Kinetic IT’s PROTECT+ is sponsoring and presenting at Perth’s CyberWest Summit this May. In the event’s lead-up, the West Coast Cyber podcast is spotlighting industry leaders who will be presenting at the Summit. West Coast Cyber is the first cyber security industry podcast in Western Australia and their latest episode featured our very own Director of Security, Vannessa Van Beek.
At the Summit, Vannessa and her team of PROTECT+ cyber security experts will discuss the ethical and operational considerations for leaders in ransomware strikes. They will also present a water model showing how they detect cyber threats targeting critical infrastructure operational control systems.
Vannessa sat down with the West Coast Cyber hosts, Caitriona Forde, Fadzayi Chiwandire and Ben Aylett, to chat about her work in cyber security and the crossover between cyber security and psychology. They also talked about the changing cyber security landscape, what you should study to kickstart your career in cyber security, and why you should attend the CyberWest Summit – even if you’re not a technical professional.
Watch the full West Coast Cyber podcast episode or read the transcript below.
West Coast Cyber Podcast: S3E6 CyberWest Special – Vannessa Van Beek
West Coast Cyber podcast episode transcript
0:00-0:55 – Introduction
Voiceover: This is West Coast Cyber.
Caitriona: So welcome back. We have another special guest with us in the studio today. We have Vannessa from Kinetic IT. Welcome aboard, Vannessa. How are you?
Vannessa: Great. Lovely to be here.
Caitriona: Yeah thanks for joining us. So, Vannessa and Kinetic IT is also a sponsor of the CyberWest Summit that is coming up very soon. And we have Vannessa here today to tell us a little bit about Kinetic IT, what her role is and what she’ll be speaking about at the summit, I believe. So, Vannessa, tell us a little bit about yourself and what you do and a wee bit about your history.
0:55-2:46 – The crossover between cyber security and human psychology
Vannessa: Sure. I’m Director of Security at Kinetic IT. I look after security services that are provided from our brand PROTECT+. I’ve been in the role for a couple of years. My background and the role before this role was one in account management, relationship management, and sales management. I have a law degree, an MBA, and a certificate in organisational psychology. So, I come to this kind of background and this experience just you know, from that background, not particularly technical, though I’ve worked in IT for 20 years.
Ben: That’s awesome.
Caitriona: Yeah fantastic. Well, when I see on your bio, particularly the diploma in psychology, I was like oh that is such a neat skill in cyber security.
Caitriona: So, I’m sure that you put that to use quite a lot on your own.
Vannessa: Yeah, particularly managing people, getting the most out of teams, understanding our customers and what their needs are, listening well, but also understanding a bit more about the threat landscape and where threats come from and how they evolve and how they change and things like that. So yeah, really great skills.
Ben: That’s really cool. We do see a really interesting crossover between psychology and cyber security. So, like last season I think it was Oliver…
Caitriona: We had Oliver yes.
Ben: And it was just really, really fascinating to see how those two fields work together. It’s just fascinating.
Vannessa: Yeah, human behaviour is just so intriguing. It’s so unpredictable, in more ways than one. You know, like we think something as straightforward. We think it’s common sense. Often it isn’t. We think someone’s going to behave in a particular way and they don’t. You know, one of the fascinating things I study was consumer behaviour and marketing. And, you know, you just cannot predict what people are going to buy. Similarly, you can’t predict how people are going to respond to cyber events as well, so it’s interesting.
2:46-5:57 – How the cyber security landscape is changing
Ben: Yeah, it would be nice to get that sort of insight now and then when it comes to sort of building a product and trying to pitch it. Yeah. So, look, speaking of products, can you explain what PROTECT+ is?
Vannessa: PROTECT+ is Kinetic IT’s brand for cyber security. So, it sits within Kinetic IT. We have about 1,500 IT professionals in Kinetic IT. And in PROTECT+, we have the capabilities that address all of the different capabilities in cyber. So we have a threat intelligence team, a team that writes advisories based on what’s happening in the cyber landscape. We have a threat response team who will respond and contain incidents. We have security assurance and security awareness as well. So people who educate, people who are sure, who test environments to make sure that they’re resilient.
