Innovate for Equity
Bringing diversity into cybersecurity to protect everyone.
In the month of February, I was part of a few events that were cybersecurity-related. The first was a panel about “Women in Security”, hosted at Splunk. Another was my own talk at “Test Automation Day – Melbourne” on Test Automation and Cyber Security. And as a third, I had the opportunity to speak as a guest at the all-hands meeting of SecurEyes. There was a general theme in these events about what kind of people can work in cybersecurity, as well as a broad curiosity about what space women in particular may have in this field. So here are some thoughts about the topic.
If you’re in Australia, you probably have heard of the “Hi Mum” scam, where people receive a text addressed to “Mum” saying the phone is broken and asking for money. Apparently people have lost $7.2 billion to this scam. I can imagine the eyerolls about the gullibility of people being taken in by such scams, and the shrugs accompanying statements that “people need to be more aware”. I have also recently heard the idea espoused that banks should not cover mistakes like this where people are “careless”. But is victim-blaming what we need here? What are we as the collective IT community, or specifically the cybersecurity community, really doing to address scams like this?
People as the vulnerability point
Cybersecurity education asserts that the primary objective of all cybersecurity efforts is to protect human lives and health. The security of systems, data and premises comes only after the people. However, the broader field of cybersecurity doesn’t really embody this particular value. While discussions on vulnerability acknowledge that people can be the biggest vulnerability for intrusions, I have not noticed a lot of actual effort spent on addressing this vulnerability – beyond messages about safe password practices and 2FA.
When cybersecurity is mentioned, there is an automatic picture in the mind of a hacker in a hoodie, working from somewhere in a basement, whose attempts are only being thwarted by another hacker (an ethical or “white hat” one this time) who is WFH in his own basement. Yes, “his”. Be honest, none of us pictured a 45-year-old woman in either of these roles. Or even a 25-year-old woman. But what if I told you that women have some unique skills and perspectives that can make them great cybersecurity professionals? And what if I told you that the biggest threats to cybersecurity today are not limited to sophisticated malware or zero-day exploits, but include something much more human: social engineering?
Social engineering is the art of manipulating people into doing things they wouldn’t normally do, such as giving up their passwords, clicking on malicious links or downloading infected files. Social engineering attacks often rely on exploiting interpersonal relationships, emotions and trust. The “Hi Mum” scam is one example of this. Another common attack is sending urgent-sounding emails to a (usually female) executive assistant, spoofing the identity of their boss, who is a senior executive – asking to urgently pay an invoice, or purchase an expensive gift to be shipped to an employee as a surprise.
Now imagine if you were a woman working in cybersecurity. You might have been more suspicious of the email – noticed some subtle clues that it was fake: maybe the tone was too formal or informal for your boss; maybe there were some spelling or grammar errors; maybe the account number was different from the usual one. You might have also been more aware of the psychological tricks that hackers use to manipulate their victims: creating urgency, invoking authority, appealing to greed or fear. You might have checked with your boss before making any transactions or reported the email to your IT department.
These are not just stereotypical feminine traits; these are essential cybersecurity skills that can give you an edge over hackers who rely on exploiting human weaknesses. Skills like these are needed to create a more comprehensive map of the types of threats that a system may be vulnerable to. This wider understanding of threats can then help teams create effective strategies to protect against them – from creating effective awareness campaigns to fine-tuning intrusion detection systems and email quarantine tools.
Careers in Cybersecurity
So ladies (and gentlemen), if you’re interested in pursuing a career in cybersecurity (or advancing in one), don’t let anyone tell you that it’s not for you. Cybersecurity needs more minds from different fields – women with “stereotypical feminine traits”, testers who are trained to sniff out the weak spots in a system, people who can communicate and bring technology teams closer to the users of the systems – to bring diversity of thought and experience to this challenging and rewarding field.
This blog was written by our Head of Quality Assurance, Tanu Parial.