AusCERT2021 Information Security Excellence Winner

AusCERT2021 Information Security Excellence Winner

[A copy of this interview article is also featured on Edition 3 of the Women in Security Magazine, published by Source2Create.]

Jacqui is Founder and Executive Manager of the Australian Women in Security Network (AWSN) which aims to connect, support and inspire more people, in particular, women and female-identifying professionals to pursue a career in security. She is also co-author of the international book ‘Women in the security profession’.

In April 2021, Jacqui decided to take a leap of faith and is now devoting 100% of her time to building the AWSN as a not-for-profit organisation. In short, AWSN has been Jacqui’s “passion project” for close to 7 years. Today, AWSN is a national group of close to 2,500 members across Australia with linkages to a number of prominent sponsors. It is an open network of people aiming to grow the number of women and female-identifying professionals in the cyber security community.

AWSN’s mission is to support, inspire, and connect women and female-identifying professionals in the industry and those looking to enter the field with the tools, knowledge, a connected network and platforms they’ll need in order to build their confidence and cultivate their interest. 

Kudos to Jacqui for her tireless work in building the AWSN to where it is today, and with that – it is with great honour that we award her the Winner of Information Security Excellence in 2021. 

Tell us a little about your professional career?

My interest in technology started off when I worked at a help desk at Australia Post and in the area of  PC support at an insolvency company during uni where I studied a Bachelor of Information Systems.

I then graduated and became a unix adminstrator for a few years before then deciding that I wanted to see and travel the world!

When I was back-packing in Europe I ran out of money (as you do!) and got a job working on the helpdesk at Schlumberger. I got the opportunity to retrain to be a technical consultant. They put me through some really intensive technical networking and security training and at the end they asked what I wanted to do. I thought security was interesting, and this is pretty much how my security career journey began!

I then worked as a security consultant for multiple large scale projects where I’d worked on a variety of different areas such as implementing AV, PKI solutions, performing risk assessments and technical assessments, policy-writing, and basically anything that was thrown at me at the time.

I ended up spending 7 years in London and 7 years in Paris as a consultant working on many interesting projects which I loved.

When I came back to Australia, I continued to consult on different projects before then moving to the in-house security team at ANZ. I started in their Identity and Access Management (IAM) team, then moved on to designing the cybercrime controls for ANZ’s institutional banking arm; and finally moved to head the Security Education and Influence team in a job share role.

I then decided that I really wanted to help small businesses who I saw being affected by cybercrime and ended up spending a year in start-up land with the folks at Cynch Security.

You’re the founder of AWSN. Can you tell us more about how AWSN was born and what your mission is?

The idea of the AWSN (Australian Women in Security Network) was born when I returned from a 14-year stint overseas and came back to Melbourne.

I walked into a security event and was overwhelmed by being the only female in the room. It was something I had gotten used to in Europe; but it really hit me when I came back to my home country to see and experience  it, especially when I didn’t know anyone in the room.

I’d met one other female participant and she took me under her wing and introduced me to some people. We then brought together a number of female colleagues for casual breakfasts and met up before the start of security conferences.

We spoke about how much we enjoyed working in security and some talked about the challenges they faced with being the only females in their teams. After a while, I was thinking that there may be other women out there also feeling alone, so I started a LinkedIn group. This then grew organically over time and soon local state-based chapters started to pop up across Australia. These then grew into more formal events and now our community consists of around 2500 people.

The AWSN is an open network of people aiming to grow the number of women in the security community. We support, inspire, and act as role models. We connect women in the industry and those looking to enter the field with the tools, knowledge, network and platforms needed to build confidence and interest.

As a network, we know the diversity of online threats require diversity of thought on how to address them, and this is where our network thrives.We do this mainly through events, hand-on workshops, training, mentoring and speaking engagements through community groups, universities and high schools.

Congratulations on winning the Information Security Excellence award! What does winning this award mean to you?

