Women in Security: Improving cybersecurity engagement
- 04 September, 2019 11:52
A series of dynamic technical talks at the inaugural CSO Australia-AWSN Women in Security conference highlighted the innovative perspectives and problem-solving nous that women bring to cybersecurity roles.
Atlassian’s Brianna Malcomson, for one, talked through strategies for effective red-teaming and the importance of consent – making sure that the targets come along for the ride.
“Too often I see red-team exercises being restricted to upper management, and the fixes are just dictated out,” she said. “People have to deal with it and don’t get any explanation – but even small fixes might be multi-year projects. You need to be extremely aware of the capacity of the organisation to respond to what you do.”
Red-team managers also needed to make sure they are engaging productively with victims, Malcolmson said, advising them to “be humble and hire for empathy on your team. You don’t want the most brilliant jerk hacker; you want someone who knows how difficult it is to secure an enterprise.”
Fatemah Beydoun, who co-founded successful cybersecurity startup Secure Code Warrior and now serves as its vice president of customer success and operations, shared her self-doubt about her ability to be a new mother and a successful executive – but noted that the support of a strong team, including some de facto babysitting responsibilities, had made it possible.
“I felt like it was a decision to make whether I wanted to stay working and be part of this growing company that was doing so well, or did I have to stay home,” she said. “I didn’t want to have to make that choice, and now I truly believe it is possible to do both.”
Although it had been challenging finding female engineers – much less one who was willing to come work for a startup – the company has adopted a strategy of diversity and currently has 45 females out of 100 staff.
Diversity had been crucial in enriching Secure Code Warrior’s team and cultural structure, Beydoun said, noting that differences in male and female problem-solving meant that combining them provided “whole-brain thinking”.
“We can all leverage the different experiences and knowledge perspectives of the different people that come from such a diverse background,” she said. “The key is not being so strict on people’s day-to-day: great businesses are results driven and have that flexibility.”
“Diversity is key to making strong teams, then taking good ideas and turning them into great ideas.”
Getting the message across
Olivia Grandjean-Thomsen, communication and engagement manager with the Australian Cyber Security Growth Network (AustCyber), did a bang-up job on her first-ever presentation (as part of AWSN’s Project Friedman initiative) and highlighted the importance of plain English and clear communication in conveying cybersecurity messages.
Drawing on her previous experiences in developing public education campaigns around the My Health Record initiative, Grandjean-Thomsen highlighted the importance of storytelling and case studies. Visual communications methods, in particular, can be particularly useful in conveying information long after readers would have stopped paying attention to written information.
Plain English “is not about dumbing down information,” she said, “but keeping your audience in mind and making sure your communication is clear and precise. Plain language helps you communicate decisions so readers can engage with your brand and trust it. And using stories gives your audience something to remember you by.”
Melissa Wingard – another Project Friedman participant and senior commercial technology lawyer who currently works as regional counsel and contracts manager within a public-safety software company – shared her first-hand experiences helping set expectations and strategies with senior managers who were often quite reactive to cybersecurity issues.
Managers needed to focus on protection of personal information and engage their legal teams early to evaluate the risk it poses, Wingard explained, with a growing climate of compliance and fines adding to the urgency.
“Contrary to belief we can help out sometimes,” she laughed, noting that diversity of capabilities as important in teams just as diversity of gender. “We need to be getting everybody across this issue, and getting other support functions involved. Everyone needs to have a security mindset.”
Pushing that mindset to the senior executives, however, often poses its own challenges.
“It is a very inexact science because what resonates for every organisation is going to be different,” she said. “The worst-case scenario, particularly when talking about cyber attacks, is what your company does and what data it holds.”
“When it goes to the managing director, [the driver for change] really needs to be something that resonates with the organisation and its decision makers.”
Sarah Young, a Microsoft Azure cloud security and compliance specialist, wrapped up the lineup of speakers by sharing her experiences in cloud-based secrets management and the security structures of Kubernetes containers in the public-cloud environment.
Companies needed to implement controls over access-key management; avoid or limit root access to the containers; be careful about where container images are sourced from; and ensure they don’t rely heavily on defaults.
“When you’re doing such a big shift as changing up your architecture and going to cloud, you need to tidy up your application security,” she said.
Young noted, with some disappointment, her difficulties attracting cybercriminals to honeypots she had intentionally set up as exposed cloud containers – although she admitted that they may have been breached in a way she hadn’t detected yet.
Yet businesses needed to be aware of the many ways that cybercriminals were exploiting improperly secured cloud resources, she said, citing several “horror stories” where such containers had been compromised and were running cryptomining malware, unnoticed, for some time.
“There are worse things that can happen to your Kubernetes clusters,” she said, “and some people just say ‘if we get a massive bill we know there is a problem with it’. But your billing system is not a security control.”
