Women In Security Magazine 8

08 • MAY • JUNE

WHO RUNS the WORLD

WWW.WOMENINSECURITYMAGAZINE.COM


FROM THE PUBLISHER

Who Runs The World?

If you’re a fan of Beyonce, you already know the answer. It’s girls (girls) – but it’s no joke.

“I’m repping for the girls who taking over the world,” she sings.

“Help me raise a glass for the college grads… I work my nine to five, better cut my check!”

Beneath the catchy lyrics is an all-too-true point: women are hardworking, have career aspirations, care about their appearances, and know what they want.

They strive to seize it all, while holding down their families, their mental health, and their home life.

(Yes, we see the many men that are doing the same – but I haven’t found a song yet that says it so eloquently).

While researching this issue’s theme, I was pleasantly surprised to see just how true this is. All over the world, women are distinguishing themselves in ways that would have never been possible 50 years ago or, in many places, even 20 years ago.

Women are running countries – consider female presidents and prime ministers such as New Zealand’s Jacinda Ardern, Estonia’s Kaja Kallas, Iceland’s Katrin Jakobsdottir, Finland’s Sanna Marin, Denmark’s Mette Frederiksen, Norway’s Erna Solberg, Nepal’s Bidhya Devi Bhandari, Chile’s Michelle Bachelet, Germany’s Angela Merkel, Namibia’s Saara Kuugongelwa, and Taiwan’s Tsai Ing-wen.

The world recently farewelled Madeleine Albright, an American diplomat and political scientist who served as the 64th United States secretary of state under President Bill Clinton, first female U.S. Secretary of State and the highest-ranking woman in the history of the U.S. government.

Then there are the legends of politics and industry – women like Joan Clarke, an English cryptanalyst known for her work as a code-breaker at Bletchley Park during the Second World War; ‘first lady of naval cryptology’ Agnes Meyer-Driscoll, an American cryptographer who was known as ‘Miss Aggie’ or ‘Madame X’; Ada Lovelace, an English mathematician and writer, chiefly known for her work on Charles Babbage’s proposed mechanical general-purpose computer, the Analytical Engine.

And don’t forget Rebecca “Becky” Gurley Bace, an American computer security expert and intrusion detection pioneer who spent 12 years at the US National Security Agency where she created the Computer Misuse and Anomaly Detection research program. She was known as the “den mother of computer security”.

And for all the lamentation about the IT gender gap, women are distinguishing themselves in IT areas such as cybersecurity, privacy, innovation, defence, and more. Consider Caroline Millar, deputy secretary for national security; Jen Easterly, recently promoted to lead the US Cybersecurity and Infrastructure Security Agency (CISA); Australian Signals Directorate director-general Rachel Noble; ‘security princess’ Parisa Tabriz, who serves as director of engineering at Google; Electronic Frontier Foundation director of cybersecurity Eva Galperin; video-game designer and researcher Brenda Laurel; and so many more.

I could go on for days, weeks, and months with lists of the amazing leading women helping us achieve greatness in the world, but I think I have made my point.


WOMEN IN SECURITY MAGAZINE

28.04.2022


Abigail Swabey

Despite their achievements, however, these inspiring women don’t get near enough attention in the media. So why don’t they get the raves they deserve?

I stumbled across a film that seeks to address the gap, called The Empowerment Project: Ordinary Women Doing Extraordinary Things. Directed by Sarah Moshman, the crew interviews extraordinary women to explore its core idea that women can do anything they aspire to – whether it be mathematician, pilot, astronaut, ballerina, chef, architect, or US Navy four-star admiral.

“There are so many amazing female role models out there, and the film is simply a way for us to share these stories with audiences all across America so they can be inspired to see possibility in these women’s realities,” said producer Dana Michelle Cook.

“We want our next generation of women to believe there is no dream too big, no idea too grandiose, and that it’s our own unique journey of following a dream that makes us who we are and gives us purpose in our lives.”

“On our personal journey of this film, we learned to say and live our dreams out loud – and there’s nothing more rewarding than that.”

Rewarding, indeed. We need to make more noise about the achievements of women in our industry – and not just on International Women’s Day, but every day. We need to make sure we don’t forget the names of the women that are distinguishing themselves every day by living their dreams out loud.

We need to provide more than just one role model for the next generation to look up to, so they too can see that there are some really cool things that you can do in our industry. I hope this issue shines a light on this theme.

And if I may be so bold, I encourage you to nominate for our Australia and New Zealand Women in Security Awards, so that we can share the stories of today’s achievers and make some more noise about the women working hard to rule their worlds.

And, with that, I might let Queen B close out this column.

“This goes out to all the women getting it in, you on your grind To all the men that respect what I do, please accept my shine… Endless power / With our love we can devour My persuasion / Can build a nation”


Abigail Swabey PUBLISHER, and CEO of Source2Create www.linkedin.com/in/abigail-swabey-95145312/

aby@source2create.com.au



CONTENTS

MAY • JUNE 2022

PUBLISHER’S LETTER

WOMEN ARE DRIVING THE GLOBAL PRIVACY AGENDA

WOMEN ARE LOCKING DOWN GAINS IN PROTECTIVE SECURITY

WOMEN ARE SETTING THE CYBERSECURITY AGENDA

WOMEN ARE TAKING THE FIGHT TO DEFENCE

WOMEN ARE TEACHING AI HOW TO BE DIVERSE

COLUMN
• Instagram based scams
• Don’t ask who runs cyber. Ask who should run cyber
• Teaching through stories

WHAT’S HER JOURNEY?
• Samantha Lengyel
• Mel Migrino
• Deepa Amrat-Bradley
• Shrutirupa Banerjiee
• Tayla Payne
• Julia De Salvo
• Natasha Hallett
• Vidya Murthy
• Teena Hanson
• Michelle Gatsi
• Ela G. Ozdemir

TALENT BOARD

CAREER PERSPECTIVES
• Diverse leadership perspectives
• Certifications: What are they for?
• Successful change starts with your brain’s wellbeing
• Navigating a cyber career and becoming a female leader
• What you can do in cyber security, with a degree that isn’t in it
• Diversity-by-design: Pipelining cyber security talent, three practical ways to get involved

JOB BOARD

INDUSTRY PERSPECTIVES
• In cyber, language is the weapon of choice
• Better together: agency, advocacy, and being a good mentor in cyber security
• Supportive communities help you run your world
• Hedy Lamarr - more than a famous actress
• Preventing cybersecurity burnout: need of the hour
• Let’s get more collaborators to solve the evolving cyber security puzzle
• Who runs the world?
• Why supporting female emerging leaders today is critical for the future
• Who runs the world

TECHNOLOGY PERSPECTIVES
• 300 spartans security defenders
• Sitting ducks
• Harnessing a digitally democratic metaverse
• Ransomware as a service
• Gentlemen prefer Encryption: Protecting data in a post-pandemic world

STUDENT IN SECURITY SPOTLIGHT
• Charlotte Kohler
• Elena Scifleet
• Valentina Corda
• Abigail Fitzgerald

THE LEARNING HUB

TURN IT UP

OFF THE SHELF

SURFING THE NET

FOUNDER & EDITOR Abigail Swabey

ADVERTISING Abigail Swabey, Charlie-Mae Baker, Vasudha Arora

JOURNALISTS David Braue, Stuart Corner

SUB-EDITOR Stuart Corner

DESIGNER Jihee Park

Source2Create Pty Ltd is the publisher of this magazine and its website (www.womeninsecuritymagazine.com). AWSN is the official partner of Women in Security Magazine

©Copyright 2021 Source2Create. All rights reserved. Reproduction in whole or part in any form or medium without express written permission of Source2Create is prohibited.




WOMEN ARE DRIVING THE GLOBAL PRIVACY AGENDA by David Braue

Privacy achieved gender parity years ago – and why wouldn’t it?

Petruta Pirvan had something of a baptism by fire after she began working as group data privacy compliance officer at Moller-Maersk in late 2018, just a year after the global shipping giant was brought to a standstill by the NotPetya cyberattack.

As the company worked to right its operations and clean up its data-security practices, Pirvan was charged with creating a global data protection compliance program – including establishing an organisational privacy vision and mission statement, developing e-learning policies and guidance, and more – to embed a ‘privacy by default and design’ approach into the company’s DNA.

The data breach “was the point that enlightened [Maersk] and its management, and that was the point where they decided to invest in data protection,” Pirvan told Women in Security Magazine.

“While I was there, there was still a struggle for the company to understand the value of protecting data and the value of privacy – and many companies are having that confusion and aren’t that enlightened about privacy concepts and terminology. It’s very complicated for a company to see the competitiveness element in data protection.”

The privacy overhaul was a massive three-year undertaking that gave Pirvan, who had previously worked in data privacy law with Accenture, a chance to apply her expertise at an industrial giant in desperate need of her help.

Now working as a senior privacy consultant with Amsterdam-based Wrangu and an advisor at the Institute of Operational Privacy Design, Pirvan said small businesses often find it “much more straightforward” to understand the importance of respecting customers’ data privacy – but larger companies, long accustomed to B2B operations, still struggle to approach privacy in a B2C way.

“It’s much more complicated to make the switch to more enhanced data privacy and data protection,” she said, “but they need that approach to survive and compete in the market.”


A well-regarded privacy professional, Pirvan’s expertise has helped many companies make the transition – and she’s in great company within a field that has proven particularly welcoming and accessible to women.

A BALANCED PLAYING FIELD – BUT WHY?

Indeed, despite ongoing difficulties in closing the gender gap across cybersecurity and other technical areas, privacy practitioners have enjoyed an industry with a remarkably level gender balance: the International Association of Privacy Professionals (IAPP) reported a 50:50 gender balance as early as 2015.

At that time, the rush towards GDPR compliance actually saw European women out-earning their male counterparts – earning a median salary of $US100,100 against $US92,600 for men.

That rare situation has not been replicated globally, however, and the 2021 IAPP figures showed that men are earning 9% more than women globally, on average – and 14% more in the US, where privacy remains a particularly fragmented and challenging environment.

But just what makes privacy so well suited for women?

The fact that 90 per cent of privacy professionals were working from home, as of March 2021, can’t have hurt the appeal of privacy roles, with half of the privacy professionals expecting to maintain a hybrid work arrangement in the long term.

Yet women’s strong showing in the privacy industry likely stems from other factors, too – not the least by reports that the work is interesting, driving an average satisfaction rating of 7.3 out of 10.

Many privacy professionals emerged from less-technical careers in law and consulting, where women often bring a conceptual framing that helps them apply privacy across a range of operations.

Pirvan cited the strong examples set by women such as Margrethe Vestager – a former Danish education minister and Parliamentarian who is leading privacy and other digital policy formation as executive vice president of the European Commission – and US Federal Trade Commission chair Lina Khan, a former law professor spearheading complex efforts to find common ground between federal and state privacy obligations.

“There is a good representation of women in privacy,” Pirvan said, “and these are powerful voices that prove we need women in privacy.”

ATTRACTING WOMEN TO PRIVACY

More than in most industries, the strong position of women in privacy has created opportunities to engage with potential new women colleagues – building mentorships and other relationships that often become recruitment opportunities.

Relationship building “is probably the biggest skill in my role, and has allowed me to be successful,” said Talya Parker, a privacy engineer at Google who got into privacy a decade ago on the recommendation of a peer mentor.

Parker quit her full-time job in banking and took a four-month internship in another city, learning everything she could in the privacy space before moving into a consulting role at Deloitte.

Working in privacy, she explained during a recent SANS Institute International Women’s Day webinar, “opened up a world of opportunities for someone like me, with my skill set, to interject myself and provide some immediate value.”

Yet visibility is crucial to attracting women to any industry, and Parker recognised the lack of minority women in similar roles meant “there was not a lot of awareness about what these roles look like because we typically see white males in these roles – and that’s not something minority women want to aspire to.”


Parker founded the diversity advocacy group Black Girls in Cyber to address a yawning gap within the industry – and has quickly discovered her talent for relationship building.

Coaching sessions, casual lunch catchups, mentorships, and ongoing efforts to maintain relationships that are more than “transactional” have helped Parker share her love of the field with women who, she said, “are more willing to open up… when they see that you take their time very seriously.”

“Women are naturally introverted and I just kept my head down,” she recalled, “but sometimes that’s not enough: even if you do good work, you have to learn how to advocate for yourself – and I realised that no one else would be able to advocate for me, more than me.”

“We have a responsibility to look back to others to share, to create awareness, and to bring as many people as we can with us.”

Advocacy for privacy careers may indeed be crucial for women, given the privacy industry’s current struggles with an expanding understaffing crisis.

Just 8% of privacy practitioners in ISACA’s recent Privacy in Practice 2022 survey said they have five or fewer years of experience in privacy, while the percentage of understaffed companies increased significantly over the last year.

Fully 46% of companies this year said their legal/compliance privacy teams don’t have enough staff and 55% said the same about their technical teams – up from 33% and 46%, respectively, in 2021.

Privacy responsibility was spread across a range of executives – and while 37% said privacy was handled by CIOs or CISOs, the remainder said privacy was delegated to non-technical executives such as CEOs, board members, chief compliance officers, or the chief privacy officers now found in 21% of companies.

There are clearly many roads to a privacy career – and with companies falling so far behind the curve on privacy, the opportunities for interested women may never be greater.

AUSTRALIAN OPPORTUNITIES

Australia’s growing focus on privacy has created similar opportunities on our shores, where federal privacy commissioner Angelene Falk has proven so adept at balancing overwhelming privacy and other responsibilities that she was recently described as a “one-armed juggler”.

With the increasing accumulation and analysis of data creating new privacy challenges daily, the need to temper new online services with clear privacy practices has made this “probably the most exciting time” to be in privacy, says Nicole Stephensen, a privacy consultant with Brisbane-based Ground Up Consulting who laughs that “I’ve been in this career that long because it’s just not boring.”

Increasing awareness in recent years means privacy “is no longer the poor cousin to information security,” said Stephensen, who is in high demand helping businesses whose privacy practices are often weak after spending years focused on cybersecurity.

“When I started my career, information security was the sexy place to be, because the technology was starting to bloom,” she said, “but now we’re seeing information security and privacy going hand in hand. You can have security without privacy, but you can’t have privacy without security.”

Privacy as an industry offers great opportunities for women from all kinds of careers, Stephensen said, noting that “you don’t have to be a lawyer to be a great privacy person; if you are trained in principle-based decision making, you can do privacy.”

“There is a difference with cybersecurity, which is much more male-dominated,” she continued, “but I don’t feel that I’ve been disadvantaged in this profession.”

“I’ve always been taken seriously, and – by not myself treating privacy as something male-dominated – I’ve been able to offer myself as a mentor and give women a great opportunity to explore privacy as a career and to be very successful in it.”


COLUMN

Instagram based scams

AMANDA-JANE TURNER

Cybercrime is big business, thanks to technical advancement and interconnectivity creating more opportunities for cybercriminals. This regular column will explore various aspects of cybercrime in an easy to understand manner, to help everyone become more cyber safe.

Instagram is a popular way for individuals and businesses to share photos, videos and information with their followers. Thanks to its popularity, Instagram is also a popular target for cybercriminals. Look out for these scams that will allow criminals to take over your Instagram accounts, defraud you or disrupt your business.

INSTAGRAM CREDENTIAL PHISHING

This may take the form of emails that appear to be from Instagram, Instagram direct messages, or posts on Facebook that direct you to ‘log in’ to your Instagram account. The messages may say your account is being deleted unless you verify it, that a friend needs help logging in or that you have breached someone’s copyright. Phishing posts on Facebook may urge you to click through the link to see important information about your area of interest or to log into Instagram via a provided link to view a photo.

INVESTMENT SCAMS

Criminals may create, or use, Instagram accounts they have compromised and share photos of themselves in expensive clothes or at exotic locations to convince people they are rich. They may share photos and comments about a new investment opportunity they are happy to share with you, their followers, so you can be rich like them. Once they have a person on the hook they will ask for funds for the investment. Of course, once they have enough money from their victims, or are close to being found out, they disappear with your money never to be seen again!

ROMANCE FRAUD

Fraudsters will go to great lengths to build rapport and trust with their victims. On Instagram they may regularly comment on, or react to your photos, follow you, then start to send direct messages to you. They will eventually share messages of affection and romantic feelings with their targets and, once they have someone engaged with their fraudulent narrative, will start asking for money for a sick relative, for an air ticket to visit or some other emotive reason.

HOW TO STAY SAFER USING INSTAGRAM

• Enable multifactor authentication on your account.
• Use a unique and complex password.
• Be cautious about messages from people you do not know.
• Check what third party applications have permission to connect to your Instagram account.
• Ensure the photos you upload do not show your address or other sensitive information.
• Be cautious of what you are logging into: is it really Instagram, or is it a phishing page?
• If something sounds too good to be true it probably is.

Cybercrime is big business. We need to work together to stay safer from it.

This column is dedicated to the memory of two very good men: my friend Kyle Maher (1989-2021), and my Dad Gordon Turner (1925 – 2022)

www.demystifycyber.com.au/



WHAT’S HER JOURNEY?


Samantha Lengyel
CEO at Decoded.AI

“Any woman trying to become a cyber security founder is already fighting against the odds.” That’s the candid truth from Samantha (Sam) Lengyel, CEO and co-founder of artificial intelligence (AI) integrity company, Decoded.AI. She’s not wrong. Women remain vastly underrepresented in cyber security with less than one in four cyber employees identifying as female.

Given those statistics, it is perhaps surprising that Sam is part of a thriving community of female business founders at CyRise, a cyber security venture accelerator program backed by NTT and Deakin University.

Sam argues her success as a cyber security founder comes not only from being ‘good at tech’ but also from leveraging the set of diverse skills needed to lead and manage a business.

“I was never on the ‘tech track’: I fell into it by necessity” she says. “Technology, coding, even cyber security, were never described as career options for me. I never played video games, so I wasn’t exposed to computers to have fun. Technology was presented as a tool, not something to engage with.”

But that experience became the inspiration for her company, Decoded.AI, which seeks to build a stronger connection between the creators of technology and those who use it. “It keeps us up at night that technology with the capacity to change the world is still behind walls, simply because teams cannot easily understand their work,” says Sam.

Sam began to see the disconnect between AI and its users after asking a team to describe how its AI technology had calculated a particular result. It quickly became apparent the team was unable to easily explain, audit and verify the trustworthiness of the results. An AI model could be outputting incorrect or unrepresentative results—a problem sometimes known as ‘AI bias’—and users would be unable to tell they had a problem.

“There was a fundamental need to ‘cross the chasm’: to connect artificial intelligence and machine learning technologies to the people they would affect,” she says.

After being drawn to build artificial intelligence tools through a desire to connect and communicate, Sam quickly hit a wall. She did not know how to code and needed that skill to build the tools she envisaged. She set to work teaching herself and credits her background in linguistics with giving her a useful learning framework. “With a mission, learning to code is really not that different from learning a new language,” she says.

Sam’s first taste of entrepreneurship was at the Canberra CyRise cyber Bootcamp in 2019 which encouraged aspiring founders to test their ideas. This whetted her appetite to develop her AI concept into a business and she was accepted into the Griffin Accelerator, a three-month intensive coaching and mentoring program with funding for selected ACT businesses. Sam, along with CTO and co-founder Josh Fourie, got to work building a tool that could see ‘under the hood’ of AI/ML models. Two years later their hard work paid off and Decoded.AI earned a highly sought-after place in the CyRise accelerator.

Today, Decoded.AI’s technology makes artificial intelligence and machine learning computations easy to understand allowing businesses to get insights into how an algorithm is generating its results. Because AI is often deployed by businesses to make sensitive decisions such as how much a person can borrow and their risk of committing a crime, understanding the inner workings of AI models has become a top priority for many policymakers.

Also, AI models sit behind many of today’s cyber security tools and can be trained to detect malware and a variety of cyber threats, but their effectiveness depends on identifying any blind spots before those can be exploited by an attacker.

Sam attributes her early success as a cyber security startup founder to her creativity and desire to communicate, skills that are increasingly recognised as critical for cyber security. She argues that by simply reframing the way we describe cyber security, we can encourage more women to get involved.

“I am not sure that cyber has ever escaped the warrior culture. When you read a cyber textbook or the marketing material of a lot of cyber companies, they are patterned with military and combat analogies,” she says. “That aggressive narrative will pull in a certain type of person but may make others more reluctant to try and pry open the door to the industry.”

Being a cyber security founder involves sitting at the intersection of technology and business and often demands a broad set of skills and experience. Sam argues that coming into the industry from outside the tech sector has given her unique tools for success.

“Decoded.AI is about bringing people together, making it easier to communicate across silos and building trust in artificial intelligence by creating safer, better models. I think being female actually gives me an advantage in this industry,” she says. “It’s also great to be a part of a community of cyber security founders focused on working together to build each other up.”

Sam represents perhaps a model for cyber security leaders of the future: insatiably curious, community-focussed and deeply committed to building technology with a purpose.

www.linkedin.com/in/samantha-lengyel/


I made some good progress as an infosec auditor at the start and I eventually gained a lead role in an IT multinational but became bored and ventured into consulting where life was exciting, despite the extended working hours. I went into various security implementations in process and technology.

Mel Migrino

After almost six years I decided to go back to a user

VP and Group CISO, MERALCO

organisation where I assumed concurrent leadership roles as data privacy officer and chief information security officer for a fintech company heading the deployment of the SOC and various initiatives to secure a mobile application and its supporting infrastructure.

L

I also established the organisation’s compliance with ooking back on how I succeeded as a cyber

data privacy regulations and I was given the chance

security leader, I remember the challenges

to head enterprise risk management. Wearing three

that made me realise it was not only my

hats in the midst of transforming the business was

technical abilities but more about the life

not easy but worth the effort.

lessons that moulded me into a better

leader.

With these past roles in the consulting and fintech industries I saw diversity of gender, experience and

More than 15 years ago I started a career in an

capabilities could lead to better outcomes.

applications development team where I assumed a business analyst role then transitioned to software

My current stop on my career journey is with Meralco,

quality assurance and became a project manager

the largest power distribution utility in the Philippines,

implementing enterprise applications.

where I provide management oversight and direction for the parent company and all its subsidiaries. Being

Assuming a leadership role in tech at that time was a challenge because the majority of leaders were male and women were assuming mostly mid-level lead roles. I heard from some of my industry colleagues there was a niche career in the market, information security, that also covered security in applications

“To succeed in this profession you need to approach cyber security with great dedication, not to want the limelight, but you will be in the spotlight during crises. Cyber security is a career that makes you want to learn more and at the same time makes you more human.”

development. I got interested and ventured into that field.

20

WOMEN IN SECURITY MAGAZINE

28.04.2022


W H AT ’ S

H E R

J O U R N E Y ?

in such a male-dominated industry is a different ball game. Influence is crucial to getting things done. I told myself gender disparity is present in every industry, but especially in the power sector where the gender gap still permeates management teams and boardrooms. According to Boston Consulting Group (BCG) and Singapore’s Infocomm Media Development Authority (IMDA), the number of women in tech in Southeast Asia exceeds the global average. Women account for 32 percent of the tech sector workforce, compared to 28 percent globally. It requires continuous effort to bridge the gender gap, but I persevered and demonstrated I was confident and fit for the job while exercising strong leadership that would promote gender inclusivity and deliver the results I was mandated to deliver. To me, knowledge is power regardless of your gender. If you project the right attitude and posture people will listen and follow you. We cannot discount the fact that women are innovative, have better agility and inspire and motivate others. These are important factors that contribute to the success of huge projects such as process and technology transformation in the energy industry. While I manage various teams locally and in Asia, I also need to keep myself sane. I have a male mentor. He taught me how to be a tough but fair leader and to be results-oriented. He taught me to persevere and continue my journey, despite the obstacles. He reminds me we can achieve great things by making the right choices and actions. To succeed in this profession you need to approach cyber security with great dedication, not to want the limelight, but you will be in the spotlight during crises. Cyber security is a career that makes you want to learn more and at the same time makes you more human.

www.linkedin.com/in/mel-migri%C3%B1o-b5464151/

www.linkedin.com/company/wisap-women-in-securityalliance-philippines/



Deepa Amrat-Bradley
Global Transformation Executive - Cybersecurity Specialist

Deepa Amrat-Bradley specialised as a transformation and business turnaround director for 15 years before entering the cyber security industry. Originally from England, she has worked with clients in the United States, India, the Middle East and, most recently, Australia.

She joined the online employment service SEEK in January 2021 in the security leadership team where she was tasked with leading SEEK’s cyber security strategy development and managing its cyber security program to address the growth and increased complexity of its workload as a result of COVID.

At SEEK she leads cyber security strategy and enables program governance to support teams in their role to protect the SEEK Group from cyber security risks by staying at the forefront of emerging cyber threats.

“Security is a high-pressure working space managing governance, risk and compliance and incident response to enhance business resilience and enable business continuity,” she says. “My work supports the efforts, contributions and delivery of the complex and ambitious portfolio we manage under the security banner.”

Amrat-Bradley says her greatest strengths are her ability to lead and facilitate dialogue between subject matter experts, technical teams and the business to produce collaborative and fit-for-purpose outcomes. Her team is facilitating the review and design of SEEK’s security strategy, operational plan and reporting framework and is working to build up its portfolio management capability.

Amrat-Bradley has received several awards for her work over the last two decades. Most recently she was the recipient of the AMCham Global Leadership Program Scholarship 2022.

She has a wide range of program management and leadership credentials gained over the years and is looking forward to her journey of continuous learning and growth and to nurturing and building highly capable teams and empowering them to excel.

FROM BUSINESS TRANSFORMATION TO CYBER SECURITY

She made the transition from business transformation to cyber security in 2017 when the UK government commissioned her to support the development of an SME team to design and deliver a cyber security strategy.

“I wasn’t sure I’d be the right fit for such a role as I didn’t have a deep and specialist technical capability in Cyber Security,” she recalls. “However, what the government wanted was someone with strong leadership and strategy skills to support the design and management of a team to deliver global risk and compliance nationally, and that’s what I brought to the table.”

Amrat-Bradley has extensive leadership and program management credentials gained over the last 20 years and is boosting her cyber security knowledge by studying to become an ISACA Certified Information Security Manager (CISM).

Her current role is a long way from her childhood ambition: to be a pilot or an astronaut, and she says her school years played a significant role in her career development.

“My early years were crucial, and I was lucky enough to be encouraged and inspired to think big by my teacher at school, Steve Jones, who was ahead of his time in ensuring a level playing field and supportive environment for all his students,” she says. “Steve created a safe and happy space for all – an early example of ‘Break the Bias’, which I feel has influenced my professional approach. We are still in touch, sharing inspiring dialogue and life lessons with me and my family.”

COURAGE TO TAKE LEAPS AND EMBRACE THE UNKNOWN…

Like so many women, and possibly men, when presented with a challenging career opportunity Amrat-Bradley questioned her ability to fulfil such demanding roles. She describes one of the most important decisions shaping her career journey as being “The decision to take a leap into consulting and work with amazing leaders on high profile programs that required precision delivery to succeed was a huge turning point and took courage”.

“Like so many of us, I doubted whether I was good enough, but having received good feedback for my work and recognition for my success in a traditionally male-dominated field with an award for Interim Consultant of the Year 2008 [Awarded by the UK’s HR Magazine to the youngest change-maker in the industry as voted for by interim executive appointment agencies and client testimonials] I was able to grow, accept opportunities with enthusiasm and encourage others to do the same.”

Amrat-Bradley has been fortunate in having great support throughout her career journey, from her childhood onwards. She says, as an Indian female, she felt invisible at times, but support and empowerment from “amazing leadership initiatives and great leaders” have been invaluable over the years.

A SUPPORTIVE FAMILY

“My family always encouraged me to reach for the stars, and my mum is an amazing forward-thinking advocate of women in leadership who empowered me and all my friends to break the glass ceiling.

“My dad showed me how hard work creates beautiful opportunities and he taught me about smart discipline in business. Then my big brother, a phenomenal athlete and now a successful entrepreneur, always championed me, encouraging me to shine and proudly highlighted my successes to keep me thinking outside the box.”

Later, early in her career, there was Tom Bewick and then Bev Evans. “I had the pleasure of working with the incredibly well-respected and accomplished Tom Bewick, an executive Director consulting across Education, Business and Skills programs and advisor to prominent MPs. He was a leader who gave me a springboard of opportunities in brand and project management, led by great example and allowed me to really showcase my capabilities and grow.” Now Tom is CEO of the Federation of Awarding Bodies UK and the top voice in leadership.

Bev Evans, partner at Carnall Farrar UK is a very well-known and highly respected female leader in the business improvement space and was the accountable officer where she tasked me to deliver the NHS’s largest transformation program she says, “a leader who allowed me to shine brightly, taught me so much and encouraged me to lead with courage and compassion. She is a true icon in leadership and consulting, and continues to be an amazing friend, mentor and advocate for delivering excellence and growing talent.”

And, of course, husband Rob. “He supports my journey like no other, to embrace all that fulfils me, is my rock and the person cheering me on each day.”

However, one personal attribute she believes comes from within rather than from education is leadership skills. She says it cannot be taught. “Leadership is a lifelong journey of development and personal growth, with a focus on seizing opportunities to do great things for, and with, the talent around you. Leadership for me is also about being responsible and accountable for the decisions you make, seeking to add value, empower others and operate from a place of integrity.”

ATTITUDE TRUMPS APTITUDE

When asked what advice she would give to anyone aspiring to a role similar to hers, she says: “I believe in attitude over aptitude. So I highly encourage people to get out there and work on delivering projects from inception to completion in their chosen field. Take advantage of opportunities to showcase your capabilities and interests, gain work experience by spending your free time volunteering, or get a foot in the door with a company that aligns with your end goal and then work out from this journey which key credentials will add the most value and get you to where you want to go.”

And she adds: “Whatever you study, I feel it has to be a subject you enjoy, are invested in and try, if you can, to gain placements that will give you hands-on industry experience and build your professional network. I follow Sai Honig and Nivedita Newar, strong female leaders in technology. They share great learning materials, and resources and write insightful articles for those interested in cyber security and are great influential industry professionals.”

For school leavers aspiring to a role in the security industry Amrat-Bradley offers the following advice.

• Reach out to local businesses and meet with the CISO to have a career talk.
• Attend security conferences to network and understand more about the industry.
• Watch the amazing selection of free tutorials provided online around cyber security basics.
• Join discussion forums about cyber security careers.
• Reach out to a cyber security recruiter to gain a view from their lens about the industry.
• Try to secure a simple role in a security space over school holidays and in your free time to support any aspect of work that they can offer to introduce you to the profession.
• Write about and share your journey and interests in cyber security.
• Persist! Don’t give up.

