#4 - Women in Cybersecurity - Neha Malhotra
“With the kind of security breaches and attacks that we are witnessing in this era, it becomes of prior importance that we prioritize security at the top.”
In this episode, I am joined by Neha Malhotra, who has recently been awarded one of the Top 20 Women in Cybersecurity in Singapore 2020. Neha is deeply passionate about cybersecurity and has extensive experience in driving initiatives across multiple cybersecurity domains. She is also very active in the cybersecurity community groups and kindly volunteers her time to promote cybersecurity awareness to more people and also to champion women in cybersecurity and technology.
Listen out for:
- How Neha won the Top 20 Women in Cybersecurity in Singapore 2020 - [00:03:03]
- Some important security practices for one and all in the current digital world - [00:07:23]
- Why Neha is interested in cybersecurity - [00:10:45]
- How one can transition into cybersecurity - [00:15:16]
- Why Neha is active in doing community contribution and volunteering - [00:21:01]
- Neha’s message for women in technology - [00:23:08]
- Discussion on security trade-off, social media, and fake news - [00:31:27]
- Neha’s 3 Tech Lead Wisdom - [00:37:21]
_____
Neha Malhotra’s Bio
Neha Malhotra is a passionate information & cyber security enthusiast, and she has recently been recognized as one of the Top 20 Women in Cybersecurity in Singapore.
She works as a Cybersecurity Program Manager and volunteers to serve as a Communications Director on the Exco board of (ISC)² Singapore chapter, and is actively involved with the Singapore community across initiatives driven by Cybersecurity Agency of Singapore, (ISC)², WoSec Singapore, AISP (Association of Information Security Professionals), Division Zero, Cyber Risk Meetups, Google Developers Space. She was on the Judges Panel for The CyberSecurity Awards (TCA) 2019.
Neha holds CISSP, CISM, PMP certifications and is currently researching cloud, container security, blockchain security and IoT security.
Follow Neha:
- LinkedIn – https://www.linkedin.com/in/nehamalhotrapm/
Mentions & Links:
- Top 20 Women In Cybersecurity in Singapore 2020 – https://www.asiapacificsecuritymagazine.com/top-20-women-in-cyber-security-in-singapore/
- Women of Security – https://www.meetup.com/WoSEC-Singapore-Women-of-Security/
- Cyber Security Agency of Singapore – https://www.csa.gov.sg/
- Go Safe Online – https://www.csa.gov.sg/gosafeonline
- Association of Information Security Professionals – https://www.aisp.sg/
- (ISC)² – https://www.isc2.org/
- ISACA – https://www.isaca.org/
- Cyber Risk Meetup – https://www.cyberriskmeetup.com/
- Div0 – https://www.div0.sg/
- Lean In – https://leanin.org/
- SG Women In Technology – https://www.sgwomenintech.sg/
- SheLeadsTech – https://oneintech.org/
- Girls in Tech – https://girlsintech.org/
- SG Cyber Women X 2020 – https://go.gov.sg/sgcyberwomenx0920
- Google Developers Space – https://sites.google.com/view/devspace-sg
- OWASP Top 10 – https://owasp.org/www-project-top-ten/
- OWASP Cheat Sheets – https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html
- Technical Information Security Officer – https://fortytwo.nl/three-types-ciso/
- CISSP – https://www.isc2.org/Certifications/CISSP
- National Institute of Standards and Technologies – https://www.nist.gov/
- NIST Cybersecurity Framework – https://www.nist.gov/cyberframework
- Center for Internet Security – https://www.cisecurity.org/
- CIS 20 – https://www.cisecurity.org/controls/cis-controls-list/
- Monetary Authority of Singapore – https://www.mas.gov.sg/
- MAS TRM – https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines
- Have I Been Pwned? – https://haveibeenpwned.com/
- edX – https://www.edx.org/
- Udemy – https://www.udemy.com/
- O’Reilly – https://learning.oreilly.com/home/
- Cybrary – https://www.cybrary.it/
- SANS – https://www.sans.org/security-resources/
- Sans Cyber Aces – https://www.cyberaces.org/
- Threatpost – https://threatpost.com/
- Hackernews – https://news.ycombinator.com/
- Cybersecurity Career Talks – https://www.youtube.com/channel/UCDu84xq4xEV70zoj8DKYM9Q
- RSA Conference APJ – https://www.rsaconference.com/apj
- Blackhat – https://www.blackhat.com/
- WannaCry – https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
- FactCheck.org – https://www.factcheck.org/
- EC-Council – https://blog.eccouncil.org/cyber-research/
- Threat Modelling – https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
- SIEM – https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
- National Vulnerability Database – https://nvd.nist.gov/
On Top 20 Women in Cybersecurity in Singapore 2020
- The winners of this award represent 2020 role models who have made significant contributions, advance the industry and shape the path for future generations of professionals among other vital contributions.
