How did you end up in your current role, and what attracted you to the industry?
It’s a long story! I grew up in the bush but after I moved to Sydney I took on a temp receptionist role so I could pay my bills. I attended an advanced Excel training course and the trainer said “Hey, you pick this up pretty quickly. Have you ever considered a career in IT?” My response…“What’s IT?”
Fast forward a little and I quit my temp job to undertake a 6-month TAFE course in IT. After I finished I wrote over 300 letters to companies in Sydney asking for a job in their IT department. But in the end one company I had temped for months beforehand contacted me and asked if I could come back to take on a full-time receptionist role. I said ‘Sorry, I really want to get into IT instead – would you have any roles in IT?’ And – they offered me a role as a PC support officer.
My transition into security as a specialty took longer. I remember one time in my early 20s, when I was working in technology infrastructure design and implementation, I asked one of the security consulting guys what they did in security. But the focus on configuring firewalls and switches didn’t interest me.
Since then I’ve worked for several consulting companies, for Microsoft and as a contract CEO for a technology not-for-profit organisation. But it was while I was running my own project management and business analysis company that I got really interested in security. I managed a security project and that set off other security-specific engagements. I got so interested in security by that point that I decided I wanted to pivot, close my business and focus solely on security. An opportunity came up to take on a permanent role at IAG, Australia’s largest general insurer, to develop and manage a new security education and awareness team and I jumped at it. Three years later I now manage the Cyber Security Consulting team in IAG.
A few things attracted me to security – the ever-changing landscape (I am a changemaker and lifelong learner); the fact that security has matured from ‘just firewalls’ to a holistic enterprise of its own with a broad range of skillsets and diverse teams; and the intersection between crime and computing (I am a crime buff).
What security-related behaviour or policy have you noticed change the most in the past year?
Across many industries there has been an increase in supplier cyber risk assessment, with large breaches revealing suppliers as a key threat vector. And in regulated industries like insurance, the introduction of CPS 234 has increased this focus further.
What security threats do you see as most problematic over the next year?
One area I have been studying lately is security futurism – how will technologies of our fourth industrial revolution impact security as we know it today, and which ones provide a security opportunity? Which ones will create whole new crimes? But some of these technologies are further out than a year, in terms of mass adoption (and therefore mass impact).
More in the immediate future, you can put human-based threats at the top of the list. Humans are an interesting and highly dynamic threat vector because they don’t work to a set of coded instructions; they have their own motivations and they have feelings. For hundreds, if not thousands, of years people have influenced, coerced or forced people into undertaking a desired action – we’re seeing the digital effect now with threats like ransomware through phishing continuing to rise.
What impact do you think intensive skills-training programs will have on closing the cybersecurity skills gap?
There are people out there who can be re-trained into cyber security and besides skills they need to get practical experience – nothing beats learning something from doing. But attitude counts for a lot, regardless of technical skill.
You need to look at the ‘base level set’ of skills you want people to have for roles you need – these aren’t technical skills, they are attitudes that reflect who they are. You need to understand what people are naturally good at and amplify these in a suitable role. Not everyone will be a threat hunter or like coding but everyone is good at something.
Do you see diversity in IT/security teams as a priority? How do you think diversification can assist within an evolving threat landscape?
Diversity is important from multiple angles – over the past 20 years we have gone from having very ‘tech’ people in security to having a much broader range of skills. For example, in my last team I hired a graphic designer, a university graduate and a writer and this brought a fantastic range of views and skills to our team.
What is the hardest thing about defending against data breaches?
For lack of a better word, the ‘innovation’ of cybercriminals; the current lack of smarts in technology to adapt on the fly; and human nature.
What is the best way to win over employees so they help cybersecurity efforts rather than hinder them?
Understanding motivational factors is a key element to designing programs that change risky behaviour. We’ve trialled a number of different engagement methods at IAG including gamification, rewards and ‘the stick’ and essentially all three methods are valid at different times. Which method you use can vary per campaign, per target group, per risk type and even per individual. Analysing your audience, the topic, the desired outcomes and the delivery channels when you develop the engagement campaigns will help you identify what will work.
You have undertaken training in criminal profiling. What inspired you to do this?
As I mentioned, I am very interested in the human side of cyber security so I wanted to better understand motivations behind crime and learn some of the basic psychology. The training itself was very focused on traditional crime such as profiling serial killers and other violent crimes, which was eye opening.
Many of these traditional methods are well-suited to traditional crimes – for example, the Canter model, which helps identify criminals based on geographic location – but these same methods would not work for cybercrime. There is also a book called ‘Profiling Hackers’ by a team at the United Nations Interregional Crime and Justice Research Institute (UNICRI) and that is a good start, but unfortunately they don’t have any more funding available to continue their research. Since that book was published ten years ago, I think advances in technologies such as machine learning could potentially be an option to help identify and correlate data in cybercrime activities to help identify the people or groups responsible.
Could you describe an average day as Manager of Cyber at IAG? Do you have a particular routine for the start and end of day?
One thing I like about my job is that every day is different, and my employer offers flexible working so some days I work from home and others I am in the office or travelling. Although I like and encourage change, I also like some structure as this ensures the whole day isn’t reactive and my goals are achieved.
First up, I check for any new emails and classify them in terms of urgency and importance (I use the classic ‘Eisenhower Matrix’). I use my mailbox as a to-do list, so at any time of the day you can catch me sending emails to myself. I am not someone who keeps all their emails in their inbox – everything gets filed or deleted once complete.
If I am in the office, I usually have meetings lined up with team members and stakeholders. I try to ‘chunk’ my work for efficiency, so I have blocks of meetings and blocks of focus time.
Last thing of the day is to repeat the first thing of the day – do a final check on emails and classify them ready for the coming day so I can hit the ground running.