And she is particularly upbeat about the opportunities for girls in cyber security. “Women have great skills and expertise to add value in all spaces, so it’s time to help bring balance into this space. The opportunities are available and women are being encouraged to join, so don’t hesitate because of the traditional technology landscape.

“I envisage some great creative initiatives being launched to appeal to a broader, diverse and female talent pool to close the skills gap and I encourage more women into this exciting specialism.”

From her perspective of cyber security, Amrat-Bradley picks out a couple of issues she sees as major challenges: AI and the rapidly growing volume of data that must be protected.

“AI without a doubt in my view will play a leading role in how we deal with threats in the future, and we will need to prioritise upskilling to manage this space. The sophistication of AI offers capabilities that can present as ‘friend’ or ‘foe’. We need to continue to invest in learning and development in the cyber security space to stay ahead of the game. I am proud to say, this is an investment that SEEK takes very seriously.”

“The size of data is multiplying every day. Safeguarding digital data is another priority for SEEK, and we are keeping a watchful eye on the global trends around how this is regulated and managed, whilst also continuously monitoring and updating our approaches as needed.”

www.linkedin.com/in/deepa-bradley/


Shrutirupa Banerjiee
Security Professional and Learner

Shrutirupa Banerjiee is vice-chair and the technical lead of Breaking Barriers Women in CyberSecurity (BBWIC), a new non-profit organisation based in Canada that aims to provide a safe space for women to grow and evolve in the industry. It’s a role she holds in addition to her day job working in web application firewall (WAF) research at cyber security company Qualys.

Her BBWIC role is not her first in the cyber security community, and she says these voluntary roles have been important in shaping her career. “Joining several communities gave me opportunities to increase my network and communicate with different people about their journeys and struggles. I also got acquainted with opportunities by being part of the right communities with vision and a mission.”

Banerjiee’s own cyber journey has not been without its struggles. After studying for a bachelor’s degree in mathematics when she also studied computer science. She was introduced to the basics of C programming in her third year and went on to study for an MSc in Computer Applications when “the only thing I knew about computers was how to turn them on and some basic C programming.”

Undeterred she went on to study various topics in cybersecurity: cryptography, blockchain, vulnerability assessment and penetration testing (VAPT), malware analysis, RE, digital forensics and incident response (DFIR) and more. She also became a Certified Ethical Hacker (CEH) “to understand what cybersecurity is all about.”

A NATURAL STUDENT

Studying, she says came naturally. “I have always been studious. Science and maths have been my all-time favourite subjects, but my enthusiasm for exploring and researching has always been the same regardless of the subject.”

Not surprisingly she is a strong advocate for continual learning. However, she is not a strong advocate for certifications. “The most important thing, if you wish to be technically strong, is to keep learning and enhancing your skills. However, I don’t necessarily recommend certifications unless your job or client has a requirement: I see people with certifications and no knowledge. Many people can’t afford those expensive certifications but have a fantastic skillset, which is what you should be focussing on.”

And for those leaving school and contemplating a career in cyber security her advice is, rather than focussing on the ‘what’ of cyber, focus on the ‘why’. “Understand what cybersecurity is all about: what kind of problems are we trying to solve? Once an individual understands the ‘whys’ of a subject, it gets easier to understand the ‘what’ and the ‘hows’.”

THE USUAL CHALLENGES

As to her own challenges, like so many women in cybersecurity she has suffered from sexism, bullying and gender discrimination in the workplace. “I am in a good environment now, but previously, especially when I was starting my career, there would be situations when I would not be given a specific task because of my gender. These experiences were disheartening, but they also gave me a reality check, and I started focussing on myself and my career.”

Also, like most women who have shared their career journeys, she says cyber security would benefit from a more gender-diverse workforce.

Her advice to other women contemplating a cyber security career is to recognise they will face challenges and fight to overcome them. “A woman has to go through many struggles to pursue her chosen career, but they must just keep moving ahead. There are good people out there who are supportive.”

Banerjiee has also been well-supported by family and friends. “They don’t understand what I am doing or talking about in a session or writing in my blogs, but they will not miss a chance to attend or read them. My partner kept motivating me to study, to participate in different conferences or challenges, and even start a YouTube channel.”

www.linkedin.com/in/shrutirupa-banerjiee/

twitter.com/freak_crypt


Tayla Payne
Associate Consultant at IBM

One of the greatest misconceptions about cyber security, says Tayla Payne, is: “you have to be a seasoned technical expert to join this space.”

And she is proof of the truth of this statement. With two bachelor’s degrees, in psychology and developmental studies and in political science and international relations from Victoria University of Wellington, she gained a Master’s in Political Economy from the University of Sydney and then went straight into a cyber security role at IBM.

“As my masters came to an end, I was looking for graduate roles in Sydney and came across IBM’s ad to join their new cyber security team. While reading the job description, I knew I had to apply – it looked like such an exciting role,” she says.

Payne is now an associate consultant in the cyber security – cloud, strategy and risk team with IBM in Sydney.

“We’re nested in IBM Consulting, which means we focus on empowering and supporting our clients to digitally reinvent their business across cyber security, cloud, risk quantification, identity access management, vulnerability remediation and policy,” she says.

A VAST AND VARIED ROLE

“As a cyber security consultant, my role is varied and vast. What makes the role so exciting is security is integral to securing the livelihoods and assets of our clients and without it there are severe implications.

“Our teams are responsible for ensuring Australia’s and New Zealand’s critical infrastructure such as water corporations and energy suppliers remains secure from cyber attacks and threats that could potentially mean citizens going without power or water. If you’re into action movies, some days it can almost feel like a real-life James Bond or Jason Bourne movie!

“At the moment I am working on a complex cyber project for an Australian energy business that owns and operates more than $11 billion of electricity and gas network assets.”

A CAREER SHAPED BY IKIGAI

As to the forces that have shaped her career journey, Payne cites her parents, and the Japanese concept ‘Ikigai’.

“Ikigai describes your life purpose or your bliss and helps to determine what brings you joy and inspires you,” she explains. “The four components of this being: What do you love? What are you good at? What does the world need? What can you get paid for?

“My parents instilled in me to do something you love. So I studied my passion at university and followed this into security.”

Her parents, Payne says, had a huge influence on her career journey “They taught me to appreciate and understand the importance of education, the pursuit of knowledge and leading with your heart. As my dad always says, ‘The world is your oyster’. This led me to pursue anything I have a passion for, explore any avenue I want to, then narrow it down, find what I am good at, and then focus on becoming the best I can be at it.

“While I didn’t know I was going to end up in cyber security specifically, I have continued into a role shaped by my passions, interests and strengths. During school, I didn’t have a specific role in mind, but a general idea of where I wanted to end up. My advice is to be open-minded about what’s in store, as opposed to locking in an exact role and specific title and be prepared for the industry to look different five years or even six months from now.”

POLITICS AND TECHNOLOGY DEFINING CYBER

From her political science/political economy perspective Payne sees the nexus between politics and technology as being one of the defining trends in cyber security over the next few years. “Cyber-attacks are becoming increasingly vast, disruptive and likely political,” she says. “The interplay between the political choices of state actors and cyber incidents should not be underestimated. New security concerns here should be front and centre for governments and organisations, especially critical infrastructure. My perspective is that politics, economics, international relations and security will become more interconnected than ever before.”

If correct, her predictions will only exacerbate what she sees as the biggest issue facing cyber security: the skills shortage. “The skills shortage may be the biggest challenge impacting security now and in the future. Currently, the size of the workforce is 65 percent below where it needs to be, with Asia-Pacific having the most significant regional workforce gap,” she says.

SKILLS SHORTAGE IS CRITICAL

“As technology continues to provide more and more immense benefits for society, it is also accompanied by increasing threat surfaces and landscapes for all governments, organisations and individuals. I think failure to close the cyber security skills gap may pose a significant risk to the community if we do not have the expertise to secure technology, especially critical infrastructure.

“Organisations, universities, and government departments must invest now in the younger generations—as young as primary school age—and even those who are considering a career move later on in life to assist with upskilling those who wish it, into cyber security.”

And, not surprisingly, she sees getting more women into cyber as part of the answer to the skills shortage.

“I think the tech industry generally, including security, requires more female representation across every single role, but particularly senior leadership,” Payne says.

“Forbes demonstrated that diversity generates greater revenue, which is great for any business. Women think differently, so this enables broader and enhanced viewpoints leading to better outcomes for all clients and female role models encourage more women to enter the security space.

“There is an abundance of literature on the benefits that more women in a company can provide, so now is the time for businesses to take action and bring more women into the security industry.”

And for school leavers eying cyber as a career, Payne says: “I would highly recommend reaching out to people in the industry and talking to as many people as you can and even see if you can find yourself a security mentor. The security network is close-knit and very welcoming.

“Even if you reach out via LinkedIn, people are usually open to answering questions and offering industry advice. Talk to others already on their career path. They may offer advice and perspectives you may not get from reading about the industry online or learning about it in a university lecture.”

UNCONVENTIONAL PEOPLE WANTED

And she says, rather than formal qualifications, what the industry needs is “entrants with unique and unconventional backgrounds because these offer unique perspectives to solve complex challenges for industry and government clients. Importantly, more diverse skill sets enable better interpretations of threat landscapes and better assist teams to deal with the ever-changing and advancing cyber-attacks.

“The drive, passion and desire for life-long learning in this space are the most integral personal attributes, over and above any specific formal qualifications. However, I do highly recommend the AWS, Google Cloud and Azure trainings (some of which are free) to upskill, but also to allow you to try out different areas in technology and find what you may like the most.”

Payne has impressive academic and career achievements, so it may come as a surprise that she cites imposter syndrome as her biggest career challenge. “As a female graduate working among incredibly talented individuals, in a male-dominated space (although this is changing), it can make you question if you have what it takes. However, supportive colleagues, managers and parents have helped reduce this feeling and reinforced my confidence.”

www.linkedin.com/in/tayla-payne-b619b6145




Julia De Salvo
Chief of Staff at Willyama Services

Life tends to throw up curve balls that can radically disrupt the best-laid career plans, but it was throwing up that radically disrupted Julia De Salvo’s career plans.

“When I left school I thought I was going to be a nurse or a dentist. However, vomiting over my first patient ended my dental career quick smart. I decided to do a diploma in business and get straight into work,” she recalls.

“My family are more in the medical field, so IT/security is very foreign to them. I think it still surprises them that I took a career in IT/security. I fell into it really and haven’t looked back!”

One of the advantages of that unplanned career move was it suited her natural attributes. “I have been fortunate enough to have always been encouraged to succeed and given room to take on whatever work took my fancy. I think that is one of the greatest benefits of working in the IT/security industry. I’m not sure I would have had so much freedom in other industries.”

De Salvo sees the personal attribute that has contributed most to her success as being inquisitive and taking ownership. “I’m more of a doer. I love jumping into the deep end and learning as I go. I also question everything,” she says. “I don’t just do things because that’s how they have always been done. Working in this sector you must be dynamic and agile. I have never said that’s not my job, I just jump in and get it done or find the right person to get it done.”

CURIOSITY AND RELATIONSHIPS

Her advice to others aspiring to a similar career is “be curious, don’t just accept things the way they are and always look to improve processes. Relationship building is key as you interact with everyone from technical resources, CEOs, finance, vendors and of course customers.”

After gaining her diploma De Salvo started her career as an executive assistant, worked her way up to managing business units then joined a cloud software startup where she ran its Australian operations. She has spent the last seven years working for a global IT company “navigating my way around complex operating environments within the cloud and cyber, which luckily, I found I was surprisingly good at!” she says.

Today she is Chief of Staff at Willyama Services, a 100 per cent Aboriginal-owned information technology and cyber professional services business where she describes her role as “Overseeing all things people and business operations.”

SKILLS ARE THE BIG CHALLENGE

In her role at Willyama, De Salvo is at the sharp end of the cyber security skills problem, which she cites as the biggest challenge facing the industry. “Salaries are going up and not matching skill sets. Navigating salaries and careers with the right skills has become a big challenge.”

The ‘Willyama way’ to tackle this challenge, she says, is with internships, junior training programs and other traineeship programs with Willyama’s industry partners.

“We love to hire juniors. Their passion, enthusiasm and drive are contagious and it’s such a pleasure watching them grow into amazing security professionals, particularly our females who start off so quiet and unsure and become driven, confident leaders paving the way for future generations.”

She adds: “I have had the privilege of managing young professionals’ careers for a few years now and I’m always amazed at the talent we hire. With a good internal program and support we can move staff up the ranks quickly and they are often outpacing the seniors.

THE ‘WILLYAMA WAY’

“And we have a great traineeship program for Indigenous staff and all juniors. We want to grow our staff the ‘Willyama Way’ which means giving them opportunities to grow in an interesting, safe environment with clear training pathways.”

For young people contemplating a role in cyber De Salvo recommends first and foremost a non-technical qualification. “Finance, psychology, or an HR degree would definitely set you up for success. IT/security in general is made up of many different personalities and as a manager, you need to have a high emotional intelligence quotient and a good understanding of what the business needs and how to navigate your staff to those outcomes whilst ensuring they are getting the right level of care.

“If you don’t love studying, at the minimum, do a Cert III in Cyber. We take trainees and guide them up the ranks, but we look for personal attributes such as self-starters, quick learners and people with excellent communication skills. These basic ‘soft’ skills are necessary if you are to work effectively in a team and to have a future in front of customers.”

THE BIG ISSUES

Many of Willyama’s clients are government bodies and this perspective colours what De Salvo sees as other major upcoming issues for cyber security: the three-nation AUKUS nuclear-powered submarine agreement and the US Cyber Security Maturity Model Certification (CMMC).

“The security requirements around AUKUS for Australia are yet unknown. However, given the work we do with Defence this is something that will impact us and allow us to provide our services in support of it. CMMC has the potential to set the tone in government/defence cyber maturity.”

In retrospect, De Salvo’s unfortunate nauseous dental debut has served her well.

She says not only is cyber a great career choice, but it’s also one where women are outpacing men. “I love IT/security because I love the people. I’m constantly surrounded by good, fun, smart people where women are encouraged to succeed. And women are succeeding, sometimes faster than the men. Most of my female colleagues have moved to leadership roles after doing their time in technical positions. Women tend to have more of the ‘get $hit done’ gene, which means we churn out the work.”

www.linkedin.com/in/juliadesalvo/

www.linkedin.com/company/willyama-services/


Natasha Hallett
Senior Advisor, Maritime National Security

Natasha Hallett is Senior Advisor, Maritime National Security at Maritime New Zealand, which means she is responsible for ensuring New Zealand’s ports and New Zealand registered vessels are protected against security threats of all kinds.

She is also the chairperson of an international port security program for ports across the Pacific and has a voice across the government to ensure port security is considered a priority.

She says her role crosses multiple areas: the national security system, intelligence, understanding of the government’s regulatory role and cyber security.

Her role also extends to responding to significant maritime incidents as a member of the Incident Management Team and to working with other port authorities in the Pacific and around the world.

She has worked in emergency management since leaving school and has been a member of the New Zealand Police, where she says a variety of roles prepared her for the one she now holds, which crosses multiple areas: the national security system, intelligence, regulatory, all of the government understanding and security.

She holds a master’s degree in emergency management but says overseas training was necessary for her current role because it is not available in New Zealand.

“When I started at Maritime NZ I had no background in the industry. However, I made it a priority to understand the whole industry rather than just the security side of the business; understanding the bigger picture means you can do your role in collaboration rather than in isolation.

“Conferences, readings and international relationships have taught me everything that the port security personnel haven’t, not because they don’t know but because we are all still learning as this world and technology changes.

“These are essential as we navigate our way through an ever-changing world, which includes new things like cyber, drones and other technological advances.”

In addition, Hallett says: “A key personal attribute is the understanding and capability to build solid relationships. Without this skill, the job becomes a lot harder.”

PORT SECURITY NEEDS CYBER SECURITY

Increasingly, Hallett says, cyber security is becoming an important issue for ports, and having a big impact, especially with the automation of various aspects of port and vessel operations.

“The more ports become automated, the greater the need for robust cyber security policies and practices. Ports are critical infrastructure for New Zealand, and while physical security will always be needed, advancing technology also needs to be considered and implemented. Measures need to be understood

not only by the information technology teams but also

who I get to mentor and help grow has championed

by those on the port. It is everyone’s role to help keep

me as much as I have championed her. It has been

ports secure.

awesome to watch her find herself in this industry.”

“Cyber security is starting to merge into physical

MORE WOMEN NEEDED

security. It is increasingly important to protect both

Hallett would like to see more women in her industry.

the physical assets and the digital assets. This needs

“The ability to develop relationships is essential in the

to be done in conjunction with the port’s in-house

port industry, from the port staff to the cruise vessel

information technology teams rather than in isolation.

interactions. Women do this more authentically.

Traditionally physical security and information

Women can also bring the compassion that helps

technology were very separate skill sets. Now they

address all components. They are inherently curious

need to work closely as technology and threats

multitaskers and this diversity is needed in this male-

continue to evolve.”

dominated industry.”

MALE DOMINANCE- NO PROBLEM Many women who have shared their security journeys have described dealing with male dominance as an unpleasant aspect of their experience. However, Hallett says: “It was the challenge of working in a male-dominated industry

“When I started at Maritime NZ I had no background in the industry. However, I made it a priority to understand the whole industry rather than just the security side of the business; understanding the bigger picture means you can do your role in collaboration rather than in isolation.”

that led me to love the security work I do. “My biggest challenge has been having a voice in the industry. Being female and younger than most when I started meant I had

Her advice to anyone considering a security career

to develop techniques to ensure I was heard. These

is: “Don’t limit yourself to one area of security. There

took time, and frustrations were there in truckloads.

are many areas not widely publicised that open you

However, by looking to the future with determination

up to limitless opportunities. At no point in my life

and building the right relationships I was able to

did I think there was a thing called port security,

overcome them.”

and that it would take me around the world working with international partners. Working with people and

During her career journey, Hallett says she has been

working with countries to help them enhance their

well-supported by colleagues and family.

port security measures is seriously satisfying.”

“My husband and kids have supported me even when it meant they did not see me for more than a week

www.linkedin.com/in/natasha-hallett-memergmgt282b7a122/

sometimes while I travelled. And my work colleague



Vidya Murthy

Chief Operating Officer at MedCrypt

Vidya Murthy is Chief Operating Officer at medical device manufacturer MedCrypt, based in San Diego, California. She describes her role as “all things outside of committing code, [helping] keep the company functioning so our people can keep building what our customers need: from marketing to customer strategy to health insurance renewal.”

It’s a long way from her university education—in accounting and biology studies—but the move to cyber followed after graduation: while looking for her first post-degree job, Murthy found the most interesting people she met were in cyber security, so she decided to join them.

The transition came with some challenges. “Not having a technical background made me question whether I belonged and what my value was to an organisation,” Murthy says. “But learning to articulate security into business value helped me overcome ‘nay-sayers’ and advocate successfully for myself.”

When the company she worked for was acquired, Murthy decided the time was ripe to get an MBA, from the Wharton Business School, while continuing to work full time. After graduating she joined a fellow graduate as employee number three in his startup, MedCrypt.

GLACIAL PROGRESS, OF A SORT

Murthy’s time at Wharton gave her much more than an MBA, with extracurricular activities designed to test and foster leadership abilities, one being trekking and camping for a week on a glacier. “The underlying aim was to see if you had embodied the studied leadership abilities when you were at your physical weakest,” Murthy explains.

“When I didn’t think I could go another step, or make it up a peak, I was able to accomplish it because of my team and my mental fortitude. That was my ‘I got this’ moment, that gave me the confidence to pursue anything I wanted to.”

Her time at Wharton was formative in other ways: she says her classmates were inspirational. “It’s a program targeting working professionals. Everyone was making real sacrifices to be part of the community, to learn, to apply something new every week.”

CLEAR CAREER ASPIRATIONS

The great thing about gaining an MBA, says Murthy, is “it makes you see a whole world of opportunities.” She did not graduate with any specific career aspirations but “a clear desire on the scale of impact I wanted to have in my career going forward.”

After gaining her first degree, Murthy joined PwC in California as a consultant and was given the opportunity to work for PwC in South Africa. “It opened my eyes to people and places that I had no exposure to previously where I only knew the person who had hired me. It was incredible for my personal and professional growth,” she says.

For Murthy, connections to people are one of the most important priorities for aspiring cyber security professionals.

“I would encourage connecting with folks early on and finding something that interests you beyond ‘keeping you busy’,” she says. “Go where you are seen and valued. Perhaps most importantly, always surround yourself with people you can learn from and keep growing.”

She adds: “There’s always more to learn and experience, especially in security. Just because someone is more seasoned, technical or faster than you, doesn’t mean you aren’t valuable in your own way.”

BEWARE BURN-OUT

And she offers some cautionary advice: “Guard your mental health; security has a high burn-out rate for a reason. Don’t take the world’s problems onto your shoulders.”

The challenges facing cyber security professionals that result in burn-out are many, and growing, but Murthy singles out one in particular: increased connectivity in healthcare systems within hospitals. “Threats are proliferating, and medical device connectivity is going to expand the threat landscape in healthcare faster than we’ve ever experienced.”

While an elevated threat level will produce increased vigilance and concern, Murthy says one of the biggest changes impacting the cybersecurity landscape is likely to be desensitisation to the impacts of cyber security incidents. “Business, consumers and regulators need to maintain an understanding of the impact of incidents and of everything being connected.”

And, like every other woman who has shared their career journey with Women in Security Magazine, Murthy points to diversity in ways of thinking as one of the most powerful arguments for having more women in cyber security.

“Security is a field that benefits from diverse opinions and perspectives because if everyone thinks the same when defending, your attacker’s job is that much easier. There are real missed opportunities to build defences that consider all users and ways of thinking.”

This lack of a women’s perspective, she believes, has impacts well beyond dealing with cyber security incidents: all the way to the design of global products. “Countless facets of tech have been designed without having a woman’s perspective, such as the design of smartphones, and as a result missed out on major use cases.”

www.linkedin.com/in/vidyakmurthy/

twitter.com/vmurthy84

twitter.com/medcrypt



Teena Hanson

Cyber Protective Services Manager at AMP Cyber Defence Centre

If you want proof that formal qualifications are not a prerequisite for a successful career in cyber security, look no further than Teena Hanson, high school leaver and now Cyber Protective Services Manager at AMP.

Hanson left school part way through year 11, before taking her HSC exams, started work in tech support and worked her way up to specialising in system management. One thing she had going for her was that her parents, rather than berating her for dropping out, supported her.

“My parents were hugely influential. They allowed me to take my unusual path when I dropped out of high school and helped me in those initial years by encouraging me to take any job I was offered,” she says. In that first role she developed an interest in cyber security because it embraced vulnerability management and antimalware operations.

However, her first real cyber security role was when she joined the Commonwealth Bank in 2015 on the invitation of a former NBN colleague. And Hanson says she needed this external validation of her security skills to make the leap from IT to cyber security specialist. “I had already built up sufficient knowledge and skills but needed that external vote of confidence.”

THE BENEFITS OF BEING GENDER NEUTRAL

Further career-boosting help came from a recruiter who advised her to be up front about her gender in job applications, rather than trying to be gender-neutral. “This gave me confidence to apply for roles I might have excluded myself from, such as when I did not meet all the criteria in a job description,” she says.

During her time at the bank she built up her cyber and risk knowledge and moved through three internal positions, ending her time there as a security architect. She then joined AMP and gained the opportunity to work on building the Cyber Defence Centre and to become the leader for the Cyber Protective Services team.

Her role involves leading a small internal team and overseeing managed security services to ensure cyber operations continue effectively.

“Within the Cyber Protective Services team we have several key security domains we operate or have oversight of, including infrastructure, network, cloud and email security, certificate and key management, vulnerability scanning, application security and end user device security controls,” Hanson says.

She has been fortunate to have had helpful and supportive managers in her career journey from the Commonwealth Bank to AMP.

SUPPORTIVE MANAGERS

“One of my managers at Commonwealth Bank, Ben Jones, really helped me grow my corporate confidence and encouraged me to take on work and interact with people outside my comfort zone,” Hanson says. “My current and previous managers at AMP, Jonathan Cook and Steve Espino, also supported me as I moved into my first leadership role at AMP.”

However, Hanson’s cyber journey has not always moved forward. She spent several years working towards becoming a security architect and 12 months after achieving that goal, realised it was not a role she was happy to be in. It then took her a further six months to make a lateral move into a career path she was much happier with.

Given her career journey it is perhaps no surprise that Hanson is not a fan of formal qualifications but says they can provide value for people looking to change careers or starting out in their career.

One rather less easily assessable personal attribute she does see as valuable in cyber security is curiosity. “Cyber is constantly evolving and the ability to stay curious, be interested and keep learning is key in this landscape.”

And she adds: “Also, IT experience outside of cyber is valuable because the cyber team interfaces with all other IT teams. Being able to bring in-depth or background knowledge into a cyber career helps when working with other teams.

“And never be afraid to switch careers. What you decide today is not set in stone. You can find a way to apply any experience you have to a cyber security career. Security is an extremely broad domain that allows people from all backgrounds to find a space in which to work and specialise.”

A DIVERSITY CHAMPION

She says this broad domain needs a breadth of approach that would be greater with more people from more diverse backgrounds, not only women, in the cyber security workforce to combat the growing challenges.

“As a cyber security professional my biggest fear is the things we don’t know about. How do we protect against the things we don’t have awareness of: the unknown, the shadow IT, the code dependencies, the suppliers to our suppliers?

“In the next few years I anticipate a lot of organisations will focus on cyber visibility. We’ve seen a focus on our external suppliers in response to regulation and to high profile supplier breaches. Over the next few years I believe we’ll see companies change course again in response to recent cyber incidents. They will begin focusing on their code and their cloud workloads and getting deeper visibility into those areas.”

To combat these threats she says a more proactive approach to security is essential. “A lot of the organisational pivots are reactionary in nature. There should be a lot more focus on predicting major incidents and on a proactive strengthening of controls.”

More specifically, Hanson says there is a need for much greater emphasis on application security (AppSec): the process of finding, fixing, and preventing security vulnerabilities at the application level in hardware, software and development processes.

“The vulnerability of Log4J showed what I believe is the tip of the iceberg in terms of library dependencies. It really highlighted the need for deeper visibility not only into our own code but also into the code of commercial off-the-shelf products. I believe organisations that have not yet begun their AppSec journey will find it gives them the impetus to investigate software composition analysis tools.”


www.linkedin.com/in/teenahanson/



Michelle Gatsi

Technology Consultant at EY

Thieves took some of Michelle Gatsi’s childhood possessions but gave her inspiration for a career in cyber security.

Just prior to Christmas 2010 thieves broke into Gatsi’s family home, stole a number of the family’s possessions but, strangely, inflicted their greatest damage on Gatsi’s bedroom.

“What was initially a traumatic experience helped me to discover my career purpose and establish life-long friendships and mentors along the way,” she says. “As a young girl, to discover that complete strangers had ravaged through some of my most personal items was a violating experience.”

The event left her with one question: why? “It triggered a curiosity within me to learn more about the factors that lead certain people onto a path of deviant behaviour. Ultimately, I wanted to prevent others from having to experience the trauma my family and I went through.”

A DIPLOMA AND DEGREE IN SOCIAL SCIENCE AND CRIMINOLOGY

So Gatsi went on to study social science and criminology at university, expecting to pursue a career in community corrections or policing. It was not to be.

“Unbeknownst to me, my cyber stars were aligning behind the scenes. Over time, cybercrime was becoming more difficult to ignore, especially with advancements in technology. It became apparent to me traditional criminals were taking their activities online and finding new and improved ways to carry out their campaigns.”

It was at this point that Phillimon Zongo, CEO of the Cyber Leadership Institute, stepped in to play a key role in shaping Gatsi’s career when she reached out to him for advice.

Zongo helped Gatsi create a plan to kickstart her cybersecurity career.

• Register and pursue a relevant cybersecurity course. “I started with an eight-week intensive course provided by Harvard University called Cybersecurity Risk Management: Managing Risk in the Information Age.”
• Use personal branding to help accelerate her career. “In other words, dust off my dormant LinkedIn account and start creating meaningful relationships.”
• Expand her network by joining cybersecurity communities and attending events.
• Start writing.

Gatsi followed the plan and connected with many cyber security professionals including Anu Kukar, Associate Partner of Cyber Security Cloud, Strategy and Risk at IBM, and Jay Hira, Director of Cyber Transformation at EY.

Later that year she was offered two entry positions in cyber security. She chose to join EY as a Technology Consultant where one of her key responsibilities was to deliver practical cyber security initiatives for EY’s clients based on their communicated requirements.

“The way I see it, I am a conduit in helping people protect what is most precious to them, and this is where my passion for cyber security stems from,” she says. “Whilst I am still fairly new, I have had the opportunity to get involved in some exciting initiatives such as a university lecture on zero trust, as well as my first client-facing project.”

DRIVE AND PASSION ARE KEY TO SUCCESS

Gatsi sums up her career journey to date, saying: “I have learned that technical knowledge can be taught if you are willing to learn, but drive and passion from within are essential. I would encourage anyone seeking a career in security to start by asking themselves, why? It’s not an easy journey, but your passion will motivate you to never give up in your pursuit.”

www.linkedin.com/in/michellegatsi/



Ela G. Ozdemir

Cyber Security Analyst at ParaFlare

Many women who have shared their stories of the cyber career journey have talked positively about the role of LinkedIn. If you need convincing about the power of LinkedIn to progress your career, take note of Ela Ozdemir’s career journey.

She graduated with a bachelor’s degree in chemistry in her native Turkey in 2007, just before the Global Financial Crisis engulfed the world. She had difficulty finding a job in chemistry and moved to the USA where she worked as an au-pair before returning to Turkey to take up a role in the chemical industry. She came to Australia in late 2016 and found work in 2018 as a Turkish language tutor in the Department of Foreign Affairs and Trade (DFAT).

Seeing few chemistry jobs available she turned her attention to cyber security, a move she describes as “probably the best decision in my life,” adding, “although I was a little fearful of studying something new in a different language, I never doubted my decision, and more importantly never underestimated my potential to achieve something in an uncharted territory.”