- How I have paved my way into cybersecurity was by self-learning and made the most of whatever opportunities I got and also my involvement with the community.
On Importance of Cybersecurity
- With every new technology, there comes some benefit. It also has some security challenges, and tech innovations are going to happen all the time. There will always be an associated security challenge to be tackled.
- Every technology brings in some kind of digital risk.
- There’s so much to do within security. There’s the myth that security’s all about hacking, but it is not.
- With the kind of security breaches and attacks that we are witnessing in this era, it becomes of prior importance that we prioritize security at the top.
- Consequences of not following security best practices or security hygiene are way higher than some inconvenience that we have to go through.
- How much value your data entails and then compare it to the kind of small price that you’re paying for it. Once that kind of mindset shift happens, it doesn’t really seem like a point of inconvenience anymore.
On Learning
- Get to know the larger business purpose, to focus on what is the value that your applications are providing to the business.
- If you have a learning appetite, no one can stop one to get to where they want to be.
- There’s no end to learning, there’s just an attitude that is required. And the drive.
- One has to just figure out which area is of interest, and then build up on that with all the valuable learning resources.
On Community Contribution
- We just do our day job and if that is all we are doing, I think it’s a real big gap in there. There has to be something out of your day job that you must be actively involved in, that keeps you active, that keeps you humane, that keeps you very grounded.
On Women in Cybersecurity and Tech
- They should not just believe stereotypes, when people say that technology is all about coding or cybersecurity is all about hacking.
- On the confidence part, they have to be more participative and more involved with the community.
- No one out there is perfect, and we’re all learning.
- If you do not know it all to begin with, just leverage on what you are really good at and find your strengths and speak out for yourself.
- I think we all face challenges, but the key is to keep believing in yourself and, do not look at if at all there’s any criticism that comes across, you just move beyond it, move beyond self-doubt and perfectionism, because we all make mistakes. The point is just to keep improving.
- Take charge, do not hold back, is what my advice would be for all women out there.
- Build a network around with people who work in the area that you are interested in and just follow their posts.
On Social Media and Fake News
- The information we are sharing out there is a lot more than we should ideally be doing so.
- Always check the source and examine the evidences before you believe anything.
Neha’s 3 Tech Lead Wisdom
- Whenever we have any innovation that one tends to share with the community. It should make some business sense.
  - Every technical implementation has to make business sense, even in cybersecurity for instance is to keep businesses secure and uninterrupted.
- Having the right communication skills.
  - How to translate the strategy from your business into how it should work or look in terms of technology is something that has to be very clearly specified and well-communicated.
- Keep questioning the architectural goals.
Episode Introduction [00:00:46]
Henry Suryawirawan: Hello everyone. Welcome to a new episode of the Tech Lead Journal with me your host Henry Suryawirawan. Before we start today’s episode, if you would like to get notified for a new episode on your email inbox, you can now have it by subscribing to the Tech Lead Journal mailing lists. You can go to the techleadjournal.dev website and submit your email address. By being a subscriber, you also won’t miss any important news and updates from me, including potential giveaway contest in the upcoming week.
