A standing room-only crowd of more than 150 attendees converged on Melbourne’s Park Hyatt this week to hear a dynamic roster of speakers at the inaugural Women in Security Conference and Awards.
Co-sponsored by CSO Australia and the Australian Women in Security Network (AWSN), the conference brought together more than 150 women and men for a day of sharing, learning, networking, and empowerment.
Rachael Leighton, the Victorian government’s principal advisor for cybersecurity strategy and engagement, set the tone for the day with an energetic call to arms.
Cybersecurity, she noted, represents an existential threat to Australia’s small businesses, with 60 percent of compromised businesses closing shop within 6 months – and that keeps her up at night.
As a direct threat to state productivity, the government has been working on strategies to improve awareness of cybersecurity issues – and Leighton believes many businesses are taking the wrong approach.
“Why do we bombard people with endless policies, guidelines, and instructions on a myriad of security related things that we assume they care about,” she asked during her conference address, “when in reality they don’t – until they do.”
Rather than being seen as a set of policies imposed on the organisation, she said, cybersecurity needs to become a part of the culture and looked at “through a different lens.”
“Cybersecurity is not a technical problem,” she explained. It’s an economic, psychological and human behaviour challenge all rolled into one.”
“By putting a robust, methodological change framework over the top, then defining the minimum viable behaviour change that we need – and explaining the whys and hows to the audience in a relevant way – would we change anything?”
Leighton, a former primary school teacher and self-professed “anti-tech”, described change as “uncomfortable” and the successful promotion of change management as her “happy place”.
Organisational cybersecurity responses also needed to change, she said, arguing that increasing diversity within business and security teams will strengthen a broad range of personal attributes in organisational decision-making
The issue is “who do we call at 4am when it’s all turned to custard?” she asked. “For women, this mantra when applied to cybersecurity is simply another way that we can apply our everyday skills” such as the ability to identify vulnerabilities and threats; remain calm in a crisis; identify options; explore multiple pathways; juggle all the moving parts; and understand potential impacts in and beyond the inner circle.
“We have been doing this for years and we have a natural advantage,” Leighton said. “We can’t lock everything down and completely stop incidents, but we can lessen the likelihood; get back to basics; and think about and have conversations with the right people at the right time.”
Forces for change
Change is nothing new for Manal al-Sharif, a senior manager in cybersecurity with EY who shared her experiences growing up amongst the jaw-dropping ignorance and institutionalised gender discrimination of Saudi Arabia.
A humble and happy childhood took on a much different timbre when al-Sharif reached the age of 12, at which point she was no longer allowed to climb trees and ride bikes with her cousins.
School became a segregated affair with blacked-out windows; women were served in separate areas of restaurants where they were forced to sit behind screens; libraries were forbidden; and grown women were being driven around by young boys because of a cultural ban on women driving.
“I was not allowed to use my voice because my voice was seductive,” she recalled. “I grew up to be an invisible woman.”
Naturally curious, al-Sharif pushed through to study engineering despite recriminations from family and friends, and ultimately found herself the only female engineer on a team of 39 at petroleum and natural-gas giant Saudi Aramco.
After getting her driver’s license at the age of 30 during a secondment to Boston, she ended up on the world stage after being arrested for the crime of “driving while female”. This sparked a worldwide social-media movement known as #Women2Drive, which culminated in a June 2017 government decree that women would be allowed to drive.
Al-Sharif’s experiences were a frontline account of the challenges women have faced in being allowed to participate normally in areas where systematic discrimination has marginalised them.
“For me, it wasn’t about the right to drive a car,” she told the audience. “It was about being in charge of my car and my own destiny.”
Her natural curiosity had helped her secure a position in Australia’s cybersecurity industry – although, she added, she faced more overt bullying and discrimination in Australia in her first 6 weeks here than she ever felt from her 38 male colleagues during the 10 years she worked at Saudi Aramco.
“I had never experienced bullying and didn’t have a name for it,” she recalled. “I had been in jail with murderers and thieves, and I didn’t cry. But I cried every morning when my [Australian] boss was bullying me.”