She embarked on IT and cyber security training at Canberra Institute of Technology, initially taking a course in Information Technology, Digital Media and Networking for one semester before transferring to a Certificate IV in cyber security.

LEVERAGING LINKEDIN

And she got active on LinkedIn. “I expanded my LinkedIn network with professionals and recruiters across the cyber security domain during and after my studies,” she says. “My regular postings and articles on social media platforms about cyber security did not go unnoticed.

“Thanks to my activities on LinkedIn, I was approached by a LinkedIn friend with a role as a cyber security analyst at Verizon. After a successful round of interviews, I gained the position.”

She was particularly fortunate. Most cyber security jobs in Canberra require a security clearance, which Ozdemir as a non-citizen could not obtain. Verizon offered her a position in which she would be responsible only for areas not requiring a security clearance.

After her experience of gaining entry to the cyber security industry, it’s hardly surprising that Ozdemir’s advice for school leavers aspiring to roles in cyber security is very much LinkedIn focussed.

“I recommend they have a good LinkedIn network of cyber security professionals and show their enthusiasm through posts, research, going for projects and seeking feedback on their work in the cyber security space. These activities will make them stand out from the crowd and definitely help them get their foot in the door.”

And, reflecting on her own career path, she says lengthy study and “super tech skills” are not needed to break into the industry. “I didn’t have to undertake lengthy studies to get to where I am now. I would recommend that those wanting a career in cyber security take baby steps. Even a basic course on IT would be a good start, followed by cyber security courses.”

She adds: “I think anyone with some level of curiosity and a passion for problem-solving can consider a career in cyber security. I believe we women especially possess the qualities that are essential to unlock the door of cyber security.

“I met so many hardworking, smart, and emotionally intelligent women that didn’t have the right education or opportunity to have a career in the technology sector. It makes me wonder how these women with such abilities would shape the future of cyber security.

“In my opinion, without role restrictions, a career in cyber security where everyone can be a target to hackers requires different ways of solving problems, a lot of patience, resilience, multitasking and teaching skills that many women naturally possess.”

SOFT SKILLS ARE ESSENTIAL

Certainly, Ozdemir sees one of the biggest issues facing cyber security as having nothing to do with technology and one that could well benefit from more people with soft skills.

“Miscommunications and lack of coordination between the cyber security teams and customers have also been a continuous challenge because they have caused delayed actions on cyber security threats resulting in loss of data, funds and reputation.”

Ozdemir’s role at Verizon was a good start in cyber, but not her ideal job. “The role involved 12-hour shift work from 7 am to 7 pm and 7 pm to 7 am,” she says. “Some people may find it enjoyable to work after midnight, but I struggled to keep my focus. So now I know that working after midnight isn’t my cup of tea.”

Today, Ozdemir is a cyber security analyst working remotely for Sydney based ParaFlare, a provider of managed detection and incident response services, where she says her role “involves a lot of things but mainly monitoring, triaging and responding to cyber security alerts and writing reports on incidents for customers,” and represents a realisation of career goals as a school leaver.

“I envisaged working in a place where I could contribute my skills and be enthusiastic and curious. I am satisfied that my current role allows me to achieve all that I had wished for. As I move forward though, I would like to explore other areas of cyber security to venture into.”

Since entering the cyber security industry Ozdemir has completed a number of security courses and gained several certifications. These include Splunk Fundamentals and Searching and Reporting, Microsoft Ninja and Microsoft SC-200, the Verizon Cyber Security Accreditation Program and the SANS FOR508 Threat Hunting and Digital Forensics course.

She also studied Critical Analysis in Business at the Australian Defence Force Academy for one semester as a prerequisite for a master’s degree course in cyber security she plans to embark on down the track.

THE POWER OF FAMILY SUPPORT

Throughout Ozdemir’s career, one influence has been constant and significant: her older brother. “He has been the most influential person not only in my current profession but also in my education,” she says.

“He particularly inspired me with his intelligence in science and methodological approach when he tackled problems. His move to study computer engineering made me envious and I wanted to follow in his footsteps. Thanks to his homeschooling, especially in maths, I have gained excellent mathematical skills which were quite handy in my cyber studies.”

www.linkedin.com/in/ela-gezerli-ozdemir-72b70048



TALENT BOARD

Lynley Vinton

STATE AVAILABLE: QLD but would consider Auckland, NZ as well.

WHAT KIND OF ROLE: GRC role has been recommended to me so that I can use my leadership and communication skills to ensure more people understand the risk of cyber security and what they can do to control it.

WHAT EXPERTISE: Led physical security strategy and team for a large corporate, implemented a new property access management system, created the security risk profile and now looking to move into cyber security. Studying CISM right now and want a role where I can learn more.

WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: I’m experienced in the corporate world, working from the office and home.

DM ON LINKEDIN

Caitlin Sauza

POSITION: Full-time or Part-time

STATE AVAILABLE WITHIN: ACT or Remote

WHAT KIND OF ROLE: Marketing, Awareness, Diversity, Risk Management, Engagement, Consulting.

WHAT EXPERTISE: Being able to interact with people is where my work flourishes. Human interaction, communication and interpersonal skills to me are above all else. I will be graduating with my Bachelor of Cyber Security from Deakin University this year, and I lean towards the non-technical side of Cyber. In saying this, I am always willing to take any learning opportunity offered to me, technical or non-technical.

WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: Hybrid, client-facing & non-technical / Ongoing professional development opportunities, Flexible working arrangements, Inclusive workplace, Employee benefits (e.g. Employee Assistance Program, Professional Memberships, Salary Sacrifice and Subsidised Parking).

DM ON LINKEDIN



EACH ISSUE WE WILL LET YOU KNOW WHO IS LOOKING FOR A NEW ROLE, WHAT KIND OF EXPERTISE SO THAT IF YOU HAVE SUCH A JOB OPENING AND LIKE ONE OF THESE CANDIDATES, YOU CAN CONTACT THEM.

Yonitha Thava

POSITION: Full-time / Contract

STATE AVAILABLE WITHIN: Victoria (preferred), however willing to relocate within Australia.

WHAT KIND OF ROLE: Cybersecurity Consultant, Security Analyst/ Specialist, IT Support.

WHAT EXPERTISE: I have experience working as a cybersecurity analyst and providing onsite technical support. I have experience of identifying security gaps within an organisation using analytical skills. I have worked on asset management and provided in-person IT support.

WHAT’S YOUR IDEAL WORKPLACE / OR BENEFITS REQUIRED: I would like a workplace where growth and learning opportunities are present, e.g., the ability to attend workshops and practical sessions to help with upskilling and growth of myself and the organisation.

DM ON LINKEDIN

ARE YOU LOOKING FOR A NEW ROLE IN SECURITY, CYBER, PROTECTIVE, RESILIENCE OR GRC?

Contact us today and we can publish your details in the next issue of the magazine to help you find your next role.

REACH OUT

aby@source2create.com.au

vasudha@source2create.com.au



Women in Security Leadership

HAVE YOU BEEN LOOKING FOR A PROGRAM THAT HELPS YOU WITH A STEP UP IN YOUR SECURITY LEADERSHIP CAREER? WE UNDERSTAND THAT LEADERS COME FROM VARIOUS BACKGROUNDS

Applications are now open for our 2022 Women in Security Leadership Programs, including:

• Emerging Leaders
• Aspiring Senior (C-Suite) Leaders
• Aspiring Global Leaders
• Leaders wanting to increase their technical knowledge
• Leaders wanting to increase the impact of their presenting


To find out more, visit: awsn.org.au/initiatives/women-in-leadership/


CAREER PERSPECTIVES


WOMEN ARE SETTING THE CYBERSECURITY AGENDA

by David Braue

Outnumbered by men overall, women are gunning for the roles that can drive real change

Many were surprised when AustCyber CEO Michelle Price announced in March that she was leaving the organisation she had led since its inception in 2017 for a role as a partner in consulting giant EY’s Oceania cybersecurity, private and trusted technology practice.

Well known and respected in cybersecurity circles, Price spent the past five years helping Australia’s cybersecurity industry pull itself up by its bootstraps – supporting startups, advocating for the sector here and abroad, building bridges with industry, and raising the government’s perception of the cybersecurity sector as it grew from a loosely-affiliated network of innovators into a core national-security interest.

Price’s boundless energy made her an omnipresent voice, her presence a rallying cry for an industry that was struggling to find its identity and establish its critical mass – and has grown from modest beginnings into a diverse commercial space with more than 600 companies.

“We are absolutely at an inflection point in this country,” she said during a recent AISA industry conference. “We do need to accelerate what we’ve started – because what we’ve started has worked. It has been fantastic.”

Referencing some of the cybersecurity innovators she helped guide to commercial success, Price said, “We need to see more Cynches and more Pentens – and there are plenty of them in the pipeline. So this is the time for us to double down – and it is being realised by all parts of the political spectrum, including at the state, territory and local levels.”

With the federal government recently committing $10 billion to expand its cybersecurity capabilities, Price was a transformative force for the industry she poured her heart and soul into.

Price “is probably the core reason why the Australian cyber security industry is as vibrant as it is,” one industry figure commented after her departure was announced. “The energy she’s given means we all owe her: defenders, vendors, startups, bureaucrats. Impossible shoes to fill.”

As a dynamic leader, Price has been immensely successful in prosecuting her agenda and bringing an entire community along for the ride. But as a woman, she represents the kind of high-profile leadership that is helping reshape the cybersecurity industry – guiding it away from its roots in stereotypical male hacking culture to become a stronger, more inclusive discipline where gender diversity is no longer a mirage.

WOMEN LEADERS STEPPING UP

Indeed, in Australia and around the world, women leaders are charging into cybersecurity – often into leadership positions where they bring not only their exceptional knowledge but a breadth of experience that often provides a fresh approach to policy analysis and decision making.

Price’s success in industry development, for example, was matched by the vision and support of women ministers like former Minister for Defence Linda Reynolds and current Home Affairs Minister Karen Andrews – under whose purview the cybersecurity sector has rapidly gained momentum, become a unified national capability, and answered a clarion call to unify Australia’s cybersecurity community against national-security threats.



The United States Cybersecurity & Infrastructure Security Agency (CISA) recently saw a similarly significant change as Jen Easterly – a former military cyber specialist with a host of high-level cyber, counter-terrorism, corporate cybersecurity and other credentials – took the helm after the departure of maiden director Chris Krebs.

Easterly – who announced a formal partnership with cybersecurity diversity organisation Girls Who Code at the recent CISA Cybersecurity Summit – has made advocacy of diversity a key part of her platform.

“We need to do everything we can to ensure a cyber workforce that reflects America and who we are,” she said during a recent conference session, “because we know it’s not just the right thing to do; it’s the smart thing to do.”

“I learned a long time ago that it takes a lot of good thinking to solve the hardest problems,” she continued – citing the influence of pioneering women like Ada Lovelace, Katherine Johnson, and Grace Hopper – “and technology and cybersecurity present some of those problems.”

“When your team is comprised of people with different backgrounds, you get different perspectives – and the results are, of course, better.”

Such high-profile commitments to diversity have helped set the stage for Easterly’s tenure heading the cybersecurity organisation protecting the world’s most frequently-targeted government and industrial complex. One of her aspirational goals is to increase the participation of women in cybersecurity – and her explicit support for a high-profile organisation like Girls Who Code, which has already engaged over 450,000 school-aged students in cybersecurity education, could prove instrumental in bolstering the industry’s ranks of women.

“Our nation’s ability to attract and retain and promote women in the field is absolutely vital,” Easterly said. “We’re going to help close the gender gap, and bring more talented young women into the workforce to prepare our nation to be able to defend ourselves against some of the most serious threats there are.”

“Without women pursuing careers in cybersecurity, the industry is missing out on a huge talent pool. We can build that next generation of cyber talent, where young women everywhere can see themselves in cyber, see themselves in tech, and see themselves in us.”

PAYING IT FORWARD

For all the progress made to date, however, the gender imbalance in cybersecurity has remained stubbornly persistent. Widely-cited figures from industry group (ISC)²’s Cybersecurity Workforce Study suggest that just 24% of the overall cybersecurity workforce is comprised of women – an improvement from 11% in 2017, but still far short of where proponents would like it to be.


There are positive signs, however, that increasing representation of women in cybersecurity leadership positions could be laying foundations for a faster righting of the imbalance in the future.

Buoyed by higher levels of education and more certifications than their male counterparts, (ISC)² found, women cybersecurity professionals “are forging a path to management” – outpacing their male counterparts in C-level/executive roles (28% of which are held by women, compared to 19% men); IT director (18% vs 14%), vice president of IT (9% vs 5%), and chief technology officer (7% vs 2%).

Women cybersecurity professionals, the workforce survey found, are more likely than men to hold a post-graduate degree – 52% compared with 44% – and younger, with 45% of women cybersecurity professionals identifying as millennials compared with 33% of men.

Significantly, women reported having similar job responsibilities and job satisfaction, while younger women reported less pay inequity than their older counterparts – suggesting that efforts to promote equal pay are finally gaining traction.

All that remains is ensuring that there are enough women in cybersecurity to benefit from these improvements – and Tanya Janca is among the women fighting to make sure they get the chance.

A longtime IT and cybersecurity professional, Canada-based speaker and advocate Janca founded We Hack Purple with the goal of providing cybersecurity training for companies that want guidance in areas such as building security champions, developing meaningful security metrics, and demystifying PCI compliance, and more.

The venture has been wildly successful, with a busy roster of cybersecurity training and speaking helping her raise awareness about cybersecurity. Yet in the long term, she envisions partnering with another organisation to address one particularly challenging issue.

“A big problem with cybersecurity is the cost of education,” she told Women in Security Magazine – but with strong backing from a venture capital partner, Janca said, “we’d like to approach groups that specifically have underrepresented individuals, and offer our courses for free.”

Those courses have already been completed by thousands of students, but opening them to larger numbers of high school students and university graduates would help Janca realise a long-held dream of making cybersecurity more accessible.

In so doing, she hopes to help women pursue their interests in cybersecurity without being limited by resources, or by the all-too-common fear that they aren’t technical enough.

“I was a programmer and a pen tester, so obviously I always want to take the dirty hands route, because that’s the part I like best,” Janca said, recalling a recent collaboration in which a male colleague handled all the less-technical aspects.

“But there are all sorts of parts you can do in application security without getting your hands super dirty. When people take our programs, they don’t have to be awesome at coding.”

The key to improving women’s access to opportunities in cyber, Janca says, is being able to take a leadership role where possible – and to build an organisation that reflects the diversity of everyday life.

“It’s so hard when you go into a meeting, look around and no one looks like you,” she said. “But in starting my own company, I get to decide who works there – and I could hire a rainbow of people and find the best candidate, versus the candidate that reminds me of me.”

“Canada is a rainbow when you look out, and you see every type of person. I didn’t use to see that at work – but things are improving, and I’m seeing it a lot more. And to me, cybersecurity needs everyone.”



NATASHA PASSLEY

DIVERSE LEADERSHIP PERSPECTIVES

by Natasha Passley, Partner, Management Consulting - Technology, Risk and Cyber at KPMG Australia

DIVERSE FEMALE LEADER

As a partner in the cyber practice at KPMG and a senior female with a diverse background I’m very aware of the role I play in cyber. And I’m pleased to represent an organisation that recognises the importance of diversity. My cultural background is British and Jamaican and I had a non-traditional route into technology strategy and transformation. Diversity in leadership is of particular importance in the world of cyber where security threats are wide-ranging and adversaries come from all walks of life. Threat actors think broadly, are unconstrained and willing to try anything to get results. Combatting their threats requires diverse thinking, which is best provided by people from differing backgrounds.

Over the course of my career I’ve had a variety of roles, so I’m a good example of career transition. I believe my varied experiences have helped me get to where I am now. The one thing driving all my decisions has been my desire to be in a leadership position, because I wanted to be a role model for others. When I was growing up I could count on one hand the number of people of colour in senior positions, whether in large corporates or on the TV. I remember wishing there were more people who looked like me I could aspire to emulate. So, I see it as my responsibility to be that visible, ethnically diverse leader who can drive the change.

Part of being a leader is promoting yourself and the work you do to attract younger, aspiring leaders. For young women in cyber, it helps to see women succeed in a male-dominated world. If there are times when I do not feel like being out there, I remind myself I want to do this for others seeking a role model who resembles them and demonstrates they can achieve success in life via various routes.

SKILLS TRANSFERABLE INTO CYBER

As a young girl at school I had no idea which route I wanted to take. In those days, cyber security as a study subject did not exist. I chose a Bachelor of Arts degree in German and French and entered the world of technology working on a European technical helpdesk before moving into technical support and project management.

Project management is a good entry point into cyber security because it allows you to have a broad, holistic perspective on security and deliver in areas relevant to your project. From there you can decide if you want to learn more about, or gain more experience in, a particular area of cyber security. There are also many skills and qualities of project management that can set you up for a leadership position. Project management, when done well, results in the individual being a skilled negotiator who develops strong interpersonal skills that bring people together and drive collective, cross-functional teams to achieve outcomes. The ability to combine technical skill or subject matter expertise with some of the softer skills is necessary for leadership roles.

I’ve been pleased to observe several women in my team successfully grow and develop into other areas of cyber security from a starting point in project management. They had the desire to succeed, the willingness to learn and a growth mindset.

I think it’s important as a leader to support and encourage the people around you to grow. In the words of Simon Sinek, “The true value of a leader is not measured by the work they do. A leader’s true value is measured by the work they inspire others to do.”

PERSONAL GROWTH AND DEVELOPMENT

If you’re considering transitioning to a career path that requires skills different from your current skillset, don’t underestimate the importance of self-development. Don’t limit your learning to technical or subject matter expertise. Undertake self-reflection and introspection. Consider your key strengths, your areas of weakness and what you like and don’t like about your current role, then build a plan to address those areas of weakness. Develop the areas that will take you to the next stage. Seek advice from others who are not afraid to point out where you need to develop. You may not have an official mentor, but if you consider your peers and your friendship circle you’d be surprised at how many people you can turn to for advice, even though you don’t call them mentors.

Nowadays, there are so many ways to learn and develop personally through podcasts, articles, books or online sessions and events. You can learn and grow everywhere you go. I combine walking with listening to development podcasts because it’s a great way to get some exercise while learning. At any one time, I like to be reading a development book, a leadership book and something to extend my current knowledge. Your career development takes planning, determination and dedication.

GETTING TO KNOW YOURSELF

Leadership is like any skill in that it needs continued development. It’s not something you achieve one day and think “that’s it, I’m done now.” There are always things you can learn about yourself, whether they be through feedback from your team and peers or through your own learning. Empathy and emotional intelligence are essential for a leader. They enable you to read the room and understand the subtle nuances and unspoken communications of others.

Adopting communication styles that suit the situation and the person helps to get the right message across and increase understanding. Understanding how an individual best receives and interprets information is helpful when conducting one-on-ones and performance reviews. Knowing the type of leader you are and want to be is important.

Some of my core values are learning and growth, so I tend to attract people into my team who seek the same. Some positive feedback I’ve had from team members is that they learnt a lot through working for me. They didn’t learn a lot because I have a great store of knowledge but because I encouraged them to regularly think of their long-term career aspirations and goals.

TOP FIVE TIPS

1. Define your long-term career aspirations and set goals for yourself every year, reflecting regularly on your progress against them.

2. Spend time on personal development so you can explore who you are and what is unique about you. This helps you understand what you bring to the table and how you are different to other leaders.

3. Get to know your leadership style and improve on it. Understanding your typical traits, your strengths and your areas for development will make you a better leader.

4. Build a diverse team in terms of gender, culture, age and thinking. It’s important to have people who think differently from you.

5. Mentor someone. It’s surprising how much you learn about yourself when you start listening to and helping others.


www.linkedin.com/in/natashapassley/



SAI HONIG

CERTIFICATIONS: WHAT ARE THEY FOR?

by Sai Honig, CISSP, CCSP, Co-founder New Zealand Network for Women in Security

The statements in this article are the opinions of the writer only.

The other day a woman said to me she could not apply for jobs because she did not have any certifications. This woman, with over a decade of experience in cybersecurity, was misguided. She was letting a misguided perception exclude her from opportunities.

I once had the same misguided perception. I was recommended to apply for a job and said the same thing. At that time, I had no certifications. The individual who recommended me wrote a two-page email explaining why I was qualified for the position. I went ahead and applied. I was offered the job, and I accepted. After the requisite years of experience, I obtained certifications.

I have seen many men in my career who have no certifications and work in the same job and at the same level (or higher) as me. I don’t ask them why they do not have the appropriate certifications; that can be a touchy subject. But if men can get jobs without certifications, why can’t women?

I have heard from many women who have said they cannot get into cybersecurity without certifications. I know where that idea comes from. Just look at job descriptions: many say certifications are recommended or required. The companies posting such ads fail to understand the purpose of certification.

[Figure: Gain knowledge and experience → Certify knowledge and experience → Continuously update knowledge and experience]

Certifications are part of a continuum. If employers cannot identify a potential candidate based on experience, there are two possible issues:

1. The candidate is not able to adequately express their knowledge, skills or experience.

2. The organisation is unable to assess a potential candidate’s knowledge, skills or experience.

Their failure to correctly assess a potential employee may be a combination of both.

Let’s address the first issue. CVs and resumés need to express the applicant’s knowledge, skills and experience and how these pertain to the duties of the role. So, they need to be tailored to each job description. This may seem like a lot of work. However, there are many tools, including LinkedIn, that can simplify the process.

In addition, a cover letter should explain how a candidate’s knowledge, skills and experience meet the position’s requirements, not simply summarize the CV. Even volunteer work can be used to demonstrate suitability for a position.

Now let’s address the second issue. Many companies rely on their human resources department to find candidates. These personnel have neither the experience nor the knowledge of cybersecurity roles. Therefore, they rely on a candidate’s certifications to identify those that make the first cut.

Mature organizations see certifications not as a bar but as a barometer. Certification demonstrates the candidate’s experience, but an assessment of the candidate is still necessary. This assessment may include technical reviews or interviews by hiring team members. There is very little a candidate can do if a company decides to require certifications. However, the candidate can still work to fully express their knowledge, skills and experience.

I saw one student who, outside of class work, completed labs and projects about cybersecurity. She showcased this extra work on a public website. She included a link to that website in her CV, and her cover letter described these projects. She received multiple interview requests after submitting her CV. Eventually, she was offered a role in cybersecurity that required a certain level of knowledge and skills. At the time she did not have certifications.

I met another woman whose resumé was rejected by a company’s application tracking system. She reached out to the cybersecurity team at that company, people she did not know personally. She actively networked. Her conversations focused on her knowledge, skills and experience (she had no certifications). After a few conversations and emails her resumé was submitted internally by one of her contacts, bypassing the application tracking system (and human resources). She gained interviews and eventually received a job offer. After accepting the offer she worked with human resources to improve the application process and find good candidates.

Obtaining certifications is the end of the job search process. Many certifications require continuing education to maintain them. Some may require recertification through exams.

In summary, the processes to hire cybersecurity staff at all levels are broken in many ways. There are many barriers to women entering cybersecurity. This magazine addresses many of them in each issue. However, we women should not be putting up barriers of our own. Women shying away from even applying for cyber security roles is just one of the barriers we need to tear down.

www.linkedin.com/in/saihonig/

NZNWS www.newzealandnetworkforwomeninsecurity.wordpress.com



JOB BOARD

CYBER SECURITY SPECIALIST | SA POWER NETWORKS

ADELAIDE

FULL TIME

DIVERSE & INCLUSIVE WORKPLACE

FLEXIBLE WORKING

MIN 3 YEARS EXPERIENCE

SIEM - ENDPOINT DETECTION & RESPONSE \ VULNERABILITY MANAGEMENT

WHO WE ARE

SA Power Networks delivers energy solutions to empower South Australia today and in the future. We are always seeking to build a more sustainable, efficient and innovative business that creates real value for our customers. As one of the State’s largest employers, we have a commitment to integrity and take pride in doing the right thing for our people, customers and community. Progress your career and help us in empowering South Australia.

THE ROLE

The Cyber Security Specialist is responsible for providing cyber security operational uplift and support across Information Technology (IT) and Operational Technology (OT) networks through execution and continuous improvement of SA Power Networks’ cyber security prevention and detection capabilities. The Cyber Security Specialist assists in ensuring that Cyber Security operations are aligned with business risks and policy and that appropriate security controls are in place and operating effectively.

SECURITY ARCHITECT | ENDEAVOUR GROUP

SYDNEY CBD, INNER WEST & EASTERN SUBURBS

RISK MANAGEMENT

FULL TIME

SECURITY INFRASTRUCTURE KNOWLEDGE

DIVERSE & INCLUSIVE WORKPLACE

GOOGLE CLOUD

THE OPPORTUNITY

As a member of the Security Architecture Team, you will be a critical part of the Endeavour cybersecurity team and a key driver of the Cyber Security strategy via engagement with the IT transformation and underlying projects. The complexity of the environment creates the opportunity for the successful candidate to establish a solid foundation for the organisation to traverse the required transformation over the coming years. The candidate will work closely with stakeholders both in the business and the Cyber Security team. They will be involved with an assortment of security projects that support the business.

A DAY IN THE LIFE OF A CYBER SECURITY ARCHITECT AT ENDEAVOUR…

You will be talking to project teams to provide security recommendations and explain what needs to be done to increase the systems' security posture. Your interactions will be mainly with developers, project managers and solution architects. You need to provide concise, clear and pragmatic recommendations to various stakeholders and be able to explain the rationale behind them. Your primary duties include:

• Work closely within the solution architecture team to ensure security requirements are accounted for at design time.

• Produce security documentation and patterns

• Seek endorsement from senior management on patterns or material decisions

• Analyse the current state and propose or implement improvements



SENIOR SECURITY CONSULTANT | LA TROBE UNIVERSITY

BUNDOORA, VICTORIA, AUSTRALIA

ON-SITE

FULL-TIME

MID-SENIOR LEVEL

ABOUT THE JOB

• Full time, Fixed Term (18 months)

• Flexible working arrangements offered including working for the City campus.

• Attractive Remuneration Package

ABOUT THE POSITION

The Senior Security Consultant has a key function in support of this goal by being responsible for the design and build of security processes and technology controls through a flexible and robust security architecture that promotes a security culture where controls are consistently and routinely designed and delivered by solutions. This role is responsible for engaging with projects and other La Trobe architecture functions to ensure compliance with La Trobe’s Security policies and standards and meet the growing needs of the business.

Provision of subject matter expertise and high-level technical support ensuring that strict network access and intrusion prevention guidelines and policies are deployed within the University Network and associated services. With broad direction, resolve complex operational issues over the range of technologies employed across the University, and develop and implement strategies with a focus on client services and sustaining University operations across the University technology set. In conjunction with authorised University Officers, be responsible for projects and services that support the operations of the University Network.

SECURITY ANALYST | CYBERCX

PERTH CBD, INNER & WESTERN SUBURBS

AUSTRALIAN CITIZEN OR PERMANENT RESIDENT

FULL TIME

2 YEARS EXPERIENCE OR EQUIVALENT KNOWLEDGE IN SECURITY OPERATIONS OR AN ICT TECHNICAL TEAM

SECURITY ANALYST

CyberCX is Australia’s leading independent cyber security consultancy organisation. To support our rapid growth, we are looking for motivated and passionate Security Analysts to work in our Perth office. In this role, you’ll work with your team to deliver great client outcomes and grow your career rapidly as a cyber security professional. We’re looking for candidates that have a sound and relevant technical background. You don’t need extensive experience in security, but a passion to learn, a great attitude, and a keen interest in security are essential. You will receive formal and on the job training that will help you grow your career in the cyber security field. This role is part of our Managed Security Services team and will require participation in a rotating shift schedule.

KEY RESPONSIBILITIES:

• Technical analysis of alerts and data from security products including (but not limited to) SIEMs, Intrusion detection and prevention systems, endpoint security solutions, web proxies and network security devices, and vulnerability scanning and management systems

• Incident response, including liaising with customers and their ICT operations staff

• Vulnerability analysis including triaging vulnerabilities and advising on associated remediation activities.

• Taking on a wide variety of security operations tasks on an as-needed basis.



INFORMATION SECURITY ANALYST | AUSCERT

THE UNIVERSITY OF QUEENSLAND

BRISBANE, QUEENSLAND, AUSTRALIA

ON-SITE

FULL-TIME · ASSOCIATE

AUSCERT - BASED AT LONG POCKET CAMPUS

TOTAL SALARY PACKAGE NEGOTIABLE BASED ON INDIVIDUAL MERITS

2 YEAR FIXED-TERM POSITION

ABOUT THIS OPPORTUNITY

The Information Security Analyst is responsible for technical and operational support within the Australian Cyber Emergency Response Team (AusCERT). Analyst staff operate a roster system across multiple roles, giving the successful candidate exposure to a wide and interesting spread of information security disciplines. Duties include triaging requests and incidents from members, researching vulnerabilities and publishing standardised bulletins, performing malware analysis and reverse engineering, and working on incidents with members and some minor documentation roles.

The AusCERT Analyst team use a variety of open-source tools, tactical solutions and some in-house developed systems, and the successful candidate will participate in projects to improve the products and services AusCERT offers to members. Automation and scripting tasks are actively encouraged. The Analyst team actively participates in information security training, knowledge sharing and general discussion. Ideas for innovative and relevant products and services for AusCERT’s members are actively encouraged by all team members, and most products AusCERT delivers today have originated from ideas developed by past and current Senior Information Security Analysts.

The role also actively contributes to the running of the world-class AusCERT Cyber Security Conference including speaker and paper reviews. In addition, AusCERT analyst staff are also actively supported to attend other information security events, as well as to interact with other CERTs and agencies within Australia and worldwide to maintain and develop relationships.

SENIOR APPLICATION ENGINEER | ATLASSIAN

GREAT PERKS & BENEFITS

SYDNEY

FULL-TIME

Atlassian can hire people in any country where we have a legal entity. Assuming you have eligible working rights and a sufficient time zone overlap with your team, you can choose to work remotely or return to an office as they reopen (unless it’s necessary for your role to be performed in the office). Interviews and onboarding are conducted virtually, a part of being a distributed-first company.

The Product Security team is responsible for making sure Atlassian products and services are safe and secure. We are looking for a Senior Application Security Engineer who thrives on working with development teams to secure their products across the entire software development lifecycle. Your responsibilities will include source code auditing, performing threat models, reviewing new features and architectural designs, and finding ways to empower engineering teams to build secure software by default.