Also, if you are enjoying and benefiting from this podcast so much, consider becoming a patron of the Tech Lead Journal by visiting the techleadjournal.dev/patron. It is P A T R O N. I will sincerely appreciate your support so much. And your valuable support will help me to make the production of the upcoming episodes more sustainable and frequent. As a patron, you’ll also get exclusive access to patron-only contents, including direct personal access to me. So please pledge your support at techleadjournal.dev/patron.
So in this episode, I have the pleasure to have a conversation with Neha Malhotra. Neha just recently won the Top 20 Women in Cybersecurity in Singapore for 2020, which is an amazing accomplishment.
I saw her LinkedIn posts about her winning the award, and I decided to personally invite her to join me for this episode to share with us her journey for winning the award, and also importantly, to educate us on cybersecurity, including some of the resources where we can learn more about it further. Neha is also very active in the community and volunteering. And she’s passionate about championing women to thrive in cybersecurity and technology. It is very inspiring to hear what she has done. And I hope all of you can get inspired by her as well. So let’s jump right into the episode.
Introduction [00:02:45]
Henry Suryawirawan: Welcome to the Tech Lead Journal, Neha!
Neha Malhotra: [00:02:47] Thank you so much, Henry. I’m pleased to be here. Really thrilled.
Henry Suryawirawan: [00:02:51] I saw a LinkedIn post recently, in which that I saw you just recently won the Top 20 Women in Cybersecurity in Singapore for 2020. Congratulations for that!
Neha Malhotra: [00:03:02] Thank you so much.
Top 20 Women in Cybersecurity [00:03:03]
Henry Suryawirawan: [00:03:03] It seems like a major award. So can you probably share with the audience here? What is the award all about? What’s the background and then how did you actually win the award?
Neha Malhotra: [00:03:13] Sure, I think that’s a very pleasant recognition and I feel very honored to have made it to the list of Top 20 Women in Cybersecurity in Singapore. About the award, just to quote, the winners of this award represent 2020 role models who have made significant contributions, advance the industry and shape the path for future generations of professionals among other vital contributions.
I think to the second part, what really helped me to get to this level and be recognized is my overall career journey, how I have paved my way into cybersecurity by self-learning and have made the most of whatever opportunities I got and also my involvement with the community. So I have this drive to better myself and always be on the quest to keep learning together with taking measured actions and, whether it was changing roles or to move up to learn cybersecurity to get to the level I could be trusted, to drive cybersecurity initiatives and programs with big banks, like BNP Paribas, Deutsche Bank and now Credit Suisse. So I think it’s very important to take charge. I worked on driving implementation of various cybersecurity initiatives, controls and processes with the firms that I just mentioned about. I’ve worked closely with audit, governance, risk and compliance as well, and have worked on several regulatory remediations, and, including MAS regulators that usually we deal with. And I’ve worked on using security frameworks as well as updating policies and standards. So over the years, in addition to application security, I got a great opportunity to work within Identity & Access Management, on privileged access management. And as part of my program manager role, I’ve worked also with different jobs. I got opportunities to work on driving encryption for data at rest, data in transit, then with logging and detection using Security Information and Event Management tools, I did some real time analysis on security alerts generated by applications and network hardware. So I worked within various kind of domains, including vulnerability management, network security, and to drive in various implementations of security tools, processes and controls.
And then about my various community activities, I really love volunteering. So I’ve been doing volunteering since several years in various forms, but specific to cybersecurity, for instance, I have been volunteering with a lot of communities within Singapore, including Cybersecurity Agency of Singapore. So last year they had a campaign called Go Safe Online. I was a cyber champion for the same, and the purpose was to raise cyber awareness and bring it to the ground to all the people, because at times we’re living in each individual across all age group need to have that basic cyber hygiene knowledge and should know the basics. For instance, about email and web browser protection, using antivirus, importance of two factor authentication, and setting the right kind of passwords, and recognizing phishing emails, not to fall prey to scams and you know, so on and so forth. So very basic for each individual that uses internet.