Ben: Yeah. Oh, very, very valuable.
Fadzayi: So, what is PROTECT+ noticing in security operations in our environment that we’re operating in now?
Vannessa: So, we run a 24/7 security operation. We’re noticing a real increase in incidents and we could map that to all of the breaches that were kind of going on last year, particularly a couple of things we noticed. We noticed with the Russia/Ukraine escalated action there we saw an increase in incidents. We also saw an increase in incidents around mid-part of last year where we saw a lot of the cyber crime gangs and ransomware as a service becoming more prevalent. And then towards the later part of last year, we noticed an increase as well just around, you know, just Australia starting to be a target. And not only organisations, but individuals and just the increase in activity that was happening generally.
So, one, significantly more incidents are coming through our security operations centre. We also noticed that the kinds of rules and the kinds of testing that we need to put in place to mature those environments is changing. So we’re always talking to customers about making sure that we’re taking in more of their data, that we’ve got the right rules to test and fire alarms and to make sure that we’ve got the right incident response processes in place so that when we have a situation that requires immediate action, we’ve got really, you know, great processes to engage, to resolve, to contain incidents as well.
So that’s some of the things that we’ve seen, yeah. And lots of customers asking how do we prepare ourself, how do we respond? What kinds of processes do we need to have in place? I noticed particularly about 18 months ago as organisations approached Christmas, just a real change where they said to us, our IT department are going to be away. How do we make sure our employees are safe? What happens if all of our team take leave? Who’s there to detect something? Who’s there to contain something? So even really small organisations are starting to think that, that our people might need to take leave. How do we protect those organisations?
Ben: Yeah, how do we cover that gap?
5:57-8:07 – The organisational response to the Security of Critical Infrastructure Act
Caitriona: It’s fantastic to see that change. And Vannessa, one of the streams of CyberWest is critical infrastructure. And I know it’s an area that you’re passionate about as well. So, with the Security of Critical Infrastructure Act, the SOCI Act, we do try to not have too many acronyms on this podcast. We have an acronym jar, so I would say I’m cautious. But what have you seen in the response from organisations around the SOCI Act?
Vannessa: Particularly we’ve noticed organisations now wanting to understand what their assets are and how do we protect and secure them. For many years we’ve done IT monitoring, more recently we’ve started doing OT monitoring, and we’re doing it for 18 water authorities actually over east. And that piece of work came about just at the same time as this new piece of legislation came in place where organisations now need to sort of really have things in place. So, we’re onboarding new customers, we’re helping them with their threat detection, threat response and also incident management for those services.
We also see a flow-on effect. So, it’s not just critical infrastructure. There’s other industries like Defence also included in that and more broadly, the supply chain. So many of us in business have relationships with organisations that are utilities or organisations that connect Defence. So, all of those organisations need to really increase their security posture as well. So, you sort of see a rising of the tides, a rising of awareness amongst organisations as they prepare and organisations actually helping each other with those checks and balances, like what is in place? Does it work? Can we test it? Things like that.
Caitriona: And I think that’s a very valid point, is that some people don’t really identify that they are part of that supply chain. And I think there’s a massive education piece still to be done around helping businesses understand that, yeah, they may fall under this legislation as well, even though they’re just not classified as critical infrastructure.
8:07-9:34 – Why every organisation – big or small – needs a cyber security strategy
Vannessa: Yeah, we did our first couple of pen [penetration] tests for organisations that were in the water sector, and initially they said, oh look we don’t think that you’ll find anything, right.
Ben: Famous last words.
Vannessa: And the test results really showed there was quite a lot of exposure. And perhaps that sometimes the best place to start is to start with a bit of an external look at environments, work out where there might be gaps and that can then help inform a strategy. So that’s been some of the, you know, the more interesting engagements where organisations say, oh we think we’re okay, but maybe we’ll start with a penetration test to see how someone would think about approaching our environment. What they would do, how they would act, and would they be able to get in and what would they be able to do if they got in?
