Women in Security
From law to cyber security

With Rachael Falk
Director of Technology, Security & Strategy at .au Domain Administration Ltd

Rachael practiced as a lawyer in Australian and overseas law firms before commencing with Telstra. Moving from legal to cyber security, Rachael had several roles in Telstra Security Operations, including National Security Advisor. Now in a new executive position, Rachael has a clear remit to shape auDA's role in the cyber security ecosystem both within Australia and internationally.

ASM: How did you get into the security industry?

I have always liked solving problems and challenges and when I was at Telstra, I became more involved in data breach issues and it became clear to me that cyber security was regarded everywhere as more of an IT problem. I saw an opportunity to change this and help the business understand that cyber security was a risk that everyone from the board down should understand and manage. So, I was offered a one year secondment from Telstra Legal to Telstra Security Operations and it was a great move. Telstra hired a new CISO in 2013 who had a very strategic approach to cyber security and approached it as a business risk. Since then, I have never looked back.

ASM: How did your current position come about?

The .au Domain Authority (known as auDA) is both the regulator of and manages the .au domain zone and it has gone through a period of transition over the last 12 months. They wanted an innovative approach to security and to play their role in Australia’s cyber security ecosystem. I had left Telstra and was enjoying a long break but the opportunity to help shape a different cyber security narrative was too hard to refuse.

ASM: What are some of the key challenges you think the industry is faced with and what difference do women in leadership roles make to meeting these challenges?

The key challenge is for leaders to understand that cyber security is a risk that can be effectively managed but the tone is set from the top. Leaders who demonstrate that they care about customer data, that they invest in effective security outcomes and that they have thought about how they can recover from an incident are critical. I still think there is far too much reliance on a magical technology solution or for compliance frameworks to solve this issue. Compliance does not equal security and putting a whole bunch of tech toys in your SOC (Security Operations Centre) does not equal effective security. It has to be a combination of leadership, culture, good tech and awareness.

I think women, no matter which industry they are in, bring diversity of thought. I see my key strength as not necessarily being female but being a former lawyer, who can think critically and can write in accessible English. So, I think we bring our backgrounds and a different perspective.
32 | Australian Security Magazine
ASM: Where do you see the industry heading and are women sufficiently or increasingly being recognised and respected?

I see it heading towards hopefully a greater understanding that cyber security is a business risk. I think recent events have shown us that Australians are becoming more cyber aware and that they in turn should demand that anyone wanting to use and store their valuable data needs to be accountable should it be lost or stolen. All of us (me included!) want to know that our valuable data is being protected at all times. And I want to know that the boards and leadership teams of all organisations that handle valuable data care about that data and build security into all that they do.

I still see far too many conference flyers with all men in the photos and the fact that this seems to not be noticed by those conference organisers astounds me. But thankfully there are great men in the industry who share these views and go out of their way to promote women into leadership roles, recognise their talent and not attend those conferences. I think women need to be confident and put themselves forward for events.

ASM: Are you an active mentor or being mentored and how important has a mentoring framework been to you?

I am a strong believer in mentoring both for me and for what I can give to others. There is nothing better than being able to bounce an issue or problem around with someone else. It is great therapy but also broadens your perspective. There are a range of very talented women I talk to within the industry. Some are still students right through to working in cyber security. I see my role as bringing others through with me and where I can connect them with other people in the industry or help create opportunities for them. I also like sharing information or ideas with them.

As for me being mentored, I have a panel of advisors (not sure they all know they are on my panel!) because I do often ask for advice on a particular issue or situation but I am a strong believer in being open to different perspectives. I am very fortunate to have a wide range of people I can call on should I have an issue or question.

ASM: Do you have a particular agenda or focus that you would like to highlight?

I see great opportunity and challenges in cyber security. It is a great area to work in although when I was admitted to practice law 20 years ago, this role didn't even exist. The importance of cyber security is a leadership issue that needs to be addressed at a board level but also filter down an organisation. I also don't mean that boards should be bombarded with what I call ‘packs & stats’ which traditionally involve lots of ‘attack’ and ‘threats’ numbers in large packs. Do that with a board or leadership team and you are in eye-glazing-over territory. Engage all leaders with stories about the impact of losing valuable data both at a customer level and at a reputational level. You need to engage the hearts and minds so that the organisation understands that cyber security is a business essential and not an optional extra.

My second point would be that diversity within the industry is key and we need to involve key men in the industry because those with strong voices pave the way for others as well.

ASM: What do you do when you're not working?

I work full time so far too much cleaning!! I enjoy cooking, reading, being with my kids (when I can get them off devices) and planning our next holiday (where no one seems to agree on any destination). I am afraid I'm not a good example of work-life balance but having a good long break last year really made me appreciate the little things.