You must have a strong ability to work with colleagues to understand our products and then come up with ways to improve existing security infrastructure. Since we work closely with our product engineering teams, the ability to read and understand code is very important. Our products are built using a number of different languages but Java, Go, and Python are the most common. As part of the focus on learning at Atlassian, you’ll be able to spend up to 20% of your time on independent research.



LEAD CONSULTANT, DIGITAL FORENSICS AND INCIDENT RESPONSE (DFIR) | PARAFLARE

FULL-TIME

MID-SENIOR LEVEL - AUSTRALIA (REMOTE)

Lead digital forensic investigations and incident response engagements by prioritising and allocating tasks and resources logically and efficiently.

Acquire (or guide others to acquire) data necessary to undertake an investigation from a variety of sources using appropriate tools and techniques.

Undertake forensic analysis tasks independently with a high level of accuracy and efficiency using both commercial and open-source tools.

Use endpoint detection and response tools already present in the client environment or assist with the selection and deployment of EDR and artefact collection tools as required.

Produce high quality technical and executive level reports, requiring minimal revision.

Support other team members in their professional development by providing guidance on the use of software and accurate interpretation of artefacts.

Support the Director of DFIR with peer review of analyses and reports.

Strengthen internal and external awareness of cyber threats, investigative techniques, and other relevant topics in a format of your choice. This may include writing blog posts, presenting at conferences, or developing tools.

Assist with the delivery of proactive services as required.

Contribute to the development and improvement of DFIR services at ParaFlare.


DIRECTOR CYBERSECURITY | GRIFFITH UNIVERSITY

FULL TIME

BRISBANE

APPLICATIONS CLOSE: 30TH APRIL 2022

ABOUT THE OPPORTUNITY

Reporting directly to the Chief Digital Officer, the newly created position of Director, Cybersecurity is a highly visible and important leadership position within Digital Solutions and the broader University environment. Providing strategic direction, management and oversight of essential cybersecurity capabilities, the Director will:

• Develop and deliver the digital security strategy and program aligned to the Digital Masterplan, safeguarding the University’s strategic interests.

• Work closely with key stakeholders, across academic and professional groups, as well as externally to implement security programs across all areas of the University.

• Provide advice to the University’s senior leadership in relation to security direction, cyber risk position and resource investment.

For more about this opportunity, please click here https://www.griffith.edu.au/director-cybersecurity

ABOUT YOU

This role requires extensive experience developing and implementing a cyber security strategy and program in a large, multifaceted organisation. Demonstrated experience delivering a multi-year program of work to mature cybersecurity capability should be complemented by the ability to build trusted relationships, and effectively influence and collaborate to achieve strategic and operational outcomes. If you are seeking a new challenge and a leadership role in a collaborative environment where you can make a difference, then we would like to hear from you.

APPLY NOW


JOB BOARD

SECURITY AND NETWORK ARCHITECT | KORDIA

AUCKLAND OR WELLINGTON, NZ

FULL-TIME

FULLY VACCINATED

NEW ZEALAND CITIZEN OR RESIDENT OR HOLD A VALID WORK VISA TO LEGALLY WORK IN NEW ZEALAND

Great opportunity for an experienced Security & Network Architect with a passion for NZISM and other security standards to join our growing Security Design and Operations team, reporting to the CISO. If you have security operations experience and possess a real passion for security, please apply today.

ABOUT YOU

You will be responsible for carrying out Security Design and Operations functions including being responsible for the architecture and design of the Kordia Group’s internal networks and security systems, security operations, including vulnerability, threat and incident management, secure by design and security assurance activities. To be successful in this role, you will possess:

• A minimum of 3 years of experience in cyber security with hands-on experience with security compliance and assurance, ideally NZISM and/or ISO 27001

• A broad understanding of security controls

• Proven experience in providing excellent customer service

• A positive attitude, open mind, highly analytical and enjoy working as part of a team

APPLY NOW

SENIOR IT & CYBER SECURITY ANALYST, SECURITY OPERATIONS, SENIOR SPECIALIST, BISO OT, RISK OFFICER | TRANSPORT FOR NSW

DIVERSITY

ENTRY-LEVEL ROLES

Transport for NSW is creating more opportunities for young people from diverse backgrounds to kick start their careers in IT. Project Wahine was launched by their IT department for the Transport branch to provide a range of newly established entry-level roles, as well as clear career pathways, aiming to help a new generation of IT professionals begin long term careers with Transport. Ally Morgan, a recent program recruit who has secured a role with the Greater Sydney IT, Innovation and Capability team said, “As a young professional, I’ve been able to jump-start my career and I am excited about starting my role. I appreciate the opportunity to continue to make a difference in the Transport community.” Check out the latest IT opportunities at Transport and kick start your career today:

APPLY NOW



TEAM LEADER ENTERPRISE SECURITY | GREATER WESTERN WATER LIMITED FOOTSCRAY, AU FLEXIBLE WORK

BEST PLACE TO WORK 2021 FOR WOMEN IN CYBER SECURITY HYBRID WORK ENVIRONMENT

LIFE INSURANCE & SALARY CONTINUANCE

LEARNING AND GROWTH OPPORTUNITIES

GREAT EMPLOYEE BENEFITS

ABOUT THE ROLE

Greater Western Water (GWW) is seeking an experienced Enterprise Security professional to lead a high performing team of security specialists or an existing lead to take on the next challenge. Reporting to the IT & Security Operations Manager, the forward-thinking leader will manage and improve the day to day security operations by championing the information security capability across GWW. This position will provide security leadership to improve the security posture of the organisation and will work closely with the business and technology operational teams to help deliver innovative solutions that strengthen GWW customer and community trust.

DUTIES

• Lead threat detection, investigation and response activities to manage internal/external threats and vulnerabilities.

• Lead implementation of security controls to protect data, applications, and networks in cloud and hybrid environments.

• Provide technical leadership to Security incidents, forensics investigations and the prioritization of actions during a declared incident.

• Lead and manage a team of security specialists

• Support the IT Controls and compliance function on the annual protective data security planning and OVIC reporting.

• Collaborate with Internal Communication and Learning & development team to develop security awareness materials and manage cyber awareness campaign.

• Monitor service delivery performance of security service providers and manage contractual obligations under scope.

APPLY NOW

DO YOU WANT YOUR COMPANY'S JOB LISTED IN THE NEXT ISSUE? Contact us today to find out how we can boost your job listing and help you find the top talent in the security industry aby@source2create.com.au


REACH OUT

vasudha@source2create.com.au



VANNESSA MCCAMLEY

SUCCESSFUL CHANGE STARTS WITH YOUR BRAIN’S WELLBEING

by Vannessa McCamley, Principal Consultant, Coach, Facilitator & Keynote Speaker

There’s potentially a ‘great resignation’ on Australia’s horizon. Many have experienced burnout during the pandemic, so it’s no surprise many of us are considering a change of profession and lifestyle. A new job is the modern version of the post-break-up haircut.

MY SITUATION

Like many people, I have used downtime to reflect on my 27-year career. Over those years my professional calling has pivoted several times. Before landing my current gig, I was already feeling some discontent.

By age 26 I had changed my profession and my study subjects twice. Working an average 80-hour week, living on a diet of stress and immediacy to please everyone except for myself, will do that to you.

Change can be disruptive, and there is great value in pivoting to find happiness and fulfilment. However, there is a difference between seeking something new because it is the right thing to do versus seeking change as an escape from total exhaustion. The latter situation will likely re-emerge in a new job if change is only a band-aid for a deep problem.

REASONS FOR CHANGE

Good reasons for changing jobs include:

• Increased flexibility

• Better work/life balance

• Working for an inspiring leader

• A more enjoyable team environment

• Experiencing the personal satisfaction of making a difference.

Burnout resulting from deep unrest is not a good reason. I recommend taking a break to re-energise your brain and body before making important decisions like changing careers.

WORK SHOULD COMPLEMENT YOUR LIFE

Difficult times reveal the things we value most. And the challenges of the present create the impetus for reinvention or a change of career path.

Over the last two years the wellbeing and mental stamina of many of us have been pushed to their limits. And we’re feeling it.

Humans are social creatures. We require connection and we gain stimulus from others. We also require downtime, exercise and good food to function properly. In lockdown, few of those needs were fully met.

Changing jobs can feel like the solution. However, once the adrenaline of a new gig passes, the underlying self-neglect that drives change will return unless that change is accompanied by a purposeful focus on wellbeing and on better professional outcomes.

FINDING YOUR LIFE’S WORK

Through helping people understand their brain to achieve more in the workplace, I’ve learnt that abrupt decisions and moves can often be a reaction to an adverse environment rather than a deep need for change.

The good news is that the latest neuroplasticity research shows we never stop learning. When enabled to succeed our brains can build new and lasting behaviours that improve wellbeing and performance, regardless of age.

The key to changing your brain is to carve out space for a daily check-in, even when you have a lot on. This allows you to better face known and unknown obstacles, and to let go of behaviours that no longer serve your purpose. This means ensuring you have:

• Good diet

• Movement

• Sleep

• Social connection

• Gratitude

• Relaxation and mindfulness

I was able to let go of the expectations of other people that led me to becoming a perfectionist. The trials of pivoting taught me to be resilient. That resilience led me to find what I love most: helping others to navigate obstacles in more brain-friendly and healthy ways.

IN CONCLUSION

Finding a rewarding career is not always a walk in the park: there can be challenging times along the journey. As scary as it sounds, there is nothing wrong with admitting your needs are not being met. I encourage you to first consider what those needs, and your purpose, really are.

“The cave you fear to enter holds the treasure you seek.” -Joseph Campbell

ABOUT VANNESSA MCCAMLEY

A leadership and performance expert, specialising in neuroscience practices to help individuals and businesses grow in meaningful ways whilst delivering measurable results in healthy ways.

With a passion for helping people and businesses to overcome obstacles allows them to reach their strategic goals. Bringing over 20 years business experience working extensively with individuals at all levels and spanning across several industries with a strong background within the IT Security Industry.

Vannessa is the book author of REWIRE for SUCCESS – An easy guide for using neuroscience to improve choices for work, life and wellbeing.

www.linkedin.com/in/vannessa-mccamley/

www.linksuccess.com.au/


RACHEL MAYNE

NAVIGATING A CYBER CAREER AND BECOMING A FEMALE LEADER

by Rachel Mayne, Senior Associate, Cyber Security at u&u Recruitment Partners

I’ve been lucky to have always had strong female role models in my personal life, but at work I’ve always been in a very male-dominated industry, recruiting in male-dominated markets. However, I am fortunate to have met some exceptional female leaders, one of whom is Shanna Daly.

I met Shanna a few years ago when she was speaking at ParaFlare’s Women in Security event. I remember being very impressed with how she broke through stereotypes and appeared to be completely unapologetic about who she was, no matter how much society might expect her to be different.

So, for this piece I asked Shanna, now Chief Trust Officer and previously Director of Digital Forensics & Incident Response at ParaFlare, to share her story in the hope it inspires others to follow in her footsteps.

WHAT LED YOU INTO A CAREER IN CYBER SECURITY?

For me, getting into cyber security happened by pure chance. Although I had a passion for computers from a young age, I did not grow up thinking they would be the focus of my career.

I remember playing with computers when I was young, starting with the Commodore 64. My year 6 teacher had a PC and I would spend hours playing Where in the world is Carmen Sandiego.

In my last year of high school, I discovered the internet and live chat. I think that put an end to any chance of me having a career that did not involve the internet!

However, when I went to university, I started out studying microbiology and immunology. I wanted to be a virologist. I guess I’m not far off that now, except I specialise in digital viruses instead!

I soon decided microbiology and virology were not for me. I dropped out of university when I was 19 and started working in hospitality. I still had a love of computers and hacking. So, when a role came up with a dial-up internet access provider, I moved into a technical support role.

From then on, I was always quick to say yes to opportunities that came my way. I taught myself a lot but was also lucky to be surrounded by friends and colleagues willing to show me the ropes.

WHAT ARE YOUR THOUGHTS ON CERTIFICATIONS AND WHY DID YOU DECIDE TO OBTAIN THE SANS CERTIFICATION?

Personally, I think any certifications you can gain simply by studying a textbook will not help you in the long term. However, certifications that require some hands-on, practical experience, such as SANS courses or some higher education courses, can be beneficial.

I was lucky enough to be offered the chance to obtain my first SANS certification through Verizon. Being a US company, it was big on SANS courses, so I was able to take several. I think finding a company that invests in training courses like this was a big plus.

WHAT LED YOU TO GAIN YOUR MASTER’S DEGREE?

I decided to do a master’s because I wanted a degree of some sort in case I ever wanted to gain an MBA or needed one for some other reason. At the time, it was mainly to confirm my skills. I graduated with honours, so I was pretty stoked.

WHAT DIFFICULTIES HAVE YOU FACED WORKING IN THIS INDUSTRY?

The biggest difficulty for me was feeling I needed to fit in and knowing I never would.

Unfortunately, when I started out it was rare to find another woman doing the same technical work as myself. Over the past 15 years, I’ve worked mostly as a consultant for vendors and that meant working in a macho sales culture where there was a lot of bullying.

I’ve always tended to dress on the ‘grunge’ side of style, which was often seen as inappropriate. So, I found it difficult to behave or appear, as society expected.

WHICH PARTS OF YOUR ROLE DO YOU ENJOY MOST?

I love how I can be hyper-focused on the technical side of digital forensics and get lost for hours trying to work things out or following leads. I also really enjoy researching and building capabilities. I’ve had a great experience building an amazing consulting team at ParaFlare that has made me feel redundant, which is fantastic.

IS THERE ANYTHING YOU WOULD HAVE DONE DIFFERENTLY?

I wish I had backed myself more often, but despite not having done so, I’m pretty happy with where I am and how I got here.

DO YOU HAVE ANY ADVICE FOR OTHER FEMALES IN THE INDUSTRY?

Put your hand up for opportunities presented to you if you think you will enjoy them. Don’t wait to be handed them, and certainly don’t expect to know everything about a role before you start.

SUMMARY

Chatting with Shanna was very refreshing and I could see from the exceptional female team she has built around her that she is a fantastic role model for women looking to break the mould and redefine expectations, not only around career paths but also around appearance and behaviours.

My main takeaway from speaking with Shanna about her journey is you should seize any opportunity that excites you and be prepared for the consequences of not fitting in.

You’ll never regret giving something a go. Far worse to look back and think “what if?”

I think, as women, we often limit ourselves because of others’ expectations and biases. Instead, we should be reminding ourselves that being passionate about something is far more important than appearance and background, and we should not let these define the path we take.

www.linkedin.com/in/rachael-mayne/

www.linkedin.com/in/shannadaly/

www.uandu.com/team/rachael-mayne


WHAT YOU CAN DO IN CYBER SECURITY, WITH A DEGREE THAT ISN’T IN IT

Josephine Vu, Cyber Intern | Akira Singh, Associate Consultant | Tayla Payne, Associate Consultant | Amit Gaur, Executive Consultant | Anu Kukar, Associate Partner from the Cybersecurity – Cloud, Strategy & Risk Team at IBM A/NZ

INTRODUCTION

Did you know you can have a rewarding career and add value in cyber security without necessarily having a traditional technology and cyber security background? Cyber has become such a wide-ranging discipline that a diverse background can enable you to play a valuable role in any business. Skills and perspectives that complement the technical aspects of cyber security are now needed as organisations begin to seek new points of view to reshape, reorganise and rethink their cyber posture.

WHY SHOULD YOU GET INTO CYBER SECURITY?

In recent years there has been increasing demand from companies for cyber security professionals, but their recruitment attempts have been hampered by a shortage of talent. According to Mercer’s 2021 Total Remuneration Survey, over 2020-21 there was a 49 per cent rise in advertised cyber security roles and 17,000 cyber professionals will be needed by 2026. To meet this demand organisations are trying to boost the talent pool by introducing programs, training initiatives and certifications to cultivate cyber talent.

This has been dubbed the ‘New Collar’ approach by IBM. Regardless of educational background candidates with the right mindset and qualities can be taught the skills necessary to succeed in cyber security. Cyber security has become multifaceted. There is a need not only for people with the traditional technical background but for people with experience in law, policy, data science, risk, governance or finance and more. Research from Frost & Sullivan shows that 30 per cent of people working in the cyber security industry come from non-IT disciplines. This means technical skills can be learnt and developed on the job. Furthermore, organisations are now looking for those with non-technical perspectives to help bring a holistic view to managing cyber security.

HOW CAN YOU CONTRIBUTE TO CYBER SECURITY?

Law

Law plays a huge role in cyber security. Most aspects of cyber and IT operate within a complex framework of laws and compliance requirements with new regulations introduced frequently. In consulting each client engagement will contain a legal compliance aspect and every team will require someone with a legal lens and an understanding of cyber to ensure deliverables and services are provided in accordance with relevant laws and regulations. Having someone with a legal background in a cyber team can ensure the team’s work on a cyber project is compliant. A legal lens can provide a unique insight into business problems and solutions. Legal expertise is highly valued in the cyberspace and those with legal qualifications have many opportunities in the field.

For example, in 2021 all organisations in Australia with critical infrastructure assets were tasked with a major cyber security uplift by an amendment to the Security of Critical Infrastructure Act 2018. CISOs and CIOs turned to cyber consultants, like those in IBM, to ask questions about compliance, the impact on their organisation and the penalties imposed. Being able to answer these questions, assess client pain points and provide much needed legal information enabled IBM’s cyber security team to provide trusted advisors to multiple industries.

Potential roles: cyber security lawyer, cyber consultant, cyber compliance investigator, policy advisor.

Accounting & finance

Two key questions boards and CxOs are asking:

1. What is our current cyber exposure?

2. What is our RoI from our cyber security program?

Front of mind across all industries is the ability to quantify cyber risk exposure and ensure investments in cyber security programs are effective in reducing cyber exposure.

To quantify cyber risk exposure requires, in addition to cyber security, several other activities, experiences or knowledge such as:

• Facilitating workshops with diverse stakeholders;

• A curious mindset and asking open-ended questions;

• Statistics, modelling and running software tools; and

• Research, analysis and drawing insights.

Accounting and finance professionals who have backgrounds working with numbers, analysing data and understanding business drivers can bring these skills and experiences and contribute to cyber security.

Potential roles: cyber exposure advisor, cyber quantification analyst, business analyst, consultant.

Political economics

In the past decade cyber attacks have become increasingly disruptive, diverse, critical and, in many instances, more political. Additionally, surveys, media and literature all suggest the international community is seriously, and increasingly, threatened by cyber attacks. Forty-nine percent of respondents to the World Economic Forum’s 2021 survey claim cyber security failure to be one of the top-10 threats globally. Cyber security, therefore, requires people who can collaborate globally on these global threats. The intersection between cyber security and political economics is vibrant and varied and is significantly enhanced by individuals who have interdisciplinary expertise, an understanding of the relevance to national and international policy and the ability to recognise the interplay between technological possibilities and the political choices of nation-state actors.

For example, the Russian military attack launched on Ukraine in late February 2022 has left the West vulnerable to both physical and virtual attacks. The international community, including Australia, has come together to defend Ukraine through a variety of sanctions, bank exclusions and funding for humanitarian, security and military aid. Australia’s support of Ukraine, in opposition to Russia, has meant all Australian critical infrastructure is at increased risk from cyber-attacks, fuelling the requirement for organisations to urgently adopt enhanced cyber security postures to protect against disruptive malware, etc.

Potential roles: cyber security advisor/consultant, cyber risk quantification subject matter expert, policy analyst or advisor, researcher, threat analyst.

Psychology

Psychology and cyber security can go hand-in-hand. By understanding the goals and motives of cyber criminals you can influence the protection of your organisation’s assets and infrastructure from a cyber security perspective. The ability to reduce cybercrime becomes easier when you can identify and become conscious of a criminal’s motives and what drives them to commit a cybercrime. Employee behaviour towards cyber security is also based on many psychological aspects. Telling employees cyber safety is essential but not taking the necessary measures to ensure cyber security rules are complied with can be detrimental. With the frequency of attacks, many employees can become desensitised to the importance of cyber security, with consequences for your organisation. As a psychologist, you can help to introduce cultural and behavioural shifts that encourage employees to develop a heightened sense of security.

For example, in recent years ransomware has grown to be one of the largest cyber threats to organisations around the world, with many critical infrastructure industries at risk. People with the necessary psychological skills can help vulnerable organisations stay ahead of these criminals by identifying possible targets and, in some cases, even mitigating the ransomware attacks before they occur.

Potential roles: cybersecurity policy advisor, threat analyst, ethical hacker, cyber consultant.

Business

IT projects are often dependent on gaining the necessary funding so there is a need to be able to communicate technical concepts simply and concisely. The business knowledge and strong communication skills you possess can complement the traditional technical skills IT professionals have and enable more effective communication with decision-makers and the board. This is where a business degree can confer many benefits: it helps to bridge the gap between business functions and cyber security.

Some business skills desirable for a career in cyber are:

• The ability to communicate technical concepts to non-technical teams;

• Strong project and resource management skills;

• An understanding of how organisations operate;

• Exceptional presentation skills and communication skills;

• The ability to help organisations change their business; and

• Good listening skills and the ability to understand issues.

Business professionals who possess a human-centred approach to their work, project management experience and strong communication skills can go a long way in the cyber security space.

Potential roles: business information security officer, project manager, cyber security consultant, cyber security analyst.

KEY TAKEAWAY – JOIN US

We hope to have demonstrated anyone with the right interest and a desire to learn can have a successful and rewarding career in cyber security. Both technical and non-technical professionals are needed. They complement each other and together can make a difference. As cyber threats continue to emerge and evolve the cyber security industry needs both technical and non-technical skills and perspectives to combat them. The skills you have gained from your diverse background can be used to complement and uplift the capabilities of your organisation’s cyber security. If you come from a non-traditional cyber security background you should not consider this a limitation, but rather a significant asset to any team. If you’re ready for a career change, just starting your career, or wondering what you could do with your degree, think about making the move towards cyber security. There are no limitations to what you can do in the cyber industry.

Sources

https://www.mercer.com.au/what-we-do/workforce-rewards-andtalent/rewards-and-employee-experience/salary-benchmarking-surveys/au-total-remuneration-survey.html

https://www.ibm.com/blogs/ibm-training/new-collar-coursera/

https://www.stu.edu/news/cybersecurity-law-top-career-opportunities/

https://www.optiv.com/insights/discover/blog/how-get-cybersecurity-even-without-technical-background

www.linkedin.com/in/jo-vu/

www.linkedin.com/in/akira-singh/

www.linkedin.com/in/tayla-payne-b619b6145/

www.linkedin.com/in/amit-gaur-183907105/

www.linkedin.com/in/cyberuntangler/


KATE BROUGHTON

DIVERSITY-BY-DESIGN: pipelining cyber security talent, three practical ways to get involved

by Kate Broughton, Head of Delivery at Decipher Bureau

The time for talking about the cyber talent shortage, the lack of diversity and the gender pay gap is long over. Even pre-Covid, senior leaders were pushing back, saying: “No, we really don’t want to sit on yet another panel to merely talk about these same old issues. Now is the time for action.”

Whilst quotas continue to be a contentious issue, I ask clients and the industry in general to focus on the end goal: what do you want your team and your business to look like in 12 months? Let’s lose the word ‘quota’ and focus on diversity-by-design. Not just for today, but for a successful economic future.

Setting targets and measuring progress towards them is a fundamental part of any successful business. So why, when looking at the heart of a business—its people—does designing targets seem complicated, become stigmatised or is simply overlooked?

With much research demonstrating how diverse teams positively impact the bottom line, diversity-by-design should be seen as a smart business move. At a recent AustCyber event, Ian Yip, founder and CEO of Australian cyber security software company Avertro, said his business had done just that: “From inception, building a diverse team was designed, planned and implemented.”

And let’s be honest, in an industry that aims to build an ecosystem secure by design, diversity-by-design should be a given. So, what are some practical ways you can start today, no matter the size of your organisation?

WOMEN IN STEM DECADAL PLAN

The Women in STEM Decadal Plan was developed by the Australian Academy of Science in collaboration with the Australian Academy of Technology and Engineering. It argues that government, academia, the education system, industry and the community have a shared responsibility to attract women and girls into STEM professions in general, and it sets out ways to help them achieve this.

It offers a vision and opportunities to 2030 to guide stakeholders as they identify and implement specific actions they must take to build the strongest STEM workforce possible and support Australia’s prosperity.

The Tech Girls Movement Foundation, founded by STEM advocate Dr Jenine Beekhuyzen, is “a tribe of young STEM leaders committed to solving real-world problems with technology across urban, regional and rural Australia and New Zealand.”

The organisation is a Women in STEM Decadal Plan champion, committed to knowledge sharing and collaboration. It can help organisations large and small align their activities with the six opportunities in the Decadal Plan.

Tech Girls has been assisting its current partners, including specialist cyber security recruiter, Decipher Bureau and software development company WK Digital. Amanda Rodgers from WK Digital states: “My intention in publicly committing WK Digital to be a Women in STEM Champion is to jumpstart active commitment to gender equity in STEM by other organisations. The economic future of Australia is too important to simply discuss big goals. We must actively plan for their realisation.”

The Decadal Plan aims to create a richly diverse industry and Decipher Bureau has enjoyed working on its plan with Tech Girls, understanding where we are today, identifying opportunities for growth across our business and the wider cyber ecosystem and providing some accountability for our actions.

PIPELINING TOP TALENT

Recruitment is reactive. That will not change. However, firms that have strong policies to attract and retain diverse talent, and partner with specialist recruitment firms who engage with talent ‘off market’ on their behalf, are much better equipped to hire from a diverse pool of candidates.

Such an approach does not mean your recruitment agency will give you a 50/50 male/female shortlist for your pen testing role. However, having policies to attract and retain diverse talent means identifying the teams and/or roles where diversity is lacking and building in the ability to create an opportunity for the right person when the opportunity arises. Organisations need to forecast, to anticipate opportunities for increasing diversity, just as they forecast costs and other developments in a business.

Like any forecast, the diversity forecast should be reviewed quarterly and progress towards it measured at the end of the year. The Decadal Plan can assist with this task.

RE-IMAGINING GRADUATE PROGRAMS

Hiring university graduates is a common recruitment tactic. However, today there are additional pathways for acquiring cyber skills. TAFE and a range of certification providers assist people transitioning into cyber from another career path. To support these people the creation of entry-level or junior roles must be a collective effort.

I do not claim to have all the answers. I have heard time and time again from clients that they “don’t have time to train” or are “worried this person will get up to speed and then leave.” Most cyber professionals are already running at top speed, that situation will not change unless we all take time to bring in and train up new talent.

Decipher Bureau is working with three clients that are taking on entry-level candidates with the aim to train and retain them. Through the interview process I have seen candidates transitioning from a different career often bringing extremely strong communication and leadership skills.

According to ISACA’s State of Cybersecurity 2021 Part 1, 56 percent of security professionals identified soft skills—including communication, flexibility and leadership—as those most lacking among today’s cyber talent.

So, another benefit of tapping into this talent pool is that it will help ensure the next generation of cyber professionals comes with well-developed communication skills and its members will be more than ready to be the leaders of tomorrow.

www.linkedin.com/in/katebroughton/

twitter.com/DecipherBureau


We’d like to say a special thanks to everyone who participated in the 2021 AWSN Women in Security Mentoring Program pilot!

PROGRAM HIGHLIGHTS

• 99 participants
• 53 mentors
• 46 mentees
• 172 hours completed
• 207 mentoring sessions

AWSN would like to recognise the outstanding contribution of the following mentors/mentees:

• Mentor of the Year: Gyle dela Cruz
• Mentor Great Achievers: Cath Wise and Liz B.
• Mentor Super Connector: Lukasz Gogolkiewicz
• Mentee of the Year: Cheryl Wong
• Mentee Great Achievers: Aarati Pradhananga and Queen Aigbefo
• Mentee Super Connector: Jocasta Norman
• First Mentoring Match: Farrell Tirtadinata and Miranda Raffaele

If you are interested in joining our 2022 mentoring programs, please register here: https://www.awsn.org.au/initiatives/mentoring/. If you are not yet a member join today!


INDUSTRY PERSPECTIVES


WOMEN ARE LOCKING DOWN GAINS IN PROTECTIVE SECURITY by David Braue

They come for different reasons, but changing culture is part of the reason they stay

Protective security can be a tough gig. Just ask Lisa Reilly, executive director of the Global Interagency Security Forum (GISF), who for more than 16 years has been working to provide and execute security plans in support of humanitarian missions across Africa and Asia.

The harsh realities that attract the need for humanitarian support have also spawned a “very macho culture,” Reilly said during a recent International Women’s Day webinar, “and I see this reflected in the security sector.”

Like any woman in such an environment, Reilly admits that culture has shaped her experience of a job to which she was attracted by interest, but – like many in the security industry that came from other fields – never expected to become her career path.

“We need to have more women” in security to provide a broader range of support for both men and women engaged in the industry, Reilly said. “Every woman is different and every person brings something different with them when they join the sector – and I think perhaps we don’t make enough of that.”

“There are so many hidden factors that we have, and we need to create a culture where we’re comfortable to bring all that to the table and to be able to bring our whole selves to work.”

Yet bringing one’s self to work has been particularly challenging during the COVID-19 pandemic, when conventional notions of physical security, asset protection, information security, reputation and risk management, and other related areas were cast in a completely different light – and security professionals were forced to adapt accordingly.

“If there’s anything that COVID brought out, it is that security is something that needs to be taken very seriously,” said Monicah Kimeu, a Kenyan security training and communications consultant whose company, Mo n’ More Concepts, has become a leading voice for women’s security, diversity and inclusion, and the development of safe and secure working spaces.


The spectrum of security-related competencies “is critical in today’s business world,” Kimeu said, “and for anyone who would like to consider a career in security, this is the future of the world.”

The protective security industry won’t reach its full potential, she said, until long-established masculine culture makes way for the capabilities that women bring to the table.

“This paradigm shift requires a synergy of competencies from both men and women to be able to come up with solutions for the world,” she explained. “Women are bringing in soft skills to the space that are required in terms of critical thinking and multi-tasking in the boardroom.”

“We are going beyond the cultural thinking of security.”

UPPING THE GAME IN AUSTRALIA

With women fighting to expand the acceptance of the talents they bring to security in some of the world’s most difficult security environments – and strong support from bodies like the UN recognising the value of increasing women’s participation in peacekeeping operations – recognition of the importance of women’s perspectives in security has never been stronger.

