some of the cybersecurity innovators she
practice.
helped guide to commercial success, Price said, “We need to see more Cynches and more Pentens – and
Well known and respected in cybersecurity circles,
there are plenty of them in the pipeline. So this is the
Price spent the past five years helping Australia’s
time for us to double down – and it is being realised
cybersecurity industry pull itself up by its bootstraps
by all parts of the political spectrum, including at the
– supporting startups, advocating for the sector here
state, territory and local levels.”
and abroad, building bridges with industry, and raising the government’s perception of the cybersecurity
With the federal government recently committing
sector as it grew from a loosely-affiliated network of
$10 billion to expand its cybersecurity capabilities,
innovators into a core national-security interest.
Price was a transformative force for the industry she poured her heart and soul into.
Price’s boundless energy made her an omnipresent voice, her presence a rallying cry for an industry
Price “is probably the core reason why the Australian
that was struggling to find its identity and establish
cyber security industry is as vibrant as it is,” one
its critical mass – and has grown from modest
industry figure commented after her departure was
beginnings into a diverse commercial space with more than 600 companies.
48
WOMEN IN SECURITY MAGAZINE
28.04.2022
F E AT U R E
announced. “The energy she’s given means we all owe her: defenders, vendors, startups, bureaucrats. Impossible shoes to fill.” As a dynamic leader, Price has been immensely successful in prosecuting her agenda and bringing an entire community along for the ride. But as a woman, she represents the kind of high-profile leadership that is helping reshape the cybersecurity industry – guiding it away from its roots in stereotypical male hacking culture to become a stronger, more inclusive discipline where gender diversity is no longer a mirage.
WOMEN LEADERS STEPPING UP
“We are absolutely at an inflection point in this country. We do need to accelerate what we’ve started – because what we’ve started has worked. It has been fantastic.”
-Michelle Price, Partner at EY
Indeed, in Australia and around the world, women leaders are charging into cybersecurity – often into leadership positions where they bring not only their exceptional knowledge but a breadth of experience that often provides a fresh approach to policy analysis and decision making. Price’s success in industry development, for example, was matched by the vision and support of women ministers like former Minister for Defence Linda Reynolds and current Home Affairs Minister Karen Andrews – under whose purview the cybersecurity sector has rapidly gained momentum, become a unified national capability, and answered a clarion call to unify Australia’s cybersecurity community against national-security threats.
The United States Cybersecurity & Infrastructure Security Agency (CISA) recently saw a similarly significant change as Jen Easterly – a former military cyber specialist with a host of high-level cyber, counter-terrorism, corporate cybersecurity and other credentials – took the helm after the departure of maiden director Chris Krebs.
Easterly – who announced a formal partnership with cybersecurity diversity organisation Girls Who Code at the recent CISA Cybersecurity Summit – has made advocacy of diversity a key part of her platform.
“We need to do everything we can to ensure a cyber workforce that reflects America and who we are,” she said during a recent conference session, “because we know it’s not just the right thing to do; it’s the smart thing to do.”
“I learned a long time ago that it takes a lot of good thinking to solve the hardest problems,” she continued – citing the influence of pioneering women like Ada Lovelace, Katherine Johnson, and Grace Hopper – “and technology and cybersecurity present some of those problems.”
“When your team is comprised of people with different backgrounds, you get different perspectives – and the results are, of course, better.”
Such high-profile commitments to diversity have helped set the stage for Easterly’s tenure heading the cybersecurity organisation protecting the world’s most frequently-targeted government and industrial complex. One of her aspirational goals is to increase the participation of women in cybersecurity – and her explicit support for a high-profile organisation like Girls Who Code, which has already engaged over 450,000 school-aged students in cybersecurity education, could prove instrumental in bolstering the industry’s ranks of women.
“Our nation’s ability to attract and retain and promote women in the field is absolutely vital,” Easterly said.
“We’re going to help close the gender gap, and bring more talented young women into the workforce to prepare our nation to be able to defend ourselves against some of the most serious threats there are.”
“Without women pursuing careers in cybersecurity, the industry is missing out on a huge talent pool. We can build that next generation of cyber talent, where young women everywhere can see themselves in cyber, see themselves in tech, and see themselves in us.”
PAYING IT FORWARD
For all the progress made to date, however, the gender imbalance in cybersecurity has remained stubbornly persistent. Widely-cited figures from industry group (ISC)²’s Cybersecurity Workforce Study suggest that just 24% of the overall cybersecurity workforce is comprised of women – an improvement from 11% in 2017, but still far short of where proponents would like it to be.
There are positive signs, however, that increasing representation of women in cybersecurity leadership positions could be laying foundations for a faster righting of the imbalance in the future.
“Buoyed by higher levels of education and more certifications than their male counterparts,” (ISC)² found, women cybersecurity professionals “are forging a path to management” – outpacing their male counterparts in C-level/executive roles (28% of which are held by women, compared to 19% men); IT director (18% vs 14%), vice president of IT (9% vs 5%), and chief technology officer (7% vs 2%).
Women cybersecurity professionals, the workforce survey found, are more likely than men to hold a post-graduate degree – 52% compared with 44% – and younger, with 45% of women cybersecurity professionals identifying as millennials compared with 33% of men.
Significantly, women reported having similar job responsibilities and job satisfaction, while younger women reported less pay inequity than their older counterparts – suggesting that efforts to promote equal pay are finally gaining traction.
All that remains is ensuring that there are enough women in cybersecurity to benefit from these improvements – and Tanya Janca is among the women fighting to make sure they get the chance.
A longtime IT and cybersecurity professional, Canada-based speaker and advocate Janca founded We Hack Purple with the goal of providing cybersecurity training for companies that want guidance in areas such as building security champions, developing meaningful security metrics, demystifying PCI compliance, and more.
The venture has been wildly successful, with a busy roster of cybersecurity training and speaking helping her raise awareness about cybersecurity. Yet in the long term, she envisions partnering with another organisation to address one particularly challenging issue.
“A big problem with cybersecurity is the cost of education,” she told Women in Security Magazine – but with strong backing from a venture capital partner, Janca said, “we’d like to approach groups that specifically have underrepresented individuals, and offer our courses for free.”
Those courses have already been completed by thousands of students, but opening them to larger numbers of high school students and university graduates would help Janca realise a long-held dream of making cybersecurity more accessible.
In so doing, she hopes to help women pursue their interests in cybersecurity without being limited by resources, or by the all-too-common fear that they aren’t technical enough.
“I was a programmer and a pen tester, so obviously I always want to take the dirty hands route, because that’s the part I like best,” Janca said, recalling a recent collaboration in which a male colleague handled all the less-technical aspects.
“But there are all sorts of parts you can do in application security without getting your hands super dirty. When people take our programs, they don’t have to be awesome at coding.”
The key to improving women’s access to opportunities in cyber, Janca says, is being able to take a leadership role where possible – and to build an organisation that reflects the diversity of everyday life.
“It’s so hard when you go into a meeting, look around and no one looks like you,” she said. “But in starting my own company, I get to decide who works there – and I could hire a rainbow of people and find the best candidate, versus the candidate that reminds me of me.”
“Canada is a rainbow when you look out, and you see every type of person. I didn’t use to see that at work – but things are improving, and I’m seeing it a lot more. And to me, cybersecurity needs everyone.”
NATASHA PASSLEY
DIVERSE LEADERSHIP PERSPECTIVES
by Natasha Passley, Partner, Management Consulting - Technology, Risk and Cyber at KPMG Australia
DIVERSE FEMALE LEADER
As a partner in the cyber practice at KPMG and a senior female with a diverse background I’m very aware of the role I play in cyber. And I’m pleased to represent an organisation that recognises the importance of diversity. My cultural background is British and Jamaican and I had a non-traditional route into technology strategy and transformation. Diversity in leadership is of particular importance in the world of cyber where security threats are wide-ranging and adversaries come from all walks of life. Threat actors think broadly, are unconstrained and willing to try anything to get results. Combatting their threats requires diverse thinking, which is best provided by people from differing backgrounds.
Over the course of my career I’ve had a variety of roles, so I’m a good example of career transition. I believe my varied experiences have helped me get to where I am now. The one thing driving all my decisions has been my desire to be in a leadership position, because I wanted to be a role model for others. When I was growing up I could count on one hand the number of people of colour in senior positions, whether in large corporates or on the TV. I remember wishing there were more people who looked like me I could aspire to emulate. So, I see it as my responsibility to be that visible, ethnically diverse leader who can drive the change.
Part of being a leader is promoting yourself and the work you do to attract younger, aspiring leaders. For young women in cyber, it helps to see women succeed in a male-dominated world. If there are times when I do not feel like being out there, I remind myself I want to do this for others seeking a role model who resembles them and demonstrates they can achieve success in life via various routes.
SKILLS TRANSFERABLE INTO CYBER
As a young girl at school I had no idea which route I wanted to take. In those days, cyber security as a study subject did not exist. I chose a Bachelor of Arts degree in German and French and entered the world of technology working on a European technical helpdesk before moving into technical support and project management.
Project management is a good entry point into cyber security because it allows you to have a broad, holistic perspective on security and deliver in areas relevant to your project. From there you can decide if you want to learn more about, or gain more experience in, a particular area of cyber security.
There are also many skills and qualities of project management that can set you up for a leadership position. Project management, when done well, results in the individual being a skilled negotiator who develops strong interpersonal skills that bring people together and drive collective, cross-functional teams
to achieve outcomes. The ability to combine technical skill or subject matter expertise with some of the softer skills is necessary for leadership roles.
I’ve been pleased to observe several women in my team successfully grow and develop into other areas of cyber security from a starting point in project management. They had the desire to succeed, the willingness to learn and a growth mindset.
I think it’s important as a leader to support and encourage the people around you to grow. In the words of Simon Sinek, “The true value of a leader is not measured by the work they do. A leader’s true value is measured by the work they inspire others to do.”
PERSONAL GROWTH AND DEVELOPMENT
If you’re considering transitioning to a career path that requires skills different from your current skillset, don’t underestimate the importance of self-development. Don’t limit your learning to technical or subject matter expertise. Undertake self-reflection and introspection. Consider your key strengths, your areas of weakness and what you like and don’t like about your current role, then build a plan to address those areas of weakness. Develop the areas that will take you to the next stage. Seek advice from others who are not afraid to point out where you need to develop.
You may not have an official mentor, but if you consider your peers and your friendship circle you’d be surprised at how many people you can turn to for advice, even though you don’t call them mentors.
Nowadays, there are so many ways to learn and develop personally through podcasts, articles, books or online sessions and events. You can learn and grow everywhere you go. I combine walking with listening to development podcasts because it’s a great way to get some exercise while learning. At any one time, I like to be reading a development book, a leadership book and something to extend my current knowledge. Your career development takes planning, determination and dedication.
GETTING TO KNOW YOURSELF
Leadership is like any skill in that it needs continued development. It’s not something you achieve one day and think “that’s it, I’m done now.” There are always things you can learn about yourself, whether they be through feedback from your team and peers or through your own learning. Empathy and emotional intelligence are essential for a leader. They enable you to read the room and understand the subtle nuances and unspoken communications of others.
Adopting communication styles that suit the situation and the person helps to get the right message across and increase understanding. Understanding how an individual best receives and interprets information is helpful when conducting one-on-ones and performance reviews. Knowing the type of leader you are and want to be is important. Some of my core values are learning and growth, so I tend to attract people into my team who seek the same. Some positive feedback I’ve had from team members is that they learnt a lot through working for me. They didn’t learn a lot because I have a great store of knowledge but because I encouraged them to regularly think of their long-term career aspirations and goals.
TOP FIVE TIPS
1. Define your long-term career aspirations and set goals for yourself every year, reflecting regularly on your progress against them.
2. Spend time on personal development so you can explore who you are and what is unique about you. This helps you understand what you bring to the table and how you are different to other leaders.
3. Get to know your leadership style and improve on it. Understanding your typical traits, your strengths and your areas for development will make you a better leader.
4. Build a diverse team in terms of gender, culture, age and thinking. It’s important to have people who think differently from you.
5. Mentor someone. It’s surprising how much you learn about yourself when you start listening to and helping others.
www.linkedin.com/in/natashapassley/
SAI HONIG
CERTIFICATIONS: WHAT ARE THEY FOR?
by Sai Honig, CISSP, CCSP, Co-founder New Zealand Network for Women in Security
The statements in this article are the opinions of the writer only.
The other day a woman said to me she could not apply for jobs because she did not have any certifications. This woman, with over a decade of experience in cybersecurity, was misguided. She was letting a misguided perception exclude her from opportunities.
I once had the same misguided perception. I was recommended to apply for a job and said the same thing. At that time, I had no certifications. The individual who recommended me wrote a two-page email explaining why I was qualified for the position. I went ahead and applied. I was offered the job, and I accepted. After the requisite years of experience, I obtained certifications.
I have seen many men in my career who have no certifications and work in the same job and at the same level (or higher) as me. I don’t ask them why they do not have the appropriate certifications; that can be a touchy subject. But if men can get jobs without certifications, why can’t women?
I have heard from many women who have said they cannot get into cybersecurity without certifications. I know where that idea comes from. Just look at job descriptions: many say certifications are recommended or required. The companies posting such ads fail to understand the purpose of certification.
[Figure: three stages shown in sequence: Gain knowledge and experience; Certify knowledge and experience; Continuously update knowledge and experience]
Certifications are part of a continuum. If employers cannot identify a potential candidate based on experience, there are two possible issues:
1. The candidate is not able to adequately express their knowledge, skills or experience.
2. The organisation is unable to assess a potential candidate’s knowledge, skills or experience.
Their failure to correctly assess a potential employee may be a combination of both.
Let’s address the first issue. CVs and resumés need to express the applicant’s knowledge, skills and experience and how these pertain to the duties of the role. So, they need to be tailored to each job description. This may seem like a lot of work. However, there are many tools, including LinkedIn, that can simplify the process.
In addition, a cover letter should explain how a candidate’s knowledge, skills and experience meet the position’s requirements, not simply summarize the CV. Even volunteer work can be used to demonstrate suitability for a position.
Now let’s address the second issue. Many companies rely on their human resources department to find candidates. These personnel have neither the experience nor the knowledge of cybersecurity roles. Therefore, they rely on a candidate’s certifications to identify those that make the first cut.
Mature organizations see certifications not as a bar but as a barometer. Certification demonstrates the candidate’s experience, but an assessment of the candidate is still necessary. This assessment may include technical reviews or interviews by hiring team members. There is very little a candidate can do if a company decides to require certifications. However, the candidate can still work to fully express their knowledge, skills and experience.
I saw one student who, outside of class work, completed labs and projects about cybersecurity. She showcased this extra work on a public website. She included a link to that website in her CV, and her cover letter described these projects. She received multiple interview requests after submitting her CV. Eventually, she was offered a role in cybersecurity that required a certain level of knowledge and skills. At the time she did not have certifications.
I met another woman whose resumé was rejected by a company’s application tracking system. She reached out to the cybersecurity team at that company, people she did not know personally. She actively networked. Her conversations focused on her knowledge, skills and experience (she had no certifications). After a few conversations and emails her resumé was submitted internally by one of her contacts, bypassing the application tracking system (and human resources). She gained interviews and eventually received a job offer. After accepting the offer she worked with human resources to improve the application process and find good candidates.
Obtaining certifications is the end of the job search process. Many certifications require continuing education to maintain them. Some may require recertification through exams.
In summary, the processes to hire cybersecurity staff at all levels are broken in many ways. There are many barriers to women entering cybersecurity. This magazine addresses many of them in each issue. However, we women should not be putting up barriers of our own. Women shying away from even applying for cyber security roles is just one of the barriers we need to tear down.
www.linkedin.com/in/saihonig/
NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com
JOB BOARD
CYBER SECURITY SPECIALIST | SA POWER NETWORKS
ADELAIDE
FULL TIME
DIVERSE & INCLUSIVE WORKPLACE
FLEXIBLE WORKING
MIN 3 YEARS EXPERIENCE
SIEM - ENDPOINT DETECTION & RESPONSE \ VULNERABILITY MANAGEMENT
WHO WE ARE
SA Power Networks delivers energy solutions to empower South Australia today and in the future. We are always seeking to build a more sustainable, efficient and innovative business that creates real value for our customers. As one of the State’s largest employers, we have a commitment to integrity and take pride in doing the right thing for our people, customers and community. Progress your career and help us in empowering South Australia.
THE ROLE
The Cyber Security Specialist is responsible for providing cyber security operational uplift and support across Information Technology (IT) and Operational Technology (OT) networks through execution and continuous improvement of SA Power Networks’ cyber security prevention and detection capabilities. The Cyber Security Specialist assists in ensuring that Cyber Security operations are aligned with business risks and policy and that appropriate security controls are in place and operating effectively.
SECURITY ARCHITECT | ENDEAVOUR GROUP
SYDNEY CBD, INNER WEST & EASTERN SUBURBS
RISK MANAGEMENT
FULL TIME
SECURITY INFRASTRUCTURE KNOWLEDGE
DIVERSE & INCLUSIVE WORKPLACE
GOOGLE CLOUD
THE OPPORTUNITY
As a member of the Security Architecture Team, you will be a critical part of the Endeavour cybersecurity team and a key driver of the Cyber Security strategy via engagement with the IT transformation and underlying projects. The complexity of the environment creates the opportunity for the successful candidate to establish a solid foundation for the organisation to traverse the required transformation over the coming years. The candidate will work closely with stakeholders both in the business and the Cyber Security team. They will be involved with an assortment of security projects that support the business.
A DAY IN THE LIFE OF A CYBER SECURITY ARCHITECT AT ENDEAVOUR…
You will be talking to project teams to provide security recommendations and explain what needs to be done to increase the systems' security posture. Your interactions will be mainly with developers, project managers and solution architects. You need to provide concise, clear and pragmatic recommendations to various stakeholders and be able to explain the rationale behind them.
Your primary duties include:
• Work closely within the solution architecture team to ensure security requirements are accounted for at design time.
• Produce security documentation and patterns
• Seek endorsement from senior management on patterns or material decisions
• Analyse the current state and propose or implement improvements
SENIOR SECURITY CONSULTANT | LA TROBE UNIVERSITY
BUNDOORA, VICTORIA, AUSTRALIA
ON-SITE
FULL-TIME
MID-SENIOR LEVEL
ABOUT THE JOB
• Full time, Fixed Term (18 months)
• Flexible working arrangements offered including working for the City campus.
• Attractive Remuneration Package
ABOUT THE POSITION
The Senior Security Consultant has a key function in support of this goal by being responsible for the design and build of security processes and technology controls through a flexible and robust security architecture that promotes a security culture where controls are consistently and routinely designed and delivered by solutions. This role is responsible for engaging with projects and other La Trobe architecture functions to ensure compliance with La Trobe’s Security policies and standards and meet the growing needs of the business. Provision of subject matter expertise and high-level technical support ensuring that strict network access and intrusion prevention guidelines and policies are deployed within the University Network and associated services. With broad direction, resolve complex operational issues over the range of technologies employed across the University, and develop and implement strategies with a focus on client services and sustaining University operations across the University technology set. In conjunction with authorised University Officers, be responsible for projects and services that support the operations of the University Network.
SECURITY ANALYST | CYBERCX
PERTH CBD, INNER & WESTERN SUBURBS
FULL TIME
AUSTRALIAN CITIZEN OR PERMANENT RESIDENT
2 YEARS EXPERIENCE OR EQUIVALENT KNOWLEDGE IN SECURITY OPERATIONS OR AN ICT TECHNICAL TEAM
SECURITY ANALYST
CyberCX is Australia’s leading independent cyber security consultancy organisation. To support our rapid growth, we are looking for motivated and passionate Security Analysts to work in our Perth office. In this role, you’ll work with your team to deliver great client outcomes and grow your career rapidly as a cyber security professional. We’re looking for candidates that have a sound and relevant technical background. You don’t need extensive experience in security, but a passion to learn, a great attitude, and a keen interest in security are essential. You will receive formal and on the job training that will help you grow your career in the cyber security field. This role is part of our Managed Security Services team and will require participation in a rotating shift schedule.
KEY RESPONSIBILITIES:
• Technical analysis of alerts and data from security products including (but not limited to) SIEMs, Intrusion detection and prevention systems, endpoint security solutions, web proxies and network security devices, and vulnerability scanning and management systems
• Incident response, including liaising with customers and their ICT operations staff
• Vulnerability analysis including triaging vulnerabilities and advising on associated remediation activities.
• Taking on a wide variety of security operations tasks on an as-needed basis.
INFORMATION SECURITY ANALYST | AUSCERT
THE UNIVERSITY OF QUEENSLAND
BRISBANE, QUEENSLAND, AUSTRALIA
ON-SITE
FULL-TIME · ASSOCIATE
AUSCERT - BASED AT LONG POCKET CAMPUS
TOTAL SALARY PACKAGE NEGOTIABLE BASED ON INDIVIDUAL MERITS
2 YEAR FIXED-TERM POSITION
ABOUT THIS OPPORTUNITY
The Information Security Analyst is responsible for technical and operational support within the Australian Cyber Emergency Response Team (AusCERT). Analyst staff operate a roster system across multiple roles, giving the successful candidate exposure to a wide and interesting spread of information security disciplines. Duties include triaging requests and incidents from members, researching vulnerabilities and publishing standardised bulletins, performing malware analysis and reverse engineering, and working on incidents with members and some minor documentation roles. The AusCERT Analyst team use a variety of open-source tools, tactical solutions and some in-house developed systems, and the successful candidate will participate in projects to improve the products and services AusCERT offers to members. Automation and scripting tasks are actively encouraged. The Analyst team actively participates in information security training, knowledge sharing and general discussion. Ideas for innovative and relevant products and services for AusCERT’s members are actively encouraged by all team members, and most products AusCERT delivers today have originated from ideas developed by past and current Senior Information Security Analysts. The role also actively contributes to the running of the world-class AusCERT Cyber Security Conference including speaker and paper reviews. In addition, AusCERT analyst staff are also actively supported to attend other information security events, as well as to interact with other CERTs and agencies within Australia and worldwide to maintain and develop relationships.
SENIOR APPLICATION ENGINEER | ATLASSIAN
GREAT PERKS & BENEFITS
SYDNEY
FULL-TIME
Atlassian can hire people in any country where we have a legal entity. Assuming you have eligible working rights and a sufficient time zone overlap with your team, you can choose to work remotely or return to an office as they reopen (unless it’s necessary for your role to be performed in the office). Interviews and onboarding are conducted virtually, a part of being a distributed-first company. The Product Security team is responsible for making sure Atlassian products and services are safe and secure. We are looking for a Senior Application Security Engineer who thrives on working with development teams to secure their products across the entire software development lifecycle. Your responsibilities will include source code auditing, performing threat models, reviewing new features and architectural designs, and finding ways to empower engineering teams to build secure software by default. You must have a strong ability to work with colleagues to understand our products and then come up with ways to improve existing security infrastructure. Since we work closely with our product engineering teams, the ability to read and understand code is very important. Our products are built using a number of different languages but Java, Go, and Python are the most common. As part of the focus on learning at Atlassian, you’ll be able to spend up to 20% of your time on independent research.
LEAD CONSULTANT, DIGITAL FORENSICS AND INCIDENT RESPONSE (DFIR) | PARAFLARE
FULL-TIME
MID-SENIOR LEVEL - AUSTRALIA (REMOTE)
• Lead digital forensic investigations and incident response engagements by prioritising and allocating tasks and resources logically and efficiently.
• Acquire (or guide others to acquire) data necessary to undertake an investigation from a variety of sources using appropriate tools and techniques.
• Undertake forensic analysis tasks independently with a high level of accuracy and efficiency using both commercial and open-source tools.
• Use endpoint detection and response tools already present in the client environment or assist with the selection and deployment of EDR and artefact collection tools as required.
• Produce high quality technical and executive level reports, requiring minimal revision.
• Support other team members in their professional development by providing guidance on the use of software and accurate interpretation of artefacts.
• Support the Director of DFIR with peer review of analyses and reports.
• Strengthen internal and external awareness of cyber threats, investigative techniques, and other relevant topics in a format of your choice. This may include writing blog posts, presenting at conferences, or developing tools.
• Assist with the delivery of proactive services as required.
• Contribute to the development and improvement of DFIR services at ParaFlare.
DIRECTOR CYBERSECURITY | GRIFFITH UNIVERSITY
FULL TIME
BRISBANE
APPLICATIONS CLOSE: 30TH APRIL 2022
ABOUT THE OPPORTUNITY
Reporting directly to the Chief Digital Officer, the newly created position of Director, Cybersecurity is a highly visible and important leadership position within Digital Solutions and the broader University environment. Providing strategic direction, management and oversight of essential cybersecurity capabilities, the Director will:
• Develop and deliver the digital security strategy and program aligned to the Digital Masterplan, safeguarding the University’s strategic interests.
• Work closely with key stakeholders, across academic and professional groups, as well as externally to implement security programs across all areas of the University.
• Provide advice to the University’s senior leadership in relation to security direction, cyber risk position and resource investment.
For more about this opportunity, see https://www.griffith.edu.au/director-cybersecurity
ABOUT YOU
This role requires extensive experience developing and implementing a cyber security strategy and program in a large, multifaceted organisation. Demonstrated experience delivering a multi-year program of work to mature cybersecurity capability should be complemented by the ability to build trusted relationships, and effectively influence and collaborate to achieve strategic and operational outcomes. If you are seeking a new challenge and a leadership role in a collaborative environment where you can make a difference, then we would like to hear from you.
SECURITY AND NETWORK ARCHITECT | KORDIA
AUCKLAND OR WELLINGTON, NZ
FULL-TIME
FULLY VACCINATED
NEW ZEALAND CITIZEN OR RESIDENT OR HOLD A VALID WORK VISA TO LEGALLY WORK IN NEW ZEALAND
Great opportunity for an experienced Security & Network Architect with a passion for NZISM and other security standards to join our growing Security Design and Operations team, reporting to the CISO. If you have security operations experience and possess a real passion for security– please apply today.
ABOUT YOU
You will be responsible for carrying out Security Design and Operations functions including being responsible for the architecture and design of the Kordia Group’s internal networks and security systems, security operations, including vulnerability, threat and incident management, secure by design and security assurance activities. To be successful in this role, you will possess:
• A minimum of 3 years of experience in cyber security with hands-on experience with security compliance and assurance, ideally NZISM and/or ISO 27001
• A broad understanding of security controls
• Proven experience in providing excellent customer service
• A positive attitude, open mind, highly analytical and enjoy working as part of a team
SENIOR IT & CYBER SECURITY ANALYST, SECURITY OPERATIONS, SENIOR SPECIALIST, BISO OT, RISK OFFICER TRANSPORT FOR NSW
DIVERSITY
ENTRY-LEVEL ROLES
Transport for NSW is creating more opportunities for young people from diverse backgrounds to kick start their careers in IT. Project Wahine was launched by their IT department for the Transport branch to provide a range of newly established entry-level roles, as well as clear career pathways, aiming to help a new generation of IT professionals begin long term careers with Transport. Ally Morgan, a recent program recruit who has secured a role with the Greater Sydney IT, Innovation and Capability team said, “As a young professional, I’ve been able to jump-start my career and I am excited about starting my role. I appreciate the opportunity to continue to make a difference in the Transport community.” Check out the latest IT opportunities at Transport and kick start your career today:
APPLY NOW
TEAM LEADER ENTERPRISE SECURITY | GREATER WESTERN WATER LIMITED FOOTSCRAY, AU FLEXIBLE WORK
BEST PLACE TO WORK 2021 FOR WOMEN IN CYBER SECURITY HYBRID WORK ENVIRONMENT
LIFE INSURANCE & SALARY CONTINUANCE
LEARNING AND GROWTH OPPORTUNITIES
GREAT EMPLOYEE BENEFITS
ABOUT THE ROLE
Greater Western Water (GWW) is seeking an experienced Enterprise Security professional to lead a high performing team of security specialists or an existing lead to take on the next challenge. Reporting to the IT & Security Operations Manager, the forward-thinking leader will manage and improve the day to day security operations by championing the information security capability across GWW. This position will provide security leadership to improve the security posture of the organisation and will work closely with the business and technology operational teams to help deliver innovative solutions that strengthen GWW customer and community trust.
DUTIES
• Lead threat detection, investigation and response activities to manage internal/external threats and vulnerabilities.
• Lead implementation of security controls to protect data, applications, and networks in cloud and hybrid environments.
• Provide technical leadership to Security incidents, forensics investigations and the prioritization of actions during a declared incident.
• Lead and manage a team of security specialists
• Support the IT Controls and compliance function on the annual protective data security planning and OVIC reporting.
• Collaborate with Internal Communication and Learning & development team to develop security awareness materials and manage cyber awareness campaign.
• Monitor service delivery performance of security service providers and manage contractual obligations under scope.
APPLY NOW
DO YOU WANT YOUR COMPANY'S JOB LISTED IN THE NEXT ISSUE? Contact us today to find out how we can boost your job listing and help you find the top talent in the security industry aby@source2create.com.au
REACH OUT
vasudha@source2create.com.au
CAREER PERSPECTIVES
VANNESSA MCCAMLEY
SUCCESSFUL CHANGE STARTS WITH YOUR BRAIN’S WELLBEING
by Vannessa McCamley, Principal Consultant, Coach, Facilitator & Keynote Speaker

There’s potentially a ‘great resignation’ on Australia’s horizon. Many have experienced burnout during the pandemic, so it’s no surprise many of us are considering a change of profession and lifestyle. A new job is the modern version of the post-break-up haircut.

MY SITUATION
Like many people, I have used downtime to reflect on my 27-year career. Over those years my professional calling has pivoted several times. Before landing my current gig, I was already feeling some discontent.

By age 26 I had changed my profession and my study subjects twice. Working an average 80-hour week, living on a diet of stress and immediacy to please everyone except for myself, will do that to you.

Change can be disruptive, and there is great value in pivoting to find happiness and fulfilment. However, there is a difference between seeking something new because it is the right thing to do versus seeking change as an escape from total exhaustion. The latter situation will likely re-emerge in a new job if change is only a band-aid for a deep problem.

REASONS FOR CHANGE
Good reasons for changing jobs include:
• Increased flexibility
• Better work/life balance
• Working for an inspiring leader
• A more enjoyable team environment
• Experiencing the personal satisfaction of making a difference.

Burnout resulting from deep unrest is not a good reason. I recommend taking a break to re-energise your brain and body before making important decisions like changing careers.

WORK SHOULD COMPLEMENT YOUR LIFE
Difficult times reveal the things we value most. And the challenges of the present create the impetus for reinvention or a change of career path.

Over the last two years the wellbeing and mental stamina of many of us have been pushed to their limits. And we’re feeling it.

Humans are social creatures. We require connection and we gain stimulus from others. We also require downtime, exercise and good food to function properly. In lockdown, few of those needs were fully met.

Changing jobs can feel like the solution. However, once the adrenaline of a new gig passes, the underlying self-neglect that drives change will return unless that change is accompanied by a purposeful focus on wellbeing and on better professional outcomes.

FINDING YOUR LIFE’S WORK
Through helping people understand their brain to achieve more in the workplace, I’ve learnt that abrupt decisions and moves can often be a reaction to an adverse environment rather than a deep need for change.

The good news is that the latest neuroplasticity research shows we never stop learning. When enabled to succeed our brains can build new and lasting behaviours that improve wellbeing and performance, regardless of age.

The key to changing your brain is to carve out space for a daily check-in, even when you have a lot on. This allows you to better face known and unknown obstacles, and to let go of behaviours that no longer serve your purpose. This means ensuring you have:
• Good diet
• Movement
• Sleep
• Social connection
• Gratitude
• Relaxation and mindfulness

I was able to let go of the expectations of other people that led me to becoming a perfectionist. The trials of pivoting taught me to be resilient. That resilience led me to find what I love most: helping others to navigate obstacles in more brain-friendly and healthy ways.

IN CONCLUSION
Finding a rewarding career is not always a walk in the park: there can be challenging times along the journey. As scary as it sounds, there is nothing wrong with admitting your needs are not being met. I encourage you to first consider what those needs, and your purpose, really are.

“The cave you fear to enter holds the treasure you seek.” - Joseph Campbell

ABOUT VANNESSA MCCAMLEY
Vannessa is a leadership and performance expert, specialising in neuroscience practices to help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways.

Her passion for helping people and businesses to overcome obstacles allows them to reach their strategic goals. She brings over 20 years of business experience working extensively with individuals at all levels, spanning several industries, with a strong background within the IT security industry.

Vannessa is the author of the book REWIRE for SUCCESS – An easy guide for using neuroscience to improve choices for work, life and wellbeing.

www.linkedin.com/in/vannessa-mccamley/
www.linksuccess.com.au/
RACHEL MAYNE
NAVIGATING A CYBER CAREER AND BECOMING A FEMALE LEADER
by Rachel Mayne, Senior Associate, Cyber Security at u&u Recruitment Partners

I’ve been lucky to have always had strong female role models in my personal life, but at work I’ve always been in a very male-dominated industry, recruiting in male-dominated markets. However, I am fortunate to have met some exceptional female leaders, one of whom is Shanna Daly.

I met Shanna a few years ago when she was speaking at ParaFlare’s Women in Security event. I remember being very impressed with how she broke through stereotypes and appeared to be completely unapologetic about who she was, no matter how much society might expect her to be different.

So, for this piece I asked Shanna, now Chief Trust Officer and previously Director of Digital Forensics & Incident Response at ParaFlare, to share her story in the hope it inspires others to follow in her footsteps.

WHAT LED YOU INTO A CAREER IN CYBER SECURITY?
For me, getting into cyber security happened by pure chance. Although I had a passion for computers from a young age, I did not grow up thinking they would be the focus of my career.

I remember playing with computers when I was young, starting with the Commodore 64. My year 6 teacher had a PC and I would spend hours playing Where in the world is Carmen Sandiego.

In my last year of high school, I discovered the internet and live chat. I think that put an end to any chance of me having a career that did not involve the internet!

However, when I went to university, I started out studying microbiology and immunology. I wanted to be a virologist. I guess I’m not far off that now, except I specialise in digital viruses instead!

I soon decided microbiology and virology were not for me. I dropped out of university when I was 19 and started working in hospitality. I still had a love of computers and hacking. So, when a role came up with a dial-up internet access provider, I moved into a technical support role.

From then on, I was always quick to say yes to opportunities that came my way. I taught myself a lot but was also lucky to be surrounded by friends and colleagues willing to show me the ropes.

WHAT ARE YOUR THOUGHTS ON CERTIFICATIONS AND WHY DID YOU DECIDE TO OBTAIN THE SANS CERTIFICATION?
Personally, I think any certifications you can gain simply by studying a textbook will not help you in the long term. However, certifications that require some hands-on, practical experience, such as SANS courses or some higher education courses, can be beneficial.

I was lucky enough to be offered the chance to obtain my first SANS certification through Verizon. Being a US company, it was big on SANS courses, so I was able to take several. I think finding a company that invests in training courses like this was a big plus.

WHAT LED YOU TO GAIN YOUR MASTER’S DEGREE?
I decided to do a master’s because I wanted a degree of some sort in case I ever wanted to gain an MBA or needed one for some other reason. At the time, it was mainly to confirm my skills. I graduated with honours, so I was pretty stoked.

WHAT DIFFICULTIES HAVE YOU FACED WORKING IN THIS INDUSTRY?
The biggest difficulty for me was feeling I needed to fit in and knowing I never would.

Unfortunately, when I started out it was rare to find another woman doing the same technical work as myself. Over the past 15 years, I’ve worked mostly as a consultant for vendors and that meant working in a macho sales culture where there was a lot of bullying.

I’ve always tended to dress on the ‘grunge’ side of style, which was often seen as inappropriate. So, I found it difficult to behave or appear as society expected.

WHICH PARTS OF YOUR ROLE DO YOU ENJOY MOST?
I love how I can be hyper-focused on the technical side of digital forensics and get lost for hours trying to work things out or following leads. I also really enjoy researching and building capabilities. I’ve had a great experience building an amazing consulting team at ParaFlare that has made me feel redundant, which is fantastic.

IS THERE ANYTHING YOU WOULD HAVE DONE DIFFERENTLY?
I wish I had backed myself more often, but despite not having done so, I’m pretty happy with where I am and how I got here.

DO YOU HAVE ANY ADVICE FOR OTHER FEMALES IN THE INDUSTRY?
Put your hand up for opportunities presented to you if you think you will enjoy them. Don’t wait to be handed them, and certainly don’t expect to know everything about a role before you start.

SUMMARY
Chatting with Shanna was very refreshing and I could see from the exceptional female team she has built around her that she is a fantastic role model for women looking to break the mould and redefine expectations, not only around career paths but also around appearance and behaviours.

My main takeaway from speaking with Shanna about her journey is you should seize any opportunity that excites you and be prepared for the consequences of not fitting in.

You’ll never regret giving something a go. Far worse to look back and think “what if?”

I think, as women, we often limit ourselves because of others’ expectations and biases. Instead, we should be reminding ourselves that being passionate about something is far more important than appearance and background, and we should not let these define the path we take.

www.linkedin.com/in/rachael-mayne/
www.linkedin.com/in/shannadaly/
www.uandu.com/team/rachael-mayne
WHAT YOU CAN DO IN CYBER SECURITY, WITH A DEGREE THAT ISN’T IN IT
Josephine Vu, Cyber Intern | Akira Singh, Associate Consultant | Tayla Payne, Associate Consultant | Amit Gaur, Executive Consultant | Anu Kukar, Associate Partner, from the Cybersecurity – Cloud, Strategy & Risk Team at IBM A/NZ

INTRODUCTION
Did you know you can have a rewarding career and add value in cyber security without necessarily having a traditional technology and cyber security background? Cyber has become such a wide-ranging discipline that a diverse background can enable you to play a valuable role in any business. Skills and perspectives that complement the technical aspects of cyber security are now needed as organisations begin to seek new points of view to reshape, reorganise and rethink their cyber posture.

WHY SHOULD YOU GET INTO CYBER SECURITY?
In recent years there has been increasing demand from companies for cyber security professionals, but their recruitment attempts have been hampered by a shortage of talent. According to Mercer’s 2021 Total Remuneration Survey, over 2020-21 there was a 49 per cent rise in advertised cyber security roles and 17,000 cyber professionals will be needed by 2026. To meet this demand organisations are trying to boost the talent pool by introducing programs, training initiatives and certifications to cultivate cyber talent.

This has been dubbed the ‘New Collar’ approach by IBM. Regardless of educational background, candidates with the right mindset and qualities can be taught the skills necessary to succeed in cyber security. Cyber security has become multifaceted. There is a need not only for people with the traditional technical background but for people with experience in law, policy, data science, risk, governance or finance and more. Research from Frost & Sullivan shows that 30 per cent of people working in the cyber security industry come from non-IT disciplines. This means technical skills can be learnt and developed on the job. Furthermore, organisations are now looking for those with non-technical perspectives to help bring a holistic view to managing cyber security.

HOW CAN YOU CONTRIBUTE TO CYBER SECURITY?

Law
Law plays a huge role in cyber security. Most aspects of cyber and IT operate within a complex framework of laws and compliance requirements with new regulations introduced frequently. In consulting, each client engagement will contain a legal compliance aspect and every team will require someone with a legal lens and an understanding of cyber to ensure deliverables and services are provided in accordance with relevant laws and regulations. Having someone with a legal background in a cyber team can ensure the team’s work on a cyber project is compliant. A legal lens can provide a unique insight into business problems and solutions. Legal expertise is highly valued in the cyberspace and those with legal qualifications have many opportunities in the field.

For example, in 2021 all organisations in Australia with critical infrastructure assets were tasked with a major cyber security uplift by an amendment to the Security of Critical Infrastructure Act 2018. CISOs and CIOs turned to cyber consultants, like those in IBM, to ask questions about compliance, the impact on their organisation and the penalties imposed. Being able to answer these questions, assess client pain points and provide much needed legal information enabled IBM’s cyber security team to provide trusted advisors to multiple industries.

Potential roles: cyber security lawyer, cyber consultant, cyber compliance investigator, policy advisor.

Accounting & finance
Two key questions boards and CxOs are asking:
1. What is our current cyber exposure?
2. What is our RoI from our cyber security program?

Front of mind across all industries is the ability to quantify cyber risk exposure and ensure investments in cyber security programs are effective in reducing cyber exposure.

To quantify cyber risk exposure requires, in addition to cyber security, several other activities, experiences or knowledge such as:
• Facilitating workshops with diverse stakeholders;
• A curious mindset and asking open-ended questions;
• Statistics, modelling and running software tools; and
• Research, analysis and drawing insights.

Accounting and finance professionals who have backgrounds working with numbers, analysing data and understanding business drivers can bring these skills and experiences and contribute to cyber security.

Potential roles: cyber exposure advisor, cyber quantification analyst, business analyst, consultant.

Political economics
In the past decade cyber attacks have become increasingly disruptive, diverse, critical and, in many instances, more political. Additionally, surveys, media and literature all suggest the international community is seriously, and increasingly, threatened by cyber attacks. Forty-nine percent of respondents to the World Economic Forum’s 2021 survey claim cyber security failure to be one of the top-10 threats globally. Cyber security, therefore, requires people who can collaborate globally on these global threats. The intersection between cyber security and political economics is vibrant and varied and is significantly enhanced by individuals who have interdisciplinary expertise, an understanding of the relevance to national and international policy and the ability to recognise the interplay between technological possibilities and the political choices of nation-state actors.

For example, the Russian military attack launched on Ukraine in late February 2022 has left the West vulnerable to both physical and virtual attacks. The international community, including Australia, has come together to defend Ukraine through a variety of sanctions, bank exclusions and funding for humanitarian, security and military aid. Australia’s support of Ukraine, in opposition to Russia, has meant all Australian critical infrastructure is at increased risk from cyber-attacks, fuelling the requirement for organisations to urgently adopt enhanced cyber security postures to protect against disruptive malware, etc.

Potential roles: cyber security advisor/consultant, cyber risk quantification subject matter expert, policy analyst or advisor, researcher, threat analyst.

Psychology
Psychology and cyber security can go hand-in-hand. By understanding the goals and motives of cyber criminals you can influence the protection of your organisation’s assets and infrastructure from a cyber security perspective. The ability to reduce cybercrime becomes easier when you can identify and become conscious of a criminal’s motives and what drives them to commit a cybercrime. Employee behaviour towards cyber security is also based on many psychological aspects. Telling employees cyber safety is essential but not taking the necessary measures to ensure cyber security rules are complied with can be detrimental. With the frequency of attacks, many employees can become desensitised to the importance of cyber security, with consequences for your organisation. As a psychologist, you can help to introduce cultural and behavioural shifts that encourage employees to develop a heightened sense of security.

For example, in recent years ransomware has grown to be one of the largest cyber threats to organisations around the world, with many critical infrastructure industries at risk. People with the necessary psychological skills can help vulnerable organisations stay ahead of these criminals by identifying possible targets and, in some cases, even mitigating the ransomware attacks before they occur.

Potential roles: cybersecurity policy advisor, threat analyst, ethical hacker, cyber consultant.

Business
IT projects are often dependent on gaining the necessary funding so there is a need to be able to communicate technical concepts simply and concisely. The business knowledge and strong communication skills you possess can complement the traditional technical skills IT professionals have and enable more effective communication with decision-makers and the board. This is where a business degree can confer many benefits: it helps to bridge the gap between business functions and cyber security.

Some business skills desirable for a career in cyber are:
• The ability to communicate technical concepts to non-technical teams;
• Strong project and resource management skills;
• An understanding of how organisations operate;
• Exceptional presentation skills and communication skills;
• The ability to help organisations change their business; and
• Good listening skills and the ability to understand issues.

Business professionals who possess a human-centred approach to their work, project management experience and strong communication skills can go a long way in the cyber security space.

Potential roles: business information security officer, project manager, cyber security consultant, cyber security analyst.

KEY TAKEAWAY – JOIN US
We hope to have demonstrated that anyone with the right interest and a desire to learn can have a successful and rewarding career in cyber security. Both technical and non-technical professionals are needed. They complement each other and together can make a difference. As cyber threats continue to emerge and evolve, the cyber security industry needs both technical and non-technical skills and perspectives to combat them. The skills you have gained from your diverse background can be used to complement and uplift the capabilities of your organisation’s cyber security. If you come from a non-traditional cyber security background you should not consider this a limitation, but rather a significant asset to any team. If you’re ready for a career change, just starting your career, or wondering what you could do with your degree, think about making the move towards cyber security. There are no limitations to what you can do in the cyber industry.

Sources
https://www.mercer.com.au/what-we-do/workforce-rewards-andtalent/rewards-and-employee-experience/salary-benchmarking-surveys/au-total-remuneration-survey.html
https://www.ibm.com/blogs/ibm-training/new-collar-coursera/
https://www.stu.edu/news/cybersecurity-law-top-career-opportunities/
https://www.optiv.com/insights/discover/blog/how-get-cybersecurity-even-without-technical-background

www.linkedin.com/in/jo-vu/
www.linkedin.com/in/akira-singh/
www.linkedin.com/in/tayla-payne-b619b6145/
www.linkedin.com/in/amit-gaur-183907105/
www.linkedin.com/in/cyberuntangler/
KATE BROUGHTON
DIVERSITY-BY-DESIGN: pipelining cyber security talent, three practical ways to get involved
by Kate Broughton, Head of Delivery at Decipher Bureau

The time for talking about the cyber talent shortage, the lack of diversity and the gender pay gap is long over. Even pre-Covid, senior leaders were pushing back, saying: “No, we really don’t want to sit on yet another panel to merely talk about these same old issues. Now is the time for action.”

Whilst quotas continue to be a contentious issue, I ask clients and the industry in general to focus on the end goal: what do you want your team and your business to look like in 12 months? Let’s lose the word ‘quota’ and focus on diversity-by-design. Not just for today, but for a successful economic future.

Setting targets and measuring progress towards them is a fundamental part of any successful business. So why, when looking at the heart of a business—its people—does designing targets seem complicated, become stigmatised or is simply overlooked?

With much research demonstrating how diverse teams positively impact the bottom line, diversity-by-design should be seen as a smart business move. At a recent AustCyber event, Ian Yip, founder and CEO of Australian cyber security software company Avertro, said his business had done just that: “From inception, building a diverse team was designed, planned and implemented.”

And let’s be honest, in an industry that aims to build an ecosystem secure by design, diversity-by-design should be a given. So, what are some practical ways you can start today, no matter the size of your organisation?

WOMEN IN STEM DECADAL PLAN
The Women in STEM Decadal Plan was developed by the Australian Academy of Science in collaboration with the Australian Academy of Technology and Engineering. It argues that government, academia, the education system, industry and the community have a shared responsibility to attract women and girls into STEM professions in general, and it sets out ways to help them achieve this.

It offers a vision and opportunities to 2030 to guide stakeholders as they identify and implement specific actions they must take to build the strongest STEM workforce possible and support Australia’s prosperity.

The Tech Girls Movement Foundation, founded by STEM advocate Dr Jenine Beekhuyzen, is “a tribe of young STEM leaders committed to solving real-world problems with technology across urban, regional and rural Australia and New Zealand.”

The organisation is a Women in STEM Decadal Plan champion, committed to knowledge sharing and collaboration. It can help organisations large and small align their activities with the six opportunities in the Decadal Plan.

Tech Girls has been assisting its current partners, including specialist cyber security recruiter, Decipher Bureau and software development company WK Digital. Amanda Rodgers from WK Digital states: “My intention in publicly committing WK Digital to be a Women in STEM Champion is to jumpstart active commitment to gender equity in STEM by other organisations. The economic future of Australia is too important to simply discuss big goals. We must actively plan for their realisation.”

The Decadal Plan aims to create a richly diverse industry and Decipher Bureau has enjoyed working on its plan with Tech Girls, understanding where we are today, identifying opportunities for growth across our business and the wider cyber ecosystem and providing some accountability for our actions.

PIPELINING TOP TALENT
Recruitment is reactive. That will not change. However, firms that have strong policies to attract and retain diverse talent, and partner with specialist recruitment firms who engage with talent ‘off market’ on their behalf, are much better equipped to hire from a diverse pool of candidates.

Such an approach does not mean your recruitment agency will give you a 50/50 male/female shortlist for your pen testing role. However, having policies to attract and retain diverse talent means identifying the teams and/or roles where diversity is lacking and building in the ability to create an opportunity for the right person when the opportunity arises. Organisations need to forecast, to anticipate opportunities for increasing diversity, just as they forecast costs and other developments in a business.

Like any forecast, the diversity forecast should be reviewed quarterly and progress towards it measured at the end of the year. The Decadal Plan can assist with this task.

RE-IMAGINING GRADUATE PROGRAMS
Hiring university graduates is a common recruitment tactic. However, today there are additional pathways for acquiring cyber skills. TAFE and a range of certification providers assist people transitioning into cyber from another career path. To support these people the creation of entry-level or junior roles must be a collective effort.

I do not claim to have all the answers. I have heard time and time again from clients that they “don’t have time to train” or are “worried this person will get up to speed and then leave.” Most cyber professionals are already running at top speed; that situation will not change unless we all take time to bring in and train up new talent.

Decipher Bureau is working with three clients that are taking on entry-level candidates with the aim to train and retain them. Through the interview process I have seen candidates transitioning from a different career often bringing extremely strong communication and leadership skills.

According to ISACA’s State of Cybersecurity 2021 Part 1, 56 percent of security professionals identified soft skills—including communication, flexibility and leadership—as those most lacking among today’s cyber talent.

So, another benefit of tapping into this talent pool is that it will help ensure the next generation of cyber professionals comes with well-developed communication skills and its members will be more than ready to be the leaders of tomorrow.

www.linkedin.com/in/katebroughton/
twitter.com/DecipherBureau
We’d like to say a special thanks to everyone who participated in the 2021 AWSN Women in Security Mentoring Program pilot!

PROGRAM HIGHLIGHTS
• 99 Participants
• 53 Mentors
• 46 Mentees
• 172 Hours completed
• 207 Mentoring sessions

AWSN would like to recognise the outstanding contribution of the following mentors/mentees:
• Mentor of the Year: Gyle dela Cruz
• Mentor Great Achievers: Cath Wise and Liz B.
• Mentor Super Connector: Lukasz Gogolkiewicz
• Mentee of the Year: Cheryl Wong
• Mentee Great Achievers: Aarati Pradhananga and Queen Aigbefo
• Mentee Super Connector: Jocasta Norman
• First Mentoring Match: Farrell Tirtadinata and Miranda Raffaele

If you are interested in joining our 2022 mentoring programs, please register here: https://www.awsn.org.au/initiatives/mentoring/. If you are not yet a member, join today!
INDUSTRY PERSPECTIVES
WOMEN ARE LOCKING DOWN GAINS IN PROTECTIVE SECURITY by David Braue
They come for different reasons, but changing culture is part of the reason they stay
Protective security can be a tough gig. Just ask Lisa Reilly, executive director of the Global Interagency Security Forum (GISF), who for more than 16 years has been working to provide and execute security plans in support of humanitarian missions across Africa and Asia.
The harsh realities that attract the need for humanitarian support have also spawned a “very macho culture,” Reilly said during a recent International Women’s Day webinar, “and I see this reflected in the security sector.”
Like any woman in such an environment, Reilly admits that culture has shaped her experience of a job to which she was attracted by interest, but – like many in the security industry that came from other fields – never expected to become her career path.
“We need to have more women” in security to provide a broader range of support for both men and women engaged in the industry, Reilly said. “Every woman is different and every person brings something different with them when they join the sector – and I think perhaps we don’t make enough of that.”
“There are so many hidden factors that we have, and we need to create a culture where we’re comfortable to bring all that to the table and to be able to bring our whole selves to work.”
Yet bringing one’s self to work has been particularly challenging during the COVID-19 pandemic, when conventional notions of physical security, asset protection, information security, reputation and risk management, and other related areas were cast in a completely different light – and security professionals were forced to adapt accordingly.
“If there’s anything that COVID brought out, it is that security is something that needs to be taken very seriously,” said Monicah Kimeu, a Kenyan security training and communications consultant whose company, Mo n’ More Concepts, has become a leading voice for women’s security, diversity and inclusion, and the development of safe and secure working spaces.
The spectrum of security-related competencies “is critical in today’s business world,” Kimeu said, “and for anyone who would like to consider a career in security, this is the future of the world.”
The protective security industry won’t reach its full potential, she said, until long-established masculine culture makes way for the capabilities that women bring to the table.
“This paradigm shift requires a synergy of competencies from both men and women to be able to come up with solutions for the world,” she explained. “Women are bringing in soft skills to the space that are required in terms of critical thinking and multi-tasking in the boardroom.”
“We are going beyond the cultural thinking of security.”
UPPING THE GAME IN AUSTRALIA
With women fighting to expand the acceptance of the talents they bring to security in some of the world’s most difficult security environments – and strong support from bodies like the UN recognising the value of increasing women’s participation in peacekeeping operations – recognition of the importance of women’s perspectives in security has never been stronger.
The UN Action for Peacekeeping initiative, for example, flags the importance of “full, equal and meaningful participation of women in all stages of peace processes, as well as the integration of a gender perspective into all stages of analysis, planning, implementation and reporting.”
In this context, one might believe that the experience in Australia was far more progressive – yet despite the successes of many individual women working in protective security, the Australian industry remains less focused on bolstering gender diversity and more focused on improving the professionalism of an industry that has changed rapidly with the convergence of physical and cyber security.
Security 2025, an industry-wide assessment and strategic guide released late in 2021 by the Australian Security Industry Association Limited (ASIAL), weighs
in at nearly 100 pages but does not mention gender diversity once.
For an industry where women are still generally outnumbered – in one recent survey of webinar participants, 41% said women comprised between 0 and 20% of their employees, while 47% said the same about their company leadership – those women that are engaged with the industry are wasting no time making waves.
Consider the likes of Amanda Pitrans, a protective security specialist for intelligence and operations with IAG whose work in managing the company’s COVID-19 response to protect its nearly 13,000 employees – and her tireless mentorship of students and engagement with security industry organisations – earned her recognition at the AWSN Women in Security Awards as the Most Promising Newcomer in Any Area of Protective Security/Resilience.
PLANTING THE SEEDS OF DIVERSITY
Engagement with peers and the next generation are crucial to building the momentum that will normalise the role of women in protective security, said Kate Bright, CEO of UK-based protective security firm UMBRA International Group.
“Is security seen as a career by young females?” she asked. “Not necessarily – but it’s up to us women who are prepared to talk and be visible about what we’re doing, to help the younger generations to raise their hands.”
By engaging with younger workers at an early age, Bright added, it becomes possible to “demystify these places that we occupy. We won’t be asking that question in a few years’ time, because security will just be a career path for both younger men and women.”
Tireless advocacy has already produced wins for the likes of Christina Rose, a more than 20-year industry veteran security consultant who was named Most Outstanding Woman in Protective Security/Resilience at the awards.
“I lead by example,” said Rose, whose work improving the engagement of women has driven a 50:50 gender split across more than 100 people from over 60 nations. “Watching my team grow and learn and gain more confidence in the work they do, is very satisfying and a pleasure to be a part of.”
Facing systemic gender inequities across the protective security industry, women taking advantage of the broad range of opportunities often report a high degree of initiative and determination to succeed.
Yet many others still need a helping hand – and that, AV sales manager and founder of Women in AV Australia Toni McAllister noted, will be crucial for driving organic growth in the numbers of women in Australia’s protective security industry.
“We have come a long way already in the industry but we can’t sit back and rely on that,” McAllister said. “I don’t think people understand how difficult it is for a female to build the same support networks as it is for a male, and I think that’s where women need to champion each other as well.”
“Having a really good male mentor and female mentor gives you that balance – and it gives you the ability to build those networks. You just can’t do it in isolation either way.”
Ultimately, says Krissy Waley, project manager with built environmental consultancy Arup, greater engagement with women will make mentorship redundant: “it is a necessity, but the goal is that it won’t be needed at all” as women are normalised in every part of the industry, she explained.
“We just need to have open conversations and equal conversations, and involve as many people as possible to ensure that we have that diverse perspective – and that if we are making changes, that we’re including everyone in that process.”
SIMON CARABETTA
IN CYBER, LANGUAGE IS THE WEAPON OF CHOICE by Simon Carabetta, Cyber Communications Specialist
In February of 2000 I stepped into the wide, scary, intimidating world of tertiary education. “Prepare to have your mind blown,” quipped the lecturer of one of my first units where we were introduced to an equally scary, intimidating concept known as Semiotics. For those who have retained their sanity and did not complete a bachelor’s in communication, a bit of background. Semiotics, in a nutshell, is the study of signs, symbols and signifiers and the meaning they give us based on cultural understandings and context.
You’re still with me, right? Okay.
I may or may not have slightly skewed that definition. It’s been 22 years so I can be forgiven for being a little loose with the finer details, but you get the point. Anyway, one thing stood out for me during the blur of my entire first semester and that was language is power. In fact, language is bloody powerful. So powerful I began to understand how it can be wielded, manipulated and fashioned into weapons.
In cyber security that weapon of choice is the notorious acronym.
Yes, you know what I’m talking about.
The old guard love them! Nothing better than unsheathing a finely forged HMAC or wielding a couple of SQLs. Hell, I’ve even seen those WMDs (weapons of mass destruction) known as OWASP used on a few occasions in front of unsuspecting individuals.
The point I’m trying to make here (in a very roundabout way but how else am I going to get the message across?) is that acronyms in cyber security are a great way for people to assert their expertise, their vast knowledge and their profound wisdom of all things cyber and IT. However, we’re all forgetting one very important thing here: not everyone in cyber security has a technical background.
Now, I’m not saying it took a communications major who had to sit through one too many screenings of Battleship Potemkin to point that out, because it is common knowledge, and has been for quite some time. However, what I am saying is, despite this being common knowledge, there are still far too many people who are handing out acronyms like candy at a fifth birthday party. Simply put, it is difficult for
many people who have transitioned into cyber from non-technical roles to keep track of general workplace conversations if most of what is being said sounds like a foreign language.
I’m going to credit a good friend and former colleague of mine, the formidable Caitriona Forde, with the inspiration for this article because she has spoken about it at length many times. Caitriona is one of the most talented cyber security professionals I know. I have tremendous respect for her knowledge and the impeccably clear way in which she speaks about cyber security. Caitriona has been in IT for years, yet she is always ready to call out someone else’s BS when they overuse or misuse an acronym, to give the impression they understand more of what they are talking about than is the case.
A similar issue arises from the way in which many men in the industry use cyber language to talk down or ‘mansplain’ to women, sometimes forgetting those women may in fact be more knowledgeable on the subject than they are.
“Language is power, life and the instrument of culture, the instrument of domination and liberation”
– Angela Carter
Now, with all this being said, there are also many exceptionally talented and supportive people working in cyber who overuse acronyms and technical jargon, but not on purpose. That’s just how they speak. That’s their world, and that’s completely fine in their professional circles. On the flip side, it is also important as a graduate or someone coming from another field to take some responsibility for your own development and get to know the language of cyber. However, a newcomer cannot be expected to know everything (and who really knows EVERYTHING about cyber?) and the game must be played fairly by all.
Newcomers to the industry, much like myself in 2019, feel intimidated and suffer from imposter syndrome (see my article from Issue 7). When I began my first job in cyber as the security awareness trainer for Water Corporation in WA I did not take the opportunities to have particular acronyms or terms explained to me. Luckily, I worked with an inclusive and supportive team whose members were happy to explain after I found my feet (and my voice) and began taking those opportunities.
I urge any newcomer to cyber to find their voice and ask questions. Call out the use of acronyms and complicated jargon on occasions when it would be far easier to ‘speak human’ and tone down the language.
Learn the language for your own sake, but be mindful: working in cyber security should not mean having to decode every conversation you are a part of. Working in cyber security should not mean having to analyse every email you receive. Working in cyber security should mean plain, simple human communication. Otherwise, you may as well sit through three years of a communications degree.
www.linkedin.com/in/simoncarabetta/
twitter.com/carabettasimon
TRAVIS QUINN
BETTER TOGETHER: AGENCY, ADVOCACY, AND BEING A GOOD MENTOR IN CYBER SECURITY by Travis Quinn, Principal Security Advisor at Trustwave
Agency is a concept in sociology that describes the ability of a person to make independent decisions and to have an impact on their environment. The capacity to do both is derived from their influence and access to resources. The lack of either reduces their agency and this can be very disempowering for an individual. Agency is also important in establishing how egalitarian a community is, particularly with respect to gender identity.
The cyber security community is no different. The agency of women in our field is a significant issue and we see evidence of its absence in practically every domain of cyber security. The most glaring example is at the senior leadership level where the agency of the individual is naturally at its zenith, but gender diversity is chronically poor: only 24 per cent of senior leadership roles in IT are held by women, according to a 2019 report from International Data Corporation (IDC).
Mentoring is a proven way to empower women in cyber security. A good mentor can be an advocate and an enabler, helping to create opportunities for professional and personal development for their mentees. Similarly, a proactive mentee can take advantage of the experience, connections, etc. of their mentors. Through this relationship, challenges to the agency of women in the cyber security industry can be reduced and we can support them effectively in their careers.
However, not all mentoring is constructive. The dynamic between a mentor and a mentee can be mutually beneficial, but the focus must remain on the mentee and their needs. In the age of social media, we are exposed to visible forms of appropriation in which high profile organisations and individuals espouse their mentoring initiatives, events, etc. but fail to really empower the participants. Genuine
mentoring cannot be used as an opportunity for self-promotion at the expense of the mentee.
Fortunately, there are many examples of mentoring done well in cyber security. For example, the Australian Computer Society (ACS) runs a structured mentoring program out of its state and territory branches. The mentor and mentee jointly develop a mentoring work plan with clear outcomes and timeframes. The program also uses the Skills Framework for the Information Age (SFIA) model to identify opportunities for the mentee’s professional development.
The AWSN also runs an excellent mentoring program that takes advantage of the OK RDY mobile platform to streamline the process of matching mentors to mentees. While these two programs differ greatly in their approaches they share some key features such as their explicit expectations of participants and their earnest focus on the mentoring outcomes. Together, the ACS and AWSN programs set the standard for mentoring in IT and cyber security.
Mentoring in the workplace can be effective. However, in large organisations it is often incorporated into the performance management process, i.e. your performance manager is expected to act as your mentor. This is a practical approach. However, it benefits the organisation more than the participants. It fails to provide an open, supportive environment for the mentee and creates a dichotomy between their mentorship and their performance management. In this dynamic, one of these drivers will invariably trump the other. Ideally, organisations should create separate channels for mentoring staff that are disconnected from any performance considerations. An appropriate workplace mentor is one that understands the organisation, whose experience and skills are relevant, and who is removed from the hierarchy of the mentee.
Returning to the concept of agency: mentoring remains one of the best ways we can empower women in cyber security. When you share your advice and perspectives as a mentor you are enabling your mentee(s) to profit from your experiences, in much the same way you have learnt from your experiences. All experience has value and if you’ve been in the industry for any length of time you should earnestly consider being a mentor, whether in your workplace or through a mentoring program. In this way, you can help to make cyber security a more positive and inclusive industry.
www.linkedin.com/in/travis-quinn1/
MEGHAN JACQUOT
SUPPORTIVE COMMUNITIES HELP YOU RUN YOUR WORLD by Meghan Jacquot, Cyber Threat Intelligence Analyst at Recorded Future
Maybe you are new to cyber or maybe you’ve been in cyber security for some time. Either way, you may have noticed there are many groups for those in cyber security. Some such as the Cloud Security Alliance focus on specific topics. Some like BlackGirlsHack, focus on bringing underrepresented groups into the industry. Still others like BSides and DefCon are focused on conferences.
Wherever you are in your cyber security journey there will be a group for you. I’d like to share the story of my experience with a few such organisations.
Women in CyberSecurity (WiCyS) was the first cyber organisation I joined in 2020. The following year I applied to attend the 2021 conference and was accepted. Since the start of the pandemic, I had met many people online but never in person. I made plans to meet some of them in person, and in September 2021 those plans became reality.
What’s the WiCyS conference like? Imagine entering a large conference centre and as you meet people in the line for registration they are joyous and friendly. Imagine sessions that pique your interest and imagine finding groups to join at different times throughout the conference. I went from meeting new people to hanging out with a group of women who had decided to name themselves after a restaurant: Chicken Biscuit Krewe. We supported each other, cheered each other on, and we still hang out together online about once a month.
Several of us were able to go to the WiCyS conference in 2022 from March 17-19. We attended each other’s talks, had meals together and shared our joy with others. We now even have our own swag. We have become a community within a community, and the larger WiCyS community exhibits these supportive traits too. Over time I have become more involved in WiCyS and am now an affiliate chapter president in the Mid-Atlantic area of the USA. If you ever get the chance to attend a WiCyS conference or to become involved with the organisation I can recommend it.
Here are some other cyber security focussed organisations I can recommend.
BBWIC Foundation is focused on breaking barriers of entry to cyber and within the industry, such as barriers to moving laterally or forward in one’s career. It is a community of supportive individuals who will celebrate you in your journey. There are monthly meetings that provide opportunities for learning and mentoring. Members share out projects in a Slack group in the #dream-big channel, encourage each other and offer help. I help as the research advisory chair on the board. Its focus is to help members who want to conduct a study and to help find conference presenters and papers on topics of interest.
SANS has multiple summits every year that are completely free and usually virtual. During these summits, a Slack group is created and a sense of community emerges as people network, ask questions and share pet photos and details of their home set-up. I decided to get more involved with the SANS community. I became a call-for-papers reviewer, helped mentor new speakers and developed a section of the capture the flag challenge for the New2Cyber summit. This group focuses on different aspects of cyber security for each summit and allows people to share their learnings.
HOW DOES HAVING A COMMUNITY HELP?
There will be times when imposter syndrome creeps in and you think you cannot do something. I’ve had this happen and so have many others. Communities help because they support you, are where you can share your struggles, and will cheer you on. I have had many opportunities arise because of these communities and I have also been able to give back. For example, by participating in the SANS community I was able to meet one of the main designers of their capture the flag programs. I shared an idea I had and he encouraged me to try my hand at writing a section of the CTF. If I had not been involved in the community I would not have had the chance to work on this project, learn more about CTF creation, and see my work become part of a challenge. Communities help us rule our world.
WHY AM I A MEMBER OF MULTIPLE COMMUNITIES?
In different settings, I focus on different things. I find it helpful to have a variety of communities to meet these different needs.
HOW DO YOU START?
• Find a group that is of interest to you.
• Figure out how to join the group and do so.
• Be active in the group. This can be as simple as adding a resource to the group’s platform and then building up to interacting with members. Often, the more you share the more you will become known and gain a sense of community.
• Experiment and try different communities to those that have the best fit for you.
• Enjoy, and know I will also be celebrating you!
www.linkedin.com/in/meghan-jacquot-carpe-diem/
twitter.com/CarpeDiemT3ch
www.youtube.com/c/CarpeDiemT3ch
KAREN STEPHENS
Karen is CEO and co-founder of BCyber, an agile, innovative group who works with SMEs to protect and grow their business, by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. Karen has recently graduated from both the TechReady Woman Accelerator graduate and CLP program with the Cyber Leadership Institute in 2021.
COLUMN
Don’t ask who runs cyber. Ask who should run cyber
The way we work has changed thanks to the pandemic. We are now all doing some variation of the work from home/work from the office two-step. So, it makes sense to rethink how we view cybersecurity: its ownership and responsibilities.
So “who runs cyber?” is not the real question, it’s more a question of “who should be running cyber?” The answer is: a business/IT hybrid team - the ultimate symbiotic relationship. Want to know why?
The lines between IT and business are becoming increasingly blurred as SMB owners become the default “inhouse technical experts”
Recent statistics have small businesses and family enterprises representing 97% of businesses in Australia. Traditionally, they are left behind when it comes to cyber security. They are considered too small by the big consultants or are unable to afford the measures and staff available to big businesses.
This means they often end up with a mish-mash of cyber security measures made up of ‘do-it-yourself’ plus ‘outsource some’ plus ‘what free stuff I can find to make do with?’ There is no clear coordinated strategy. As a result, the delineation between technical and business becomes blurred.
There are no blank cheques
Securing an entire business is an unrealistic goal but it is the business and not IT (the IT department in a big business or the external service provider to a small business) that makes the ultimate decision around spending, delicately balancing “How much risk is the business willing to accept?” versus “How much security can the business afford?” It is IT that provides each business with the ability to make the most appropriate decision.
Silos are so old school
Cyber security cuts across every department and through every level of an SMB. Hoping to “keep the cybercriminals out” is not the sole responsibility of IT. Everyone in a business — whether it be large or small — needs to be cyber aware because everybody has something of value. For example, HR is responsible for personally identifiable information; Finance for client invoicing details; Compliance for all corporate activities; Operations for insurance policy terms and conditions, etc. In an SMB all those business units may be just one or two individuals. A single machine or server going down can mean the loss overnight of a business that has taken years to build.
A business, its IT and its cyber security need to be in lock step. No cyber security can mean no business.
www.linkedin.com/in/karen-stephens-bcyber/
www.bcyber.com.au
karen@bcyber.com.au
twitter.com/bcyber2
youtube.bcyber.com.au/2mux
MARISE ALPHONSO
HEDY LAMARR MORE THAN A FAMOUS ACTRESS by Marise Alphonso, Information Security Lead at Infoxchange
Over the past decades many women have contributed to developments in science and information security. One of those women was Hedy Lamarr, widely known for her acting roles and her on-screen beauty but little recognised for her ingenious, inventive streak, kept hidden for most of her life.
Hedy Lamarr (originally Hedwig Eva Maria Kiesler) was an Austrian-American actress born in 1914. As an only child, Lamarr was exposed to music, the arts and the sciences by her parents at an early age. In the documentary Bombshell: The Hedy Lamarr Story (2017) Lamarr gave credit to her father for explaining how things such as the trams on the streets of Vienna worked and she mentioned her love of chemistry at school. When she was five years old she took apart her music box toy and reassembled it to understand how it worked.
“All creative people want to do the unexpected.” - Hedy Lamarr
The young Lamarr was recognised for her beauty. Aged 19 she married Fritz Mandl, a rich Austrian munitions dealer. A few years into the marriage she felt imprisoned and had more to give the world, and could not bear being seen simply as a doll. She made her way to Hollywood where she acted in Metro-Goldwyn-Mayer (MGM) films alongside movie legends such as Clark Gable and Spencer Tracy. She had two sides to her life: to the public she was a beautiful actress, in private she was an inventor.
Years later, while in Hollywood, Lamarr was introduced to Howard Hughes, an aviation tycoon working to make faster planes for the military. She was given access to Hughes’ team of scientists and was able to experiment and innovate as a hobby. She had an invention table in her home and a smaller version in her trailer she used between movie takes. To assist Hughes with his aviation goals, she suggested redesigning the plane’s wings to mimic those of fast birds and fish. Hughes told her she was a genius.
In 1940 Lamarr met George Antheil, a quirky music composer. Both were keen to do something about the impending war and help combat the Nazis.
Photo by United Artists, Kobal, Shutterstock / Source: Pinterest
Antheil had experience with synchronising piano music and Lamarr had knowledge of munitions learned from dinner party conversations during her first marriage. With the intention of developing a means to guide torpedoes to their targets, Lamarr and Antheil combined their knowledge and developed a communication system that used frequency hopping to reduce interference and prevent signals being jammed or intercepted. It was patented with US patent number 2,292,387 in 1942. Lamarr and Antheil passed their patent to the US Navy where it was marked ‘Top Secret’ and shelved. Lamarr was told to set science aside and instead focus on selling war bonds to finance US military operations!
It was only years later that this technology was put to use when it became instrumental in preventing escalation of the Cuban missile crisis. Lamarr’s invention now forms the basis of the spread spectrum communication technology that has given the world secure GPS, WiFi and Bluetooth communications. Sadly, at the time, Lamarr and Antheil were not given any compensation for the patent.
In recognition of her contributions to the world of film and science, Lamarr has a star on the Hollywood Walk of Fame (1960). She received the Electronic Frontier Foundation’s Pioneer Award (1997), was the first woman to receive the BULBIE Gnass Spirit of Achievement Award, known as the ‘Oscar of Inventing’ (1997) and was posthumously inducted into the National Inventors Hall of Fame (2014).
The 2017 documentary Bombshell concludes with Lamarr reciting these lines from Kent M Keith’s poem, “The Paradoxical Commandments.” They perhaps provide some insight into her life principles:
People are illogical, unreasonable, and self-centered.
Love them anyway.
If you do good, people will accuse you of selfish ulterior motives.
Do good anyway.
The biggest people with the biggest ideas can be shot down by the smallest people with the smallest minds.
Think big anyway.
What you spend years building may be destroyed overnight.
Build anyway.
Give the world the best you have and you’ll get kicked in the teeth.
Give the world the best you have anyway.
Thank you Hedy Lamarr for being a source of inspiration and for the encouragement to do the unexpected and think big.
References:
Bombshell: The Hedy Lamarr Story (2017) - IMDb
Hedy Lamarr (1914 - 2000)
US Patents and Trademarks Office (US patent number 2,292,387)
The Paradoxical Commandments
www.linkedin.com/in/marise-alphonso/
WOMEN ARE TAKING THE FIGHT TO DEFENCE by David Braue
But despite real progress to date, there’s still much to be done on diversity
It was not too long ago that the idea of including women in military combat roles was a flight of fancy.
When Colonel Lucy Giles enlisted back in the early 1990s, she said, “I was only able to be employed in certain roles, there was no flexible working, and my training was segregated from the men.”
That has changed rapidly in intervening decades, Giles – who climbed through the ranks to become president of the Army Officer Selection Board and the first female College Commander at the UK’s prestigious Royal Military Academy Sandhurst – told a recent International Women’s Day webinar.
“Three decades later,” she continued, “all of that has completely changed. The journey has been slow at times – but in the last five years, it has been pretty impressive.”
“The training has completely changed,” she explained, noting new policies that not only include maternity and paternity leave but include dedicated breastfeeding facilities for new mums.
“We now have a system where you’re mixing graduates and non-graduates, 18 to 28-year-olds in the training platoon systems, different races, different backgrounds. That diversity is a real strength, and it’s reflective of our society.”
“There is still some work to go, but from my lived experience we have come on leaps and bounds.”
That’s a significant stamp of approval for the diversity efforts of the British Armed Forces, whose 148,000 personnel are more diverse than ever after years of proactive policymaking that has enabled women like Giles to take their careers in directions that prior policies would never have allowed them to imagine.
FIGHTING CULTURAL INERTIA
Since it lifted all formal restrictions on women’s military service in 2013, the Australian Defence Force (ADF) has similarly been undergoing a modernisation of its diversity policies – engaging with and accommodating women in new ways, recruiting more flexibly with an eye on work/life balance, and opening up around 88% of ADF employment categories to women.
WOMEN IN SECURITY MAGAZINE
28.04.2022
F E AT U R E
When the United Nations codified the importance of women in combat in 2000 within UN Security Council Resolution 1325, women comprised 12.8% of permanent ADF workers – including 15.1% in the Royal Australian Air Force, 14.6% in the Royal Australian Navy, and 10.6% in the Australian Army.
Those branches are working to significantly increase the proportion of enlisted women by next year when the Navy and Air Force are aiming to have 25% women and the Army, 15% – progress towards which is benchmarked in the annual Women in the ADF Report.
A key goal of this initiative is to create an environment that will encourage women to aim for leadership positions that would have been out of reach for them in the past.
“For a very, very long time, especially in an environment like Defence, in the absence of visible female leaders, a certain type of male leader stereotype has been reinforced promoted, and deferred to – and there was little imagination or courage for any other possibilities,” said former Defence Minister Linda Reynolds.
Reynolds, who reached the government front bench after a 29-year career in the Army Reserves, started her military career at the age of 19, eventually graduating as Second Lieutenant in the Royal Australian Corps of Transport. “I stuck it out, and learned just how resilient I am,” she said, “but I also learned how to lead.” Reynolds recalls many of her peers fighting hard to deny their woman-ness, believing they could only be taken seriously if they could de-gender their identity within the military. It was an epiphany for Reynolds, who became acutely aware of how much the military needed to change its approach to engaging with women.
“Of course, women are likely to lead a bit differently from men,” she said, “because we’re different and that is something to be celebrated and not talked down. So why don’t we as an organisation and as a society embrace that difference as a strength and an opportunity? If Australia is truly to be the world leader on women, peace and security that it can be, it’s a journey that has to begin here at home.”
By all accounts, that journey has paid dividends – with one recent UNSW Canberra benchmarking study noting that the ADF “compares favourably” with other Five Eyes nations and NATO militaries in terms of attracting, recruiting, and retaining women – and that the Army and Air Force are on track to achieve their 2023 participation targets.
Despite progress, however, that review identified an issue that has plagued the ADF and other militaries: because women often leave military roles to start their families, they have often been concentrated in lower-level roles – leaving only a small number of women to stay long enough to be promoted to senior positions.
For all its support for an increased role for women both before and after motherhood, the analysis noted, the ADF faces significant inertia that has slowed down the pace of change.
“Past implementation of well-intentioned policies and strategies for change has been met with significant resistance,” the report notes, “even where there has been support from leadership. It will therefore be necessary to present policies as fair and beneficial for service members to ensure buy-in from personnel at all levels.”
DRIVING ENDURING CHANGE
Defence, then, faces many of the same challenges around change as its private-sector counterparts when working to improve gender equality within its ranks.
And while women continue to penetrate the highest realms of ADF command – think of standouts like Command Sergeant Major - Forces Command Kim Felmingham, Warrant Officer of the Air Force Fiona Grasby, and Commanding Officer of the Australian Army 2nd General Health Battalion, Lieutenant Colonel Anna Reinhardt – a significant opportunity for cultural change may well come as Defence institutions increasingly engage with private-sector organisations that have doubled down on diversity as a way of attracting and keeping the best leaders and the best talents.
“You have to wonder why we’re continuing to have this difficulty having women at some of the most senior roles regularly, so that we don’t have to have a conversation about it,” said Leanne Caret, CEO of Boeing Defense, Space & Security (DSS), a private-sector defence contractor that has worked hard to improve options for its women employees to improve retention and advancement.
The Boeing division has implemented a range of policies and programs providing support for time-pressured mothers including childcare and eldercare, as well as implementing policies that let women resume their careers when they return after taking a break for any number of reasons.
“It’s about how we let them have their career when they decide to step back,” Caret said during a recent interview, “and get recognition for the time they’ve already done… so they don’t walk away and lose everything they’ve achieved.”
There is significant work to be done, she added, noting that the DSS workforce is just 23% women; “we have made some progress, but we’re not where we need to be,” she said.
“We have to make certain that we don’t forget that there is a constant pipeline that needs to be filled, and we need to nurture it and we need to give opportunities and chances – so it is really important to make sure that we are continuing to create opportunities for women at all levels of the organisation.”
Cybersecurity, critically, could prove to be another bridge that infuses the defence community with many of the diversity, equity and inclusion efforts that are being adopted to improve participation in the cyber sector.
“It is still the case that women have more challenges as a result of their gender than men do,” said Lindy Cameron, a longtime international development consultant who graduated from the UK Ministry of Defence’s Royal College of Defence Studies before serving in a variety of conflict zones and, most recently, being appointed as CEO of the UK’s National Cyber Security Centre (NCSC).
As one of the most important leaders in that country’s storied GCHQ Bletchley Park cryptography and cybersecurity operation, Cameron pointed to the “astonishing” legacy of significant women at Bletchley Park as a reminder that improving the standing of women requires constant commitment.
“When we look at the workforce that we have now – which is male, to be honest, across cybersecurity in general and national security specifically – I am confident that those female role models of early days teach us that is not a given,” she said during a recent WiCyS webinar.
Like Giles, Cameron recalls being the only woman in her course – something that she describes as “a really powerful experience [and] real moments of understanding the power of a diverse voice in a room of people with very similar experiences.”
Through initiatives such as running hackathons for school-aged girls and mandating equal representation of women in panel presentations, Cameron’s NCSC is drawing out those voices – and channelling them into a growing pipeline to shore up critical cybersecurity defences for the long term.
Cybersecurity “is not just the web security threats, but about massive potential prosperity,” she said. “And, therefore, we think it is vital to ensure that women are not just represented – but celebrated, and leading.”
PREVENTING CYBERSECURITY BURNOUT: NEED OF THE HOUR
by Neha Dhyani, Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender). Senior Security Consultant at Nokia Solutions & Networks
The World Health Organization (WHO) defines burnout as a syndrome resulting from chronic workplace stress that has not been successfully managed. It is characterised by three dimensions:
• feelings of energy depletion or exhaustion;
• increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and
• reduced professional efficacy.
It is evident the intensity and scale of cyber attacks has increased greatly. So, it should come as no surprise that cyber defenders, despite their best efforts, are struggling to counter these complex attacks and gain visibility into new environments such as the cloud, containers and business communication applications.
Threat actors continue to exploit vulnerabilities across endpoints, workloads and cloud environments and are ramping up innovation to bypass legacy defence systems — all to reach their ultimate goal: your data.
These threats mean the SOC team is constantly in a state of hyper vigilance and research shows this has adverse impacts on wellbeing, quality of life and relationships. According to VMware’s Global Incident Response Threat Report, 51 percent of cyber security professionals self-identify as burnt out, and of that group, 67 percent had lost work hours because of stress. Cyber security skills are already in short supply, so the prospect of losing additional workers is troubling, especially in the era of the Great Resignation.
Strain on security teams was further amplified towards the end of 2021 when the ubiquitous Log4Shell vulnerability threatened a complete security meltdown. Social platforms were flooded with popular #log4j memes suggesting the Internet was on fire and cyber defenders were struggling to contain the blaze.
When burnout is considered disgraceful and people see no way to fix it, it becomes the epitome of suffering. That is why people leave and hence why it is the ‘need of the hour’ to identify signs of burnout and combat it effectively.
There are many good practices managers and cyber defenders can implement to help each other stay healthy in this high-stress profession. The best way to address burnout is via personal care, empowerment and compassion. From a people and organisational development perspective, here’s what I believe leadership and all individuals can do to beat burnout.
What needs to be done by team leads/security managers
1. Practice active listening, which makes team members feel heard and valued. It is important team leaders and managers express empathy during team meetings and create a safe zone where employees can be confident they will not be shamed, criticised, blamed or otherwise put down. This helps prevent emotional exhaustion.
2. Encourage ‘Me Time’ by creating flexible workforce policies (remote working, enforced vacation, etc). This helps busy brains unplug and unwind. In doing so we relieve stress which helps us sleep better, gives us more control over our moods and increases our productivity level after the extended intensity and pressure of incident response.
3. Adopt automation (AI/ML) to reduce repetitive tasks so the team can focus on more complex threats and attack analysis. This allows cyber defenders to use human intelligence to proactively hunt for adversaries that get past the first line of defence.
4. Foster a culture of continuous learning and a growth mindset that enables teams to gain new skills. The threat landscape is evolving so rapidly that even the most senior threat hunters will need to dedicate time to stay up to date. Hence investing in training to advance skills is crucial to empowering security teams.
Actions needed by cyber defenders
1. Make self-care a priority. This is often neglected. There is research showing taking care of ourselves not only improves our relationships with ourselves, but also with others. For me, taking long evening walks and practicing deep breathing without any gadgets works like magic and helps me relax. Find your magic mantra to connect with your inner self.
2. Identify early symptoms of burnout. These can include being cynical and short-fused, a loss of empathy, lack of energy, having trouble sleeping and increased absenteeism or presenteeism. After identifying any such symptoms, remember it’s time to refocus priorities and seek support from mentors, coaches and health professionals.
3. Be open and brave enough to share concerns over work pressure and ask for help when you need it. Managers can then be flexible, share workloads between the team and temporarily cover for a team member who might not be at their best.
4. Be mindful that your professional excellence is one of several areas of your life essential to your wellbeing. There are many other major areas including your family, relationships, physical health, supporting community and spirituality. It is really important to set specific and realistic goals for all areas of your life so when you are not working you truly feel great about your progress in all aspects of life.
As a cyber leader for more than a decade I feel cyber security professionals have one of the best and most exciting jobs in the world. Burnout is a professional hazard and it is more important than ever for everyone to recognise and manage it effectively. With collective efforts I am sure we can successfully beat burnout and create healthy work environments for everyone to enjoy.
www.linkedin.com/in/neha-dhyani-7274941/
twitter.com/Neha_dhyani1
LET’S GET MORE COLLABORATORS TO SOLVE THE EVOLVING CYBER SECURITY PUZZLE
by Jay Hira, Director of Cyber Transformation at EY
My journey in cyber security began in 2006 when it was known simply as ‘security’. Despite the variety of confused and disbelieving responses I have received when I tell people what my profession is, my passion for learning about the cyber world continues to grow.
You must be wondering where my love for cyber security comes from. For starters, there are no two days alike and there is a constant need for practitioners to learn and adapt. Cyber security is a constantly evolving puzzle with layers of complexity, leaving you both curious and motivated.
Thinking of puzzles reminds me of a birthday party we recently attended. Kids were divided into three groups and each group was given twelve building blocks. The groups assumed they were competing against each other and got straight to work connecting the blocks, falling awkwardly silent when they finished. One of the organically formed all-girl groups soon realised their individual creations meant little but, when brought together with the others, formed a bridge.
Inspired by this fantastic puzzle game we present three loosely connected stories. We’re not going to conclude and/or summarise but leave you, the readers, with the fun task of connecting the dots: no instructions, no time limits, just you and your diverse perspectives.
UNFAIR FIGHT
The harsh reality of our working day as cyber security practitioners is that we’re fighting an unfair fight. As a boxing enthusiast, every time I get into a ring to practice the skills acquired through months of training I witness how fair the sport is. In the boxing ring both opponents get equal opportunities to attack and defend, unlike cyber security where we’re constantly on the back foot defending against the oncoming punches from threat actors. To add to that disadvantage, the threat actors continue to collaborate and innovate faster while we continue to protect from our silos.
POWER OF COLLABORATION
We’ve all experienced the power of collaboration. In the race to find a safe and effective vaccine for COVID-19 we witnessed the global science community come together. In case you’re wondering, there is no commonality between the current pandemic and emerging cyber threats. Borders may constrain humans, but they don’t command any respect from transmissible diseases and cyber criminals.
We’re at an inflection point where we have realised cyber crime needs to be treated as a global issue deserving both local and international collaboration between cyber security communities. With the various parts of our world becoming increasingly interconnected and interdependent there is greater need than ever for collaborators and orchestrators.
WHO RUNS THE WORLD?
I was brought up in an extended family in India with my grandmother as the matriarch. I experienced and appreciated her collaborative, empathetic, authentic and competent leadership style, one that informed my own leadership journey. Despite research from the OECD suggesting women are excellent collaborators and strong community builders they continue to be underrepresented in certain fields and make up only 11-20 percent of the global cyber security workforce.
I invite you to picture one of the most influential leaders who successfully led her country through the current pandemic. While you do so I’m going to wrap up with one of her quotes. “Leadership is not about necessarily being the loudest in the room, but instead being the bridge.”
References:
Are school systems ready to develop students’ social skills? - OECD Education and Skills Today (oecdedutoday.com)
Women are better at collaborative work than men - Digital Journal
www.linkedin.com/in/jayhira/
THE CYBER SIBLINGS TACKLING THE GLOBAL CYBER SKILLS SHORTAGE
Can professionals from a diverse skills background contribute to the cyber industry? Meet Anu Kukar and Sumeet Kukar, the cyber siblings from Australia, and read about the global campaign #Switch2Cyber, which aims to do just that.
BACKGROUND
Anu is known as the Cyber Untangler™. She brings diverse skills to solve problems using her 20 years of experience working across both industry and consulting. Having done five career switches, she was awarded Australia’s IT Security Champion 2021 and Global Power 100 Women in Cyber 2022. Her journey into cyber came from a diverse background. Anu started as a tax accountant before moving into audit and then governance, risk and compliance. This then paved a way into supply chain, risk innovation, data, artificial intelligence and machine learning. She now specialises in cybersecurity and cloud strategy, risk and technology.
Sumeet is known as the Learning Nibbler™. He finds bite-sized learning in everyday things to help build capabilities in cyber - short, sharp and lightning-fast. He is a Chartered Accountant and Certified Ethical Hacker, yet has built cyber and risk capabilities as an interim Chief Risk Officer and also taught four disciplines of Science at the University. Formerly awarded Australia’s Emerging Leader of the Year.
THE CYBER SKILLS SHORTAGE
The global cyber skills shortage is front of mind for all organisations. Cyber attacks are increasing exponentially. The recent statistics from the World Economic Forum (WEF) and other major industry publications show:
• 151%: the increase in cyber ransomware attacks globally in the first half of 2021
• 270: the number of times, on average, that an organisation was attacked in 2021
• $1.8m: the predicted cyber workforce skills shortage in 2022
THE URGENCY TO ACT NOW
The current workforce has called out an increasing workload and a high burnout rate on their cybersecurity teams due to the current skills shortage. The recent WEF Report Cyber Security Outlook 2022 showed that 59% of all respondents in their global survey would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team. The demand is only increasing for these cyber skills and there is a great opportunity for professionals with non-traditional or diverse backgrounds to contribute to the cyber industry.
THE #Switch2Cyber CAMPAIGN IS BORN
At the end of 2021, Anu was awarded Australia’s IT Security Champion of the Year. In her acceptance speech she shared how she was humbled with the opportunity to have been able to join and contribute to the cyber industry and proceeded to give the room of cyber professionals a challenge to take two diverse professionals under their wing and help them switch into cyber by next year’s award ceremony. From there the global campaign took off. Given her own journey into cybersecurity, Anu is passionate about paving a way for others to have the same opportunity. The aim of the campaign is to reduce the cyber skills gap through helping professionals with diverse backgrounds switch to cyber. The objectives are twofold:
1. Opportunity: Raise awareness to give opportunities to professionals with diverse backgrounds, such as accounting, finance, marketing, legal, communications, risk and compliance, a chance to grow and contribute in the cyber industry; and
2. Support: Provide a network of support to professionals on the journey of switching careers into cyber.
CURRENT SUPPORTERS
We have had over 20 organisations from across the world so far, including USA, Australia, New Zealand, UK, South Africa and Canada, with more expressing interest to join.
HOW CAN YOU GET INVOLVED?
For more information on the campaign:
1. Visit and read at https://www.cyberuntangler.com/switch2cyber
2. Follow #Switch2Cyber on socials, share and support the cause
3. Connect with Anu Kukar
Anu Kukar, CA
Sumeet Kukar, CA
WHO RUNS THE WORLD?
by Laura Jiew, External Engagement from the UQ School of IT & Electrical Engineering
Here are some outstanding achievements from the University of Queensland computing community.
Cyber security and software engineering: Dr Abigail Koay
Dr Abigail Koay is a research fellow in the School of Information Technology and Electrical Engineering. Her research interests include applied machine learning, cyber security and critical infrastructure security. Originally from Malaysia, Abigail pursued university studies in computer systems and networking, a study field in which female students are typically not well-represented in her home country.
After graduating and working in the industry for several years Abigail emigrated to New Zealand to pursue her PhD at Victoria University of Wellington. In 2021 she relocated to Brisbane where she has been an active contributor to cyber security and software engineering. In 2021 she received a grant from the Department of Defence’s ‘Artificial Intelligence for Decision-making’ initiative.
Data science: Dr Yadan Luo
Dr Yadan Luo is a postdoctoral research fellow in the School of Information Technology and Electrical Engineering. Her research interests include domain adaptation, few-shot learning in computer vision and multimedia data analysis. She was awarded a Google PhD Fellowship in 2020 and won a Women in Technology (WiT) ICT Young Achiever’s Award in 2018 under the supervision of Professor Helen Huang.
She has led multiple AI-oriented collaborative projects with local governments and industries. RoadAtlas, a derived vision-based road defect analysis system, has been adopted by the Logan City Council. A sample of her work can be found here.
Power, energy and control engineering: Dr Feifei Bai
Dr Feifei Bai is an Advance Queensland Industry Research Fellow based in the School of Information Technology and Electrical Engineering. Her research interests include renewable energy integration, phasor measurement unit (PMU) applications in smart grids, power system oscillation detection and damping control and energy storage for frequency control. She is also an active representative of the Women in Power (WiP) special interest group for the IEEE Power and Engineering Society Queensland section. Originally from China, Feifei has also lived and studied for a PhD at the University of Tennessee in Knoxville, USA. In 2020, one of the projects Feifei is involved with as a lead researcher received an Australian Engineering Excellence Award. In 2021 she was a recipient of funding under the UQ Amplify Women’s Academic Research Equity (AWARE) Program.
Human-centred computing: Dr Jess Korte
Dr Jess Korte is an Advance Queensland TAS Defence CRC Fellow based in the School of Information Technology and Electrical Engineering. Jess is passionate about the ways good technology can improve lives. In her work Jess advocates involving end users in the design process, especially when those people belong to ‘difficult’ user groups, a term which usually translates to ‘minority’ user groups. She has been awarded a fellowship to create an Auslan Communication Technologies Pipeline, a modular, AI-based Auslan-in, Auslan-out system capable of recognising, processing and producing Auslan signing. Jess recently blogged about her work here. By working with members of marginalised groups in the design of new technologies Jess has set an awesome example of overcoming bias.
Imaging, sensing and biomedical engineering: Dr Tina Xiaoqiong Qi
Dr Tina Xiaoqiong Qi is an Advance Queensland Industry research fellow based in the School of Information Technology and Electrical Engineering. Her research interests include terahertz sensing, imaging and laser dynamics in semiconductor lasers. Tina joined the School of Information Technology and Electrical Engineering through the University of Queensland Fellowship in 2015. In 2017 she received funding from the Advance Queensland Maternity academic funding scheme. In 2020, Tina was the recipient of a mid-career Advance Queensland Industry Research Fellowship. Her fellowship was awarded to develop terahertz imaging technology for skin cancer detection and to investigate the contrast mechanisms in terahertz images for skin cancer through close collaboration with Princess Alexandra Hospital and industry.
UQ AI Collaboratory: Dr Alina Bialkowski
Dr Alina Bialkowski is a lecturer in Computer Science in the School of Information Technology and Electrical Engineering. She specialises in computer vision and machine learning. Her research interests include quantifying and extracting actionable knowledge from data to solve real-world problems and giving human understanding to AI models through feature visualisation and attribution methods. Alina plays an integral role in the UQ AI Collaboratory and is the Student Experience lead in this hub. She has been leading the student internship program as part of the Student Experience initiative within UQ AI Collaboratory. To date she has successfully coordinated the 2021 UQ-wide workshop on artificial intelligence as well as the inaugural AI Showcase event. In addition to high impact journals and conferences her work has resulted in six international patents filed with Disney Research, Toyota Motor Europe, University College London and the University of Queensland.
CIRES: PhD candidate, Daisy Xu
Daisy Xu was recently recruited as a PhD candidate in The Centre for Information Resilience (CIRES), one of many interdisciplinary research initiatives led by the School of Information Technology and Electrical Engineering. Her research interests are in data monetisation and data science. Daisy is a seasoned business analytics professional and management consultant and founder and CEO of a boutique consultancy providing software programs that enable organisations to rapidly assess their workforce productivity. Daisy is a UQ MBA alumna and looks forward to her PhD journey with the CIRES team.
www.linkedin.com/in/laurajiew/
www.linkedin.com/school/university-of-queensland/
WHY SUPPORTING FEMALE EMERGING LEADERS TODAY IS CRITICAL FOR THE FUTURE
by Megan Koufos, AWSN Program Manager and Dr Susan McGinty, Director, Aya Leadership
It is no secret women in security account for less than a quarter of professionals in the sector, and the numbers in leadership positions are even lower. The reasons are not unique to our sector and include:
• The toxic culture of an organisation
• Burn-out and stress
• Life changes
• Lack of role models/support/mentors
• Lack of opportunities/confidence/recognition
Ways to tackle this problem include:
• Early recognition of emerging leaders and exposing them to leadership opportunities;
• Mentoring programs (both within and outside an organisation);
• Training tailored to their development needs;
• Promotion based on merit and creating the opportunity to grow into a role;
• Building a company culture where different forms of leadership are recognised.
On the importance of nurturing emerging leaders and setting them up for success
Tailored leadership development is critical for women at all levels and in male-dominated industries like security is a key contributor to their career satisfaction and retention. But it’s particularly important for emerging female leaders.
Women who are passionate in their field of expertise can lack confidence in their own leadership abilities and as a result, forego opportunities that give them leadership experience and pathways to a leadership role. They often try to understand how to develop their own leadership style and struggle to find role models for the type of leader they want to be. They often have not articulated their leadership purpose or do not know how to apply their strengths as a leader.
Tailored leadership development at this stage can help build a strong foundation for the journey ahead by providing the self-reflection, self-knowledge, skills and frameworks that will give a woman the confidence to realise her leadership potential and develop her own leadership style. Tailored leadership development puts emerging leaders on the right path to gaining leadership experience, and finding the right role models, mentors and networks to support them in becoming leaders.
This is why the AWSN Emerging Leaders program was developed. It is part of a broader Women in Security Leadership initiative sponsored by the Australian Signals Directorate and delivered by our training partner, Aya Leadership.
Together, our goal is to increase the number of women in leadership roles. The Emerging Leaders program focuses on supporting 55 early-career women in security professions to build strong leadership foundations. It is for women who want to define, influence and develop their leadership style, mindset and skills with conviction.
AWSN recognises that leadership takes many forms, including informal leadership, where the real work gets done. Emerging leaders are often already sharing their knowledge by mentoring others, working on collaborative projects and leading others in work. This program supports them to become the leaders they want to be with confidence in their strengths and with the tools and techniques to continue growing on their leadership journeys.
The Women in Security Emerging Leaders Program assists women in the early stages of their security career to develop a foundation for future enduring leadership through a focus on transformation, insight, resources, growth and networks.
The program is informed by neuroscience, leadership research and best practice. It gives participants the right foundations to set them on a leadership growth trajectory and unlocks the self-exploration that will shape their leadership journey. Participants are nurtured by qualified coaches and experienced educators with a passion for resilience and leadership in the STEM and security professions.
They are equipped with practical leadership resources, strategies and tools for workplace application. The coaching approach supports individual learning, builds confidence and sets the path for ongoing, focused leadership growth.
Networking is recognised as a key leadership development practice for women to access senior leader role models, peers and resources and gain confidence in themselves as leaders. It is particularly valuable in male-dominated professions such as security.
As well as a focus on networking strategies, the program’s small group setting enables participants to build a strong peer network and learn through the real-world experience of their peers.
Through the Women in Security Emerging Leaders Program, participants develop a strong foundation for future leadership through:
• Understanding purpose-driven and authentic leadership;
• Understanding of self, identification of leadership motivations and self as a leader, and strategies for growing a leadership mindset;
• Building confidence, resilience and emotional resilience;
• Learning how to amplify their impact as formal and informal leaders through effective communication, influence and maximising their own performance.
• Understanding the purpose and utility of mentoring and networking, and applying associated strategies;
• Considering career goals and potential pathways; • Coaching and goal setting.
• More than three years in security and want to apply for a leadership position in the next 2-3 years, or • One to three or more years as a leader/manager
The Women in Security Emerging Leaders Program
(in any field) and have recently moved into a
takes a unique approach to the development of
security role, or want to move into a security role,
female leaders by emphasising the development of:
or • Have returned from a career break (either in
• Compassion: strong leadership that unites and inspires;
security or leadership) and want to refresh and update their leadership skills.
• Coping strategies: tools and strategies to manage change and adversity; • Clarity of vision, the self-awareness and clear
Participants may have a desire to move into a leadership role now or be wanting to get their
goals to propel forward with purpose;
leadership journey on the right track for the future.
• Courageous action that is considered,
This program can help them understand the type of
appropriate and bold; and • Capacity: the strength to commit and see things
leader they want to be and connect them with other emerging leaders in the industry.
through. For more information and to put in your application The program focuses on empowering emerging
head to https://www.awsn.org.au/initiatives/women-
leaders in security professions to navigate the
in-leadership/emerging-leaders-application-form/
gender-biased barriers that can exist for them, through leveraging the specific protective factors that can reduce the negative impacts of these
www.linkedin.com/in/megankoufos/
barriers. The program amplifies and leverages the inherent strengths of women to deepen participants’ motivation, mindset and skills around developing
www.linkedin.com/in/susanmcginty-ayaleadership/
their leadership.
www.linkedin.com/company/australian-women-insecurity-network-awsn/
This includes a focus on expanding participants’
twitter.com/awsn_au
awareness and understanding of their own emotional intelligence via the MSCEIT emotional intelligence
www.awsn.org.au/
assessment, coupled with learning how to apply their emotional intelligence more purposefully and effectively in the workplace. The program’s coaching foundation further magnifies its impact. In addition to theory and tools for foundational leadership development, the program is underpinned by coaching techniques to ensure the learning is targeted to the needs and motivations of the individual and supports the application of theories into practice through targeted goal setting. The course is best suited for women who have:
104
WOMEN IN SECURITY MAGAZINE
28.04.2022
I N D U S T R Y
P E R S P E C T I V E S
What past participants have had to say: “The program has given me a new perspective
“I recently participated in the first AWSN Emerging
about being a leader that is fresh, sustainable and
Leaders program. Not only did I meet and make
allows future growth. Having some management
new connections with a cohort of incredible women
background, I thought I understood leadership but
from diverse professional backgrounds, but I learned
this program has given me a better perspective
far more about myself than I expected from the
about being one, starting from understanding my
incredibly impressive and highly personable Dr
own core values. I am so glad to have joined the
Susan McGinty. The course contained a wealth of
program and I look forward to applying the learning
practical information that identified things I wanted
in my career and in my everyday dealings.”
to understand about myself but didn’t know how to. Being exposed to frameworks that put shape and
Meidi van der Lee – Security Analyst (REA Group)
meaning to unconscious thought meant I could immediately apply the techniques presented to better understand myself and the people I engage with professionally and personally on a daily basis.
“The Emerging Leaders Program helped me to
The course was invaluable and something I will
unpack what it means to be a female leader in
continue to revisit.”
an often male-dominated industry. Each session included practical and tangible discussions and
Leigh - Senior Cyber Security Professional
exercises on growing leadership skills that are both effective in the workplace and authentic to who I am as a person. After completing it, I feel more confident in my leadership style, because it has emphasised how so many of the traits and skills I already hold can be used to consciously help me be a more successful leader. I would recommend this program for any woman who is unsure of taking on leadership roles or uncertain of how you become a leader (spoiler alert, you probably already are!).” Caroline Faulder
“After participating in the AWSN Emerging Leaders program I feel more confident in articulating and applying my strengths, values and purpose. I now have practical frameworks and tools to continue developing my leadership capabilities, including communication, resilience, and career planning and management. I would recommend this program to any aspiring leader in security, or anyone seeking a greater understanding of the leadership mindset.” Simone - Public Sector Cyber Security Professional
28.04.2022
WOMEN IN SECURITY MAGAZINE
105
WHO RUNS THE WORLD
by Marty Molloy, Events, Marketing and Communications Coordinator, AusCERT. Bek Cheb, Business Manager, AusCERT
“I’m not going to limit myself just because people won’t accept the fact that I can do something else.” — Dolly Parton
As true and inspiring as Dolly Parton’s words are, often the absence of opportunity can hinder the pursuit of goals.
Having worked on the AusCERT Cyber Security Conference for seventeen years, ten of those directly with AusCERT, Bek Cheb has witnessed much change in the industry. Greater diversity of gender, age and culture have influenced those in the field and created new opportunities.
One change AusCERT has been proud to see has been the growth in the number of women speakers at the AusCERT Cyber Security Conference.
I chatted with Bek to understand why this was important and overdue.
Bek, this year’s line-up of speakers includes many more women than previous years. Was that intentional or perhaps a by-product of this year’s conference theme?
At AusCERT we use the call for presentations to encourage women to provide submissions. These are then evaluated by industry peers and selected on merit, not just because they were submitted by females.
By working with organisations like UQ Cyber, AWSN, Source2Create/Women in Security Magazine and WomenSpeakCyber we’re able to keep the conversation going to sustain and grow awareness all year round.
Consequently we have seen steady growth in the number of submissions from women and in those selected to present.
Can you share some details of female speakers at this year’s conference and why they were chosen?
Absolutely! We have already seen some excitement around one of our keynote speakers, Lesley Carhart.
We have tried for several years to get Lesley to present at the conference but there were some restrictions with Lesley being able to present only within the USA.
She is also known by her Twitter handle, @Hacks4Pancakes, and is a high profile figure in the world of cyber. She was named a “Top Woman in Cybersecurity” by CyberScoop and has been in the IT industry for more than twenty years.
Lesley is the Director of Incident Response for North America at industrial cybersecurity company Dragos leading the response to, and proactively hunting for, threats in customers’ ICS environments.
We are also excited to allow individuals to speak for the first time, including Jasmine Woolley. Jasmine was one of only 20 Australian women selected as part of Project Friedman, a scholarship program supporting women working in the cyber security industry and wanting to speak at a cyber security conference for the first time.
Jasmine is also a member of WomenSpeakCyber, an initiative formed to combat the lack of gender diversity in speakers at cyber security conferences in Australia.
Jasmine is planning to study for a Master of National Security Policy Studies at and is currently a security advisor graduate with Trustwave.
There has been a lot of discussion about the imbalance in the numbers of men and women working in cyber security. Do you feel this can be improved by showcasing more women already working in the industry?
You can’t be who you can’t see.
As we improve the gender balance, I think it will show more women the opportunities that exist for them.
Is there anyone you have on your ‘dream list’ of possible speakers for future conferences?
I am still building my dream list and it is forever being added to.
We talk to some speakers for several years before things fall into place and they’re available at the time our conference is held.
I would like to think there are women working in cyber who are honing their skills and mustering the courage to speak, and perhaps others not yet in the industry who will one day have something they want to share we can showcase at the conference.
Wouldn’t it be fantastic to one day soon be spoilt for choice of engaging, talented, skilled and motivated women wanting to educate and elevate others in the field?
Thanks Bek!
www.linkedin.com/in/marty-molloy-14100932/
www.linkedin.com/in/bek-cheb-39546554/
CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards
Teaching through stories
As many of you would know, I like to tell a good story to get my point across. I do it with my A Hacker I Am books, my regular articles here, and I have taken this even further with my upcoming novel series, starting with Foresight, to be released in June 2022. Storytelling is not a new concept. It has been practiced for thousands of years by many indigenous cultures around the world; in legends or stories passed down through generations. Mine do not have the importance of those intergenerational stories, but they do have something in common.
All these legends or stories (mine included) aim to impart meaning or a message. They are told to teach the listeners, or readers in my case, something of value: something of importance they can take away and apply in their own lives. I love this style of teaching and writing. It is my default style and I feel it to be a very effective way to impart learning.
Why? Have you ever read a textbook? Almost all of us have at some point in our lives. They suck. They are usually big, bulky books. They offer extremely dry reading, and a good cure for insomnia. Textbooks are horrible, but they have a purpose: they effectively cram in a lot of information and have been the go-to means of delivering information for universities and schools for at least as long as I have been on this earth. However, I am not sure they represent the best way to teach, especially to teach cybersecurity. It can be a complicated and confusing topic for anyone trying to learn how to better protect themselves against the continual threats in the digital world.
Stories are fun. They can be easily read, and in many cases are very entertaining. An author can use humour, pain, love; anything they want to help weave a web, one that not only draws a reader into their world but can teach subtle lessons, such as why IoT devices must be secured, and the threats individuals and businesses face. Stories can teach children about the dangers of the internet and online gaming without all the boring textbook-style information.
If the stories are entertaining these lessons will sink in and readers will enjoy and remember the experience. They may even read the story more than once and share it with friends and family. This would be a huge success.
To recap, a story gets people to read and enjoy the content, to learn an important lesson and then spread the word about it. If we change our approach to cyber awareness and help people understand the topic in a fun and enjoyable way we will have a much better chance of succeeding in the constant fight to both protect systems and help people to help themselves be more secure and safer online.
My point is simple: next time you are thinking about teaching someone about cyber security consider my approach. Consider telling a story, embedding a message, and making it easier for your audience to understand. It will be a win-win situation. I know from experience it works, so let’s do this together. Let’s tell the world in a new way. Let’s talk about security in a better way, the way indigenous people have been doing for millennia.
Go tell your stories.
www.linkedin.com/in/craig-ford-cybersecurity
www.amazon.com/Craig-Ford/e/B07XNMMV8R
www.facebook.com/pg/AHackerIam/
twitter.com/CraigFord_Cyber
TECHNOLOGY PERSPECTIVES
WOMEN ARE TEACHING AI HOW TO BE DIVERSE
by David Braue
Writing algorithms without women builds a society that ignores them
Dr Nandita Sharma recalls how strange it was to walk into her first-ever engineering lecture at university, to find around 200 students in a lecture theatre – and not one other woman.
“I looked around and I couldn’t find a single female,” she recalls. “It was slightly daunting at that moment… it got me thinking that none of my school friends were doing what I was doing, and it was a bit of a strange thing to be doing.”
“But having that goal and focus in mind as well, because I was completely interested in taking a career path in the space of computer science, and more so in software engineering – that set my motivation. And my interest in engineering and technology kept me going throughout.”
More than 15 years later, Sharma – who has worked as an ABS analyst, CSIRO researcher, artificial intelligence (AI) data scientist, and fraud analyst – has spent over six years as director of the Australian Taxation Office (ATO)’s data-science operations, which are leaning heavily on AI-driven data analytics to streamline one of the government’s most important agencies.
“AI is quite pivotal in what we do by 2025,” she told a recent IWD webinar. “We’re modernising our data analytics capability for service delivering, using cloud computing and AI to meet the growing demand…. We need to be doing more to be leveraging automation and AI to deliver better client and staff experiences and business outcomes.”
As a data-science leader in a high-profile public role, Sharma is one of the numerous women who have defied stereotypes, pursuing their love of STEM and engineering topics to build up the skills and experience necessary to play in the tech-heavy AI industry.
They are, lamentably, still among a small minority in an industry that is continuing to struggle from a pervasive gender gap that is even larger than the one plaguing the cybersecurity field – and, in many ways, harder to fill because senior data science positions often require advanced degrees that require years of rarefied study.
A recent Deloitte report noted that women comprise 47% of the US workforce but just 26% of data and AI roles, but a 2018 World Economic Forum analysis pegged the global participation rate at 22% – reflecting not just the above-average results in countries like the US but the below-average results in countries like Germany, which is known as a global engineering power but has an AI talent pool comprised of just 16% women.
The persistence of the talent gap “suggests a hardened talent gap that will require focused intervention,” the WEF said, noting that industries like manufacturing, energy and mining, and hardware and networking were struggling with the biggest gaps in the availability of AI skills.
HITTING A MOVING TARGET
Investments such as the Australian Government’s AI Action Plan, a broad $124.1m commitment to commercial development, skills development and business AI capability, have crystallised the commitment to building out the ranks of AI specialists.
That said, it’s a long way from committing money to producing qualified graduates with the specialised skills necessary to drive AI innovation and adoption.
Post-graduate pipelines may struggle to change the situation any time soon, with Stanford University’s 2021 AI Index Report finding that just 18.3% of AI-related PhD graduates in the past decade were women – and that women comprise just 16.1% of tenure-track faculty who are primarily focused on AI.
And while other fields suffering a shortage of women are actively recruiting women from other fields, data science is advancing so quickly that it can be a moving target for those wanting to get involved.
“We need to invest in these specialist skillsets… [but] it’s very hard to look into a crystal ball and project exactly what specialist skills you need,” noted Dr Erika Duan, a data scientist with the Department of Employment, Skills, Small and Family Business.
“It absolutely takes time to upskill,” she continued, “especially in a career path like a data scientist. You have to be really, really good at everything – at maths and statistical thinking, and you have to program well or you’ll introduce technical debt.”
That said, she added, “it is possible” for women interested in analytics to upskill into data pathways by focusing on one area that really engages them. “There’s always a need to look at data, analyse it, and communicate it to someone else,” she said, “so if you find yourself really interested in finding the right questions to ask and the best way to answer it, I recommend that you just pick up one extra skillset that you can work in on the side. Over time you’ll be able to use your incredible domain knowledge, but also see the different types of tasks that can be done in the data analysis space.”
GETTING THE BIAS OUT OF AI
Persistent skills shortages in AI pose challenges for other reasons, however: because the very nature of AI involves using data to shape company policies and practices, data scientists have become increasingly concerned that the low representation of women is poisoning AI models against women – often in unexpected ways.
Dr Catherine Ball, an associate professor within the Australian National University School of Engineering, highlighted the impact of poor gender representation in the development of the Health app loaded onto every iPhone.
Despite including a broad range of functionality, the app failed to include a period tracker – a feature, Ball told the recent ADMA Global Forum 2022, that would have been relevant to half of the phones’ user base but was ignored.
“There probably wasn’t a single woman around the table” when the app was designed, she said. “It’s all about calories in, calories out, your macros, your protein, how much you lift. It wasn’t aimed at everybody.”
“So when we talk about AI for good,” Ball continued, “[consider] who is building that AI? When you have meetings, look around the table to see if you have a diversity of people around that table. Whoever’s building AI really is controlling how we see that data. When it comes to AI, it really is that way – and what you put in is what you get out.”
Fixing this issue requires rebalancing the gender mix around AI’s development and its application – but with university researchers dramatically skewed against gender parity, what hope is there for the industry?
Angela Kim, director of data analytics and AI with Deloitte who serves as Women in AI Australia Ambassador, believes the key is outreach – highlighting the potential applications of AI to young girls, and encouraging them to look outside of conventional career paths to consider data science and AI as a long-term option.
“At the end of the day, not everybody has to create algorithms,” she told Women in Security Magazine, noting the availability of half-baked systems that “mean you don’t have to code. But you do need to know how to push the button. To do that, you have to be tech and AI literate – and that can be learned. It’s not rocket science.”
Often, institutions’ entrenched habits are exacerbating the problem: unless students are studying computer science, Kim said, many top business and other students are learning little more than Excel capabilities. Once exposed to more-capable tools like Power BI and Visual Analytics through targeted workshops, Kim said, “the girls loved it” – paving the way for ongoing engagement and internship opportunities with data-driven companies.
After a recent boot camp for high school-aged girls, Kim noted, some high-achieving students ultimately opted to pursue data-related courses of study at university.
TAFEs haven’t often been engaged in the push to improve women’s participation in the AI industry, but Kim believes a more coherent narrative across learning institutions would serve the industry well.
“At the end of the day, you don’t need thousands and thousands of AI researchers,” she said, “but you need technicians for future jobs. It’s a matter of how to link the right curriculums and write programs so we can really support the new generation with more education.”
300 SPARTANS SECURITY DEFENDERS
by Queen A Aigbefo, Research student, Macquarie University
The Battle of Thermopylae famously fought between an ancient Greek city-state, Sparta, and the Achaemenid Empire has spawned several Hollywood movies, especially the 2006 rendition: 300. The Persian Achaemenid Empire had a vast army estimated to have numbered between 150,000 and one million including allies. At a million the army would have accounted for about 40 per cent of the world’s estimated population in that era. How could a handful of Spartan soldiers hold out against such a force for three days? I was curious to know what gave the Spartans the audacity to take on King Xerxes’ army and, more importantly, what the security industry can learn from these brave Spartans.
Early initiatives - The ancient Spartan nation laid great emphasis on military fitness and strength. Boys began military training at a very early age and by the time they were integrated into the broader society, they were equipped with a military mindset to defend their nation. Today there is a growing skill-shortage in the security industry. So perhaps some early STEM initiatives would assist in strengthening the cyber defence force in a few years.
Strategy over strength - In the Battle of Thermopylae some 4000 Greek soldiers were facing more than 70,000 Persian soldiers. Yet, it was a clear case of strategy trumping numbers. The Greeks planned every move from the dispatch of Greek ships to intercept the Persian fleet to choosing the narrow Thermopylae location for the battle.
In 2019 Gartner forecast global spending on information security would hit $170 billion in 2022. The actual figure may turn out to be double that, given the global pandemic of the last two years. Purchasing the next hot security product might not guarantee the protection of your organisation’s network and assets. Products and tools must be implemented and used strategically to effectively ward off cyber-attacks.
Reduce the attack surface - Building on strategy, the Greeks focussed on reducing the Persians’ attack surface as much as possible when faced with the much larger Persian army. By forcing the Persians to attack them at Thermopylae, a narrow alley, the Greeks could control their attack against the Persians at any given time.
Limiting the organisation’s attack surface means having fewer internet-facing points or devices. Organisations also need to maintain an inventory of decommissioned assets when newer technologies and products are acquired and plugged into the network.
Adaptability breeds resilience - It is interesting to note that the Spartans were quite resilient on the battlefield. Despite its small size the Spartan army easily adapted to the various tactics employed by the Persian army.
The cyberattack landscape keeps evolving so security professionals must also evolve and adapt their defence tactics and mechanisms to protect their crown jewels. Taking a hint from Sun Tzu, “the art of war (security defence) teaches us to rely not on the likelihood of the enemy’s not coming, but on our readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
Use your ‘intel’ - The Spartans were more knowledgeable about the Persian army’s resources, routes and battlefield. The Persian army was too large; it took days to move from one point to another. These sluggish movements favoured the Greeks because they used every intelligence report received to launch strategic attacks when the Persians arrived at a battle location.
The people within your organisation represent one of your best intelligence weapons. Regular and targeted security awareness and training equip them with the knowledge to report suspicious activities they encounter, activities that often slip past technical defences. Artificial Intelligence (AI) and Machine Learning (ML) can help guard against cyberattacks, but algorithms can be fooled if a malicious actor is sufficiently knowledgeable. Human security defenders are still vital to gather intel and test the algorithms with the right datasets to improve organisational defensive security.
Watch out for the malicious insider - Unfortunately for the Greeks, their well-trained soldiers, their strategy, their knowledge, and their adaptability could not save them because Ephialtes showed the Persians a back door.
There is no hard and fast technique for detecting who a potential malicious insider might be. However, proper organisational security hygiene could limit the access of a potential malicious insider. For example, using the principle of least privilege and conducting frequent access audits could restrict unnecessary employee access to information assets. Additionally, employees can be trained to spot malicious insiders. Remember they are one of the most important sources of threat intel.
There is a lot the security industry can learn from the Battle of Thermopylae, or the Hollywood rendition (300). History provides us with an arsenal of tactics and strategies that we can harness and refine to deal with the issues we face.
www.linkedin.com/in/queenaigbefo/
twitter.com/queenaigbefo
SITTING DUCKS
By Alex Nixon, Senior Vice President of Cyber Risk at Kroll
Q: What do sitting ducks say?
A: Probably not “Gee, what a great vulnerability remediation program we run.”
I’m sure I’m not the only one having regular conversations about what the Russian-Ukrainian crisis means for domestic Australian organisations. I think it is at once a very rational position and an innately primal response to view world events and consider what they mean on a micro-level. In this specific instance the question I’m fielding is: what can an organisation do to increase resilience in the face of heightened geopolitical, and therefore cyber, risk?
I believe we need to accept there is no such thing as ‘secure’. ‘Secure’ is a qualitative expression that means different things to different people, and the relevance of their answers can change by the (zero-)day. Accepting that we may be breached, in spite of our best efforts, can shift the conversation from a repetitive cycle of ‘how do we prevent an attack?’ to ‘how do we recover from an attack?’ Whilst the latter takes the former into account, the same cannot be said vice versa.
And I think this mindset in which we accept the worst may happen is entirely practical in the current environment. Proprietary data gathered by Kroll from our extensive exposure to incidents globally (Kroll dealt with over 3,200 incidents in 2021 alone) shows the use of phishing attacks as an infection vector increased 122 per cent from January to February of 2022. The only other time I have personally seen an increase of this magnitude was at the very beginning of the COVID-19 pandemic.
So, how do you fortify your organisation’s resilience? Based on the threat intelligence we’re seeing at Kroll, there are a couple of areas I think are worth tightening up.
First, perhaps unsurprisingly, is email security. The growth we’ve seen in phishing emails, coupled with the increase in zero-day exploits, makes this the perfect time for a freshen-up of your anti-phishing defences. The only potential downside of this is you may find more legitimate emails being caught in your spam filters. This trend can be countered with communication. The pandemic may have made us all a little less friendly and gregarious, but people are perfectly reasonable when we provide them with clear reasons for tightening security controls. That communication is also a perfect moment to remind them of how to spot a phishing email. With a little investment, you can turn your employees into another security control, rather than viewing them as another attack vector. With business email compromise making up a third of the incidents our team observed in February, having your employees on heightened alert for phishing attacks is a necessary part of your cyber security strategy.
The second is having a strong vulnerability detection and remediation program in place. I know, penetration testing alone is not enough (who would’ve thought?), but whilst we may know this in theory, in practice it is very easy to allow your remediation timelines to slip, especially in smaller organisations where it would not be cost-effective to have a dedicated resource to oversee this. However, I cannot stress strongly enough the importance of prioritising vulnerability remediation.
Kroll analysed the National Vulnerability Database and the Common Vulnerability Database of the US National Institute of Standards and Technology (NIST) and observed that 2021 was a record-breaking year for vulnerabilities logged by researchers. In Q4, Kroll witnessed a 356 per cent increase from Q3 in common vulnerabilities and exposures (CVEs), or zero-days, being exploited to gain initial access.
assessments, but these costs pale in comparison to the costs resulting from exploitation of a lingering vulnerability and the associated mop-up. From a risk management perspective, it’s an absolute no-brainer. However, not everyone is ready and willing to build security into their budget in the same way as those of us who live and breathe it. This is where I recommend contextualising your approach.
In an ideal world, you would be running enterprise-wide security assessments frequently, but your organisation may not have the budget (or inclination) to do so. If that’s the position you find yourself in, this is where business context is key. Communicating where you reasonably assume your greatest risks reside, such as your internet-facing applications, can help when there’s a tough call to be made on the scope.
We agree to trade-offs every day, consciously or otherwise. Some are as simple as 10 more minutes with the snooze button versus a barista-made coffee in the morning (for me it’s the snooze. I haven’t been a Melburnian long enough to pick coffee to oversleep). Others are more complex with greater consequences.
When I talk to people hesitant to make the investment case for greater vigilance over security controls amidst ongoing geopolitical risk, I am reminded of the Parmenides Fallacy, the human tendency to assume the present situation will remain the same. Inaction will not increase your organisation’s resilience in the face of increased cyber attacks, only make you more likely to be breached, less likely to know when you’re breached and less able to respond quickly. Knowledge of our control gaps may make it a little less easy to
To combat threat actors organisations need an agile
sleep well and enjoy that morning snooze trouble-free,
vulnerability detection and remediation program. This
but I’d rather go without my snooze than be a sitting
is a must-have rather than a nice-to-have. Seeking
security duck.
buy-in from management may be necessary because there could be additional costs associated with
www.linkedin.com/in/alexlnixon/
more regular penetration testing and vulnerability
28.04.2022
WOMEN IN SECURITY MAGAZINE
117
JOANNE COOPER
HARNESSING A DIGITALLY DEMOCRATIC METAVERSE By Joanne Cooper, CEO, Australian Data Exchange
Data privacy is a strange and unique subject that can mean very different things to each and every one of us. In a digital world, or in the future ‘Metaverse’ we are all seemingly moving rapidly towards, data privacy and information holdings are taking on a completely new and very powerful aspect.

Far greater education on this subject is needed in society so individuals are well prepared to dive into their digital selves and understand why their individual privacy rights and data footprints matter. With the digital realm moving towards the new Internet 3.0 and its decentralised models each of us will need to consider how our personal information is rightfully and ethically used. Our personal data is valuable and as consumers, we typically do not like it to be traded unknowingly behind our backs.

For me, as a leader in privacy-enhancing technologies, when people say to me: “I don’t care about who has my personal data,” claiming it is all too hard and too late to get a handle on data privacy, my retort is often, “well I guess then, when you go home tonight you should start embracing another non-privacy practice by leaving all your doors, windows and gates open, permanently.”

Having got their attention I continue, “because ignoring privacy in a digital world is like giving yourself no levels of self-protection. You are inviting cybercriminals, data predators and information thieves to walk into the ‘home’ of your personal data and take whatever they like. They can then trade/sell this information (which might be sensitive) on black markets or potentially use it to harm you.

Some intruders might only analyse what your data reflects, appraise from your information assets what you do, your habits, choices, tastes or culture, or just observe you with predictive modelling machines.” The question is: do you want companies to access your data when you believe no one is watching?

This conversation is often met with an awkward body shuffle. I understand only too well no one likes to be told they are willingly putting themself at risk, but my frankness is not designed to cause distress. It is important. There is an immediate need to rapidly educate people to care about, and take action to understand, the risks associated with personal information.

Digital overreach for personal observation without your knowledge is unsettling. That said, individuals also need to understand the types of services and tools available to best mobilise digital identity, consent and privacy in our connected world. There are consumer technologies specifically designed to help you comprehensively protect yourself during data exchange. It is not too late to do so.

Privacy in the Metaverse is really important. It is a human right for everyone to have the ability to self-determine permissions around personal data use.

The good news is that privacy advocates globally are working extremely hard to enhance regulation, policies and law in favour of citizens so effective data privacy, transparency and implicit consent controls are required to be in place for data holders, recipients and users. Others are fighting against government surveillance overreach that infringes our civil liberties and undermines democracy.

For me, it’s about forming new grass roots consents that put the consumer in control of their data so they have a clear auditable record of personal data transactions that specifies what personal data is used, when, by whom and how.

My company, Australian Data Exchange, is all about privacy, protection and power. We want to give every individual the ability to easily take stock of how their data is used, to make sure it does not cause them harm and empower them to maintain their unique, individual digital rights.

At a corporate level, ethical data sharing infrastructure is now an imperative that has increased the appetite for B2B2C-compliant infrastructure that promotes transparent and ethical data exchange. Developing consent technologies with self-sovereign identity and verifiable credentials allows companies to optimise artificial intelligence and machine learning practices with full user transparency and to engender trust. This enables an exciting new breed of trusted hyper-personalised services through value exchanges that people consent to and desire.

www.linkedin.com/in/joanne-cooper-50369734/
twitter.com/idexchange_me
www.idexchange.me/
MADHURI NANDI
RANSOMWARE AS A SERVICE By Madhuri Nandi, IT Security Manager at Till Payments
Most of you may have started to hear about a new threat to cybersecurity: the proliferation of ransomware-as-a-service (RaaS). If you think it is not real, I suggest you check out the Dark Web.

Who would use this service? Anyone: for taking your business down, for testing the strength of your controls, or even just for fun.

In the past, to be successful, a hacker required coding skills. Now, with RaaS all they need to do is search the Dark Web and submit a bid.

So, what is the most used attack vector for launching these attacks? It’s none other than phishing. These days phishing attacks are common and most organisations have counter measures in place.

However, it is not easy to block all phishing emails and even the most sophisticated security systems can fall victim to vulnerabilities. But even if you can block all phishing emails there are other ways for RaaS to get through your defences. There is something new gaining popularity and aiding RaaS: initial access brokers (IABs).

Any hacker’s dream is to bypass security controls and break into a network. Most new hackers make use of IABs to enable them to achieve this goal. Most IABs sell their accesses to the highest bidder.

Accessing the Dark Web is not difficult.

Download a dark web browser like Tor, SubgraphOS, Waterfox or Invisible Internet Project (IIP). Once installed type the URL for the website you want and you will get there. But searching is not as simple as searching the normal web, because the Dark Web is not indexable.

Now, let’s look at another dimension of ransomware: cyber insurance. Does cyber insurance help you to get protection from ransomware?

It’s a double-edged sword. It helps to cover costs in the event of an attack but at the same time, an insured organisation attracts more ransomware attacks.

The Australian Government strongly advises organisations against paying ransoms to cyber criminals but banning insurance cover against ransomware would not prevent attacks. Ultimately, ransomware is here to stay, so let’s shift the focus to prevention strategies.

• If your business is based in Australia, consider implementing the Essential Eight Maturity Model.
• Focus on
  - Religious patch management across all environments.
  - Slicing and dicing your network with segmentation.
  - Endpoint protection.
  - Backups, backups, backups. Have regular and more frequent backups and get them tested regularly.

Finally, employees are your human firewalls. They are your first line of defence. Invest in educating them on the necessary controls and make clear that security is everyone’s responsibility.

www.linkedin.com/in/madhurinandi/
www.itsecurityawareness.com/
ANNE GRAHN
GENTLEMEN PREFER ENCRYPTION: PROTECTING DATA IN A POST-PANDEMIC WORLD By Anne Grahn, CISSP
They say diamonds are a girl’s best friend. Diamonds are gorgeous. They’re brilliant. They’ve fascinated men and women alike for centuries.

“Better a diamond with a flaw than a pebble without.” – Confucius

But we’re living on the edge of a post-pandemic world filled with cyber threats, where protecting data is top of mind. Diamonds can’t scramble content. They can’t make sensitive data more secure. And as stunning as they are, they can’t help you achieve your goals as a security professional. You need cryptography for that.

Why? Because the world is run on codes and ciphers. From emails and texts to entertainment and shopping online, cryptography inhabits our every waking moment. In fact, life as we know it would be impossible without it.

Cryptography is the science of secret communication. Its fundamental objective is to enable communication over an insecure channel in such a way that unintended recipients cannot understand what is being said. Accelerated digital transformation initiatives and cybercrime amid the pandemic have led one component of cryptography—encryption—to become critical in the effort to safeguard data.

THE IMPACT OF COVID-19

In the early months of the pandemic, millions of people transformed their homes into virtual offices or classrooms. A sudden surge in the use of videoconferencing tools such as Zoom led to privacy concerns and disruptive ‘Zoombombs’ that left organisations scrambling.

Major incidents unfolded as opportunistic threat actors ramped up their efforts. The SolarWinds supply chain attack provided hackers with access to as many as 18,000 government entities and Fortune 500 companies and set the stage for the Microsoft Exchange server hack, the five-day shutdown of the Colonial Pipeline in the US, the disruption of the Irish health service and more.

OFFICIALS HAVE HAD ENOUGH

Governments are increasing regulation to guard against future breaches and protect personal data. Numerous global privacy laws and regulations have recently come into force, including China’s Personal Information Protection Law, South Africa’s Data Protection Act, and the UAE’s Personal Data Protection Law.

In Australia, revision of the Privacy Act 1988 is expected by the end of this year, with the introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 to Parliament. Enforcement of Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) is set to begin in June, and next year we’re likely to see changes to Europe’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Hong Kong’s Personal Data (Privacy) Ordinance.

HOW ENCRYPTION CAN HELP

There is no magic wand for security, but encryption is an essential part of a multi-layered approach to data privacy and protection that incorporates data classification, key management, and access management controls.

“Encryption...is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government… It’s hard to think of a more powerful, less dangerous tool for liberty.”
– Swiss-born American investor, journalist and author Esther Dyson

Encryption is a process based on a mathematical algorithm (known as a cipher) that makes information hidden or secret. Unencrypted data is called plain text; encrypted data is referred to as ciphertext. For encryption to work a code (or key) is required to make the information accessible to intended recipients.

Encrypting sensitive data can add to an organisation’s RoI in security by rendering data useless in the event of a breach. However, organisations without a mature understanding of security often think traditional full-disk encryption that protects data at rest is “good enough” to keep information secure.

MEETING TODAY’S CHALLENGES

As we chart a course through 2022 and beyond, good enough is no longer enough. The world has changed, and cybersecurity needs to catch up.

36% of organisations are using multicloud, with adoption expected to reach 64 percent within three years - Nutanix Enterprise Cloud Index
$1.2 BILLION worth of fines were issued against organisations in 2021 for violations of the GDPR - Global law firm DLA Piper
90% of organisations worldwide say data privacy has become mission-critical - 2022 Cisco Data Privacy Benchmark Study

Using multiple types of encryption can advance your efforts to secure sensitive and regulated data throughout its lifecycle (data at rest, data in transit and data in use).

• Encryption at rest: Encrypts stored data. If data is exfiltrated or systems are compromised, it remains encrypted. Example: Advanced encryption standard (AES)
• Encryption in transit: Encrypts traffic between two entities or systems. Even if the communication is intercepted it will be undecipherable. Upon receiving the message the endpoint is authenticated, and data is decrypted and verified. Example: HTTPS/Transport Layer Security (TLS)
• Encryption in use: Protects data while it’s being used to run analytics or computation. Example: Format-preserving encryption (FPE)

The Cost of a Data Breach Report 2021 by IBM Security and the Ponemon Institute found encryption can dramatically reduce the total cost of a data breach. Organisations using high-standard encryption methods (at least 256 AES encryption) had an average breach cost of $US3.62 million, whereas those using a low standard encryption method, or no encryption, had an average data breach cost of $US4.87 million.

Multiple encryption use cases have come to the forefront during the pandemic:

• Accommodating privacy laws: Regulations like the GDPR—which continues to set the standard for emerging requirements—stress encryption as an “appropriate technical measure.” Encrypting personal data may exempt you from the 72-hour breach notification requirement because data has technically not been “breached” if it is undecipherable. Additionally, authorities will consider the use of encryption in decisions regarding fines.
• Protecting data in the cloud: Leading cloud service providers (CSPs) provide native encryption and key management capabilities, but many organisations struggle to effectively manage workload encryption across multi-cloud environments. Deploying cloud encryption products helps secure multi-cloud workloads across different infrastructures—including on-premises—and with the leading cloud platforms.
• Supporting incident response: Responding effectively to security incidents is critical to minimising damage. Use of enterprise-grade secure collaboration tools that leverage end-to-end encryption (E2EE)—which prevents anyone except those communicating from accessing or reading the content of messages, including vendors themselves—enables private out-of-band communications for security teams, even on a compromised network.

IT’S TIME TO SHINE

As surely as diamonds will endure, so will the efforts of malicious hackers. While there is no cybersecurity silver bullet, encryption is critical to protecting your most valuable asset—your data. Recognising that baseline security efforts are no longer enough and aiming high to encrypt data at rest, data in motion and data in use will better position your organisation to combat cyber threats, maintain regulatory compliance, and build customer trust in a post-pandemic world.

www.linkedin.com/in/annegrahn/
twitter.com/anne_grahn
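The "encryption at rest" item in the article above, as an added example that is not part of the original article: AES-256-GCM with a per-record data key wrapped by a key-encryption key (envelope encryption, which goes one step beyond the article's AES mention to cover its key management point). The function names, record IDs and sample record are constructed for illustration; only Node.js's built-in crypto module is used.

```javascript
// Added illustration: AES-256-GCM encryption at rest with envelope encryption.
const crypto = require('crypto');

const ALG = 'aes-256-gcm';
const IV_LEN = 12; // 96-bit nonce, the size GCM is designed around

// Encrypt a Buffer under a 32-byte key. `aad` is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv(ALG, key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and verify. Throws if the key is wrong or anything was modified.
function open(key, box, aad) {
  const decipher = crypto.createDecipheriv(ALG, key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Envelope encryption: each record gets its own random data key, and only
// the wrapped (encrypted) data key is stored next to the ciphertext.
function encryptRecord(kek, recordId, plaintext) {
  const dataKey = crypto.randomBytes(32);
  const aad = Buffer.from(recordId, 'utf8'); // binds ciphertext to this record
  const stored = {
    recordId,
    data: seal(dataKey, Buffer.from(plaintext, 'utf8'), aad),
    wrappedKey: seal(kek, dataKey, aad),
  };
  dataKey.fill(0); // do not keep the plaintext data key around
  return stored;
}

function decryptRecord(kek, stored) {
  const aad = Buffer.from(stored.recordId, 'utf8');
  const dataKey = open(kek, stored.wrappedKey, aad);
  try {
    return open(dataKey, stored.data, aad).toString('utf8');
  } finally {
    dataKey.fill(0);
  }
}

// Returns null instead of throwing, so failures are easy to compare.
function tryDecrypt(kek, stored) {
  try {
    return decryptRecord(kek, stored);
  } catch (err) {
    return null;
  }
}

function demo() {
  // Assumption: in production the KEK lives in a KMS or HSM, not in process memory.
  const kek = crypto.randomBytes(32);
  const stored = encryptRecord(kek, 'customer-1001', 'card ending 4242'); // constructed sample

  // 1. The key holder reads the record back.
  const roundTrip = decryptRecord(kek, stored);

  // 2. Someone who copied the stored record but not the KEK gets nothing.
  const withoutKey = tryDecrypt(crypto.randomBytes(32), stored);

  // 3. A single flipped ciphertext bit is detected by the GCM tag.
  const tampered = {
    ...stored,
    data: { ...stored.data, ct: Buffer.from(stored.data.ct) },
  };
  tampered.data.ct[0] ^= 0x01;
  const afterTamper = tryDecrypt(kek, tampered);

  // 4. Moving the ciphertext under another record ID fails the AAD check.
  const afterSwap = tryDecrypt(kek, { ...stored, recordId: 'customer-2002' });

  // 5. The stored bytes do not contain the sensitive digits.
  const plaintextVisible = stored.data.ct.includes(Buffer.from('4242'));

  return { roundTrip, withoutKey, afterTamper, afterSwap, plaintextVisible };
}

console.log(demo());
```

Rotating the key-encryption key only requires re-wrapping each stored data key, not re-encrypting the records themselves.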
Connecting - Supporting - Inspiring
AS A FORMAL MEMBER, YOUR CONTRIBUTION ENABLES US TO BUILD AND SUSTAIN A STRONGER FUTURE FOR OUR INDUSTRY
Memberships are now a 12-month cycle
Corporate packages available
Learn more at awsn.org.au/members/join/
Thank you to all our amazing sponsors for their generosity and for helping us to CONNECT, SUPPORT and INSPIRE our members! For further sponsorship opportunities in 2022, please get in touch! awsn.org.au/supportus/sponsors/
# TOP WOMEN IN SECURITY ASEAN
NOMINATIONS CLOSE 30TH MAY 2022
This initiative has been established to recognize women who have advanced the security industry within the ten countries of the Association of Southeast Asian Nations (ASEAN). Nominations were opened on Tuesday March 8th, 2022, coordinating with International Women’s Day.
STUDENT IN SECURITY SPOTLIGHT
Charlotte Kohler recently completed a bachelor’s degree in Security Studies at Macquarie University and is now studying online at Charles Sturt University for a graduate diploma in Fraud and Financial Crime. She grew up in the Hills District of Sydney, New South Wales.
CHARLOTTE KOHLER
Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime
What first piqued your interest in security?
I wanted to undertake a course with practical applications that would give me a variety of career options. At the same time, I wanted to study subjects for which I had a natural curiosity. The more I learned about security the more I saw it as an interesting area of study from a theoretical perspective. At the same time, it is very relevant to the modern world. Studying security also gave me diverse career options in both the public and private sectors.

Were you doing something else before you started studying security?
I became involved in security studies straight from high school. However, in my opinion any experience gained in other areas would be beneficial because security is a career that requires general knowledge in addition to particular expertise.

Can you briefly summarise your security career to date: how did you get into your current study program?
I have just completed my degree so I am still in the early stages of exploring my career options. I am involving myself in a wide variety of security-related activities. This will give me the opportunity to explore numerous career options in a dynamic and rapidly-changing industry.

To what extent have (a) the course and (b) the institution met your expectations?
- What do you like most?
- What would you like to see done differently?
One of the things I liked most about my bachelor’s degree was that many of the tutors had real world practical experience. I would say the majority of students in my degree course were straight out of high school. Tutors would often give us very useful advice on how to make the most of our time at university, as well as the best way to approach job searching when we graduated. I would like to have seen the career fairs for those interested in working in the security studies field done differently. Almost all careers advertised were within the public sector, but there are also plenty of opportunities for security students in the private sector.

What did you find:
- most rewarding or fulfilling about your course?
One of the most fulfilling aspects of my course was the exposure it gave to a range of individuals who had the same interests as myself. I was able to learn a lot from people who already had experience. Discussing a variety of security issues with likeminded individuals helps you to better understand complex issues from different perspectives.
- most challenging or unsatisfying about your course?
The most challenging aspect of the course was having to complete a substantial part of it online because of COVID-19 when I was supposed to attend classes on campus. Had I been able to spend more time physically in class with other students and meet them in person, I think I would have had a more enjoyable university experience.

What is your approach to studying (time management, etc)? Any tips for other students?
Start work on your assignments early. This will allow you to undertake detailed research and formulate your ideas and arguments long before the due date. Doing this also provides you with a buffer in the event of unforeseen disruptions to your studies. I also recommend attending classes, even when attendance is not compulsory. You will learn much more by doing so and will meet other students. Networking is an important part of positioning yourself for a career in the security industry.

How do you gain general information about the security industry?
- From your university?
- From friends and colleagues?
- From mentor(s)?
- From online sources?
I would say all of these. Having a combination of all four means you are open to the largest possible range of opportunities and can learn about different areas of work in the security industry.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would definitely be interested in learning more about cyber security. For example, it would be interesting to spend the day with a penetration tester, learn more about the various techniques used to identify security vulnerabilities in a system and use that knowledge to build overall system resilience. I see pen testing as a uniquely challenging role given the ever-increasing threats to cyber security.

What are your aspirations when you graduate?
- What role(s) would you like to take?
- What kind of organisation would you most like to work for?
I don’t like to say I have one specific role in mind. I think the early stages of anyone’s career are a time to take chances and explore a variety of experiences. I think having such a perspective increases the likelihood that, when you decide to specialise in one particular area, it will be one you are passionate about. Making the most of every opportunity gives you the best chance for success.

What subject(s) do you find most interesting and/or do you expect to be most useful?
I think all the subjects I completed at university will be useful down the track because of the content or because of what I learnt from the people teaching those subjects. One of the things I found the most interesting was how important security is for modern businesses, particularly those heavily dependent on information technology. This is an area that interests me greatly, hence why I have undertaken further study of fraud and financial crime.

What are your longer-term - 5 to 10 years career aspirations?
I think it is important to keep one’s options open. At this stage I don’t see the need to specialise in any particular area of the security industry. The next five to 10 years will be an opportunity to experience as many different aspects of the industry as possible. I am very open to working overseas in either the private or public sector. What is important is to experience as many new things and learn as much as I can. By working hard and being open to new ideas I believe I will have the greatest opportunity to grow as a person and build a rewarding career.

www.linkedin.com/in/charlotte-kohler-504905199/
Elena Scifleet is in the final year of studying remotely for a master’s in cyber security through Charles Sturt University. She grew up in Ukraine and New Zealand.
ELENA SCIFLEET
Senior Consultant | Cyber Capability, Education and Training at CyberCX
What first piqued your interest in security?
I first learnt about cyber security when I heard a presenter at a conference speak about the current threat landscape. I found the combination of technical skills and psychology in the subject really interesting.

What do you find most rewarding or fulfilling about your course?
The course gives me the opportunity to learn from the lecturers, share ideas and build industry connections with my fellow students. Because it is a postgraduate course most of the students already have valuable experience in different aspects of cyber security to share.

I also love that CSU has partnered with IT Masters. This gives us access to industry experts who deliver our lectures. Having lecturers with industry backgrounds greatly enriches the learning and gives students a real-world perspective.

What do you find most challenging or unsatisfying about your course?
Online studies can be very isolating. Unlike on-campus studies where you get to interact with fellow students and staff members and attend different functions, studying online you see staff members only during lectures and most of the time you have limited interaction with students. I would like to recommend all online students to look for a likeminded community and groups. If you can’t find anything in your university, there is a great opportunity to start something. Connecting with other people who study with you will support you and provide more opportunities.

If you could spend a day with a security expert to learn about their role, what role would you choose?
I would choose a threat intelligence role. I absolutely love the fast-paced environment and investigative nature of this role. I also speak several languages so that role would provide me with broader research opportunities. Cyber security is a great profession for people with multiple skills: it gives them opportunities to put those skills to good use.

What involvement do you have in security outside your course?
I am a strong believer in self-growth and in supporting the people around me. I participate in many cyber security initiatives outside my course.
• I volunteer my time as a cyber security ambassador in NSW. This role provides me with opportunities to speak to high school students about cyber security and encourage them to consider it as a career.
• I was one of the founders of, and run, a Discord server for all the cyber security students in CSU to help overcome the isolation of online study. This has grown into an online community of almost 700 students where we talk, share ideas and support each other in our studies.
• Recently I have also started a cyber security society in CSU to provide a platform for students to present their ideas, join capture the flag teams and work to improve cyber security awareness in the CSU student body.
• I am also starting a new Australian Women in Security Network (AWSN) chapter in Newcastle. I come from a regional location and I really want to create an opportunity for women in security to network closer to home in the Newcastle area.

What are your aspirations when you graduate?
My study is at postgraduate level and I am already working fulltime at CyberCX. Working fulltime in a cyber security role provides me with practical real-world knowledge that complements my studies very well. CyberCX is an amazing company to work for: I get to learn from and collaborate with many leaders.

What are your longer term - 5 to 10 years career aspirations?
I plan to work in a technical cyber security role. I have not yet chosen my specialisation because I enjoy many aspects of cyber security. My career aspiration is to work in the area that provides me with learning opportunities and growth. I love the journey as much as working towards my goals.

www.linkedin.com/in/elena-scifleet-605911164/
Valentina Corda is enrolled in a Master of Cyber Security at the University of Queensland, with a focus on cybercriminology. She was born in Italy where she gained a bachelor’s degree in Investigation and Security Sciences. She is now based in Brisbane.
VALENTINA CORDA
Student of Cyber Criminology at the University of Queensland
What first piqued your interest in security?
What do you find
I have always been interested in criminology and in
- most rewarding or fulfilling about your course?
ways to investigate crime. As a child, I read only crime novels. When I had to choose my university pathway I
selected a criminology-related course.
Can you briefly summarise your security career to date: how did you get into your current study program?
I do not yet have practical experience in cybercriminology. I graduated in Italy in February 2019 and arrived in Australia in October 2019 to do a master’s degree in a related area. It took me a couple of years to familiarise myself with the language and save some money. I then started researching possible postgraduate courses in criminology in Queensland where I am based.
One day I came across the University of Queensland website and the opportunity to choose from four fields of studies within the master’s degree in cyber security. One of them was cyber-criminology. I had never thought of doing a study related to cyber security because my background is in social science and I have no particular technical skills. However, that program seemed to be exactly what I had been looking for.
To what extent have (a) the course and (b) the institution met your expectations?
I would say that both the course and the institution have exceeded my expectations.
- What do you like most?
I love watching cybercrime from a criminological/social science perspective.
- What would you like to see done differently?
I would perhaps have preferred starting my work placement in my second semester to gain expertise as soon as possible.
The course makes me understand that cyber security requires a multiplicity of professional approaches. Therefore, I am glad I am able to contribute without having a technical background.
- most challenging or unsatisfying about your course?
My weakness is my computer science knowledge so the purely technical subjects in the course make me feel a little uncomfortable.
What is your approach to studying (time management, etc)? Any tips for other students?
My best personal attributes are determination, precision, self-motivation, time management and organisation. They have always guided me as a student and as an employee. To other students, I would suggest planning in advance the amount of time to dedicate to each assignment based on its type and its importance. In addition, starting earlier is always an advantage because it helps to reduce mental pressure and if an unforeseen event happens you have your job already done.
What subject(s) do you find most interesting and/or do you expect to be most useful?
Obviously, given my background, I am interested more in subjects focused on the human factors of the cyber world, such as those concerning offenders, ways of offending, victimisation and prevention/investigative practices.
If you could spend a day with a security expert to learn about their role, what role would you choose?
I would love to learn about digital forensics and the different tools needed to collect digital evidence.
STUDENT SECURITY SPOTLIGHT
What involvement do you have in security outside your course?
I am an Australian Women in Security Network (AWSN) member.
What are your aspirations when you graduate? - What role(s) would you like to take? - What kind of organisation would you most like to work for?
I would like to work investigating online child exploitation and protecting children from sexual abuse on the internet. Ideally, I would like to work for the National Centre for Missing and Exploited Children (NCMEC).
How do you gain general information about the security industry?
At the moment, from my university and online sources.
What are your longer-term - 5 to 10 years career aspirations?
I do not have grand career ambitions. I would like to see my work help people and produce concrete outcomes, rather than simply giving me an income.
www.linkedin.com/in/valentina-corda
28.04.2022
WOMEN IN SECURITY MAGAZINE
Abigail Fitzgerald is studying, part-time and online, at the Holmesglen Institute in Victoria for a Cert IV in Cyber Security. She grew up in the Philippines where, she says, the IT industry is male-dominated.
ABIGAIL FITZGERALD
Cert IV Cyber Security Student at Holmesglen Institute
What first piqued your interest in security?
I’ve always been fascinated by technology, even during my primary school days when we had only a dial-up internet connection. I remember waiting patiently for the pinging followed by the sound of static as it tried to establish the connection. It was music to my ears.
My interest in security was piqued about four years ago while I was working in a small real estate agency in Bayside after being a stay-at-home mum for almost a year. I witnessed how the thriving conveyancing business’ Outlook email was compromised by a malicious actor who then started sending forged emails to all the real estate agencies the conveyancer was dealing with. I believe their aim was to divert deposit payments.
I learned later that these online attacks are widespread globally and there is a profession in IT that helps keep these online adversities at bay. I also read stories of people working in the information security industry raving about how every day in their job was different: how there were always new security measures to implement and businesses to protect. I knew I had found my passion: security implementation, or cyber security.
Were you doing something else before you started studying security?
Yes, I completed my bachelor’s degree in office management and worked in a number of financial institutions and in retail banking in The Philippines and Dubai.
- If so, what made you transition to the security industry?
I’ve always imagined myself making the online world a better and much safer place for individuals and businesses, especially vulnerable members of the community: old people and young children.
- Are there any skills you have carried from your previous roles/studies?
Yes, but they were mostly soft skills. From my bachelor’s degree, I brought business relations, business systems and designs and presentation skills, and from my past roles, customer service and customer education skills.
- What advice would you give someone thinking of entering this industry from a different background?
I found joining groups and organisations in the industry to be essential for getting my start in cyber security and navigating my way through the industry.
Secondly, education, training, and certification are important. There are a number of TAFEs and universities offering free certifications, training, mentoring programs and educational webinars offered by security organisations. I found these in AWSN, AISA, AustCyber, Microsoft Education, Holmesglen TAFE, etc.
There are also webinars and podcasts that talk a lot about people entering cyber security. Two, in particular, are one from OzCyber titled Students-jumpstart your cyber security career in 2022 and Cyber Hacker from CTRL Group which talks a lot about the importance of diversity in the cyber security industry.
Can you briefly summarise your security career to date: how did you get into your current study program?
I started my study program, Cert IV in Cyber Security, at Holmesglen TAFE. I wanted to start something somewhere and learn about cyber security. I started researching universities and financial assistance programs. However, because I am only a permanent resident of Australia pending my citizenship application confirmation, I am not eligible for such programs. Then, I found TAFE certifications and I chose an online course from Holmesglen TAFE because it was close to my home in case I needed to go to the library or decided to do an in-person class.
I’m now in my 16th month of part-time study and I’m loving every bit of it. One of my favourite subjects so far has been Python programming. I was able to successfully create a basic CRM with a login validation program, incident response plan and security network infrastructure.
It would be an understatement to say I find it very rewarding. When I successfully finish a subject my sense of accomplishment absolutely makes the hard work I put in—the time, logistics and the juggling between full-time work, kids, and family—worth the effort. These subjects are all new to me and I’m pretty much starting from scratch.
What do you find
- most rewarding or fulfilling about your course?
That sense of accomplishment after successfully finishing every assessment in each unit and getting good results, and something I had never imagined I would be able to do: write a basic customer relationship management program with login validation.
- most challenging or unsatisfying about your course?
Everything was very satisfying and challenging. Every course unit was well-created, planned and interconnected.
To what extent have (a) the course and (b) the institution met your expectations?
The course and institution have met my expectations in terms of providing the basic learning, resources and support when needed. I believe they will give me the baseline experience and knowledge to get into the cyber security industry.
However, I wish the institution could provide consistent support online along with in-person support from the educators and information on events and resources in Australia, such as the Essential Eight Maturity Model, endpoint detection, etc.
- What do you like most?
I like programming because I was challenged and had to work hard and think outside the box. I think I got smarter as a result.
- What would you like to see done differently?
Nothing really. However, I would like to see more discussion of current events in the industry.
What is your approach to studying (time management, etc)? Any tips for other students?
It’s all about planning the week. I’ve always been spontaneous but since becoming a mother I have learnt to plan and have become obsessed with planning. However, I am still spontaneous at times.
If you’re a mother, set a reasonable goal each day or night after work and kids’ bedtime, such as reading for an hour, or reading a chapter or two. Then increase that to an hour and a half or two hours depending on time and situation. Just remember, every bit of study effort matters, be it reading, research, programming or watching a webinar related to your units.
Mix activities to make your study more interesting, either by reading about a hack or current malware, listening to a cyber security podcast, or watching a YouTube episode about hacking, phishing etc.
It’s also important to know what’s happening in the security industry because that’s how you can relate all your learnings to the real world.
Finally, remove distractions to ensure you focus on your study for the time allocated. If your phone, friends, kids or pets are distracting you then put your phone into a silent or ‘do not disturb’ mode to block any notifications. Tell your loved ones what you’re doing and tell them to support you by not distracting you. With a pet, I’m sure you can ask your friends or family to look after it for a while or take it for a walk for however long is needed to sap its energy in the hope it will sleep or rest while you’re studying.
Keep in mind that work, study, friends, family and life balance are all important. If you are starting to feel study fatigue, step back and take a break. Either go for a walk or other exercise, meditate or just have a rest. Whatever you do, take things one step at a time. It’s very easy to become overwhelmed with a lot of stimulation, information, certifications and to-do lists. We want to make sure we don’t lose momentum and motivation by getting too stimulated and fatigued. So it is essential to take a break once in a while.
What subject(s) do you find most interesting and/or do you expect to be most useful?
The subjects I find most interesting are programming, monitoring and managing security, and networking essentials. These cover the basic aspects of security.
If you could spend a day with a security expert to learn about their role, what role would you choose?
Very good question. First and foremost, I’ve always wondered about and been interested in the SOC analyst role, followed by the responsibilities of a CISO and what a CISO’s day looks like.
What involvement do you have in security outside your course?
- Part-time job?
I’ve recently started a full-time job in an MSP company focusing on security collaboration with our partners. I used to work for a global vendor of network infrastructure.
- Member of security organisations?
I’m a member of AWSN, AISA, and an ACSC individual partner.
What are your aspirations when you graduate?
I’d like to collaborate with businesses and enterprises to fortify their cyber security postures and create an engaging and interactive platform that will educate businesses and individuals, particularly the young and the vulnerable, on how to be safe online.
- What role(s) would you like to take?
Because one of my passions is people, I’d like a role talking to people and businesses about security and presenting to boards on risks and what they can do to protect their assets. I’m also interested in doing incident response planning and governance risk and compliance.
- What kind of organisation would you most like to work for?
Ideally, an organisation that shares my goal and passion to help people secure their digital portfolios and is supportive, respectful and understanding of my trajectory in the security industry.
How do you gain general information about the security industry?
As mentioned above, I’ve gained a lot since I started studying cyber security by joining security organisations and surrounding myself with people who share the same passions and goals.
I’m also a member of a mentees and mentor program initiated by AWSN where I’ve met many good and highly experienced mentors.
I also register for AISA webinars where they have many well-known and highly experienced security people talking about current events, etc.
And I use online resources such as AustCyber, Dark Reading, TryHackMe and ZDNet.
What are your longer-term—five or 10 year— career aspirations?
Five years from now I want to be in a senior role continuously making a difference and helping people, enterprises and businesses fortify and protect their assets. Ten years from now I will be in the development phase of a security platform I’ll be creating with my partners.
Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions?
I just want to say that one of the things I learnt from this experience is that, regardless of who or where you are, once you discover your passion it is yours to fulfil. I had a learning difficulty from grade school up to high school, but I strived to overcome it. It has taken me many years to discover what I want to do and be in my career, but I’m getting there with flying colours.
www.linkedin.com/in/abigail-fitzgerald-3563a049
LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
Olivia and Jack’s Technology Contract – with the Cyber Safety Tech Mum
Olivia and Jack have had their devices for a little while now and during the recent lockdowns with extended time spent at home, their parents noticed they had been using their devices more than they should. Olivia had been spending a lot more time playing coding games and Jack had been spending more time playing basketball boomers. Their Mum was concerned they had both been on their devices too much and were not spending as much time riding their bikes and hanging out with friends. Their Dad was concerned they had fallen into some bad habits during lockdown and felt it was time to set some more boundaries, especially because they would soon have laptop computers for school. Mum and Dad asked their friend the Cyber Safety Tech Mum to help.
The next day the Cyber Safety Tech Mum zoomed in and spoke to Olivia, Jack, Mum and Dad about a technology contract, what it should contain and why it was important. She said, “Agreeing on how technology is going to be used in your home means the whole family is on the same page about safe device use.”
They all spent some time talking together about ways they could make using technology safer in their home. Olivia and Jack knew being safe with devices was very important. Mum and Dad thought this was a great idea and were excited to get started. Olivia wasn’t so sure because she was really enjoying spending time on her coding game. Jack was curious to see how it would work and said, “Let’s give it a go Olivia, it might be fun to do.” So together they decided to create their own family technology contract. Jack and Olivia suggested they use their devices on the comfy bean bags in their bedrooms, but Mum and Dad explained keeping them safe would be much easier if they used the devices in the lounge room where Mum and Dad could see and hear what they were doing. Jack said, “Let’s move the bean bags into the lounge room.” Dad said, “That’s a great idea, Jack, that way we can supervise you.”
Olivia and Jack’s Mum was worried about when the devices should be used. After discussing what they normally did each day it was decided Olivia and Jack could use their devices after showing their completed homework to their parents. They also agreed to have “Total Tech Blackouts”—times when they knew devices could not be used. The whole family sits together at the dinner table each night, so this was the first Tech Blackout time to go on the list. This was followed by a rule that devices would not be used when visitors were at the house or when friends came over to hang out. By putting their tech down during these times, Jack and Olivia would be able to focus on their family and friends.
They also learnt it is very important to agree on where devices would ‘sleep’ for the night. The Cyber Safety Tech Mum suggested central charging stations located in a common area of the home or Mum and Dad’s bedroom was a good idea. Charging cables would live there and devices would be put on charge in the evening and left overnight. Olivia and Jack’s family already had their charging cables set up in a corner of the kitchen bench. As a family they agreed all devices would be put on charge at the charging station by 6.30 pm each evening, and they would always stay there when not in use.
The Cyber Safety Tech Mum also suggested, because the family technology contract would be displayed in a common part of the home, it would be helpful to add some tips about privacy and sharing so Olivia and Jack would be constantly reminded to be careful when online. They created a list that included information they would not share, such as their full names, age, address, school and sporting clubs and friends’ names. They also made a note not to add friends or request friends without their parents’ permission, and to make sure it was someone they knew in real life.
A few weeks later the Cyber Safety Tech Mum zoomed in to check on how everybody was feeling about the family technology contract. Jack and Olivia said, “it’s great to have the list on the fridge to remind us of the rules if we forget them.” Mum and Dad said it was very handy to always have devices charged when needed and they felt comfortable that Olivia and Jack were using their devices safely.
Lisa Rothfield-Kirschner
www.linkedin.com/company/how-we-got-cyber-smart/
www.facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1
Nicolle Embra
www.linkedin.com/in/nicolle-embra-804259122/
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum
www.linkedin.com/company/the-cyber-safety-tech-mum/
Family TECHNOLOGY CONTRACT
Devices may be used in these rooms
• Lounge Room
• ___________________________
Devices must be placed on charge at the CENTRAL CHARGING STATION at:
The following are TECH FREE ZONES
• Bedrooms
• Toilet/Bathroom
• ___________________________
Devices may be used when:
• _____________________________________
TOTAL TECH BLACKOUT Times are:
• ____________________________________
• Meal Times
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
REMINDER: We do not share private details online.
CONSEQUENCES for not following the contract are:
STRATEGY for if we see something inappropriate:
__________________________________________ __________________________________________
__________________________________________
__________________________________________
__________________________________________
__________________________________________
Signatures:
Recommended by Family zone
How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.
WOMEN IN SECURITY MAGAZINE CONTRIBUTORS
1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist
2. SAMANTHA LENGYEL CEO at Decoded.AI
3. MEL MIGRINO VP and Group CISO, MERALCO
4. DEEPA AMRAT-BRADLEY Global Transformation Executive Cybersecurity Specialist
5. SHRUTIRUPA BANERJIEE Security Professional and Learner
6. TAYLA PAYNE Associate Consultant at IBM
7. JULIA DE SALVO Chief of Staff at Willyama Services
8. NATASHA HALLETT Senior Advisor, Maritime National Security
9. VIDYA MURTHY Chief Operating Officer at MedCrypt
10. TEENA HANSON Cyber Protective Services Manager at AMP Cyber Defence Centre
11. MICHELLE GATSI Graduate Technology Consultant at EY
12. ELA G. OZDEMIR Cyber Security Analyst at ParaFlare
13. NATASHA PASSLEY Partner, Management Consulting - Technology, Risk and Cyber at KPMG Australia
14. SAI HONIG CISSP, CCSP, Co-founder New Zealand Network for Women in Security
15. VANNESSA MCCAMLEY Principal Consultant, Coach, Facilitator & Keynote Speaker
16. RACHEL MAYNE Senior Associate, Cyber Security at u&u Recruitment Partners
17. KATE BROUGHTON Head of Delivery at Decipher Bureau
18. SIMON CARABETTA Cyber Communications Specialist
19. TRAVIS QUINN Principal Security Advisor at Trustwave
20. MEGHAN JACQUOT Cyber Threat Intelligence Analyst at Recorded Future
21. KAREN STEPHENS Karen is CEO and co-founder of BCyber
22. MARISE ALPHONSO Information Security Lead at Infoxchange
23. NEHA DHYANI Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender). Senior Security Consultant at Nokia Solutions & Networks
24. JAY HIRA Director of Cyber Transformation at EY
25. ANU KUKAR Associate Partner from the Cybersecurity – Cloud, Strategy & Risk Team at IBM A/NZ
26. SUMEET KUKAR CA (Chartered Accountant); CEO & Founder at Arascina
27. LAURA JIEW External Engagement from the UQ School of IT & Electrical Engineering
28. MEGAN KOUFOS AWSN Program Manager
29. DR SUSAN MCGINTY Director, Aya Leadership
30. MARTY MOLLOY Events, Marketing and Communications Coordinator, AusCERT
31. BEK CHEB Business Manager, AusCERT
32. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at the 2021 Australian Women in Security Awards
33. QUEEN A AIGBEFO Research student, Macquarie University
34. ALEX NIXON Senior Vice President of Cyber Risk at Kroll
35. JOANNE COOPER CEO, Australian Data Exchange
36. MADHURI NANDI IT Security Manager at Till Payments
37. ANNE GRAHN CISSP
38. CHARLOTTE KOHLER Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime
39. ELENA SCIFLEET Senior Consultant | Cyber Capability, Education and Training at CyberCX
40. VALENTINA CORDA Student of Cyber Criminology at the University of Queensland
41. ABIGAIL FITZGERALD Cert IV Cyber Security Student at Holmesglen Institute
42. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller
43. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum
44. AMIT GAUR Executive Consultant at IBM
45. JOSEPHINE VU Cyber Intern at IBM
46. AKIRA SINGH Associate Consultant at IBM
47. SHANNA DALY Chief Trust Officer at ParaFlare
THE LEARNING HUB
FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.
WIZER
Free Security Awareness Training
The website has some great free security awareness content delivered through short 1-minute videos and storytelling. The videos cover various topics including internet safety for kids, security awareness training for employees, safety for families, work from home safety and so much more!
CURRICULA
Free Security Awareness Training
Curricula’s fun eLearning platform uses behavioural science-based techniques, such as storytelling, to fundamentally transform employee security awareness training programs. The free security awareness training is good for the whole company and can help meet the requirements of SOC 2 or ISO 27001.
AWS SKILL BUILDER
AWS Skill Builder helps you build in-demand cloud skills for free. With learning plans and 500+ digital courses, you can own your career and achieve your goals when and where you want.
UDACITY
Udacity is where lifelong learners come to learn the skills they need, land the jobs they want, and build the lives they deserve. They offer a ton of free courses on technology, cloud computing, and cybersecurity.
NOWSECURE ACADEMY
NowSecure offers many free, on-demand mobile app security how-tos, demos, and courses for the community.
MICROSOFT CISO WORKSHOP SERIES
The Chief Information Security Officer (CISO) is a free (no registration) workshop that contains a collection of security learnings, principles, and recommendations for modernizing security in your organization. This training workshop is a combination of experiences from Microsoft security teams and learnings from customers.
OVERTHEWIRE
OverTheWire is a collection of command-line wargames. The wargames offered can help you to learn and practice security concepts in the form of fun-filled games.
WEB SECURITY ACADEMY BY PORTSWIGGER
The “Web Security Academy” is a free online training centre for web application security. It includes content from PortSwigger’s in-house research team, experienced academics, and Dafydd Stuttard - author of The Web Application Hacker’s Handbook.
ANTISYPHON INFOSEC TRAINING
Antisyphon Information Security training is disrupting the traditional training industry by providing high-quality and cutting-edge education to everyone, regardless of their financial position. They offer students the opportunity to learn skills, practice what is taught, and engage with their community in a fun and inclusive way.
TRYHACKME
TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. They have content for both complete beginners and seasoned hackers, incorporating guides and challenges to cater for different learning styles.
HACK THE BOX
An online cybersecurity training platform that allows individuals, businesses, universities, and all kinds of organizations all around the world to level up their offensive and defensive security skills through a fully gamified and engaging learning environment.
EDUCATION ARCADE
Education Arcade is focused on providing people with a memorable learning experience designed to help keep them safe online. They do this through the use of gamified e-Learning – a powerful tool that reshapes the learning experience by making it fun, interactive and educational.
TURN IT UP
CREATING SYNERGY PODCAST
By SynergyIQ
The Creating Synergy Podcast brings to life the journey of people who are achieving success in their fields, community, business or personal lives, and it dives deep into their process, learnings and ups and downs.
SMART WOMEN, SMART POWER
By CSIS | Center for Strategic and International Studies
CSIS Smart Women, Smart Power is a speaker series on women in international business and global affairs. The biweekly podcast features leading women from the corporate, government, and national security worlds discussing top international issues.
CYBERPRESERVE
By CyberPreserve
CyberPreserve is a one-stop-shop for information on CyberSecurity trends, leadership journeys, attracting people into this sector, and, of course, Cyber Education!
ASIAL SECURITY INSIDER PODCAST
By Australian Security Industry Association Limited
ASIAL Security Insider podcast is brought to you by the Australian Security Industry Association Limited. This podcast discusses security trends, issues and news for security industry professionals.
EDUCATION TALK RADIO
By EDUCATION TALK RADIO PRE K -20
The voice of the American Consortium for Equity in Education at ace-ed.org | Host Larry Jacobs facilitates rich discussions with innovative educators, thought leaders, authors and the leaders within the education industry to promote equity, access and opportunity for every student in every school.
RUN IT LIKE A GIRL
By Bonnie Mouck
Run it like a girl explores the inspiring stories of women leaders from a variety of fields and industries. You’ll hear energizing tales and career journeys from women who’ve made their marks as leading changemakers in their industries.
WEST COAST CYBER
By WestCoastCyber
West Coast Cyber is Western Australia’s first-ever industry and current affair cyber security podcast. Powered by ECU and the Department of Jobs, Tourism, Science and Innovation WA, WCC provides its audience with the latest in the goings-on in Perth’s cyber scene.
KIM KOMANDO EXPLAINS
By Kim Komando
Award-winning radio show host, nationally syndicated columnist and digital lifestyle expert Kim Komando breaks down the hottest topics in tech. Get insider secrets to protect yourself online, make money from home, secure your devices, avoid scams and more.
WOMEN AMPLIFIED
By The Conferences for Women
Hosted by award-winning journalist Celeste Headlee, you can expect true stories and real-world advice from the most brilliant and successful women out there. They cover topics around leadership, career advancement, self-care, transitions and other relevant issues that women face.
HIRE POTENTIAL WITH INDEED
By Indeed Australia
Hire Potential with Indeed explores what obstacles and opportunities companies of all sizes are currently facing to find and hire top talent, and how we can learn from each other to create the best opportunities for job seekers and our employees.
FRAUDOLOGY PODCAST
By Karisse Hendrick, Rolled Up Podcast Network
Fraudology is a podcast from the perspective of a fraud-fighter, with guests ranging from former cybercriminals to fraud-fighters at Fortune 500 companies. Karisse Hendrick will dive into all areas of Fraudology from the perspectives of an expert in the field.
THE AZURE SECURITY PODCAST
By Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos
A twice-monthly podcast dedicated to all things relating to Security, Privacy, Compliance and Reliability on the Microsoft Cloud Platform.
OFF THE SHELF
CYBER MAYDAY AND THE DAY AFTER: A LEADER’S GUIDE TO PREPARING, MANAGING AND RECOVERING FROM INEVITABLE BUSINESS DISRUPTIONS Author // Daniel Lohrmann and Shamane Tan Cyber Mayday and the Day After offers readers a roadmap to leading organisations through dramatic emergencies by mining the wisdom of C-level executives from around the globe. It’s loaded with interviews with managers and leaders who’ve been through the crucible and survived to tell the tale. From former FBI agents to Chief Information Security Officers, these leaders led their companies and agencies through the worst of times and shared their hands-on wisdom. In this book, you’ll find out: •
What leaders wish they’d known before an emergency and how they’ve created a crisis game plan for future situations
•
How executive-level media responses can maintain – or shatter – consumer and public trust in your firm
•
How to use communication, coordination, teamwork, and partnerships with vendors and law enforcement to implement your crisis response
BUY THE BOOK
150
WOMEN IN SECURITY MAGAZINE
ESSENTIAL SECURITY FUNDAMENTALS: SECURITY IS A PROCESS; NOT A SINGLE PRODUCT Author // Uma Rajagopal Demystifying the complexity often associated with information assurance, Cyber Security Essentials provides a clear understanding of the fundamentals to how to protect the organisation. This book walks through Mary, a small business owner on how she safeguarded her business from intruders and insider threats. This book breaks down: •
Data and Production
•
Security fundamentals
•
The threats to cyber security
•
What must be the next step
•
Closing thoughts
It provides a good introduction for those new to the field and a refresher for the more seasoned practitioner. It is for those who are tasked with creating, leading, supporting or improving an organisation’s cyber security program. The goal is to help clear some of the fog that can get in the way of implementing cyber security best practices in your organisation.
THE CYBERSECURITY PLAYBOOK: HOW EVERY LEADER AND EMPLOYEE CAN CONTRIBUTE TO A CULTURE OF SECURITY
Author // Allison Cerra
The Cybersecurity Playbook is the step-by-step guide to protecting your organisation from unknown threats and integrating good security habits into everyday business situations. This book provides clear guidance on how to identify weaknesses, assess possible threats, and implement effective policies. Drawing from her experience as CMO of one of the world’s largest cybersecurity companies, author Allison Cerra incorporates straightforward assessments, adaptable action plans, and many current examples to provide practical recommendations for cybersecurity policies. By demystifying cybersecurity and applying the central concepts to real-world business scenarios, this book will help you:
• Deploy cybersecurity measures using easy-to-follow methods and proven techniques
• Develop a practical security plan tailor-made for your specific needs
• Incorporate vital security practices into your everyday workflow quickly and efficiently
BUILDING EFFECTIVE CYBERSECURITY PROGRAMS: A SECURITY MANAGER’S HANDBOOK
Author // Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation
Building Effective Cybersecurity Programs: A Security Manager’s Handbook is organized around the six main steps on the roadmap that will put your cybersecurity program in place:
1. Design a Cybersecurity Program
2. Establish a Foundation of Governance
3. Build a Threat, Vulnerability Detection, and Intelligence Capability
4. Build a Cyber Risk Management Capability
5. Implement a Defense-in-Depth Strategy
6. Apply Service Management to Cybersecurity Programs
Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies.
THE LANGUAGE OF CYBERSECURITY
Author // Maria Antonieta Flores
The Language of Cybersecurity defines 52 terms that every business professional should know about cybersecurity, even professionals who are not specialists. Anyone who uses any kind of computing device needs to understand the importance of cybersecurity, and every business professional also needs to be able to speak intelligently with cybersecurity professionals. The Language of Cybersecurity introduces the world of cybersecurity through the terminology that defines the field. Each of the 52 main terms contains a definition, a statement of why the term is important, and an essay that explains why a business professional should know about the term.
The Language of Cybersecurity looks at vulnerabilities, exploits, defences, planning, and compliance. In addition, there is a glossary that defines more than 80 additional terms. For those who want to dig deeper, there are more than 150 references for further exploration.
CYBERSECURITY ABCS: DELIVERING AWARENESS, BEHAVIOURS AND CULTURE CHANGE
Author // Jessica Barker, Adrian Davis, Bruce Hallas and Ciarán Mc Mahon
Cybersecurity issues, problems and incidents don’t always relate to technological faults. Many can be avoided or mitigated through improved cybersecurity awareness, behaviour and culture change (ABCs). This book guides organisations looking to create an enhanced security culture through improved understanding and practice of cybersecurity at an individual level. Key awareness, behaviour and culture concepts are covered from the ground up, alongside practical tips and examples.
SURFING THE NET
DEEPMIND BLOG
By DeepMind
Read the latest articles and stories from DeepMind and find out more about our latest breakthroughs in cutting-edge AI research.
GREAT LEARNING BLOG
By Great Learning
Great Learning provides a knowledge base that also offers upskilling. The site has heaps of free tutorials and courses, often targeted at beginners, including cloud foundations, Python for ML, introduction to R, or data visualization.
TOWARDS DATA SCIENCE
By Towards Data Science
Towards Data Science is a Medium publication that helps specialists exchange ideas and expand the general understanding of data science. The site invites independent writers to publish articles. It’s a solid resource for data scientists at any level.
GET SMARTER BLOG
By Get Smarter
Equip yourself with the latest industry news, thought leadership, insightful data-driven research, key insights, career guides, resources, and all of the practical advice to fully prepare for your career.
BERKELEY ARTIFICIAL INTELLIGENCE RESEARCH (BAIR) BLOG
By Berkeley Artificial Intelligence Research (BAIR) Blog
The blog of the Berkeley Artificial Intelligence Research (BAIR) Lab brings together researchers from across machine learning, computer vision, and natural language processing. The blog helps people stay up to speed with the latest goings-on in AI research.
TOTAL DEFENSE SECURITY BLOG
By Total Defense
Total Defense created the Internet Security and Safety Resource Center — an area that includes information, helpful tips, and resources that are intended to inform people about today’s current internet threats and how to stay safe and secure.
DIGITAL SHADOWS BLOG
By Digital Shadows
Read from security experts and analysts about cyber threats, threat actor groups, and cyber threat intelligence and learn how to protect your business against risks on the open, deep, and dark web.
LEADING NOW BLOG
By Leading NOW
Leading NOW’s blog features insights from Leading Forward, Leading Women, the Center for Diversity & Inclusion, and the Gender Dynamics Institute.
AVAST BLOG
By Avast
Read about the latest security news, trends, career advice, cyber safety tips and much more.
DIVERSITY AUSTRALIA BLOG
By Diversity Australia Blog
Diversity Australia’s Blog talks about the latest research, workplace diversity and inclusion, discrimination, how to cope with it, leadership, women in the industry, and so much more.
womeninsecurityawards.com.au
THE 2022 WOMEN IN SECURITY AWARDS
Don’t miss the largest security awards of the year!
womeninsecurityawards.co.nz
Want to be part of it? Register your interest today by contacting aby@source2create.com.au