Destiny Bertucci always knew she had a different way of looking at things than the students around her. While her classmates were often reticent in class and waited until after it was finished to approach the teacher with questions, Bertucci was always ready to dive into discussions and ask the hard questions.
It was a sign of the inquisitive mind that has, over the years, guided her to her current role as head geek with IT management software vendor SolarWinds. It’s a mantle she wears with pride – and one that is becoming more important given the increasing accessibility of malicious code and the growing security threat from poorly designed and executed Internet of Things (IoT) devices.
“I’ve always had a troubleshooting mindset,” Bertucci told CSO Australia. “I would be taking things apart and putting them back together. When I came to SolarWinds they would ask why I was doing that, and I said ‘because I need to know how it works’.”
While she has it in spades, the lack of such curiosity in many other environments is leaving many businesses exposed due to the inherently insecure design of many IoT devices. “When they first produce things that can do what the user needs, security is always on the back burner,” she explained.
“People are almost having a hypersensitivity to having the latest and greatest – but users aren’t necessarily thinking about how these things have a back end. A lot of people are trying to put security policies in place and aren’t starting with the basics. This lack of security policies is what absolutely scares me.”
Such devices often overlooked security in favour of functionality in v1.0 designs that were primarily focused on meeting surging demand. However, later iterations were slowly becoming more secure as “supply was answered by people buying the products and getting attacked”, Bertucci said.
This climate of attacks is fuelled by a growing crimeware scene that Bertucci attributes to the ready availability of hacking tools, often used by hobbyist hackers. “Most of the breaches that you’re seeing are low-hanging fruit,” she said. “They’re easy password things, because they were able to access these tools from their home.”
Temptation was difficult for many young hackers, she continued: “There’s so much money tied to ransomware that it’s intriguing, especially to young people that may not have the necessary ethical right or wrong in their heads. To be able to have all these ransomware kits available to them, I feel that we’re going to continue to see an increase in ransomware.”
This rising threat, she believes, has slowly raised manufacturers’ awareness of IoT security and, over time, will focus attention on the need to make devices upgradeable to allow the iterative resolution of security bugs as they are discovered.
The trend towards better understanding of endpoint security vulnerabilities had been bolstered by the adoption of data breach notification laws, which were surfacing a growing number of examples of how devices had been compromised. This would, over time, drive vendors to have “more of a security front” in their approach to the market, which Bertucci believes will spill over into product marketing and see manufacturers actively seeking to differentiate their products based on perceptions of their security.
Introducing this introspective cultural shift amongst manufacturers requires a commitment to questioning the status quo – and driving continuous improvement – as Bertucci has done throughout her schooling and subsequent career. It’s a skill that she not only applies to her own work, but encourages when teaching young women who, she often finds, lack the confidence to raise questions in groups.
“I have always engaged with kids to ask questions,” she said. “We don’t want them feeling like they can’t raise their hands – but there’s a confidence barrier there, and it’s something we have to get hold of.”
“If you’re not part of the conversation you’re not engaging with the subject,” Bertucci added. “And if you’re not engaging with the subject, it becomes obtuse to you. If we can help women and girls to be confident and asking questions, and being part of the conversation, that’s half the battle.”
Recruitment of women into ICT remains a key issue in the context of an overall ICT skills shortage, with the Australian Computer Society recently renewing calls to reverse a trend that has seen women’s university enrolments in ICT-related subjects dropping precipitously in recent years. The ongoing deficiency was a key reason for the government’s newly announced Academic Centres of Cyber Security Excellence (ACCSE) program, which will promote cybersecurity careers to young students and fund the establishment of post-graduate studies, research, and workforce training to improve Australia’s overall cybersecurity profile. Applications for that program will be open through April 17.