“Can you see my unicorn horn?” Accenture’s ANZ Security Director, Jacqui Kernot, talks about the people solution to solving the cyber security crisis.
- Women in cyber tech are a rarity but often have the most valuable insights
- Often cyber crime is seen as a failure of a technology platform, but that’s not usually the case
- Diversity in tech is not just the right thing to do, it makes for better cyber risk management
With cyber security breaches and misuse of customers’ personal data becoming increasingly common, Accenture Security Director ANZ Jacqui Kernot says companies should look at understanding their existing assets and workplace culture before investing in unnecessary platforms to fix the problem.
First and foremost, “cybercrime is a people problem, not a technology problem”, Kernot says. To understand the risks, cyber security must be owned by the entire business, not just the technology department.
Kernot, who came into the cyber world from a background in military and intelligence, learned a lot about being “the only woman in the room” in cyber meetings. Having spent her career in two very male-dominated sectors, Kernot says she has learned a lot about the value women bring to the board table – especially in tech.
“Can you see my unicorn horn? In all seriousness – if you want to know how a team is going, ask the women.” – Jacqui Kernot, Accenture ANZ Security Director
Kernot now has a mission to bring more women in tech into her team of around 150 people, plus cyber capabilities throughout the company. She says that greater diversity in cyber is crucial to properly mitigating cyber risks.
So far, Kernot has made some impressive senior female IT appointments, including the appointment of former Australian and NZ head of IBM’s cyber risk team, Anu Kukar, as Accenture Head of Cyber Risk. “Actually, we only have one man in our leadership team, so we are working from the top down!”
“You look in retrospect at your career, and you think, ‘I would never let that happen to a woman in my team these days.’ But in the Mad Men days of technology – the early 90s through the noughties – you just accepted things that were actually quite unacceptable.
“Around two years into my job, I walked into a room, and there was another woman in there. I almost walked out. I was confused and said, ‘I must have the wrong room, sorry’, and she said ‘no, are you here for the authentication meeting?’ and I said, ‘yes’. There just weren’t any other women.”
Diversity in the workplace is changing for the good now, Kernot says; however, it has been a slow process.
The 2020 STEM Workforce Report commissioned by Australia’s then-Chief Scientist, Dr Alan Finkel, found that women accounted for just 29% of university-educated professionals working across the science, technology, engineering and mathematics fields. In Australia, that estimate for women in cyber technology specifically is even lower. According to RMIT and the Australian Women in Security Network, women in cyber hold between 11% and 24% of jobs in the sector.
Attracting more women to cyber security isn’t just about being inclusive; it makes good business sense, Kernot says. But it’s up to companies to attract the top talent by creating inclusive, “safe, comfortable working environments for them”.
“I’m thankful that I have had all the difficult experiences; I’ve learned the hard way about ‘what not to do’.
“When you’ve had to work in male-dominated industries, the idea now that as a leader, I can build diverse teams with awesome women in them and have other people see that as their daily working experience – I have this delight that I can do that.”
It’s the people, not the technology
To fully address the cyber threat facing companies, three points need to be addressed, Kernot says. Firstly, companies must examine organisational culture and break down the silos, so cyber security is owned by the business, not just the tech team; secondly, optimum processes and tight governance must be in place; and thirdly, cyber security leaders must gain visibility into all aspects of the supply chain. “If you can’t see it, you can’t protect it”.
Kernot says all the company boards she speaks to have one thing in common – they’re concerned about the future regarding cyber security.
“It doesn’t matter how much you spend; if you can’t get separate business units or projects to use it, it’s a problem,” Kernot says.
In a previous role with a former company, Kernot said a board director at an ASX20 company told her: “I think that when we move to the cyber platform from this version to that version, we should be much better than this.” She said instead of trying to understand the micro-details of different versions of software platforms, boards need to look closer at why teams aren’t properly using the security assets available to them.
“I just thought you are the board director of something with a billion-dollar-plus market cap on the ASX20 – what are you doing understanding the platform version of an access management system?” she said.
Another large client was found to use the same security software product the Australian military uses to find international terrorists. Kernot knew the product because she had used it in her previous military career. “It’s designed to do connection maps and work out how a person is connected to others – it’s for people hunting.
“The logical thing to do would have been to go and talk to the other business units and ask them what infrastructure they had – that would have been sufficient. Instead, they’re using this system that’s meant to be used with terrorists to understand their own network infrastructure,” Kernot says.
“These people are not terrorists, they’re your employees, and they should be able to tell you what assets they have.”