The UN Action for Peacekeeping initiative, for example, flags the importance of “full, equal and meaningful participation of women in all stages of peace processes, as well as the integration of a gender perspective into all stages of analysis, planning, implementation and reporting.”

In this context, one might believe that the experience in Australia was far more progressive – yet despite the successes of many individual women working in protective security, the Australian industry remains less focused on bolstering gender diversity and more focused on improving the professionalism of an industry that has changed rapidly with the convergence of physical and cyber security.

Security 2025, an industry-wide assessment and strategic guide released late in 2021 by the Australian Security Industry Association Limited (ASIAL), weighs in at nearly 100 pages but does not mention gender diversity once.

For an industry where women are still generally outnumbered – in one recent survey of webinar participants, 41% said women comprised between 0 and 20% of their employees, while 47% said the same about their company leadership – those women that are engaged with the industry are wasting no time making waves.

Consider the likes of Amanda Pitrans, a protective security specialist for intelligence and operations with IAG whose work in managing the company’s COVID-19 response to protect its nearly 13,000 employees – and her tireless mentorship of students and engagement with security industry organisations – earned her recognition at the AWSN Women in Security Awards as the Most Promising Newcomer in Any Area of Protective Security/Resilience.

PLANTING THE SEEDS OF DIVERSITY

Engagement with peers and the next generation is crucial to building the momentum that will normalise the role of women in protective security, said Kate Bright, CEO of UK-based protective security firm UMBRA International Group.

“Is security seen as a career by young females?” she asked. “Not necessarily – but it’s up to us women who are prepared to talk and be visible about what we’re doing, to help the younger generations to raise their hands.”

By engaging with younger workers at an early age, Bright added, it becomes possible to “demystify these places that we occupy. We won’t be asking that question in a few years’ time, because security will just be a career path for both younger men and women.”

Tireless advocacy has already produced wins for the likes of Christina Rose, a more than 20-year industry veteran security consultant who was named Most Outstanding Woman in Protective Security/Resilience at the awards.


“I lead by example,” said Rose, whose work improving the engagement of women has driven a 50:50 gender split across more than 100 people from over 60 nations. “Watching my team grow and learn and gain more confidence in the work they do, is very satisfying and a pleasure to be a part of.”

Facing systemic gender inequities across the protective security industry, women taking advantage of the broad range of opportunities often report a high degree of initiative and determination to succeed.

Yet many others still need a helping hand – and that, AV sales manager and founder of Women in AV Australia Toni McAllister noted, will be crucial for driving organic growth in the numbers of women in Australia’s protective security industry.

“We have come a long way already in the industry but we can’t sit back and rely on that,” McAllister said. “I don’t think people understand how difficult it is for a female to build the same support networks as it is for a male, and I think that’s where women need to champion each other as well.”

“Having a really good male mentor and female mentor gives you that balance – and it gives you the ability to build those networks. You just can’t do it in isolation either way.”

Ultimately, says Krissy Waley, project manager with built environmental consultancy Arup, greater engagement with women will make mentorship redundant: “it is a necessity, but the goal is that it won’t be needed at all” as women are normalised in every part of the industry, she explained.

“We just need to have open conversations and equal conversations, and involve as many people as possible to ensure that we have that diverse perspective – and that if we are making changes, that we’re including everyone in that process.”



SIMON CARABETTA

IN CYBER, LANGUAGE IS THE WEAPON OF CHOICE by Simon Carabetta, Cyber Communications Specialist

In February of 2000 I stepped into the wide, scary, intimidating world of tertiary education. “Prepare to have your mind blown,” quipped the lecturer of one of my first units where we were introduced to an equally scary, intimidating concept known as Semiotics.

For those who have retained their sanity and did not complete a bachelor’s in communication, a bit of background. Semiotics, in a nutshell, is the study of signs, symbols and signifiers and the meaning they give us based on cultural understandings and context.

You’re still with me, right? Okay.

I may or may not have slightly skewed that definition. It’s been 22 years so I can be forgiven for being a little loose with the finer details, but you get the point.

Anyway, one thing stood out for me during the blur of my entire first semester and that was language is power. In fact, language is bloody powerful. So powerful I began to understand how it can be wielded, manipulated and fashioned into weapons.

In cyber security that weapon of choice is the notorious acronym.

Yes, you know what I’m talking about.

The old guard love them! Nothing better than unsheathing a finely forged HMAC or wielding a couple of SQLs. Hell, I’ve even seen those WMDs (weapons of mass destruction) known as OWASP used on a few occasions in front of unsuspecting individuals.

The point I’m trying to make here (in a very roundabout way but how else am I going to get the message across?) is that acronyms in cyber security are a great way for people to assert their expertise, their vast knowledge and their profound wisdom of all things cyber and IT. However, we’re all forgetting one very important thing here: not everyone in cyber security has a technical background.

Now, I’m not saying it took a communications major who had to sit through one too many screenings of Battleship Potemkin to point that out, because it is common knowledge, and has been for quite some time. However, what I am saying is, despite this being common knowledge, there are still far too many people who are handing out acronyms like candy at a fifth birthday party. Simply put, it is difficult for many people who have transitioned into cyber from non-technical roles to keep track of general workplace conversations if most of what is being said sounds like a foreign language.

I’m going to credit a good friend and former colleague of mine, the formidable Caitriona Forde, with the inspiration for this article because she has spoken about it at length many times. Caitriona is one of the most talented cyber security professionals I know. I have tremendous respect for her knowledge and the impeccably clear way in which she speaks about cyber security. Caitriona has been in IT for years, yet she is always ready to call out someone else’s BS when they overuse or misuse an acronym, to give the impression they understand more of what they are talking about than is the case. A similar issue arises from the way in which many men in the industry use cyber language to talk down or ‘mansplain’ to women, sometimes forgetting those women may in fact be more knowledgeable on the subject than they are.

“Language is power, life and the instrument of culture, the instrument of domination and liberation”

– Angela Carter

Now, with all this being said, there are also many exceptionally talented and supportive people working in cyber who overuse acronyms and technical jargon, but not on purpose. That’s just how they speak. That’s their world, and that’s completely fine in their professional circles. On the flip side, it is also important as a graduate or someone coming from another field to take some responsibility for your own development and get to know the language of cyber. However, a newcomer cannot be expected to know everything (and who really knows EVERYTHING about cyber?) and the game must be played fairly by all.

Newcomers to the industry, much like myself in 2019, feel intimidated and suffer from imposter syndrome (see my article from Issue 7). When I began my first job in cyber as the security awareness trainer for Water Corporation in WA I did not take the opportunities to have particular acronyms or terms explained to me. Luckily, I worked with an inclusive and supportive team whose members were happy to explain after I found my feet (and my voice) and began taking those opportunities.

I urge any newcomer to cyber to find their voice and ask questions. Call out the use of acronyms and complicated jargon on occasions when it would be far easier to ‘speak human’ and tone down the language. Learn the language for your own sake, but be mindful: working in cyber security should not mean having to decode every conversation you are a part of. Working in cyber security should not mean having to analyse every email you receive. Working in cyber security should mean plain, simple human communication. Otherwise, you may as well sit through three years of a communications degree.

www.linkedin.com/in/simoncarabetta/

twitter.com/carabettasimon


TRAVIS QUINN

BETTER TOGETHER: AGENCY, ADVOCACY, AND BEING A GOOD MENTOR IN CYBER SECURITY by Travis Quinn, Principal Security Advisor at Trustwave

Agency is a concept in sociology that describes the ability of a person to make independent decisions and to have an impact on their environment. The capacity to do both is derived from their influence and access to resources. The lack of either reduces their agency and this can be very disempowering for an individual. Agency is also important in establishing how egalitarian a community is, particularly with respect to gender identity.

The cyber security community is no different. The agency of women in our field is a significant issue and we see evidence of its absence in practically every domain of cyber security. The most glaring example is at the senior leadership level where the agency of the individual is naturally at its zenith, but gender diversity is chronically poor: only 24 per cent of senior leadership roles in IT are held by women, according to a 2019 report from International Data Corporation (IDC).

Mentoring is a proven way to empower women in cyber security. A good mentor can be an advocate and an enabler, helping to create opportunities for professional and personal development for their mentees. Similarly, a proactive mentee can take advantage of the experience, connections, etc. of their mentors. Through this relationship, challenges to the agency of women in the cyber security industry can be reduced and we can support them effectively in their careers.

However, not all mentoring is constructive. The dynamic between a mentor and a mentee can be mutually beneficial, but the focus must remain on the mentee and their needs. In the age of social media, we are exposed to visible forms of appropriation in which high profile organisations and individuals espouse their mentoring initiatives, events, etc. but fail to really empower the participants. Genuine mentoring cannot be used as an opportunity for self-promotion at the expense of the mentee.

Fortunately, there are many examples of mentoring done well in cyber security. For example, the Australian Computer Society (ACS) runs a structured mentoring program out of its state and territory branches. The mentor and mentee jointly develop a mentoring work plan with clear outcomes and timeframes. The program also uses the Skills Framework for the Information Age (SFIA) model to identify opportunities for the mentee’s professional development.

The AWSN also runs an excellent mentoring program that takes advantage of the OK RDY mobile platform to streamline the process of matching mentors to mentees. While these two programs differ greatly in their approaches they share some key features such as their explicit expectations of participants and their earnest focus on the mentoring outcomes. Together, the ACS and AWSN programs set the standard for mentoring in IT and cyber security.

Mentoring in the workplace can be effective. However, in large organisations it is often incorporated into the performance management process, i.e. your performance manager is expected to act as your mentor. This is a practical approach. However, it benefits the organisation more than the participants. It fails to provide an open, supportive environment for the mentee and creates a dichotomy between their mentorship and their performance management. In this dynamic, one of these drivers will invariably trump the other. Ideally, organisations should create separate channels for mentoring staff that are disconnected from any performance considerations. An appropriate workplace mentor is one that understands the organisation, whose experience and skills are relevant, and who is removed from the hierarchy of the mentee.

Returning to the concept of agency: mentoring remains one of the best ways we can empower women in cyber security. When you share your advice and perspectives as a mentor you are enabling your mentee(s) to profit from your experiences, in much the same way you have learnt from your experiences. All experience has value and if you’ve been in the industry for any length of time you should earnestly consider being a mentor, whether in your workplace or through a mentoring program. In this way, you can help to make cyber security a more positive and inclusive industry.

www.linkedin.com/in/travis-quinn1/


MEGHAN JACQUOT

SUPPORTIVE COMMUNITIES HELP YOU RUN YOUR WORLD by Meghan Jacquot, Cyber Threat Intelligence Analyst at Recorded Future

Maybe you are new to cyber or maybe you’ve been in cyber security for some time. Either way, you may have noticed there are many groups for those in cyber security. Some such as the Cloud Security Alliance focus on specific topics. Some like BlackGirlsHack focus on bringing underrepresented groups into the industry. Still others like BSides and DefCon are focused on conferences.

Wherever you are in your cyber security journey there will be a group for you. I’d like to share the story of my experience with a few such organisations.

Women in CyberSecurity (WiCyS) was the first cyber organisation I joined in 2020. The following year I applied to attend the 2021 conference and was accepted. Since the start of the pandemic, I had met many people online but never in person. I made plans to meet some of them in person, and in September 2021 those plans became reality.

What’s the WiCyS conference like? Imagine entering a large conference centre and as you meet people in the line for registration they are joyous and friendly. Imagine sessions that pique your interest and imagine finding groups to join at different times throughout the conference. I went from meeting new people to hanging out with a group of women who had decided to name themselves after a restaurant: Chicken Biscuit Krewe. We supported each other, cheered each other on, and we still hang out together online about once a month.

Several of us were able to go to the WiCyS conference in 2022 from March 17-19. We attended each other’s talks, had meals together and shared our joy with others. We now even have our own swag. We have become a community within a community, and the larger WiCyS community exhibits these supportive traits too. Over time I have become more involved in WiCyS and am now an affiliate chapter president in the Mid-Atlantic area of the USA. If you ever get the chance to attend a WiCyS conference or to become involved with the organisation I can recommend it.

Here are some other cyber security focussed organisations I can recommend.


BBWIC Foundation is focused on breaking barriers of entry to cyber and within the industry, such as barriers to moving laterally or forward in one’s career. It is a community of supportive individuals who will celebrate you in your journey. There are monthly meetings that provide opportunities for learning and mentoring. Members share out projects in a Slack group in the #dream-big channel, encourage each other and offer help. I help as the research advisory chair on the board. Its focus is to help members who want to conduct a study and to help find conference presenters and papers on topics of interest.

SANS has multiple summits every year that are completely free and usually virtual. During these summits, a Slack group is created and a sense of community emerges as people network, ask questions and share pet photos and details of their home set-up. I decided to get more involved with the SANS community. I became a call-for-papers reviewer, helped mentor new speakers and developed a section of the capture the flag challenge for the New2Cyber summit. This group focuses on different aspects of cyber security for each summit and allows people to share their learnings.

HOW DOES HAVING A COMMUNITY HELP?

There will be times when imposter syndrome creeps in and you think you cannot do something. I’ve had this happen and so have many others. Communities help because they support you, are where you can share your struggles, and will cheer you on. I have had many opportunities arise because of these communities and I have also been able to give back. For example, by participating in the SANS community I was able to meet one of the main designers of their capture the flag programs. I shared an idea I had and he encouraged me to try my hand at writing a section of the CTF. If I had not been involved in the community I would not have had the chance to work on this project, learn more about CTF creation, and see my work become part of a challenge. Communities help us rule our world.

WHY AM I A MEMBER OF MULTIPLE COMMUNITIES?

In different settings, I focus on different things. I find it helpful to have a variety of communities to meet these different needs.

HOW DO YOU START?

• Find a group that is of interest to you.
• Figure out how to join the group and do so.
• Be active in the group. This can be as simple as adding a resource to the group’s platform and then building up to interacting with members. Often, the more you share the more you will become known and gain a sense of community.
• Experiment and try different communities to find those that have the best fit for you.
• Enjoy, and know I will also be celebrating you!

www.linkedin.com/in/meghan-jacquot-carpe-diem/

twitter.com/CarpeDiemT3ch

www.youtube.com/c/CarpeDiemT3ch


KAREN STEPHENS

Karen is CEO and co-founder of BCyber, an agile, innovative group who works with SMEs to protect and grow their business, by demystifying the technical and helping them to identify and address cybersecurity and governance risk gaps. Karen has recently graduated from both the TechReady Woman Accelerator graduate and CLP program with the Cyber Leadership Institute in 2021.

COLUMN

Don’t ask who runs cyber. Ask who should run cyber

The way we work has changed thanks to the pandemic. We are now all doing some variation of the work from home/work from the office two-step. So, it makes sense to rethink how we view cybersecurity: its ownership and responsibilities.

So “who runs cyber?” is not the real question, it’s more a question of “who should be running cyber?” The answer is: a business/IT hybrid team - the ultimate symbiotic relationship. Want to know why?

The lines between IT and business are becoming increasingly blurred as SMB owners become the default “inhouse technical experts”

Recent statistics have small businesses and family enterprises representing 97% of businesses in Australia. Traditionally, they are left behind when it comes to cyber security. They are considered too small by the big consultants or are unable to afford the measures and staff available to big businesses.

This means they often end up with a mish-mash of cyber security measures made up of ‘do-it-yourself’ plus ‘outsource some’ plus ‘what free stuff I can find to make do with?’ There is no clear coordinated strategy. As a result, the delineation between technical and business becomes blurred.

There are no blank cheques

Securing an entire business is an unrealistic goal but it is the business and not IT (the IT department in a big business or the external service provider to a small business) that makes the ultimate decision around spending, delicately balancing “How much risk is the business willing to accept?” versus “How much security can the business afford?” It is IT that provides each business with the ability to make the most appropriate decision.

Silos are so old school

Cyber security cuts across every department and through every level of an SMB. Hoping to “keep the cybercriminals out” is not the sole responsibility of IT. Everyone in a business — whether it be large or small — needs to be cyber aware because everybody has something of value. For example, HR is responsible for personally identifiable information; Finance for client invoicing details; Compliance for all corporate activities; Operations for insurance policy terms and conditions, etc. In an SMB all those business units may be just one or two individuals. A single machine or server going down can mean the loss overnight of a business that has taken years to build.

A business, its IT and its cyber security need to be in lock step. No cyber security can mean no business.

www.linkedin.com/in/karen-stephens-bcyber/

www.bcyber.com.au

karen@bcyber.com.au

twitter.com/bcyber2

youtube.bcyber.com.au/2mux




MARISE ALPHONSO

HEDY LAMARR MORE THAN A FAMOUS ACTRESS by Marise Alphonso, Information Security Lead at Infoxchange

Over the past decades many women have contributed to developments in science and information security. One of those women was Hedy Lamarr, widely known for her acting roles and her on-screen beauty but little recognised for her ingenious, inventive streak, kept hidden for most of her life.

Hedy Lamarr (originally Hedwig Eva Maria Kiesler) was an Austrian-American actress born in 1914. As an only child, Lamarr was exposed to music, the arts and the sciences by her parents at an early age. In the documentary Bombshell: The Hedy Lamarr Story (2017) Lamarr gave credit to her father for explaining how things such as the trams on the streets of Vienna worked and she mentioned her love of chemistry at school. When she was five years old she took apart her music box toy and reassembled it to understand how it worked.

The young Lamarr was recognised for her beauty. Aged 19 she married Fritz Mandl, a rich Austrian munitions dealer. A few years into the marriage she felt imprisoned and had more to give the world, and could not bear being seen simply as a doll. She made her way to Hollywood where she acted in Metro-Goldwyn-Mayer (MGM) films alongside movie legends such as Clark Gable and Spencer Tracy. She had two sides to her life: to the public she was a beautiful actress, in private she was an inventor.

Years later, while in Hollywood, Lamarr was introduced to Howard Hughes, an aviation tycoon working to make faster planes for the military. She was given access to Hughes’ team of scientists and was able to experiment and innovate as a hobby. She had an invention table in her home and a smaller version in her trailer she used between movie takes. To assist Hughes with his aviation goals, she suggested redesigning the plane’s wings to mimic those of fast birds and fish. Hughes told her she was a genius.

In 1940 Lamarr met George Antheil, a quirky music composer. Both were keen to do something about the impending war and help combat the Nazis.

“All creative people want to do the unexpected.” - Hedy Lamarr


I N D U S T R Y

P E R S P E C T I V E S

Photo by United Artists, Kobal, Shutterstock / Source: Pinterest

Antheil had experience with synchronising piano music and Lamarr had knowledge of munitions learned from dinner party conversations during her first marriage. With the intention of developing a means to guide torpedoes to their targets, Lamarr and Antheil combined their knowledge and developed a communication system that used frequency hopping to reduce interference and prevent signals being jammed or intercepted. It was patented with US patent number 2,292,387 in 1942. Lamarr and Antheil passed their patent to the US Navy where it was marked ‘Top Secret’ and shelved. Lamarr was told to set science aside and instead focus on selling war bonds to finance US military operations! It was only years later that this technology was put to use when it became instrumental in preventing escalation of the Cuban missile crisis. Lamarr’s invention now forms the basis of the spread spectrum communication technology that has given the world secure GPS, WiFi and Bluetooth communications. Sadly, at the time, Lamarr and Antheil were not given any compensation for the patent.

In recognition of her contributions to the world of film and science, Lamarr has a star on the Hollywood Walk of Fame (1960). She received the Electronic Frontier Foundation’s Pioneer Award (1997), was the first woman to receive the BULBIE Gnass Spirit of Achievement Award, known as the ‘Oscar of Inventing’ (1997) and was posthumously inducted into the National Inventors Hall of Fame (2014).

The 2017 documentary Bombshell concludes with Lamarr reciting these lines from Kent M Keith’s poem, “The Paradoxical Commandments.” They perhaps provide some insight into her life principles:

People are illogical, unreasonable, and self-centered. Love them anyway.
If you do good, people will accuse you of selfish ulterior motives. Do good anyway.
The biggest people with the biggest ideas can be shot down by the smallest people with the smallest minds. Think big anyway.
What you spend years building may be destroyed overnight. Build anyway.
Give the world the best you have and you’ll get kicked in the teeth. Give the world the best you have anyway.

Thank you Hedy Lamarr for being a source of inspiration and for the encouragement to do the unexpected and think big.

References:
Bombshell: The Hedy Lamarr Story (2017) - IMDb
Hedy Lamarr (1914 - 2000)
US Patents and Trademarks Office (US patent number 2,292,387)
The Paradoxical Commandments


www.linkedin.com/in/marise-alphonso/



WOMEN ARE TAKING THE FIGHT TO DEFENCE
by David Braue

But despite real progress to date, there’s still much to be done on diversity

It was not too long ago that the idea of including women in military combat roles was a flight of fancy.

When Colonel Lucy Giles enlisted back in the early 1990s, she said, “I was only able to be employed in certain roles, there was no flexible working, and my training was segregated from the men.”

That has changed rapidly in intervening decades, Giles – who climbed through the ranks to become president of the Army Officer Selection Board and the first female College Commander at the UK’s prestigious Royal Military Academy Sandhurst – told a recent International Women’s Day webinar.

“Three decades later,” she continued, “all of that has completely changed. The journey has been slow at times – but in the last five years, it has been pretty impressive.”

“The training has completely changed,” she explained, noting new policies that not only include maternity and paternity leave but include dedicated breastfeeding facilities for new mums.

“We now have a system where you’re mixing graduates and non-graduates, 18 to 28-year-olds in the training platoon systems, different races, different backgrounds. That diversity is a real strength, and it’s reflective of our society.”

“There is still some work to go, but from my lived experience we have come on leaps and bounds.”

That’s a significant stamp of approval for the diversity efforts of the British Armed Forces, whose 148,000 personnel are more diverse than ever after years of proactive policymaking that has enabled women like Giles to take their careers in directions that prior policies would never have allowed them to imagine.

FIGHTING CULTURAL INERTIA

Since it lifted all formal restrictions on women’s military service in 2013, the Australian Defence Force (ADF) has similarly been undergoing a modernisation of its diversity policies – engaging with and accommodating women in new ways, recruiting more flexibly with an eye on work/life balance, and opening up around 88% of ADF employment categories to women.


When the United Nations codified the importance of women in combat in 2000 within UN Security Council Resolution 1325, women comprised 12.8% of permanent ADF workers – including 15.1% in the Royal Australian Air Force, 14.6% in the Royal Australian Navy, and 10.6% in the Australian Army.

Those branches are working to significantly increase the proportion of enlisted women by next year when the Navy and Air Force are aiming to have 25% women and the Army, 15% – progress towards which is benchmarked in the annual Women in the ADF Report.

A key goal of this initiative is to create an environment that will encourage women to aim for leadership positions that would have been out of reach for them in the past.

“For a very, very long time, especially in an environment like Defence, in the absence of visible female leaders, a certain type of male leader stereotype has been reinforced, promoted, and deferred to – and there was little imagination or courage for any other possibilities,” said former Defence Minister Linda Reynolds.

Reynolds, who reached the government front bench after a 29-year career in the Army Reserves, started her military career at the age of 19, eventually graduating as Second Lieutenant in the Royal Australian Corps of Transport. “I stuck it out, and learned just how resilient I am,” she said, “but I also learned how to lead.” Reynolds recalls many of her peers fighting hard to deny their woman-ness, believing they could only be taken seriously if they could de-gender their identity within the military. It was an epiphany for Reynolds, who became acutely aware of how much the military needed to change its approach to engaging with women.

“Of course, women are likely to lead a bit differently from men,” she said, “because we’re different and that is something to be celebrated and not talked down. So why don’t we as an organisation and as a society embrace that difference as a strength and an opportunity? If Australia is truly to be the world leader on women, peace and security that it can be, it’s a journey that has to begin here at home.”

By all accounts, that journey has paid dividends – with one recent UNSW Canberra benchmarking study noting that the ADF “compares favourably” with other Five Eyes nations and NATO militaries in terms of attracting, recruiting, and retaining women – and that the Army and Air Force are on track to achieve their 2023 participation targets.

Despite progress, however, that review identified an issue that has plagued the ADF and other militaries: because women often leave military roles to start their families, they have often been concentrated in lower-level roles – leaving only a small number of women to stay long enough to be promoted to senior positions.

For all its support for an increased role for women both before and after motherhood, the analysis noted, the ADF faces significant inertia that has slowed down the pace of change.

“Past implementation of well-intentioned policies and strategies for change has been met with significant resistance,” the report notes, “even where there has been support from leadership. It will therefore be necessary to present policies as fair and beneficial for service members to ensure buy-in from personnel at all levels.”

DRIVING ENDURING CHANGE

Defence, then, faces many of the same challenges around change as its private-sector counterparts when working to improve gender equality within its ranks.

And while women continue to penetrate the highest realms of ADF command – think of standouts like Command Sergeant Major - Forces Command Kim Felmingham, Warrant Officer of the Air Force Fiona Grasby, and Commanding Officer of the Australian Army 2nd General Health Battalion, Lieutenant Colonel Anna Reinhardt – a significant opportunity for cultural change may well come as Defence institutions increasingly engage with private-sector organisations that have doubled down on diversity as a way of attracting and keeping the best leaders and the best talents.

“You have to wonder why we’re continuing to have this difficulty having women at some of the most senior roles regularly, so that we don’t have to have a conversation about it,” said Leanne Caret, CEO of Boeing Defense, Space & Security (DSS), a private-sector defence contractor that has worked hard to improve options for its women employees to improve retention and advancement.

The Boeing division has implemented a range of policies and programs providing support for time-pressured mothers including childcare and eldercare, as well as implementing policies that let women resume their careers when they return after taking a break for any number of reasons.

“It’s about how we let them have their career when they decide to step back,” Caret said during a recent interview, “and get recognition for the time they’ve already done… so they don’t walk away and lose everything they’ve achieved.”

There is significant work to be done, she added, noting that the DSS workforce is just 23% women; “we have made some progress, but we’re not where we need to be,” she said.

“We have to make certain that we don’t forget that there is a constant pipeline that needs to be filled, and we need to nurture it and we need to give opportunities and chances – so it is really important to make sure that we are continuing to create opportunities for women at all levels of the organisation.”

Cybersecurity, critically, could prove to be another bridge that infuses the defence community with many of the diversity, equity and inclusion efforts that are being adopted to improve participation in the cyber sector.

“It is still the case that women have more challenges as a result of their gender than men do,” said Lindy Cameron, a longtime international development consultant who graduated from the UK Ministry of Defence’s Royal College of Defence Studies before serving in a variety of conflict zones and, most recently, being appointed as CEO of the UK’s National Cyber Security Centre (NCSC).

As one of the most important leaders in that country’s storied GCHQ Bletchley Park cryptography and cybersecurity operation, Cameron pointed to the “astonishing” legacy of significant women at Bletchley Park as a reminder that improving the standing of women requires constant commitment.

“When we look at the workforce that we have now – which is male, to be honest, across cybersecurity in general and national security specifically – I am confident that those female role models of early days teach us that is not a given,” she said during a recent WiCyS webinar.

Like Giles, Cameron recalls being the only woman in her course – something that she describes as “a really powerful experience [and] real moments of understanding the power of a diverse voice in a room of people with very similar experiences.”

Through initiatives such as running hackathons for school-aged girls and mandating equal representation of women in panel presentations, Cameron’s NCSC is drawing out those voices – and channelling them into a growing pipeline to shore up critical cybersecurity defences for the long term.

Cybersecurity “is not just the web security threats, but about massive potential prosperity,” she said. “And, therefore, we think it is vital to ensure that women are not just represented – but celebrated, and leading.”



NEHA DHYANI

PREVENTING CYBERSECURITY BURNOUT: NEED OF THE HOUR
by Neha Dhyani, Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender). Senior Security Consultant at Nokia Solutions & Networks

The World Health Organization (WHO) defines burnout as a syndrome resulting from chronic workplace stress that has not been successfully managed. It is characterised by three dimensions:

• feelings of energy depletion or exhaustion;
• increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job; and
• reduced professional efficacy.

It is evident the intensity and scale of cyber attacks has increased greatly. So, it should come as no surprise that cyber defenders, despite their best efforts, are struggling to counter these complex attacks and gain visibility into new environments such as the cloud, containers and business communication applications.

Threat actors continue to exploit vulnerabilities across endpoints, workloads and cloud environments and are ramping up innovation to bypass legacy defence systems — all to reach their ultimate goal: your data.

These threats mean the SOC team is constantly in a state of hyper vigilance and research shows this has adverse impacts on wellbeing, quality of life and relationships. According to VMware’s Global Incident Response Threat Report, 51 percent of cyber security professionals self-identify as burnt out, and of that group, 67 percent had lost work hours because of stress. Cyber security skills are already in short supply, so the prospect of losing additional workers is troubling, especially in the era of the Great Resignation.

Strain on security teams was further amplified towards the end of 2021 when the ubiquitous Log4Shell vulnerability threatened a complete security meltdown. Social platforms were flooded with popular #log4j memes suggesting the Internet was on fire and cyber defenders were struggling to contain the blaze.


When burnout is considered disgraceful and people see no way to fix it, it becomes the epitome of suffering. That is why people leave and hence why it is the ‘need of the hour’ to identify signs of burnout and combat it effectively.

There are many good practices managers and cyber defenders can implement to help each other stay healthy in this high-stress profession. The best way to address burnout is via personal care, empowerment and compassion. From a people and organisational development perspective, here’s what I believe leadership and all individuals can do to beat burnout.

What needs to be done by team leads/security managers

1. Practice active listening, which makes team members feel heard and valued. It is important team leaders and managers express empathy during team meetings and create a safe zone where employees can be confident they will not be shamed, criticised, blamed or otherwise put down. This helps prevent emotional exhaustion.

2. Encourage ‘Me Time’ by creating flexible workforce policies (remote working, enforced vacation, etc). This helps busy brains unplug and unwind. In doing so we relieve stress which helps us sleep better, gives us more control over our moods and increases our productivity level after the extended intensity and pressure of incident response.

3. Adopt automation (AI/ML) to reduce repetitive tasks so the team can focus on more complex threats and attack analysis. This allows cyber defenders to use human intelligence to proactively hunt for adversaries that get past the first line of defence.

4. Foster a culture of continuous learning and a growth mindset that enables teams to gain new skills. The threat landscape is evolving so rapidly that even the most senior threat hunters will need to dedicate time to stay up to date. Hence investing in training to advance skills is crucial to empowering security teams.

