The changing profile of Women in Security: An Interview

An Interview with Lead Security Consultant, Jacqui Loustau

Meet Jacqui, Founder of AWSN (Australian Women for Security Network). This incredibly busy Security Lead and mother of two toddlers gave me a half an hour of her time to talk about AWSN, how being a mother has changed her life and career, and her unrelenting passion for security!

What is the mission of AWSN?

AWSN’s mission to network and connect women in security across Australia and abroad.

We have also connected up with WISECRA (Women in SECurity and Resilience Alliance) to build a more mature network. WISECRA is an international organisation of different women in security groups from 22 different countries. Some of the successes of AWSN include:

Sharing and Collaborating on security topics and ‘women in IT security’ subjects. Writing for books, journals and presenting at conferences. We have already completed a book project where 4 AWSN members have submitted content for an international Elsevier book on ‘Women in Security Profession’ which should be released later this year.

Mentoring women who are just starting within the industry and would like advice, guidance and support. Majority of members who attended the 3 Melbourne events are very keen to be either a mentor / mentoree both locally and internationally.

Campaigning for more women to be interested in pursuing a role in security. We plan to speak at universities, schools, write articles to generate more awareness of this field. To try and make more girls aware that a career in security can be interesting and rewarding.

Inspiring – we all need role models whose behaviour can emulate. We are in the process of creating a blog of different careers one can pursue and write truthfully what one can expect. We are also wanting to encourage those who are in industry to stay within the industry when they graduate and also after they start having a family, as this is when we lose many of the small number of women who are in security!

Informing and Blogging – We send out a quarterly newsletter to all members who sign up to our distribution list outlining what we have done so far and future events. We have already sent out our first Spring edition to members who have registered.

Tell us a bit about what you have worked on in the Security Field

I have now worked across Europe and Australia within most of the domains of security (Risk Assessment, ISO27001 assessments, Audit, implementation of IPS, IAM consulting, data security assessments, Security architecture, physical security design etc). She has provided consulting services to various high profile organisations within the Media, UK Government, European Commission, Energy, Financial and Telecommunications sectors.

I presented at the Information Security Forum (ISF) on ‘data protection, data correlation and data crime across borders in Washington. I have written several white papers on various topics of security.

Given that you specialize now in Identity and Access Management, would be interesting to hear from you what the biggest challenge surrounding a more successful Identity and Access Management is?

Identity and access management is a popular remediation solution to mitigate issues relating to unauthorised access. The concept is great. One identity for every person (employees, contractors, external third parties, joint ventures etc) needing access. When someone joins, they get an identity which will follow them throughout their working life in that organisation. They ask for access, change access and get access revoked through one central system. Sounds good right? Not always so easy to implement. Quite a challenge!

The 3 things I see as critical to a successful IAM implementation are:

  1. Business process analysis and business buy in.

    Although seen as a risk mitigating solution, IAM can also be seen as a huge risk to large enterprises when implemented too quickly. Often organisations have difficulty knowing where to place a programme of this size or who should own it. As IAM touches all parts of the organisation, and every user, it's political and can get quite messy. Frequently it's through an IAM implementation when organisations realise how processes are broken. IAM programmes then end up trying to fix fundamental on-boarding, access request and off boarding processes. They attempt to identify ownership of processes and assets which are critical dependencies to a successful IAM integration into an organisation.

    Therefore having good business analysts, knowing the as-is and to-be processes and finding owners to accept and own these new processes is important from the beginning.
  2. Starting with a reliable 'source of truth'. If you don't try and remove and clean non authorised users before putting them in the 'source of truth' which should show the true status and access roles of a user, then the source of truth gets littered with information that cannot be 'trusted'. You then lose the confidence of the people wanting to use it. Therefore it is vital to clean the user data beforehand. It is always put in the too hard bucket to deal with later, however organisations soon find it even messier to deal with this dirty data after.
  3. Change management and targeted early communications. Engaging and communicating with the business and relevant supporting teams throughout the programme. Providing sufficient training resources so everyone know what to do is important. Otherwise they won't be able to know what to do and the programme will be in a continuous state of fire fighting.

IAM implementations are always challenging but when up and running, it dramatically improves:

  • onboarding experience of all staff when they first join
  • increases productivity as user can gain access quicker and through one self service portal
  • improves security, as users are off-boarded and access removed when not required
  • keeps auditors happy, as organisations can provide compliance reports showing a positive status for access management.

Therefore for all these reasons, the challenges of IAM are welcomed and are worth it.

You returned back to the workplace two weeks ago from maternity leave and are now working part time for a new employer. That is quite an accomplishment finding a new job as a part time employee!

Yes I did. Basically I got in touch with someone I had worked with in the past and he recommended I join him! He said, “…we have really flexible hours, you can work at home, you can start with as many days as you want and ramp up…”. There are also many other women (and men) working part time at this large Australian bank. So it is family oriented for men as well as for women. The company also has a massive diversity program which was elaborated on during the recruitment program and the company invests in people.

How have you organized child care in order to work? And how hard was that?

It is hard, we could not initially find a solution. The hours of school do not fit the hours of working. One of us has to be at work at 10 and one of us has to be home at 3. So we are in the process of getting a live-in nanny (“au-pair”).

How has becoming a mother and working part time impacted your career?

I did work part time between my two kids: in Paris. It is harder if not impossible to have a managerial position in a part time role. At that time my employer was not so encouraging of my situation. Working part time and taking maternity leave has definitely had an impact on my career. That is also because you cannot work long hours, however, it is my choice and that of a lot of other women as well. I used to work like a maniac, long hours, and now at the end of the day I want to go home to see my kids.

What are your actually your career goals? Let us assume the family is taken care of, what would you ideally like to achieve?

I would definitely like to be the manager of a good sized team. Preferably on a topic similar to what I am doing today. It would have to be in security (we both giggle)! It is such an interesting area and there is so much more to do!

Assume you have become a manager of a good sized team, how would you do things differently compared to your previous employers?

I would ensure we have better communication within the team, support the career aspirations of my team members, not only asking them about their career goals, but helping them achieve it! Also I would ensure they get ample training, and I would believe in my team members so they are encouraged and get an opportunity to get out of their comfort zone so they truly learn and enrich their lives.