It was an absolute honour to have received this award. This means so very much to me and I sometimes still pinch myself with disbelief! I believe that this is a community recognition award, as the AWSN couldn’t have got to where it is today without all the volunteers, sponsors, donors, mentors, coaches, speakers, writers and all the people supporting us over the years.

Receiving this award means that the Information Security industry in Australia recognises that what the AWSN is doing is important and meaningful work AND that we are on the right track with what we are trying to achieve.

It means that all the hard work and hours that myself and all our volunteers put in to make AWSN what it is today is worth it! Thank you to everyone who has contributed to our cause, you know who you are.

What do you see as some of the main cyber threats in today’s society and their accompanying risks? Are you seeing any trends of particular threats becoming more common?

Good question!

There are many and I could probably talk for hours on this topic. But if I were to choose two, which I think we as a society/community need to work together on a lot more are application vulnerabilities and supply chain risks.

As we continue to use technology and build systems, apps, software faster than ever – often security is something that is considered at the last minute or sometimes, never! We shouldn’t expect the users of our systems or apps to know what to look out for when it comes to a security breach. Hence, it is my personal belief that technology should really adopt a “secure-by-design” philosophy and make it easy for users to apply security updates when they are required.

When it comes to the topic of supply chain risk, some of these cyber threat issues stem from the fact that small businesses (which btw, constitutes 98% of all Australian businesses**) often cannot afford security consultants to help them with implementing secure processes or expensive security services and products to protect their company assets.

These businesses are particularly vulnerable to threats such as business email compromise (BEC), ransomware or data breaches which are increasingly becoming more and more common. These can have downstream implications on large corporations, critical infrastructure and Government agencies as it is very likely that at some point these smaller businesses are further down in their supply chain.

It’s cliche, but cyber security really IS in everyone’s interest – no matter the size of your workplace.

** figure obtained from the Australian Small Business and Family Enterprise Ombudsman (ASBFEO)

If you could give one piece of advice for organisations and IT/cyber security professionals, what would that be?

To stay humble and keep an open mind.

Remember and realise that most of our society don’t know what we know, and that no question should be considered a silly question. I don’t think that there is anyone in our sector who knows absolutely everything about security, so we shouldn’t treat/blame users like they should have known better in case of a breach or an incident.

There are many people out there (they could be your grandparents, friends, family members  and colleagues) who are confused and overwhelmed by what they know and what they don’t know about the topic of cyber security.

It is this stigma that cyber security is difficult and tricky which often makes many security departments feared or are perceived to be unapproachable. We, as a community therefore all have a responsibility to show them that we are keen to help them learn and have them join us on this journey.

We cannot fight this battle with just technology and largely rely on humans to report things that are suspicious, to consult with us before they are about to go live with a system and to sign off on our budgets. Therefore, we need everyone on our side and we need to show that we are open to listen and help. 

As a community, I think we need to communicate better, prioritise (based on known risks) and provide them with easy and accessible information, solutions and advice – so as not to confuse the general public further.

What’s one common challenge you find women and female-identifying professionals are facing in the cybersecurity industry and how can organisations continue to support them?

A common challenge I’ve personally found with women and female-identifying professionals in male-dominated teams is that they feel they are not heard or given the same opportunities as their male counterparts.

They are often questioned why they are there and instead of asking or referring to them as subject matter experts, they are sometimes asked to be referred to a male counterpart as it’s assumed they don’t know the answer or have anything to contribute to a particular security topic.

Everyone should be given an equal opportunity to contribute, and by this I don’t mean just females, but also young/elderly males, people of different ethnicities, people of different backgrounds who need a voice.

Organisations must address this better, it needs to be a fundamental yet important goal within all teams or we will continue to lose good talent! And when good talent is lost, it makes it hard for upcoming new talent to see people like themselves in a career path in security, and we absolutely need this new talent in order to fight the new security and technology challenges ahead.