Actions needed by cyber defenders

1. Make self-care a priority. This is often neglected. There is research showing taking care of ourselves not only improves our relationships with ourselves, but also with others. For me, taking long evening walks and practicing deep breathing without any gadgets works like magic and helps me relax. Find your magic mantra to connect with your inner self.

2. Identify early symptoms of burnout. These can include being cynical and short-fused, a loss of empathy, lack of energy, having trouble sleeping and increased absenteeism or presenteeism. After identifying any such symptoms, remember it’s time to refocus priorities and seek support from mentors, coaches and health professionals.

3. Be open and brave enough to share concerns over work pressure and ask for help when you need it. Managers can then be flexible, share workloads between the team and temporarily cover for a team member who might not be at their best.

4. Be mindful that your professional excellence is one of several areas of your life essential to your wellbeing. There are many other major areas including your family, relationships, physical health, supporting community and spirituality. It is really important to set specific and realistic goals for all areas of your life so when you are not working you truly feel great about your progress in all aspects of life.

As a cyber leader for more than a decade I feel cyber security professionals have one of the best and most exciting jobs in the world. Burnout is a professional hazard and it is more important than ever for everyone to recognise and manage it effectively. With collective efforts I am sure we can successfully beat burnout and create healthy work environments for everyone to enjoy.

www.linkedin.com/in/neha-dhyani-7274941/

twitter.com/Neha_dhyani1



JAY HIRA

LET’S GET MORE COLLABORATORS TO SOLVE THE EVOLVING CYBER SECURITY PUZZLE
by Jay Hira, Director of Cyber Transformation at EY

My journey in cyber security began in 2006 when it was known simply as ‘security’. Despite the variety of confused and disbelieving responses I have received when I tell people what my profession is, my passion for learning about the cyber world continues to grow.

You must be wondering where my love for cyber security comes from. For starters, there are no two days alike and there is a constant need for practitioners to learn and adapt. Cyber security is a constantly evolving puzzle with layers of complexity, leaving you both curious and motivated.

Thinking of puzzles reminds me of a birthday party we recently attended. Kids were divided into three groups and each group was given twelve building blocks. The groups assumed they were competing against each other and got straight to work connecting the blocks, falling awkwardly silent when they finished. One of the organically formed all-girl groups soon realised their individual creations meant little but, when brought together with the others, formed a bridge.

Inspired by this fantastic puzzle game we present three loosely connected stories. We’re not going to conclude and/or summarise but leave you, the readers, with the fun task of connecting the dots: no instructions, no time limits, just you and your diverse perspectives.

UNFAIR FIGHT

The harsh reality of our working day as cyber security practitioners is that we’re fighting an unfair fight. As a boxing enthusiast, every time I get into a ring to practice the skills acquired through months of training I witness how fair the sport is. In the boxing ring both opponents get equal opportunities to attack and defend, unlike cyber security where we’re constantly on the back foot defending against the oncoming punches from threat actors. To add to that disadvantage, the threat actors continue to collaborate and innovate faster while we continue to protect from our silos.

POWER OF COLLABORATION

We’ve all experienced the power of collaboration. In the race to find a safe and effective vaccine for COVID-19 we witnessed the global science community come together. In case you’re wondering, there is no commonality between the current pandemic and emerging cyber threats. Borders may constrain humans, but they don’t command any respect from transmissible diseases and cyber criminals.

We’re at an inflection point where we have realised cyber crime needs to be treated as a global issue deserving both local and international collaboration between cyber security communities. With the various parts of our world becoming increasingly interconnected and interdependent there is greater need than ever for collaborators and orchestrators.

WHO RUNS THE WORLD?

I was brought up in an extended family in India with my grandmother as the matriarch. I experienced and appreciated her collaborative, empathetic, authentic and competent leadership style, one that informed my own leadership journey. Despite research from the OECD suggesting women are excellent collaborators and strong community builders they continue to be underrepresented in certain fields and make up only 11-20 percent of the global cyber security workforce.

I invite you to picture one of the most influential leaders who successfully led her country through the current pandemic. While you do so I’m going to wrap up with one of her quotes. “Leadership is not about necessarily being the loudest in the room, but instead being the bridge.”

References:
Are school systems ready to develop students’ social skills? - OECD Education and Skills Today (oecdedutoday.com)
Women are better at collaborative work than men - Digital Journal

www.linkedin.com/in/jayhira/



THE CYBER SIBLINGS TACKLING THE GLOBAL CYBER SKILLS SHORTAGE

Can professionals from a diverse skills background contribute to the cyber industry? Meet Anu Kukar and Sumeet Kukar, the cyber siblings from Australia, and read about the global campaign #Switch2Cyber, which aims to do just that.

BACKGROUND

Anu is known as the Cyber Untangler™. She brings diverse skills to solve problems using her 20 years of experience working across both industry and consulting. Having done five career switches, she was awarded Australia’s IT Security Champion 2021 and Global Power 100 Women in Cyber 2022. Her journey into cyber came from a diverse background. Anu started as a tax accountant before moving into audit and then governance, risk and compliance. This then paved a way into supply chain, risk innovation, data, artificial intelligence and machine learning. She now specialises in cybersecurity and cloud strategy, risk and technology.

Sumeet is known as the Learning Nibbler™. He finds bite-sized learning in everyday things to help build capabilities in cyber - short, sharp and lightning-fast. He is a Chartered Accountant and Certified Ethical Hacker, yet has built cyber and risk capabilities as an interim Chief Risk Officer and also taught four disciplines of Science at the University. Formerly awarded Australia’s Emerging Leader of the Year.

THE CYBER SKILLS SHORTAGE

The global cyber skills shortage is front of mind for all organisations. Cyber attacks are increasing exponentially. The recent statistics from the World Economic Forum (WEF) and other major industry publications show:

• 151%: the increase in cyber ransomware attacks globally in the first half of 2021
• 270: the number of times, on average, that an organisation was attacked in 2021
• $1.8m: the predicted cyber workforce skills shortage in 2022



THE URGENCY TO ACT NOW

The current workforce has called out an increasing workload and a high burnout rate on their cybersecurity teams due to the current skills shortage. The recent WEF Report Cyber Security Outlook 2022 showed that 59% of all respondents in their global survey would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team. The demand is only increasing for these cyber skills and there is a great opportunity for professionals with non-traditional or diverse backgrounds to contribute to the cyber industry.

THE #Switch2Cyber CAMPAIGN IS BORN

At the end of 2021, Anu was awarded Australia’s IT Security Champion of the Year. In her acceptance speech she shared how she was humbled with the opportunity to have been able to join and contribute to the cyber industry and proceeded to give the room of cyber professionals a challenge to take two diverse professionals under their wing and help them switch into cyber by next year’s award ceremony. From there the global campaign took off. Given her own journey into cybersecurity, Anu is passionate about paving a way for others to have the same opportunity. The aim of the campaign is to reduce the cyber skills gap through helping professionals with diverse backgrounds switch to cyber. The objectives are twofold:

1. Opportunity: Raise awareness to give opportunities to professionals with diverse backgrounds, such as accounting, finance, marketing, legal, communications, risk and compliance, a chance to grow and contribute in the cyber industry; and

2. Support: Provide a network of support to professionals on the journey of switching careers into cyber.

CURRENT SUPPORTERS

We have had over 20 organisations from across the world so far, including USA, Australia, New Zealand, UK, South Africa and Canada, with more expressing interest to join.

HOW CAN YOU GET INVOLVED?

For more information on the campaign:

1. Visit and read at https://www.cyberuntangler.com/switch2cyber

2. Follow #Switch2Cyber on socials, share and support the cause

3. Connect with Anu Kukar

Anu Kukar, CA

Sumeet Kukar, CA



LAURA JIEW

WHO RUNS THE WORLD?
by Laura Jiew, External Engagement from the UQ School of IT & Electrical Engineering

Here are some outstanding achievements from the University of Queensland computing community.

Cyber security and software engineering: Dr Abigail Koay

Dr Abigail Koay is a research fellow in the School of Information Technology and Electrical Engineering. Her research interests include applied machine learning, cyber security and critical infrastructure security. Originally from Malaysia, Abigail pursued university studies in computer systems and networking, a study field in which female students are typically not well-represented in her home country.

After graduating and working in the industry for several years Abigail emigrated to New Zealand to pursue her PhD at Victoria University of Wellington. In 2021 she relocated to Brisbane where she has been an active contributor to cyber security and software engineering. In 2021 she received a grant from the Department of Defence’s ‘Artificial Intelligence for Decision-making’ initiative.

Data science: Dr Yadan Luo

Dr Yadan Luo is a postdoctoral research fellow in the School of Information Technology and Electrical Engineering. Her research interests include domain adaptation, few-shot learning in computer vision and multimedia data analysis. She was awarded a Google PhD Fellowship in 2020 and won a Women in Technology (WiT) ICT Young Achiever’s Award in 2018 under the supervision of Professor Helen Huang.

She has led multiple AI-oriented collaborative projects with local governments and industries. RoadAtlas, a derived vision-based road defect analysis system, has been adopted by the Logan City Council. A sample of her work can be found here.


Power, energy and control engineering: Dr Feifei Bai

Dr Feifei Bai is an Advance Queensland Industry Research Fellow based in the School of Information Technology and Electrical Engineering. Her research interests include renewable energy integration, phasor measurement unit (PMU) applications in smart grids, power system oscillation detection and damping control and energy storage for frequency control. She is also an active representative of the Women in Power (WiP) special interest group for the IEEE Power and Engineering Society Queensland section. Originally from China, Feifei has also lived and studied for a PhD at the University of Tennessee in Knoxville, USA. In 2020, one of the projects Feifei is involved with as a lead researcher received an Australian Engineering Excellence Award. In 2021 she was a recipient of funding under the UQ Amplify Women’s Academic Research Equity (AWARE) Program.

Imaging, sensing and biomedical engineering: Dr Tina Xiaoqiong Qi

Dr Tina Xiaoqiong Qi is an Advance Queensland Industry research fellow based in the School of Information Technology and Electrical Engineering. Her research interests include terahertz sensing, imaging and laser dynamics in semiconductor lasers. Tina joined the School of Information Technology and Electrical Engineering through the University of Queensland Fellowship in 2015. In 2017 she received funding from the Advance Queensland Maternity academic funding scheme. In 2020, Tina was the recipient of a mid-career Advance Queensland Industry Research Fellowship. Her fellowship was awarded to develop terahertz imaging technology for skin cancer detection and to investigate the contrast mechanisms in terahertz images for skin cancer through close collaboration with Princess Alexandra Hospital and industry.

Human-centred computing: Dr Jess Korte

Dr Jess Korte is an Advance Queensland TAS Defence CRC Fellow based in the School of Information Technology and Electrical Engineering. Jess is passionate about the ways good technology can improve lives. In her work Jess advocates involving end users in the design process, especially when those people belong to ‘difficult’ user groups, a term which usually translates to ‘minority’ user groups. She has been awarded a fellowship to create an Auslan Communication Technologies Pipeline, a modular, AI-based Auslan-in, Auslan-out system capable of recognising, processing and producing Auslan signing. Jess recently blogged about her work here. By working with members of marginalised groups in the design of new technologies Jess has set an awesome example of overcoming bias.

UQ AI Collaboratory: Dr Alina Bialkowski

Dr Alina Bialkowski is a lecturer in Computer Science in the School of Information Technology and Electrical Engineering. She specialises in computer vision and machine learning. Her research interests include quantifying and extracting actionable knowledge from data to solve real-world problems and giving human understanding to AI models through feature visualisation and attribution methods. Alina plays an integral role in the UQ AI Collaboratory and is the Student Experience lead in this hub. She has been leading the student internship program as part of the Student Experience initiative within UQ AI Collaboratory. To date she has successfully coordinated the 2021 UQ-wide workshop on artificial intelligence as well as the inaugural AI Showcase event. In addition to high impact journals and conferences her work has resulted in six international patents filed with Disney Research, Toyota Motor Europe, University College London and the University of Queensland.

CIRES: PhD candidate, Daisy Xu

Daisy Xu was recently recruited as a PhD candidate in The Centre for Information Resilience (CIRES), one of many interdisciplinary research initiatives led by the School of Information Technology and Electrical Engineering. Her research interests are in data monetisation and data science. Daisy is a seasoned business analytics professional and management consultant and founder and CEO of a boutique consultancy providing software programs that enable organisations to rapidly assess their workforce productivity. Daisy is a UQ MBA alumna and looks forward to her PhD journey with the CIRES team.

www.linkedin.com/in/laurajiew/

www.linkedin.com/school/university-of-queensland/



EXPRESSION OF INTEREST SPONSORSHIP We invite your organisation to join with Source2Create and our partners to sponsor the 2022 New Zealand Women in Security Awards. Register your interest today for various sponsorship opportunities.


#2022WISAWARDS

womeninsecurityawards.co.nz


MEGAN KOUFOS

DR SUSAN MCGINTY

WHY SUPPORTING FEMALE EMERGING LEADERS TODAY IS CRITICAL FOR THE FUTURE
by Megan Koufos, AWSN Program Manager and Dr Susan McGinty, Director, Aya Leadership

It is no secret women in security account for less than a quarter of professionals in the sector, and the numbers in leadership positions are even lower. The reasons are not unique to our sector and include:

• The toxic culture of an organisation
• Burn-out and stress
• Life changes
• Lack of role models/support/mentors
• Lack of opportunities/confidence/recognition

Ways to tackle this problem include:

• Early recognition of emerging leaders and exposing them to leadership opportunities;
• Mentoring programs (both within and outside an organisation);
• Training tailored to their development needs;
• Promotion based on merit and creating the opportunity to grow into a role;
• Building a company culture where different forms of leadership are recognised.

On the importance of nurturing emerging leaders and setting them up for success

Tailored leadership development is critical for women at all levels and in male-dominated industries like security is a key contributor to their career satisfaction and retention. But it’s particularly important for emerging female leaders.

Women who are passionate in their field of expertise can lack confidence in their own leadership abilities and as a result, forego opportunities that give them leadership experience and pathways to a leadership role. They often try to understand how to develop


their own leadership style and struggle to find role models for the type of leader they want to be. They often have not articulated their leadership purpose or do not know how to apply their strengths as a leader.

Tailored leadership development at this stage can help build a strong foundation for the journey ahead by providing the self-reflection, self-knowledge, skills and frameworks that will give a woman the confidence to realise her leadership potential and develop her own leadership style. Tailored leadership development puts emerging leaders on the right path to gaining leadership experience, and finding the right role models, mentors and networks to support them in becoming leaders.

This is why the AWSN Emerging Leaders program was developed. It is part of a broader Women in Security Leadership initiative sponsored by the Australian Signals Directorate and delivered by our training partner, Aya Leadership.

Together, our goal is to increase the number of women in leadership roles. The Emerging Leaders program focuses on supporting 55 early-career women in security professions to build strong leadership foundations. It is for women who want to define, influence and develop their leadership style, mindset and skills with conviction.

AWSN recognises that leadership takes many forms, including informal leadership, where the real work gets done. Emerging leaders are often already sharing their knowledge by mentoring others, working on collaborative projects and leading others in work. This program supports them to become the leaders they want to be with confidence in their strengths and with the tools and techniques to continue growing on their leadership journeys.

The Women in Security Emerging Leaders Program assists women in the early stages of their security career to develop a foundation for future enduring leadership through a focus on transformation, insight, resources, growth and networks.

The program is informed by neuroscience, leadership research and best practice. It gives participants the right foundations to set them on a leadership growth trajectory and unlocks the self-exploration that will shape their leadership journey. Participants are nurtured by qualified coaches and experienced educators with a passion for resilience and leadership in the STEM and security professions.

They are equipped with practical leadership resources, strategies and tools for workplace application. The coaching approach supports individual learning, builds confidence and sets the path for ongoing, focused leadership growth.

Networking is recognised as a key leadership development practice for women to access senior leader role models, peers and resources and gain confidence in themselves as leaders. It is particularly valuable in male-dominated professions such as security.

As well as a focus on networking strategies, the program’s small group setting enables participants to build a strong peer network and learn through the real-world experience of their peers.

Through the Women in Security Emerging Leaders Program, participants develop a strong foundation for future leadership through:

• Understanding purpose-driven and authentic leadership;
• Understanding of self, identification of leadership motivations and self as a leader, and strategies for growing a leadership mindset;
• Building confidence, resilience and emotional resilience;
• Learning how to amplify their impact as formal and informal leaders through effective communication, influence and maximising their own performance;
• Understanding the purpose and utility of mentoring and networking, and applying associated strategies;



• Considering career goals and potential pathways;
• Coaching and goal setting.

The Women in Security Emerging Leaders Program takes a unique approach to the development of female leaders by emphasising the development of:

• Compassion: strong leadership that unites and inspires;
• Coping strategies: tools and strategies to manage change and adversity;
• Clarity of vision, the self-awareness and clear goals to propel forward with purpose;
• Courageous action that is considered, appropriate and bold; and
• Capacity: the strength to commit and see things through.

The program focuses on empowering emerging leaders in security professions to navigate the gender-biased barriers that can exist for them, through leveraging the specific protective factors that can reduce the negative impacts of these barriers. The program amplifies and leverages the inherent strengths of women to deepen participants’ motivation, mindset and skills around developing their leadership.

This includes a focus on expanding participants’ awareness and understanding of their own emotional intelligence via the MSCEIT emotional intelligence assessment, coupled with learning how to apply their emotional intelligence more purposefully and effectively in the workplace. The program’s coaching foundation further magnifies its impact. In addition to theory and tools for foundational leadership development, the program is underpinned by coaching techniques to ensure the learning is targeted to the needs and motivations of the individual and supports the application of theories into practice through targeted goal setting.

The course is best suited for women who have:

• More than three years in security and want to apply for a leadership position in the next 2-3 years, or
• One to three or more years as a leader/manager (in any field) and have recently moved into a security role, or want to move into a security role, or
• Have returned from a career break (either in security or leadership) and want to refresh and update their leadership skills.

Participants may have a desire to move into a leadership role now or be wanting to get their leadership journey on the right track for the future. This program can help them understand the type of leader they want to be and connect them with other emerging leaders in the industry.

For more information and to put in your application head to https://www.awsn.org.au/initiatives/women-in-leadership/emerging-leaders-application-form/

www.linkedin.com/in/megankoufos/

www.linkedin.com/in/susanmcginty-ayaleadership/

www.linkedin.com/company/australian-women-insecurity-network-awsn/

twitter.com/awsn_au

www.awsn.org.au/


What past participants have had to say:

“The program has given me a new perspective about being a leader that is fresh, sustainable and allows future growth. Having some management background, I thought I understood leadership but this program has given me a better perspective about being one, starting from understanding my own core values. I am so glad to have joined the program and I look forward to applying the learning in my career and in my everyday dealings.”

Meidi van der Lee – Security Analyst (REA Group)

“The Emerging Leaders Program helped me to unpack what it means to be a female leader in an often male-dominated industry. Each session included practical and tangible discussions and exercises on growing leadership skills that are both effective in the workplace and authentic to who I am as a person. After completing it, I feel more confident in my leadership style, because it has emphasised how so many of the traits and skills I already hold can be used to consciously help me be a more successful leader. I would recommend this program for any woman who is unsure of taking on leadership roles or uncertain of how you become a leader (spoiler alert, you probably already are!).”

Caroline Faulder

“I recently participated in the first AWSN Emerging Leaders program. Not only did I meet and make new connections with a cohort of incredible women from diverse professional backgrounds, but I learned far more about myself than I expected from the incredibly impressive and highly personable Dr Susan McGinty. The course contained a wealth of practical information that identified things I wanted to understand about myself but didn’t know how to. Being exposed to frameworks that put shape and meaning to unconscious thought meant I could immediately apply the techniques presented to better understand myself and the people I engage with professionally and personally on a daily basis. The course was invaluable and something I will continue to revisit.”

Leigh - Senior Cyber Security Professional

“After participating in the AWSN Emerging Leaders program I feel more confident in articulating and applying my strengths, values and purpose. I now have practical frameworks and tools to continue developing my leadership capabilities, including communication, resilience, and career planning and management. I would recommend this program to any aspiring leader in security, or anyone seeking a greater understanding of the leadership mindset.”

Simone - Public Sector Cyber Security Professional



MARTY MOLLOY

BEK CHEB

WHO RUNS THE WORLD

by Marty Molloy, Events, Marketing and Communications Coordinator, AusCERT. Bek Cheb, Business Manager, AusCERT

“I’m not going to limit myself just because people won’t accept the fact that I can do something else.” — Dolly Parton

As true and inspiring as Dolly Parton’s words are, often the absence of opportunity can hinder the pursuit of goals.

Having worked on the AusCERT Cyber Security Conference for seventeen years, ten of those directly with AusCERT, Bek Cheb has witnessed much change in the industry. Greater diversity of gender, age and culture have influenced those in the field and created new opportunities.

One change AusCERT has been proud to see has been the growth in the number of women speakers at the AusCERT Cyber Security Conference.

I chatted with Bek to understand why this was important and overdue.

Bek, this year’s line-up of speakers includes many more women than previous years. Was that intentional or perhaps a by-product of this year’s conference theme?

At AusCERT we use the call for presentations to encourage women to provide submissions. These are then evaluated by industry peers and selected on merit, not just because they were submitted by females.

By working with organisations like UQ Cyber, AWSN, Source2Create/Women in Security Magazine and WomenSpeakCyber we’re able to keep the conversation going to sustain and grow awareness all year round.

Consequently we have seen steady growth in the number of submissions from women and in those selected to present.

Can you share some details of female speakers at this year’s conference and why they were chosen?

Absolutely! We have already seen some excitement around one of our keynote speakers, Lesley Carhart.


We have tried for several years to get Lesley to present at the conference but there were some restrictions with Lesley being able to present only within the USA.

She is also known by her Twitter handle, @Hacks4Pancakes, and is a high profile figure in the world of cyber. She was named a “Top Woman in Cybersecurity” by CyberScoop and has been in the IT industry for more than twenty years.

Lesley is the Director of Incident Response for North America at industrial cybersecurity company Dragos leading the response to, and proactively hunting for, threats in customers’ ICS environments.

We are also excited to allow individuals to speak for the first time, including Jasmine Woolley. Jasmine was one of only 20 Australian women selected as part of Project Friedman, a scholarship program supporting women working in the cyber security industry and wanting to speak at a cyber security conference for the first time.

Jasmine is also a member of WomenSpeakCyber, an initiative formed to combat the lack of gender diversity in speakers at cyber security conferences in Australia.

Jasmine is planning to study for a Master of National Security Policy Studies at and is currently a security advisor graduate with Trustwave.

There has been a lot of discussion about the imbalance in the numbers of men and women working in cyber security. Do you feel this can be improved by showcasing more women already working in the industry?

You can’t be who you can’t see.

As we improve the gender balance, I think it will show more women the opportunities that exist for them.

Is there anyone you have on your ‘dream list’ of possible speakers for future conferences?

I am still building my dream list and it is forever being added to.

We talk to some speakers for several years before things fall into place and they’re available at the time our conference is held.

I would like to think there are women working in cyber who are honing their skills and mustering the courage to speak, and perhaps others not yet in the industry who will one day have something they want to share we can showcase at the conference.

Wouldn’t it be fantastic to one day soon be spoilt for choice of engaging, talented, skilled and motivated women wanting to educate and elevate others in the field?

Thanks Bek!

www.linkedin.com/in/marty-molloy-14100932/

www.linkedin.com/in/bek-cheb-39546554/



COLUMN

CRAIG FORD

Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at 2021 Australian Women in Security Awards

Teaching through stories

As many of you would know, I like to tell a good story to get my point across. I do it with my A Hacker I Am books, my regular articles here, and I have taken this even further with my upcoming novel series, starting with Foresight, to be released in June 2022. Storytelling is not a new concept. It has been practiced for thousands of years by many indigenous cultures around the world; in legends or stories passed down through generations. Mine do not have the importance of those intergenerational stories, but they do have something in common.

All these legends or stories (mine included) aim to impart meaning or a message. They are told to teach the listeners, or readers in my case, something of value: something of importance they can take away and apply in their own lives. I love this style of teaching and writing. It is my default style and I feel it to be a very effective way to impart learning.

Why? Have you ever read a textbook? Almost all of us have at some point in our lives. They suck. They are usually big, bulky books. They offer extremely dry reading, and a good cure for insomnia. Textbooks are horrible, but they have a purpose: they effectively cram in a lot of information and have been the go-to means of delivering information for universities and schools for at least as long as I have been on this earth. However, I am not sure they represent the best way to teach, especially to teach cybersecurity. It can be a complicated and confusing topic for anyone trying to learn how to better protect themselves against the continual threats in the digital world.

Stories are fun. They can be easily read, and in many cases are very entertaining. An author can use humour, pain, love; anything they want to help weave a web, one that not only draws a reader into their world but can teach subtle lessons, such as why IoT devices must be secured, and the threats individuals and businesses face. Stories can teach children about the dangers of the internet and online gaming without all the boring textbook-style information.

If the stories are entertaining these lessons will sink in and readers will enjoy and remember the experience. They may even read the story more than once and share it with friends and family. This would be a huge success.

To recap, a story gets people to read and enjoy the content, to learn an important lesson and then spread the word about it. If we change our approach to cyber awareness and help people understand the topic in a fun and enjoyable way we will have a much better chance of succeeding in the constant fight to both protect systems and help people to help themselves be more secure and safer online.

My point is simple: next time you are thinking about teaching someone about cyber security consider my approach. Consider telling a story, embedding a message, and making it easier for your audience to understand. It will be a win-win situation. I know from experience it works, so let’s do this together. Let’s tell the world in a new way. Let’s talk about security in a better way, the way indigenous people have been doing for millennia.

Go tell your stories.

www.linkedin.com/in/craig-ford-cybersecurity

www.amazon.com/Craig-Ford/e/B07XNMMV8R

www.facebook.com/pg/AHackerIam/

twitter.com/CraigFord_Cyber



TECHNOLOGY PERSPECTIVES


WOMEN ARE TEACHING AI HOW TO BE DIVERSE

by David Braue

Writing algorithms without women builds a society that ignores them

Dr Nandita Sharma recalls how strange it was to walk into her first-ever engineering lecture at university, to find around 200 students in a lecture theatre – and not one other woman.

“I looked around and I couldn’t find a single female,” she recalls. “It was slightly daunting at that moment… it got me thinking that none of my school friends were doing what I was doing, and it was a bit of a strange thing to be doing.”

“But having that goal and focus in mind as well, because I was completely interested in taking a career path in the space of computer science, and more so in software engineering – that set my motivation. And my interest in engineering and technology kept me going throughout.”

More than 15 years later, Sharma – who has worked as an ABS analyst, CSIRO researcher, artificial intelligence (AI) data scientist, and fraud analyst – has spent over six years as director of the Australian Taxation Office (ATO)’s data-science operations, which are leaning heavily on AI-driven data analytics to streamline one of the government’s most important agencies.

“AI is quite pivotal in what we do by 2025,” she told a recent IWD webinar. “We’re modernising our data analytics capability for service delivering, using cloud computing and AI to meet the growing demand….We need to be doing more to be leveraging automation and AI to deliver better client and staff experiences and business outcomes.”

As a data-science leader in a high-profile public role, Sharma is one of the numerous women who have defied stereotypes, pursuing their love of STEM and engineering topics to build up the skills and experience necessary to play in the tech-heavy AI industry.

They are, lamentably, still among a small minority in an industry that is continuing to struggle from a pervasive gender gap that is even larger than the one plaguing the cybersecurity field – and, in many ways, harder to fill because senior data science positions


often require advanced degrees that require years of rarefied study.

A recent Deloitte report noted that women comprise 47% of the US workforce but just 26% of data and AI roles, but a 2018 World Economic Forum analysis pegged the global participation rate at 22% – reflecting not just the above-average results in countries like the US but the below-average results in countries like Germany, which is known as a global engineering power but has an AI talent pool comprised of just 16% women.

The persistence of the talent gap “suggests a hardened talent gap that will require focused intervention,” the WEF said, noting that industries like manufacturing, energy and mining, and hardware and networking were struggling with the biggest gaps in the availability of AI skills.

HITTING A MOVING TARGET

Investments such as the Australian Government’s AI Action Plan, a broad $124.1m commitment to commercial development, skills development and business AI capability, have crystallised the commitment to building out the ranks of AI specialists.

That said, it’s a long way from committing money to producing qualified graduates with the specialised skills necessary to drive AI innovation and adoption.

Post-graduate pipelines may struggle to change the situation any time soon, with Stanford University’s 2021 AI Index Report finding that just 18.3% of AI-related PhD graduates in the past decade were women – and that women comprise just 16.1% of tenure-track faculty who are primarily focused on AI.



And while other fields suffering a shortage of women are actively recruiting women from other fields, data science is advancing so quickly that it can be a moving target for those wanting to get involved.

“We need to invest in these specialist skillsets… [but] it’s very hard to look into a crystal ball and project exactly what specialist skills you need,” noted Dr Erika Duan, a data scientist with the Department of Employment, Skills, Small and Family Business.

“It absolutely takes time to upskill,” she continued, “especially in a career path like a data scientist. You have to be really, really good at everything – at maths and statistical thinking, and you have to program well or you’ll introduce technical debt.”

That said, she added, “it is possible” for women interested in analytics to upskill into data pathways by focusing on one area that really engages them. “There’s always a need to look at data, analyse it, and communicate it to someone else,” she said, “so if you find yourself really interested in finding the right questions to ask and the best way to answer it, I recommend that you just pick up one extra skillset that you can work in on the side. Over time you’ll be able to use your incredible domain knowledge, but also see the different types of tasks that can be done in the data analysis space.”

GETTING THE BIAS OUT OF AI

Persistent skills shortages in AI pose challenges for other reasons, however: because the very nature of AI involves using data to shape company policies and practices, data scientists have become increasingly concerned that the low representation of women is poisoning AI models against women – often in unexpected ways.

Dr Catherine Ball, an associate professor within the Australian National University School of Engineering, highlighted the impact of poor gender representation in the development of the Health app loaded onto every iPhone.

Despite including a broad range of functionality, the app failed to include a period tracker – a feature, Ball told the recent ADMA Global Forum 2022, that would have been relevant to half of the phones’ user base but was ignored.

“There probably wasn’t a single woman around the table” when the app was designed, she said. “It’s all about calories in, calories out, your macros, your protein, how much you lift. It wasn’t aimed at everybody.”

“So when we talk about AI for good,” Ball continued, “[consider] who is building that AI? When you have meetings, look around the table to see if you have a diversity of people around that table. Whoever’s building AI really is controlling how we see that data. When it comes to AI, it really is that way – and what you put in is what you get out.”