Fadzayi: I mean, after all, we always find something in pen tests, it might be small, but I think the other issue that I have found when it comes to, especially company organisations that run critical infrastructure, they have a very primitive way of rating risk. So, it’s not critical until someone dies, you know, and I think that’s something that needs to change because, yeah, I mean, we had the digital aspect of our lives is actually an extension of our reality. And so, I think that is also something that I think really needs to be looked into and changed. Like, how are we rating our risks?
9:34-10:48 – Why Australia has been targeted so heavily by cyber attackers
Ben: Yeah. Alright well, changing gears a bit this year and also the tail end of last year, it’s pretty much been an epic time for breaches. What are your thoughts on this? I mean, what’s going on? What do we need to do?
Vannessa: Yeah, I think when the ACSC released their threat report last year and we saw for the first time that Credit Suisse report showing that the average wealth of Australians was really high. And for the first time I think we saw ourselves as being a target. Yeah, and cyber criminals knowing the value of, you know, Australians and actually targeting them through business email compromise and campaigns, individuals but also organisations.
So, I think that was the first thing, the wakeup call for me was actually really understanding some of the data in that report and then actually making sure that we help organisations prepare. And organisations might think they’re prepared, but unless they actually test the plan, it’s just a theory, right? So it’s a muscle, it has to be done regularly.
10:48-11:57 – How Australian culture influences our approach to cyber security
Vannessa: I think there’s something about the Australian culture. You know, we kind of oscillate between this kind of crisis mode and this mode that we’d rather be at the beach. And we would rather ignore it right? So, somewhere between the two, I think we were on high alert last year. We awoke from our slumber, but then we wanted to have Christmas. We want to have a barbecue and we wanted someone else to take care of it.
Caitriona: And it’s summer!
Vannessa: Yeah it’s summer! And we wanted things to be okay again until March. And it didn’t settle down.
Ben: No. Yeah and this is something we’ve talked about in the past. I mean, just this Australian culture, this mindset of she’ll be right, you know, won’t happen to me. It’s someone else’s problem. And yeah, the chickens are coming home to roost.
Vannessa: Yeah, yeah.
Caitriona: I remember when I came to Perth for the very first time nearly 12 years ago and I find it a much slower pace than what I was used to back in the UK. And I remember saying to somebody, especially because I came with a very strong IT background and back in the UK, I’d seen a lot of virtualisation and it was relatively new here. And I remember somebody said to me, you’ve come to WA, you wait a while for everything.
Ben: So true.
Fadzayi: Yeah, wait a while.
11:57-13:50 – How does Kinetic IT hire cyber security professionals and help fill the cyber security talent shortage?
Fadzayi: Yeah, so there has been a huge surge in cyber crimes, including things like ransomware, fraud, you know, data theft, the stuff that we’ve been experiencing within the past six months or so. And this is going to probably leave around about 30,000 cyber professionals short over the next four years or so. What is PROTECT+ doing to graft and grow talent to fill in the gaps that we are about to experience?
Vannessa: Yeah, that’s exactly what we’re doing, is we are grafting and growing. So Kinetic IT is a large organisation with a lot of IT professionals and a lot of people start their career in service desk. In their first 12 months we will put people into service desk, will train them in ITIL, and ITIL is really great because it teaches people how to handle a case, how to do problem management, change management and all of those sorts of things that are really important for managing incidents.
So, we draw our team for PROTECT+ from within the organisation. So, we advertise our roles internally. We often find people on service desk and they have cyber security qualifications, certifications and interest and so when we identify people who’ve got that really great customer service, teamwork, communication skills and they’re interested in cyber, we then bring them in to our security operations. We train them for about six weeks in the tools and the technology and the processes, and then they join our 24/7 roster.
So that’s one way that we are bringing in, sourcing, and growing our own talent. We also take a lot of mid-career professionals and graft them, people like myself who are mid-career, who’ve got really great skills, who can lead teams, who can manage projects, who can, you know, write a proposal and who can articulate things well. We’re putting those people also into roles in cyber as well. So, there are a couple of things that we’re doing.
Ben: Oh, that’s awesome.
13:50-15:37 – How to kickstart your career in cyber security
Caitriona: I really love that. I was listening to another podcast actually today when I was out for a walk. I have to listen to other ones, Ben, it’s okay, I’m not cheating on us. But that was a discussion that they had is for a CISO and you know, with non-technical background, should they go back and spend some time on the service desk to get an understanding of the grassroots of IT and help them with it, and I thought it was great.
Caitriona: I’ve come from a technical background, and I think that’s what’s helped me, even now I am in that human element of cyber. But I do think what Kinetic is doing with giving them that experience on the service desk is very valuable for any IT professional, no matter if you want to go into senior management, you want to go into what I’m doing, security awareness. I think having a small bit of experience in that technical side definitely goes a long way.
Ben: I think this is a really important message as well for the students out there studying cyber security. You know, be prepared to get on the service desk and just sort of deal with that front line support to get that sort of experience and that empathy for the people you’re trying to help. Because that really gives a good grasp of the context around the whole problem.
Vannessa: Yeah. Being able to troubleshoot, being able to understand networks and Active Directory and listen and really double click on things to investigate things. They’re really important. So we say to people early in their career, build broad skills, get that broad IT background and then choose some deep skills, T-shaped skills, choose something you’re really passionate about and dive into that and get some certifications in that. But start first broad and that will always help you, right? Network skills are so valuable in cyber, understanding how networks work, how IP networks work particularly is really critical.
15:37-18:18 – Why should you attend the CyberWest Summit, even if you’re not a technical professional?
Caitriona: I think that’s very sound advice, Vannessa, for any student that’s thinking about trying to get into cyber, no matter what age you are, you don’t have to be just leaving high school. You can be at any age and decide to pivot into cyber. To round up the episode, Vannessa, just this you know, obviously the purpose of this podcast is promoting the CyberWest summit, and the goal of the summit is to bring non-IT professionals to the summit to learn more about cyber. What could you say to attract people to come along to the summit, that’s maybe sitting on the fence thinking that it’s a cyber technical summit, when it’s not. How would you say, especially with your presentation, that you’re going to be giving?
Vannessa: Yeah so I always learn when I go to a conference, I learn because I meet people, I learn because I attend talks. I always come away with more knowledge than when I stepped in. So, this is a great opportunity to kind of really demystify what is cyber. We’re going to partner with Edith Cowan University and actually build a model of an environment that is like a water utility. And we’re actually going to try and show what a threat looks like, how it comes through, how it displays, and then how we might stop it. Just to give some examples of, you know, how valves might flow and how they might stop and how they might overflow and how that might look like in real life.
Caitriona: Oh wow.
Vannessa: Yeah, we also want to kind of do some work around incident management and response and what are some practical things that people can put into their communication strategies. So those first few communications say just the right amount of information that holds the trust between their stakeholders, their customers, and keeps the media happy. So, there’s some really practical tips that all of us can sharpen the saw and learn. And it’s not for cyber professionals, it’s more for people in small business, in local government, who are making decisions day to day. Like we all have families who are all asking us questions. My young teenagers are asking me questions. My mum is asking me questions.
Vannessa: So we can all learn something. And as a community, the stronger all of us get individually, the stronger we are to defend against those attacks coming in Australia.
Ben: Perfect. Well, look, thanks very much for coming on and joining us. And if anyone wants to find out more about Kinetic IT or PROTECT+, where can they go?
Vannessa: To start with the web page, the landing page is Kinetic IT. Also have a look at the PROTECT+ website that will show our capabilities, the sort of customers we work with. It’s got some case studies and some stories in there. So start there.
Ben: Fantastic. All right, thanks very much.
Vannessa: Super, thanks.
Caitriona: Thanks, Vannessa.
Fadzayi: Thank you.
Thank you to the West Coast Cyber podcast for featuring Kinetic IT’s Vannessa Van Beek. You can head to the PROTECT+ page on the Kinetic IT website to find out more about our cyber security services.