Fixing this issue requires rebalancing the gender mix around AI’s development and its application – but with university researchers dramatically skewed against gender parity, what hope is there for the industry?


Angela Kim, director of data analytics and AI with Deloitte who serves as Women in AI Australia Ambassador, believes the key is outreach – highlighting the potential applications of AI to young girls, and encouraging them to look outside of conventional career paths to consider data science and AI as a long-term option.

“At the end of the day, not everybody has to create algorithms,” she told Women in Security Magazine, noting the availability of half-baked systems that “mean you don’t have to code. But you do need to know how to push the button. To do that, you have to be tech and AI literate – and that can be learned. It’s not rocket science.”

Often, institutions’ entrenched habits are exacerbating the problem: unless students are studying computer science, Kim said, many top business and other students are learning little more than Excel capabilities. Once exposed to more-capable tools like Power BI and Visual Analytics through targeted workshops, Kim said, “the girls loved it” – paving the way for ongoing engagement and internship opportunities with data-driven companies.

After a recent boot camp for high school-aged girls, Kim noted, some high-achieving students ultimately opted to pursue data-related courses of study at university.

TAFEs haven’t often been engaged in the push to improve women’s participation in the AI industry, but Kim believes a more coherent narrative across learning institutions would serve the industry well.

“At the end of the day, you don’t need thousands and thousands of AI researchers,” she said, “but you need technicians for future jobs. It’s a matter of how to link the right curriculums and write programs so we can really support the new generation with more education.”



QUEEN AIGBEFO

300 SPARTANS SECURITY DEFENDERS

by Queen A Aigbefo, Research student, Macquarie University

The Battle of Thermopylae, famously fought between an ancient Greek city-state, Sparta, and the Achaemenid Empire, has spawned several Hollywood movies, especially the 2006 rendition: 300. The Persian Achaemenid Empire had a vast army estimated to have numbered between 150,000 and one million including allies. At a million the army would have accounted for about 40 per cent of the world’s estimated population in that era. How could a handful of Spartan soldiers hold out against such a force for three days? I was curious to know what gave the Spartans the audacity to take on King Xerxes’ army and, more importantly, what the security industry can learn from these brave Spartans.

Early initiatives - The ancient Spartan nation laid great emphasis on military fitness and strength. Boys began military training at a very early age and by the time they were integrated into the broader society, they were equipped with a military mindset to defend their nation. Today there is a growing skill-shortage in the security industry. So perhaps some early STEM initiatives would assist in strengthening the cyber defence force in a few years.

Strategy over strength - In the Battle of Thermopylae some 4000 Greek soldiers were facing more than 70,000 Persian soldiers. Yet, it was a clear case of strategy trumping numbers. The Greeks planned every move from the dispatch of Greek ships to intercept the Persian fleet to choosing the narrow Thermopylae location for the battle.

In 2019 Gartner forecast global spending on information security would hit $170 billion in 2022. The actual figure may turn out to be double that, given the global pandemic of the last two years. Purchasing the next hot security product might not guarantee the protection of your organisation’s network and assets. Products and tools must be implemented and used strategically to effectively ward off cyber-attacks.

Reduce the attack surface - Building on strategy, the Greeks focussed on reducing the Persians’ attack surface as much as possible when faced with the much larger Persian army. By forcing the Persians to attack them at Thermopylae, a narrow alley, the Greeks could control their attack against the Persians at any given time.

Limiting the organisation’s attack surface means having fewer internet-facing points or devices. Organisations also need to maintain an inventory of decommissioned assets when newer technologies and products are acquired and plugged into the network.


Adaptability breeds resilience - It is interesting to note that the Spartans were quite resilient on the battlefield. Despite its small size the Spartan army easily adapted to the various tactics employed by the Persian army.

The cyberattack landscape keeps evolving so security professionals must also evolve and adapt their defence tactics and mechanisms to protect their crown jewels. Taking a hint from Sun Tzu, “the art of war (security defence) teaches us to rely not on the likelihood of the enemy’s not coming, but on our readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

Use your ‘intel’ - The Spartans were more knowledgeable about the Persian army’s resources, routes and battlefield. The Persian army was too large; it took days to move from one point to another. These sluggish movements favoured the Greeks because they used every intelligence report received to launch strategic attacks when the Persians arrived at a battle location.

The people within your organisation represent one of your best intelligence weapons. Regular and targeted security awareness and training equip them with the knowledge to report suspicious activities they encounter, activities that often slip past technical defences. Artificial Intelligence (AI) and Machine Learning (ML) can help guard against cyberattacks, but algorithms can be fooled if a malicious actor is sufficiently knowledgeable. Human security defenders are still vital to gather intel and test the algorithms with the right datasets to improve organisational defensive security.

Watch out for the malicious insider - Unfortunately for the Greeks, their well-trained soldiers, their strategy, their knowledge, and their adaptability could not save them because Ephialtes showed the Persians a back door.

There is no hard and fast technique for detecting who a potential malicious insider might be. However, proper organisational security hygiene could limit the access of a potential malicious insider. For example, using the principle of least privilege and conducting frequent access audits could restrict unnecessary employee access to information assets. Additionally, employees can be trained to spot malicious insiders. Remember they are one of the most important sources of threat intel.

There is a lot the security industry can learn from the Battle of Thermopylae, or the Hollywood rendition (300). History provides us with an arsenal of tactics and strategies that we can harness and refine to deal with the issues we face.


www.linkedin.com/in/queenaigbefo/

twitter.com/queenaigbefo



ALEX NIXON

SITTING DUCKS

By Alex Nixon, Senior Vice President of Cyber Risk at Kroll

Q: What do sitting ducks say?

A: Probably not “Gee, what a great vulnerability remediation program we run.”

I’m sure I’m not the only one having regular conversations about what the Russian-Ukrainian crisis means for domestic Australian organisations. I think it is at once a very rational position and an innately primal response to view world events and consider what they mean on a micro-level. In this specific instance the question I’m fielding is: what can an organisation do to increase resilience in the face of heightened geopolitical, and therefore cyber, risk?

I believe we need to accept there is no such thing as ‘secure’. ‘Secure’ is a qualitative expression that means different things to different people, and the relevance of their answers can change by the (zero-)day. Accepting that we may be breached, in spite of our best efforts, can shift the conversation from a repetitive cycle of ‘how do we prevent an attack?’ to ‘how do we recover from an attack?’ Whilst the latter takes the former into account, the same cannot be said vice versa.

And I think this mindset in which we accept the worst may happen is entirely practical in the current environment. Proprietary data gathered by Kroll from our extensive exposure to incidents globally (Kroll dealt with over 3,200 incidents in 2021 alone) shows the use of phishing attacks as an infection vector increased 122 per cent from January to February of 2022. The only other time I have personally seen an increase of this magnitude was at the very beginning of the COVID-19 pandemic.

So, how do you fortify your organisation’s resilience? Based on the threat intelligence we’re seeing at Kroll, there are a couple of areas I think are worth tightening up.

First, perhaps unsurprisingly, is email security. The growth we’ve seen in phishing emails, coupled with the increase in zero-day exploits, makes this the perfect time for a freshen-up of your anti-phishing defences. The only potential downside of this is you may find more legitimate emails being caught in your spam filters. This trend can be countered with communication. The pandemic may have made us all a little less friendly and gregarious, but people are perfectly reasonable when we provide them with clear reasons for tightening security controls. That communication is also a perfect moment to remind them of how to spot a phishing email. With a little investment, you can turn your employees into another security control, rather than viewing them as another attack vector. With business email compromise making up a third of the incidents our team observed in February, having your employees on heightened alert for phishing attacks is a necessary part of your cyber security strategy.

The second is having a strong vulnerability detection and remediation program in place. I know, penetration testing alone is not enough (who would’ve thought?), but whilst we may know this in theory, in practice it is very easy to allow your remediation timelines to slip, especially in smaller organisations where it would not be cost-effective to have a dedicated resource to oversee this. However, I cannot stress strongly enough the importance of prioritising vulnerability remediation.

Kroll analysed the National Vulnerability Database and the Common Vulnerability Database of the US National Institute of Standards and Technology (NIST) and observed that 2021 was a record-breaking year for vulnerabilities logged by researchers. In Q4, Kroll witnessed a 356 per cent increase from Q3 in common vulnerabilities and exposures (CVEs), or zero-days, being exploited to gain initial access.

To combat threat actors organisations need an agile vulnerability detection and remediation program. This is a must-have rather than a nice-to-have. Seeking buy-in from management may be necessary because there could be additional costs associated with more regular penetration testing and vulnerability assessments, but these costs pale in comparison to the costs resulting from exploitation of a lingering vulnerability and the associated mop-up. From a risk management perspective, it’s an absolute no-brainer. However, not everyone is ready and willing to build security into their budget in the same way as those of us who live and breathe it.

This is where I recommend contextualising your approach. In an ideal world, you would be running enterprise-wide security assessments frequently, but your organisation may not have the budget (or inclination) to do so. If that’s the position you find yourself in, this is where business context is key. Communicating where you reasonably assume your greatest risks reside, such as your internet-facing applications, can help when there’s a tough call to be made on the scope.

We agree to trade-offs every day, consciously or otherwise. Some are as simple as 10 more minutes with the snooze button versus a barista-made coffee in the morning (for me it’s the snooze. I haven’t been a Melburnian long enough to pick coffee over sleep). Others are more complex with greater consequences.

When I talk to people hesitant to make the investment case for greater vigilance over security controls amidst ongoing geopolitical risk, I am reminded of the Parmenides Fallacy, the human tendency to assume the present situation will remain the same. Inaction will not increase your organisation’s resilience in the face of increased cyber attacks, only make you more likely to be breached, less likely to know when you’re breached and less able to respond quickly. Knowledge of our control gaps may make it a little less easy to sleep well and enjoy that morning snooze trouble-free, but I’d rather go without my snooze than be a sitting security duck.

www.linkedin.com/in/alexlnixon/


JOANNE COOPER

HARNESSING A DIGITALLY DEMOCRATIC METAVERSE

By Joanne Cooper, CEO, Australian Data Exchange

Data privacy is a strange and unique subject that can mean very different things to each and every one of us. In a digital world, or in the future ‘Metaverse’ we are all seemingly moving rapidly towards, data privacy and information holdings are taking on a completely new and very powerful aspect.

Far greater education on this subject is needed in society so individuals are well prepared to dive into their digital selves and understand why their individual privacy rights and data footprints matter. With the digital realm moving towards the new Internet 3.0 and its decentralised models each of us will need to consider how our personal information is rightfully and ethically used. Our personal data is valuable and as consumers, we typically do not like it to be traded unknowingly behind our backs.

For me, as a leader in privacy-enhancing technologies, when people say to me: “I don’t care about who has my personal data,” claiming it is all too hard and too late to get a handle on data privacy, my retort is often, “well I guess then, when you go home tonight you should start embracing another non-privacy practice by leaving all your doors, windows and gates open, permanently.”

Having got their attention I continue, “because ignoring privacy in a digital world is like giving yourself no levels of self-protection. You are inviting cybercriminals, data predators and information thieves to walk into the ‘home’ of your personal data and take whatever they like. They can then trade/sell this information (which might be sensitive) on black markets or potentially use it to harm you.

Some intruders might only analyse what your data reflects, appraise from your information assets what you do, your habits, choices, tastes or culture, or just observe you with predictive modelling machines.” The question is: do you want companies to access your data when you believe no one is watching?

This conversation is often met with an awkward body shuffle. I understand only too well no one likes to be told they are willingly putting themself at risk, but my frankness is not designed to cause distress. It is important. There is an immediate need to rapidly educate people to care about, and take action to understand, the risks associated with personal information.

Digital overreach for personal observation without your knowledge is unsettling. That said, individuals also need to understand the types of services and tools available to best mobilise digital identity, consent and privacy in our connected world. There are consumer technologies specifically designed to help you comprehensively protect yourself during data exchange. It is not too late to do so.

Privacy in the Metaverse is really important. It is a human right for everyone to have the ability to self-determine permissions around personal data use.

The good news is that privacy advocates globally are working extremely hard to enhance regulation, policies and law in favour of citizens so effective data privacy, transparency and implicit consent controls are required to be in place for data holders, recipients and users. Others are fighting against government surveillance overreach that infringes our civil liberties and undermines democracy.

For me, it’s about forming new grass roots consents that put the consumer in control of their data so they have a clear auditable record of personal data transactions that specifies what personal data is used, when, by whom and how.

My company, Australian Data Exchange, is all about privacy, protection and power. We want to give every individual the ability to easily take stock of how their data is used, to make sure it does not cause them harm and empower them to maintain their unique, individual digital rights.

At a corporate level, ethical data sharing infrastructure is now an imperative that has increased the appetite for B2B2C-compliant infrastructure that promotes transparent and ethical data exchange. Developing consent technologies with self-sovereign identity and verifiable credentials allows companies to optimise artificial intelligence and machine learning practices with full user transparency and to engender trust. This enables an exciting new breed of trusted hyper-personalised services through value exchanges that people consent to and desire.

www.linkedin.com/in/joanne-cooper-50369734/

twitter.com/idexchange_me

www.idexchange.me/


MADHURI NANDI

RANSOMWARE AS A SERVICE

By Madhuri Nandi, IT Security Manager at Till Payments

Most of you may have started to hear about a new threat to cybersecurity: the proliferation of ransomware-as-a-service (RaaS). If you think it is not real, I suggest you check out the Dark Web.

Who would use this service? Anyone: for taking your business down, for testing the strength of your controls, or even just for fun.

In the past, to be successful, a hacker required coding skills. Now, with RaaS all they need to do is search the Dark Web and submit a bid.

So, what is the most used attack vector for launching these attacks? It’s none other than phishing. These days phishing attacks are common and most organisations have counter measures in place.

However, it is not easy to block all phishing emails and even the most sophisticated security systems can fall victim to vulnerabilities. But even if you can block all phishing emails there are other ways for RaaS to get through your defences. There is something new gaining popularity and aiding RaaS: initial access brokers (IABs).

Any hacker’s dream is to bypass security controls and break into a network. Most new hackers make use of IABs to enable them to achieve this goal. Most IABs sell their accesses to the highest bidder.

Accessing the Dark Web is not difficult.

Download a dark web browser like Tor, SubgraphOS, Waterfox or Invisible Internet Project (IIP). Once installed type the URL for the website you want and you will get there. But searching is not as simple as searching the normal web, because the Dark Web is not indexable.

Now, let’s look at another dimension of ransomware: cyber insurance. Does cyber insurance help you to get protection from ransomware?

It’s a double-edged sword. It helps to cover costs in the event of an attack but at the same time, an insured organisation attracts more ransomware attacks.

The Australian Government strongly advises organisations against paying ransoms to cyber criminals but banning insurance cover against ransomware would not prevent attacks. Ultimately, ransomware is here to stay, so let’s shift the focus to prevention strategies.

• If your business is based in Australia, consider implementing the Essential Eight Maturity Model.

• Focus on

- Endpoint protection.

- Backups, backups, backups. Have regular and more frequent backups and get them tested regularly.

- Religious patch management across all environments.

- Slicing and dicing your network with segmentation.

Finally, employees are your human firewalls. They are your first line of defence. Invest in educating them on the necessary controls and make clear that security is everyone’s responsibility.

www.linkedin.com/in/madhurinandi/

www.itsecurityawareness.com/


ANNE GRAHN

GENTLEMEN PREFER ENCRYPTION: PROTECTING DATA IN A POST-PANDEMIC WORLD

By Anne Grahn, CISSP

They say diamonds are a girl’s best friend. Diamonds are gorgeous. They’re brilliant. They’ve fascinated men and women alike for centuries.

“Better a diamond with a flaw than a pebble without.” – Confucius

But we’re living on the edge of a post-pandemic world filled with cyber threats, where protecting data is top of mind. Diamonds can’t scramble content. They can’t make sensitive data more secure. And as stunning as they are, they can’t help you achieve your goals as a security professional. You need cryptography for that.

Why? Because the world is run on codes and ciphers. From emails and texts to entertainment and shopping online, cryptography inhabits our every waking moment. In fact, life as we know it would be impossible without it.

Cryptography is the science of secret communication. Its fundamental objective is to enable communication over an insecure channel in such a way that unintended recipients cannot understand what is being said. Accelerated digital transformation initiatives and cybercrime amid the pandemic have led one component of cryptography—encryption—to become critical in the effort to safeguard data.

THE IMPACT OF COVID-19

In the early months of the pandemic, millions of people transformed their homes into virtual offices or classrooms. A sudden surge in the use of videoconferencing tools such as Zoom led to privacy concerns and disruptive ‘Zoombombs’ that left organisations scrambling.

Major incidents unfolded as opportunistic threat actors ramped up their efforts. The SolarWinds supply chain attack provided hackers with access to as many as 18,000 government entities and Fortune 500 companies and set the stage for the Microsoft Exchange server hack, the five-day shutdown of the Colonial Pipeline in the US, the disruption of the Irish health service and more.

OFFICIALS HAVE HAD ENOUGH

Governments are increasing regulation to guard against future breaches and protect personal data. Numerous global privacy laws and regulations have recently come into force, including China’s Personal Information Protection Law, South Africa’s Data Protection Act, and the UAE’s Personal Data Protection Law.

In Australia, revision of the Privacy Act 1988 is expected by the end of this year, with the introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 to Parliament. Enforcement of Thailand’s Personal Data Protection Act B.E. 2562 (PDPA) is set to begin in June, and next year we’re likely to see changes to Europe’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and Hong Kong’s Personal Data (Privacy) Ordinance.

HOW ENCRYPTION CAN HELP

There is no magic wand for security, but encryption is an essential part of a multi-layered approach to data privacy and protection that incorporates data classification, key management, and access management controls.

“Encryption...is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government… It’s hard to think of a more powerful, less dangerous tool for liberty.” – Swiss-born American investor, journalist and author Esther Dyson

Encryption is a process based on a mathematical algorithm (known as a cipher) that makes information hidden or secret. Unencrypted data is called plain text; encrypted data is referred to as ciphertext. For encryption to work a code (or key) is required to make the information accessible to intended recipients.

Encrypting sensitive data can add to an organisation’s RoI in security by rendering data useless in the event of a breach. However, organisations without a mature understanding of security often think traditional full-disk encryption that protects data at rest is “good enough” to keep information secure.

MEETING TODAY’S CHALLENGES

As we chart a course through 2022 and beyond, good enough is no longer enough. The world has changed, and cybersecurity needs to catch up.

36% of organisations are using multicloud, with adoption expected to reach 64 percent within three years - Nutanix Enterprise Cloud Index

$1.2 BILLION worth of fines were issued against organisations in 2021 for violations of the GDPR - Global law firm DLA Piper

90% of organisations worldwide say data privacy has become mission-critical - 2022 Cisco Data Privacy Benchmark Study

Using multiple types of encryption can advance your efforts to secure sensitive and regulated data throughout its lifecycle (data at rest, data in transit and data in use).

• Encryption at rest: Encrypts stored data. If data is exfiltrated or systems are compromised, it remains encrypted. Example: Advanced encryption standard (AES)

• Encryption in transit: Encrypts traffic between two entities or systems. Even if the communication is intercepted it will be undecipherable. Upon receiving the message the endpoint is authenticated, and data is decrypted and verified. Example: HTTPS/Transport Layer Security (TLS)

• Encryption in use: Protects data while it’s being used to run analytics or computation. Example: Format-preserving encryption (FPE)

The Cost of a Data Breach Report 2021 by IBM Security and the Ponemon Institute found encryption can dramatically reduce the total cost of a data breach. Organisations using high-standard encryption methods (at least 256 AES encryption) had an average breach cost of $US3.62 million, whereas those using a low standard encryption method, or no encryption, had an average data breach cost of $US4.87 million.

Multiple encryption use cases have come to the forefront during the pandemic:

• Accommodating privacy laws: Regulations like the GDPR—which continues to set the standard for emerging requirements—stress encryption as an “appropriate technical measure.” Encrypting personal data may exempt you from the 72-hour breach notification requirement because data has technically not been “breached” if it is undecipherable. Additionally, authorities will consider the use of encryption in decisions regarding fines.

• Protecting data in the cloud: Leading cloud service providers (CSPs) provide native encryption and key management capabilities, but many organisations struggle to effectively manage workload encryption across multi-cloud environments. Deploying cloud encryption products helps secure multi-cloud workloads across different infrastructures—including on-premises—and with the leading cloud platforms.

• Supporting incident response: Responding effectively to security incidents is critical to minimising damage. Use of enterprise-grade secure collaboration tools that leverage end-to-end encryption (E2EE)—which prevents anyone except those communicating from accessing or reading the content of messages, including vendors themselves—enable private out-of-band communications for security teams, even on a compromised network.

IT’S TIME TO SHINE

As surely as diamonds will endure, so will the efforts of malicious hackers. While there is no cybersecurity silver bullet, encryption is critical to protecting your most valuable asset—your data. Recognising that baseline security efforts are no longer enough and aiming high to encrypt data at rest, data in motion and data in use will better position your organisation to combat cyber threats, maintain regulatory compliance, and build customer trust in a post-pandemic world.

www.linkedin.com/in/annegrahn/

twitter.com/anne_grahn




# TOP WOMEN IN SECURITY ASEAN

NOMINATIONS CLOSE 30TH MAY 2022

This initiative has been established to recognize women who have advanced the security industry within the ten countries of the Association of Southeast Asian Nations (ASEAN). Nominations were opened on Tuesday March 8th, 2022, coordinating with International Women’s Day.



STUDENT IN SECURITY SPOTLIGHT


Charlotte Kohler recently completed a bachelor’s degree in Security Studies at Macquarie University and is now studying online at Charles Sturt University for a graduate diploma in Fraud and Financial Crime. She grew up in the Hills District of Sydney, New South Wales.

CHARLOTTE KOHLER

Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime

What first piqued your interest in security?

I wanted to undertake a course with practical applications that would give me a variety of career options. At the same time, I wanted to study subjects for which I had a natural curiosity. The more I learned about security the more I saw it as an interesting area of study from a theoretical perspective. At the same time, it is very relevant to the modern world. Studying security also gave me diverse career options in both the public and private sectors.

Were you doing something else before you started studying security?

I became involved in security studies straight from high school. However, in my opinion any experience gained in other areas would be beneficial because security is a career that requires general knowledge in addition to particular expertise.

Can you briefly summarise your security career to date: how did you get into your current study program?

I have just completed my degree so I am still in the early stages of exploring my career options. I am involving myself in a wide variety of security-related activities. This will give me the opportunity to explore numerous career options in a dynamic and rapidly-changing industry.

To what extent have (a) the course and (b) the institution met your expectations?

- What do you like most?

- What would you like to see done differently?

One of the things I liked most about my bachelor’s degree was that many of the tutors had real world practical experience. I would say the majority of students in my degree course were straight out of high school. Tutors would often give us very useful advice on how to make the most of our time at university, as well as the best way to approach job searching when we graduated. I would like to have seen the career fairs for those interested in working in the security studies field done differently. Almost all careers advertised were within the public sector, but there are also plenty of opportunities for security students in the private sector.

What did you find:

- most rewarding or fulfilling about your course?

One of the most fulfilling aspects of my course was the exposure it gave to a range of individuals who had the same interests as myself. I was able to learn a lot from people who already had experience. Discussing a variety of security issues with likeminded individuals helps you to better understand complex issues from different perspectives.

- most challenging or unsatisfying about your course?

The most challenging aspect of the course was having to complete a substantial part of it online because of COVID-19 when I was supposed to attend classes on campus.

Had I been able to spend more time physically in class with other students and meet them in person, I think I would have had a more enjoyable university experience.

What is your approach to studying (time management, etc)? Any tips for other students?

Start work on your assignments early. This will allow you to undertake detailed research and formulate your ideas and arguments long before the due date. Doing this also provides you with a buffer in the event of unforeseen disruptions to your studies. I also recommend attending classes, even when attendance is not compulsory. You will learn much more by doing so and will meet other students. Networking is an important part of positioning yourself for a career in the security industry.

How do you gain general information about the security industry?

- From your university?

- From friends and colleagues?

- From mentor(s)?

- From online sources?

I would say all of these. Having a combination of all four means you are open to the largest possible range of opportunities and can learn about different areas of work in the security industry.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would definitely be interested in learning more about cyber security. For example, it would be interesting to spend the day with a penetration tester, learn more about the various techniques used to identify security vulnerabilities in a system and use that knowledge to build overall system resilience. I see pen testing as a uniquely challenging role given the ever-increasing threats to cyber security.

What are your aspirations when you graduate?

- What role(s) would you like to take?

- What kind of organisation would you most like to work for?

I don’t like to say I have one specific role in mind. I think the early stages of anyone’s career are a time to take chances and explore a variety of experiences. I think having such a perspective increases the likelihood that, when you decide to specialise in one particular area, it will be one you are passionate about. Making the most of every opportunity gives you the best chance for success.

What subject(s) do you find most interesting and/or do you expect to be most useful?

I think all the subjects I completed at university will be useful down the track because of the content or because of what I learnt from the people teaching those subjects. One of the things I found the most interesting was how important security is for modern businesses, particularly those heavily dependent on information technology. This is an area that interests me greatly, hence why I have undertaken further study of fraud and financial crime.

What are your longer-term - 5 to 10 years career aspirations?

I think it is important to keep one’s options open. At this stage I don’t see the need to specialise in any particular area of the security industry. The next five to 10 years will be an opportunity to experience as many different aspects of the industry as possible. I am very open to working overseas in either the private or public sector. What is important is to experience as many new things and learn as much as I can. By working hard and being open to new ideas I believe I will have the greatest opportunity to grow as a person and build a rewarding career.

www.linkedin.com/in/charlotte-kohler-504905199/


Elena Scifleet is in the final year of studying remotely for a master’s in cyber security through Charles Sturt University. She grew up in Ukraine and New Zealand.

ELENA SCIFLEET

Senior Consultant | Cyber Capability, Education and Training at CyberCX

What first piqued your interest in security?

I first learnt about cyber security when I heard a presenter at a conference speak about the current threat landscape. I found the combination of technical skills and psychology in the subject really interesting.

What do you find most rewarding or fulfilling about your course?

The course gives me the opportunity to learn from the lecturers, share ideas and build industry connections with my fellow students. Because it is a postgraduate course most of the students already have valuable experience in different aspects of cyber security to share.

I also love that CSU has partnered with IT Masters. This gives us access to industry experts who deliver our lectures. Having lecturers with industry backgrounds greatly enriches the learning and gives students a real-world perspective.

What do you find most challenging or unsatisfying about your course?

Online studies can be very isolating. Unlike on-campus studies where you get to interact with fellow students and staff members and attend different functions, studying online you see staff members only during lectures and most of the time you have limited interaction with students. I would like to recommend all online students to look for a likeminded community and groups. If you can’t find anything in your university, there is a great opportunity to start something. Connecting with other people who study with you will support you and provide more opportunities.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would choose a threat intelligence role. I absolutely love the fast-paced environment and investigative nature of this role. I also speak several languages so that role would provide me with broader research opportunities. Cyber security is a great profession for people with multiple skills: it gives them opportunities to put those skills to good use.

What involvement do you have in security outside your course?

I am a strong believer in self-growth and in supporting the people around me. I participate in many cyber security initiatives outside my course.

• I volunteer my time as a cyber security ambassador in NSW. This role provides me with opportunities to speak to high school students about cyber security and encourage them to consider it as a career.

• I was one of the founders of, and run, a Discord server for all the cyber security students in CSU to help overcome the isolation of online study. This has grown into an online community of almost 700 students where we talk, share ideas and support each other in our studies.

• Recently I have also started a cyber security society in CSU to provide a platform for students to present their ideas, join capture the flag teams and work to improve cyber security awareness in the CSU student body.

• I am also starting a new Australian Women in Security Network (AWSN) chapter in Newcastle. I come from a regional location and I really want to create an opportunity for women in security to network closer to home in the Newcastle area.

What are your aspirations when you graduate?

My study is at postgraduate level and I am already working fulltime at CyberCX. Working fulltime in a cyber security role provides me with practical real-world knowledge that complements my studies very well. CyberCX is an amazing company to work for: I get to learn from and collaborate with many leaders.

What are your longer term - 5 to 10 years career aspirations?

I plan to work in a technical cyber security role. I have not yet chosen my specialisation because I enjoy many aspects of cyber security. My career aspiration is to work in the area that provides me with learning opportunities and growth. I love the journey as much as working towards my goals.

www.linkedin.com/in/elena-scifleet-605911164/


Valentina Corda is enrolled in a Master of Cyber Security at the University of Queensland, with a focus on cybercriminology. She was born in Italy where she gained a bachelor’s degree in Investigation and Security Sciences. She is now based in Brisbane.

VALENTINA CORDA

Student of Cyber Criminology at the University of Queensland

What first piqued your interest in security?

I have always been interested in criminology and in ways to investigate crime. As a child, I read only crime novels. When I had to choose my university pathway I selected a criminology-related course.

Can you briefly summarise your security career to date: how did you get into your current study program?

I do not yet have practical experience in cybercriminology. I graduated in Italy in February 2019 and arrived in Australia in October 2019 to do a master’s degree in a related area. It took me a couple of years to familiarise myself with the language and save some money. I then started researching possible postgraduate courses in criminology in Queensland where I am based.

One day I came across the University of Queensland website and the opportunity to choose from four fields of studies within the master’s degree in cyber security. One of them was cyber-criminology. I had never thought of doing a study related to cyber security because my background is in social science and I have no particular technical skills. However, that program seemed to be exactly what I had been looking for.

To what extent have (a) the course and (b) the institution met your expectations?

I would say that both the course and the institution have exceeded my expectations.

- What do you like most?

I love watching cybercrime from a criminological/social science perspective.

- What would you like to see done differently?

I would perhaps have preferred starting my work placement in my second semester to gain expertise as soon as possible.

What do you find

- most rewarding or fulfilling about your course?

The course makes me understand that cyber security requires a multiplicity of professional approaches. Therefore, I am glad I am able to contribute without having a technical background.

- most challenging or unsatisfying about your course?

My weakness is my computer science knowledge so the purely technical subjects in the course make me feel a little uncomfortable.

What is your approach to studying (time management, etc)? Any tips for other students?

My best personal attributes are determination, precision, self-motivation, time management and organisation. They have always guided me as a student and as an employee. To other students, I would suggest planning in advance the amount of time to dedicate to each assignment based on its type and its importance. In addition, starting earlier is always an advantage because it helps to reduce mental pressure and if an unforeseen event happens you have your job already done.

What subject(s) do you find most interesting and/or do you expect to be most useful?

Obviously, given my background, I am interested more in subjects focused on the human factors of the cyber world, such as those concerning offenders, ways of offending, victimisation and prevention/investigative practices.

If you could spend a day with a security expert to learn about their role, what role would you choose?

I would love to learn about digital forensics and the different tools needed to collect digital evidence.

What involvement do you have in security outside your course?

I am an Australian Women in Security Network (AWSN) member.

What are your aspirations when you graduate?

- What role(s) would you like to take?

- What kind of organisation would you most like to work for?

I would like to work investigating online child exploitation and protecting children from sexual abuse on the internet. Ideally, I would like to work for the National Centre for Missing and Exploited Children (NCMEC).

How do you gain general information about the security industry?

At the moment, from my university and online sources.

What are your longer-term - 5 to 10 years career aspirations?

I do not have grand career ambitions. I would like to see my work help people and produce concrete outcomes, rather than simply giving me an income.

www.linkedin.com/in/valentina-corda


Abigail Fitzgerald is studying, part-time and online, at the Holmesglen Institute in Victoria for a Cert IV in Cyber Security. She grew up in the Philippines where, she says, the IT industry is male-dominated.

ABIGAIL FITZGERALD

Cert IV Cyber Security Student at Holmesglen Institute

What first piqued your interest in security?

I’ve always been fascinated by technology, even during my primary school days when we had only a dial-up internet connection. I remember waiting patiently for the pinging followed by the sound of static as it tried to establish the connection. It was music to my ears.

My interest in security was piqued about four years ago while I was working in a small real estate agency in Bayside after being a stay-at-home mum for almost a year. I witnessed how the thriving conveyancing business’ Outlook email was compromised by a malicious actor who then started sending forged emails to all the real estate agencies the conveyancer was dealing with. I believe their aim was to divert deposit payments.

I learned later that these online attacks are widespread globally and there is a profession in IT that helps keep these online adversities at bay. I also read stories of people working in the information security industry raving about how every day in their job was different: how there were always new security measures to implement and businesses to protect. I knew I had found my passion: security implementation, or cyber security.

Were you doing something else before you started studying security?

Yes, I completed my bachelor’s degree in office management and worked in a number of financial institutions and in retail banking in The Philippines and Dubai.

- If so, what made you transition to the security industry?

I’ve always imagined myself making the online world a better and much safer place for individuals and businesses, especially vulnerable members of the community: old people and young children.

- Are there any skills you have carried from your previous roles/studies?

Yes, but they were mostly soft skills. From my bachelor’s degree, I brought business relations, business systems and designs and presentation skills, and from my past roles, customer service and customer education skills.

- What advice would you give someone thinking of entering this industry from a different background?

I found joining groups and organisations in the industry to be essential for getting my start in cyber security and navigating my way through the industry.

Secondly, education, training, and certification are important. There are a number of TAFEs and universities offering free certifications, training, mentoring programs and educational webinars offered by security organisations. I found these in AWSN, AISA, AustCyber, Microsoft Education, Holmesglen TAFE, etc.

There are also webinars and podcasts that talk a lot about people entering cyber security. Two, in particular, are one from OzCyber titled Students - jumpstart your cyber security career in 2022 and Cyber Hacker from CTRL Group which talks a lot about the importance of diversity in the cyber security industry.

Can you briefly summarise your security career to date: how did you get into your current study program?

I started my study program, Cert IV in Cyber Security, at Holmesglen TAFE. I wanted to start something somewhere and learn about cyber security. I started researching universities and financial assistance programs. However, because I am only a permanent resident of Australia pending my citizenship application confirmation, I am not eligible for such programs. Then, I found TAFE certifications and I chose an online course from Holmesglen TAFE because it was close to my home in case I needed to go to the library or decided to do an in-person class.

I’m now in my 16th month of part-time study and I’m loving every bit of it. One of my favourite subjects so far has been Python programming. I was able to successfully create a basic CRM with a login validation program, incident response plan and security network infrastructure.

It would be an understatement to say I find it very rewarding. When I successfully finish a subject my sense of accomplishment absolutely makes the hard work I put in—the time, logistics and the juggling between full-time work, kids, and family—worth the effort. These subjects are all new to me and I’m pretty much starting from scratch.

To what extent have (a) the course and (b) the institution met your expectations?

The course and institution have met my expectations in terms of providing the basic learning, resources and support when needed. I believe they will give me the baseline experience and knowledge to get into the cyber security industry.

However, I wish the institution could provide consistent support online along with in-person support from the educators and information on events and resources in Australia, such as the Essential Eight Maturity Model, endpoint detection, etc.

- What do you like most?

I like programming because I was challenged and had to work hard and think outside the box. I think I got smarter as a result.

- What would you like to see done differently?

Nothing really. However, I would like to see more discussion of current events in the industry.

What do you find

- most rewarding or fulfilling about your course?

That sense of accomplishment after successfully finishing every assessment in each unit and getting good results, and something I had never imagined I would be able to do: write a basic customer relationship management program with login validation.

- most challenging or unsatisfying about your course?

Everything was very satisfying and challenging. Every course unit was well-created, planned and interconnected.

What is your approach to studying (time management, etc)? Any tips for other students?

It’s all about planning the week. I’ve always been spontaneous but since becoming a mother I have learnt to plan and have become obsessed with planning. However, I am still spontaneous at times.

If you’re a mother, set a reasonable goal each day or night after work and kids’ bedtime, such as reading for an hour, or reading a chapter or two. Then increase that to an hour and a half or two hours depending on time and situation. Just remember, every bit of study effort matters, be it reading, research, programming or watching a webinar related to your units.

Mix activities to make your study more interesting, either by reading about a hack or current malware, listening to a cyber security podcast, or watching a YouTube episode about hacking, phishing etc.

It’s also important to know what’s happening in the security industry because that’s how you can relate all your learnings to the real world.

Finally, remove distractions to ensure you focus on your study for the time allocated. If your phone, friends, kids or pets are distracting you then put your phone into a silent or ‘do not disturb’ mode to block any notifications. Tell your loved ones what you’re doing and tell them to support you by not distracting you. With a pet, I’m sure you can ask your friends or family to look after it for a while or take it for a walk for however long is needed to sap its energy in the hope it will sleep or rest while you’re studying.

Keep in mind that work, study, friends, family and life balance are all important. If you are starting to feel study fatigue, step back and take a break. Either go for a walk or other exercise, meditate or just have a rest. Whatever you do, take things one step at a time. It’s very easy to become overwhelmed with a lot of stimulation, information, certifications and to-do lists. We want to make sure we don’t lose momentum and motivation by getting too stimulated and fatigued. So it is essential to take a break once in a while.

What subject(s) do you find most interesting and/or do you expect to be most useful?

The subjects I find most interesting are programming, monitoring and managing security, and networking essentials. These cover the basic aspects of security.

If you could spend a day with a security expert to learn about their role, what role would you choose?

Very good question. First and foremost, I’ve always wondered about and been interested in the SOC analyst role, followed by the responsibilities of a CISO and what a CISO’s day looks like.

What involvement do you have in security outside your course?

- Part-time job?

I’ve recently started a full-time job in an MSP company focusing on security collaboration with our partners. I used to work for a global vendor of network infrastructure.

- Member of security organisations?

I’m a member of AWSN, AISA, and an ACSC individual partner.

What are your aspirations when you graduate?

I’d like to collaborate with businesses and enterprises to fortify their cyber security postures and create an engaging and interactive platform that will educate businesses and individuals, particularly the young and the vulnerable, on how to be safe online.

- What role(s) would you like to take?

Because one of my passions is people, I’d like a role talking to people and businesses about security and presenting to boards on risks and what they can do to protect their assets. I’m also interested in doing incident response planning and governance risk and compliance.

- What kind of organisation would you most like to work for?

Ideally, an organisation that shares my goal and passion to help people secure their digital portfolios and is supportive, respectful and understanding of my trajectory in the security industry.

How do you gain general information about the security industry?

As mentioned above, I’ve gained a lot since I started studying cyber security by joining security organisations and surrounding myself with people who share the same passions and goals.

I’m also a member of a mentees and mentor program initiated by AWSN where I’ve met many good and highly experienced mentors.

I also register for AISA webinars where they have many well-known and highly experienced security people talking about current events, etc.

And I use online resources such as AustCyber, Dark Reading, TryHackMe and ZDNet.

What are your longer-term—five or 10 year—career aspirations?

Five years from now I want to be in a senior role continuously making a difference and helping people, enterprises and businesses fortify and protect their assets. Ten years from now I will be in the development phase of a security platform I’ll be creating with my partners.

Is there anything else you would like to tell us about your journey or story that’s not mentioned in the questions?

I just want to say that one of the things I learnt from this experience is that, regardless of who or where you are, once you discover your passion it is yours to fulfil. I had a learning difficulty from grade school up to high school, but I strived to overcome it. It has taken me many years to discover what I want to do and be in my career, but I’m getting there with flying colours.

www.linkedin.com/in/abigail-fitzgerald-3563a049


Olivia and Jack’s Technology Contract – with the Cyber Safety Tech Mum

LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller

NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

Olivia and Jack have had their devices for a little while now and during the recent lockdowns with extended time spent at home, their parents noticed they had been using their devices more than they should. Olivia had been spending a lot more time playing coding games and Jack had been spending more time playing basketball boomers. Their Mum was concerned they had both been on their devices too much and were not spending as much time riding their bikes and hanging out with friends. Their Dad was concerned they had fallen into some bad habits during lockdown and felt it was time to set some more boundaries, especially because they would soon have laptop computers for school. Mum and Dad asked their friend the Cyber Safety Tech Mum to help.

The next day the Cyber Safety Tech Mum zoomed in and spoke to Olivia, Jack, Mum and Dad about a technology contract, what it should contain and why it was important. She said, “Agreeing on how technology is going to be used in your home means the whole family is on the same page about safe device use.”

They all spent some time talking together about ways they could make using technology safer in their home. Olivia and Jack knew being safe with devices was very important. Mum and Dad thought this was a great idea and were excited to get started. Olivia wasn’t so sure because she was really enjoying spending time on her coding game. Jack was curious to see how it would work and said, “Let’s give it a go Olivia, it might be fun to do.” So together they decided to create their own family technology contract.

Jack and Olivia suggested they use their devices on the comfy bean bags in their bedrooms, but Mum and Dad explained keeping them safe would be much easier if they used the devices in the lounge room where Mum and Dad could see and hear what they were doing. Jack said, “Let’s move the bean bags into the lounge room.” Dad said, “That’s a great idea, Jack, that way we can supervise you.”

Olivia and Jack’s Mum was worried about when the devices should be used. After discussing what they normally did each day it was decided Olivia and Jack could use their devices after showing their completed homework to their parents. They also agreed to have “Total Tech Blackouts”: times when they knew devices could not be used. The whole family sits together at the dinner table each night, so this was the first Tech Blackout time to go on the list. This was followed by a rule that devices would not be used when visitors were at the house or when friends came over to hang out. By putting their tech down during these times, Jack and Olivia would be able to focus on their family and friends.

They also learnt it is very important to agree on where devices would ‘sleep’ for the night. The Cyber Safety Tech Mum suggested central charging stations located in a common area of the home or Mum and Dad’s bedroom was a good idea. Charging cables would live there and devices would be put on charge in the evening and left overnight. Olivia and Jack’s family already had their charging cables set up in a corner of the kitchen bench. As a family they agreed all devices would be put on charge at the charging station by 6.30 pm each evening, and they would always stay there when not in use.

The Cyber Safety Tech Mum also suggested, because the family technology contract would be displayed in a common part of the home, it would be helpful to add some tips about privacy and sharing so Olivia and Jack would be constantly reminded to be careful when online. They created a list that included information they would not share, such as their full names, age, address, school and sporting clubs and friends’ names. They also made a note not to add friends or request friends without their parents’ permission, and to make sure it was someone they knew in real life.

A few weeks later the Cyber Safety Tech Mum zoomed in to check on how everybody was feeling about the family technology contract. Jack and Olivia said, “It’s great to have the list on the fridge to remind us of the rules if we forget them.” Mum and Dad said it was very handy to always have devices charged when needed and they felt comfortable that Olivia and Jack were using their devices safely.

Lisa Rothfield-Kirschner
www.linkedin.com/company/how-we-got-cyber-smart/
www.facebook.com/howwegotcybersmart
twitter.com/howwegotcybers1

Nicolle Embra
www.linkedin.com/in/nicolle-embra-804259122/
www.linkedin.com/company/the-cyber-safety-tech-mum/
www.thetechmum.com
www.facebook.com/TheTechMum
www.pinterest.com.au/thetechmum


Family TECHNOLOGY CONTRACT

Devices may be used in these rooms:
• Lounge Room
• ___________________________

The following are TECH FREE ZONES:
• Bedrooms
• Toilet/Bathroom
• ___________________________

Devices must be placed on charge at the CENTRAL CHARGING STATION at: ___________________________

Devices may be used when: ___________________________

TOTAL TECH BLACKOUT Times are:
• Meal Times
• ___________________________

REMINDER: We do not share private details online.

CONSEQUENCES for not following the contract are: ___________________________

STRATEGY for if we see something inappropriate: ___________________________

Signatures: ___________________________


Recommended by Family zone

How We Got Cyber Smart addresses cyber safety, cyber bullying and online safety for elementary school-aged children.


WOMEN IN SECURITY MAGAZINE CONTRIBUTORS

1. AMANDA-JANE TURNER Author of the Demystifying Cybercrime series and Women in Tech books, Conference Speaker and Cybercrime specialist

2. SAMANTHA LENGYEL CEO at Decoded.AI

3. MEL MIGRINO VP and Group CISO, MERALCO

4. DEEPA AMRAT-BRADLEY Global Transformation Executive Cybersecurity Specialist

5. SHRUTIRUPA BANERJIEE Security Professional and Learner

6. TAYLA PAYNE Associate Consultant at IBM

7. JULIA DE SALVO Chief of Staff at Willyama Services

8. NATASHA HALLETT Senior Advisor, Maritime National Security

9. VIDYA MURTHY Vidya Murthy, Chief Operating Officer at MedCrypt

10. TEENA HANSON Cyber Protective Services Manager at AMP Cyber Defence Centre

11. MICHELLE GATSI Graduate Technology Consultant at EY

12. ELA G. OZDEMIR Cyber Security Analyst at ParaFlare

13. NATASHA PASSLEY Partner, Management Consulting - Technology, Risk and Cyber at KPMG Australia

14. SAI HONIG CISSP, CCSP, Co-founder New Zealand Network for Women in Security

15. VANNESSA MCCAMLEY Principal Consultant, Coach, Facilitator & Keynote Speaker

16. RACHEL MAYNE Senior Associate, Cyber Security at u&u Recruitment Partners

17. KATE BROUGHTON Head of Delivery at Decipher Bureau

18. SIMON CARABETTA Cyber Communications Specialist

19. TRAVIS QUINN Principal Security Advisor at Trustwave

20. MEGHAN JACQUOT Cyber Threat Intelligence Analyst at Recorded Future

21. KAREN STEPHENS Karen is CEO and co-founder of BCyber

22. MARISE ALPHONSO Information Security Lead at Infoxchange

23. NEHA DHYANI Cyber Security Leader (CISSP, CCSP, CISM, MITRE ATT&CK Certified Defender). Senior Security Consultant at Nokia Solutions & Networks

24. JAY HIRA Director of Cyber Transformation at EY

25. ANU KUKAR Associate Partner from the Cybersecurity – Cloud, Strategy & Risk Team at IBM A/NZ

26. SUMEET KUKAR CA (Chartered Accountant); CEO & Founder at Arascina

27. LAURA JIEW External Engagement from the UQ School of IT & Electrical Engineering

28. MEGAN KOUFOS AWSN Program Manager

29. DR SUSAN MCGINTY Director, Aya Leadership

30. MARTY MOLLOY Events, Marketing and Communications Coordinator, AusCERT

31. BEK CHEB Business Manager, AusCERT

32. CRAIG FORD Cyber Enthusiast, Ethical Hacker, Author of A hacker I am vol1 & vol2, Male Champion of Change Special Recognition award winner at the 2021 Australian Women in Security Awards

33. QUEEN A AIGBEFO Research student, Macquarie University

34. ALEX NIXON Senior Vice President of Cyber Risk at Kroll

35. JOANNE COOPER CEO, Australian Data Exchange

36. MADHURI NANDI IT Security Manager at Till Payments

37. ANNE GRAHN CISSP

38. CHARLOTTE KOHLER Aspiring Security Professional, Bachelor of Security Studies and currently studying a Graduate Diploma of Fraud and Financial Crime

39. ELENA SCIFLEET Senior Consultant | Cyber Capability, Education and Training at CyberCX

40. VALENTINA CORDA Student of Cyber Criminology at the University of Queensland

41. ABIGAIL FITZGERALD Cert IV Cyber Security Student at Holmesglen Institute

42. LISA ROTHFIELD-KIRSCHNER Author of How We Got Cyber Smart | Amazon Bestseller

43. NICOLLE EMBRA Cyber Safety Expert, The Cyber Safety Tech Mum

44. AMIT GAUR Executive Consultant at IBM

45. JOSEPHINE VU Cyber Intern at IBM

46. AKIRA SINGH Associate Consultant at IBM

47. SHANNA DALY Chief Trust Officer at ParaFlare


THE LEARNING HUB

FEATURING FREE SECURITY TRAINING RESOURCES THAT ARE AIMED AT INCREASING SECURITY AWARENESS AND HELPING PEOPLE BUILD AND UPSKILL THEIR SECURITY SKILLS.

WIZER
Free Security Awareness Training
The website has some great free security awareness content delivered through short 1-minute videos and storytelling. The videos cover various topics including internet safety for kids, security awareness training for employees, safety for families, work from home safety and so much more!

CURRICULA
Free Security Awareness Training
Curricula’s fun eLearning platform uses behavioural science-based techniques, such as storytelling, to fundamentally transform employee security awareness training programs. The free security awareness training is good for the whole company and can help meet the requirements of SOC 2 or ISO 27001.

AWS SKILL BUILDER
AWS Skill Builder helps you build in-demand cloud skills for free. With learning plans and 500+ digital courses, you can own your career and achieve your goals when and where you want.

UDACITY
Udacity is where lifelong learners come to learn the skills they need, land the jobs they want, and build the lives they deserve. They offer a ton of free courses on technology, cloud computing, and cybersecurity.

NOWSECURE ACADEMY
NowSecure offers many free, on-demand mobile app security how-tos, demos, and courses for the community.

MICROSOFT CISO WORKSHOP SERIES
The Chief Information Security Officer (CISO) Workshop is free (no registration) and contains a collection of security learnings, principles, and recommendations for modernizing security in your organization. This training workshop is a combination of experiences from Microsoft security teams and learnings from customers.

OVERTHEWIRE
OverTheWire is a collection of command-line wargames. The wargames offered can help you to learn and practice security concepts in the form of fun-filled games.

WEB SECURITY ACADEMY BY PORTSWIGGER
The “Web Security Academy” is a free online training centre for web application security. It includes content from PortSwigger’s in-house research team, experienced academics, and Dafydd Stuttard - author of The Web Application Hacker’s Handbook.

ANTISYPHON INFOSEC TRAINING
Antisyphon Information Security training is disrupting the traditional training industry by providing high-quality and cutting-edge education to everyone, regardless of their financial position. They offer students the opportunity to learn skills, practice what is taught, and engage with their community in a fun and inclusive way.

TRYHACKME
TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. They have content for both complete beginners and seasoned hackers, incorporating guides and challenges to cater for different learning styles.

HACK THE BOX
An online cybersecurity training platform that allows individuals, businesses, universities, and all kinds of organizations all around the world to level up their offensive and defensive security skills through a fully gamified and engaging learning environment.

EDUCATION ARCADE
Education Arcade is focused on providing people with a memorable learning experience designed to help keep them safe online. They do this through the use of gamified e-Learning – a powerful tool that reshapes the learning experience by making it fun, interactive and educational.


TURN IT UP

CREATING SYNERGY PODCAST

SMART WOMAN, SMART POWER

By SynergyIQ

By CSIS | Center for Strategic and International Studies

CLICK TO LISTEN The Creating Synergy Podcast brings to life the journey of people who are achieving success in their fields, community, business or personal lives, and it deeps dive into their process, learnings and ups and downs.

CYBERPRESERVE By CyberPreserve

CLICK TO LISTEN CyberPreserve is a one-stop-shop for information on CyberSecurity trends, leadership journeys, attracting people into this sector, and, of course, Cyber Education!

148

WOMEN IN SECURITY MAGAZINE

CLICK TO LISTEN CSIS Smart Women, Smart Power is a speaker series on women in international business and global affairs. The biweekly podcast features leading women from the corporate, government, and national security worlds discussing top international issues.

ASIAL SECURITY INSIDER PODCAST By Australian Security Industry Association Limited

ASIAL Security Insider podcast is brought to you by the Australian Security Industry Association Limited. This podcast discusses security trends, issues and news for security industry professionals.

EDUCATION TALK RADIO By EDUCATION TALK RADIO PRE K -20

The voice of the American Consortium for Equity in Education at ace-ed.org | Host Larry Jacobs facilitates rich discussions with innovative educators, thought leaders, authors and the leaders within the education industry to promote equity, access and opportunity for every student in every school.

RUN IT LIKE A GIRL By Bonnie Mouck

Run it like a girl explores the inspiring stories of women leaders from a variety of fields and industries. You’ll hear energizing tales and career journeys from women who’ve made their marks as leading changemakers in their industries.

28.04.2022


WEST COAST CYBER By WestCoastCyber

West Coast Cyber is Western Australia’s first-ever industry and current affairs cyber security podcast. Powered by ECU and the Department of Jobs, Tourism, Science and Innovation WA, WCC provides its audience with the latest in the goings-on in Perth’s cyber scene.

KIM KOMANDO EXPLAINS By Kim Komando

Award-winning radio show host, nationally syndicated columnist and digital lifestyle expert Kim Komando breaks down the hottest topics in tech. Get insider secrets to protect yourself online, make money from home, secure your devices, avoid scams and more.

WOMEN AMPLIFIED By The Conferences for Women

Hosted by award-winning journalist Celeste Headlee, you can expect true stories and real-world advice from the most brilliant and successful women out there. They cover topics around leadership, career advancement, self-care, transitions and other relevant issues that women face.

HIRE POTENTIAL WITH INDEED By Indeed Australia

Hire Potential with Indeed explores what obstacles and opportunities companies of all sizes are currently facing to find and hire top talent, and how we can learn from each other to create the best opportunities for job seekers and our employees.

FRAUDOLOGY PODCAST By Karisse Hendrick, Rolled Up Podcast Network

Fraudology is a podcast from the perspective of a fraud-fighter. With guests ranging from former cybercriminals to fraud-fighters at Fortune 500 companies, Karisse Hendrick will dive into all areas of Fraudology from the perspectives of an expert in the field.

THE AZURE SECURITY PODCAST By Michael Howard, Sarah Young, Gladys Rodriguez and Mark Simos

A twice-monthly podcast dedicated to all things relating to Security, Privacy, Compliance and Reliability on the Microsoft Cloud Platform.


OFF THE SHELF

CYBER MAYDAY AND THE DAY AFTER: A LEADER’S GUIDE TO PREPARING, MANAGING AND RECOVERING FROM INEVITABLE BUSINESS DISRUPTIONS

Author // Daniel Lohrmann and Shamane Tan

Cyber Mayday and the Day After offers readers a roadmap to leading organisations through dramatic emergencies by mining the wisdom of C-level executives from around the globe. It’s loaded with interviews with managers and leaders who’ve been through the crucible and survived to tell the tale. From former FBI agents to Chief Information Security Officers, these leaders led their companies and agencies through the worst of times and shared their hands-on wisdom. In this book, you’ll find out:

• What leaders wish they’d known before an emergency and how they’ve created a crisis game plan for future situations

• How executive-level media responses can maintain – or shatter – consumer and public trust in your firm

• How to use communication, coordination, teamwork, and partnerships with vendors and law enforcement to implement your crisis response

ESSENTIAL SECURITY FUNDAMENTALS: SECURITY IS A PROCESS; NOT A SINGLE PRODUCT

Author // Uma Rajagopal

Demystifying the complexity often associated with information assurance, Cyber Security Essentials provides a clear understanding of the fundamentals of how to protect the organisation. This book follows Mary, a small business owner, through how she safeguarded her business from intruders and insider threats. This book breaks down:

• Data and Production

• Security fundamentals

• The threats to cyber security

• What must be the next step

• Closing thoughts

It provides a good introduction for those new to the field and a refresher for the more seasoned practitioner. It is for those who are tasked with creating, leading, supporting or improving an organisation’s cyber security program. The goal is to help clear some of the fog that can get in the way of implementing cyber security best practices in your organisation.

THE CYBERSECURITY PLAYBOOK: HOW EVERY LEADER AND EMPLOYEE CAN CONTRIBUTE TO A CULTURE OF SECURITY

Author // Allison Cerra

The Cybersecurity Playbook is the step-by-step guide to protecting your organisation from unknown threats and integrating good security habits into everyday business situations. This book provides clear guidance on how to identify weaknesses, assess possible threats, and implement effective policies. Drawing from her experience as CMO of one of the world’s largest cybersecurity companies, author Allison Cerra incorporates straightforward assessments, adaptable action plans, and many current examples to provide practical recommendations for cybersecurity policies. By demystifying cybersecurity and applying the central concepts to real-world business scenarios, this book will help you:

• Deploy cybersecurity measures using easy-to-follow methods and proven techniques

• Develop a practical security plan tailor-made for your specific needs

• Incorporate vital security practices into your everyday workflow quickly and efficiently


BUILDING EFFECTIVE CYBERSECURITY PROGRAMS: A SECURITY MANAGER’S HANDBOOK

Author // Tari Schreider, SSCP, CISM, CCISO, ITIL Foundation

Building Effective Cybersecurity Programs: A Security Manager’s Handbook is organized around the six main steps on the roadmap that will put your cybersecurity program in place:

1. Design a Cybersecurity Program

2. Establish a Foundation of Governance

3. Build a Threat, Vulnerability Detection, and Intelligence Capability

4. Build a Cyber Risk Management Capability

5. Implement a Defense-in-Depth Strategy

6. Apply Service Management to Cybersecurity Programs

Because Schreider has researched and analyzed over 150 cybersecurity architectures, frameworks, and models, he has saved you hundreds of hours of research. He sets you up for success by talking to you directly as a friend and colleague, using practical examples. In addition, the book provides hundreds of citations and references that allow you to dig deeper as you explore specific topics relevant to your organization or your studies.

THE LANGUAGE OF CYBERSECURITY

Author // Maria Antonieta Flores

The Language of Cybersecurity defines 52 terms that every business professional should know about cybersecurity, even professionals who are not specialists. Anyone who uses any kind of computing device needs to understand the importance of cybersecurity, and every business professional also needs to be able to speak intelligently with cybersecurity professionals. The Language of Cybersecurity introduces the world of cybersecurity through the terminology that defines the field. Each of the 52 main terms contains a definition, a statement of why the term is important, and an essay that explains why a business professional should know about the term.

The Language of Cybersecurity looks at vulnerabilities, exploits, defences, planning, and compliance. In addition, there is a glossary that defines more than 80 additional terms. For those who want to dig deeper, there are more than 150 references for further exploration.

CYBERSECURITY ABCS: DELIVERING AWARENESS, BEHAVIOURS AND CULTURE CHANGE

Author // Jessica Barker, Adrian Davis, Bruce Hallas and Ciarán Mc Mahon

Cybersecurity issues, problems and incidents don’t always relate to technological faults. Many can be avoided or mitigated through improved cybersecurity awareness, behaviour and culture change (ABCs). This book guides organisations looking to create an enhanced security culture through improved understanding and practice of cybersecurity at an individual level. Key awareness, behaviour and culture concepts are covered from the ground up, alongside practical tips and examples.


SURFING THE NET

DEEPMIND BLOG By DeepMind

Read the latest articles and stories from DeepMind and find out more about our latest breakthroughs in cutting-edge AI research.

GREAT LEARNING BLOG By Great learning

Great Learning provides a knowledge base that also offers upskilling. The site has heaps of free tutorials and courses, often targeted at beginners, including cloud foundations, Python for ML, introduction to R, or data visualization.

TOWARDS DATA SCIENCE By towards data science

Towards Data Science is a Medium publication that helps specialists exchange ideas and expand the general understanding of data science. The site invites independent writers to publish articles. It’s a solid resource for data scientists at any level.

GET SMARTER BLOG By Get Smarter

Equip yourself with the latest industry news, thought leadership, insightful data-driven research, access key insights, career guides, resources, and all of the practical advice to fully prepare for your career.


BERKELEY ARTIFICIAL INTELLIGENCE RESEARCH (BAIR) BLOG By Berkeley Artificial Intelligence Research (BAIR) Blog

The blog of the Berkeley Artificial Intelligence Research (BAIR) Lab brings together researchers from across machine learning, computer vision, and natural language processing. The blog helps people stay up to speed with the latest goings-on in AI research.

TOTAL DEFENSE SECURITY BLOG By Total Defense

Total Defense created the Internet Security and Safety Resource Center — an area that includes information, helpful tips, and resources that are intended to inform people about today’s current internet threats and how to stay safe and secure.

DIGITAL SHADOWS BLOG By Digital Shadows

Read from security experts and analysts about cyber threats, threat actor groups, and cyber threat intelligence and learn how to protect your business against risks on the open, deep, and dark web.

LEADING NOW BLOG By Leading NOW

Leading NOW’s blog features insights from Leading Forward, Leading Women, the Center for Diversity & Inclusion, and the Gender Dynamics Institute.

AVAST BLOG By Avast

Read about the latest security news, trends, career advice, cyber safety tips and much more.

DIVERSITY AUSTRALIA BLOG By Diversity Australia Blog

Diversity Australia’s Blog talks about the latest research, workplace diversity and inclusion, discrimination, how to cope with it, leadership, women in the industry, and so much more.


womeninsecurityawards.com.au

THE 2022 WOMEN IN SECURITY AWARDS

Don’t miss the largest security awards of the year!

womeninsecurityawards.co.nz

Want to be part of it? Register your interest today by contacting aby@source2create.com.au