Also I try to get involved with the community like Association of Information Security Professionals, and I also volunteer with (ISC)² Singapore chapter as a communications director on their ExCo. So that’s the governing body for cybersecurity training and certifications. And I even brought security to Google Developers Space inaugural event that was focused on fostering a speaker culture amongst women. So the objective of my two minute speaker pitch was completely focused on application securities, since their audience was mostly from development background. So I thought, why not? And I’m a part of events from Women in Security in Singapore.
So, yeah, I’m trying to do my best learn and share as much as possible, in and out of my day job, just focusing on good work, irrespective of any expectations, but it feels great when the efforts get recognized.
Henry Suryawirawan: [00:07:15] Wow hearing what you’re sharing, so, so many contributions you have done the community and it’s really well-deserved I would say.
Important Security Practices [00:07:23]
Henry Suryawirawan: So I have few things from the things that you shared. The first one is about the Go Safe Online campaign, right, where you teach people about cybersecurity, cyber awareness. We all know due to this pandemic, I think the digital adoption somehow gets accelerated, and I think it’s very important for all of us to be more aware about cybersecurity. Can you share with us some of the tips or maybe some of the things that you normally share for people, especially those who are not really much aware of cybersecurity. What needs to be focused on or what needs to be implemented for them to be secure in their digital work life these days?
Neha Malhotra: [00:07:58] Yeah, definitely. That’s a great question. So as part of, for instance, the awareness campaign that we did, it was for everyone, those people who do not know technology, those from various backgrounds or those even who are retired, but they have to use, online banking, they have an email where they do receive emails or they do have a phone where they receive phone calls. Nowadays, phishing is not just limited to emails as we know. So just to have that awareness created, so what we did was, you know, have had games for all of those important things so that people can really get involved into and get to know what we are trying to convey. So for instance, we had games where in there were emails for them to recognize which one is a phishing email and what are the kinds of various factors that we can look into an email, for instance, who is the sender? Is there any urgency that it is implying upon? Is there a link? Is it asking you your bank details? Is this person whoever is decepting you trying to give you a free award or reward? So all of these factors, we try to bring in in the form of a game, and that was really a good eye opener for the masses, I would say.
Similar to that, as you mentioned, we all use phones so having a good secure application to detect any malwares and not to click on any links that we do not know about, checking each and every email ID where it is coming from, just the basic things at least to have an antivirus installed in your home computers. Having right kind of passwords. So people usually have smaller length passwords, but they think that if they make it complicated, it is difficult to break, but we have so many easy ways that can be used these days to have the passwords hacked within seconds or milliseconds. There are brute force attack or dictionary attacks, so there are so many other kind of password attacks. The only factor that helps with the passwords is the length. The length of the password has to be a 12 or 13 character long at least, and obviously a mix of characters and special characters and so on.
So all of these, I think are the basic things that every individual should know about, not to use the same password for different accounts. Also never to use public wifi to login to bank accounts, always having backups of our hard disk or whatever data that is important to us. And then being vigilant on recognizing fake sites, you know, especially banking sites. Being aware of and recognizing HTTP, HTTPS the difference between those and not to click the link that comes from unknown sources and hover over the link to see what it is, you know, is it really what it claims to be?
So these are some of the important things for people who are not really aware of cybersecurity, but they must take care of.
On Why Cybersecurity [00:10:45]
Henry Suryawirawan: [00:10:45] Yeah, thanks for sharing. Hearing what you’re saying, it seems like you have dealt a lot with cybersecurity, throughout your career, maybe in your personal life even. So can you share with me what makes you interested in cybersecurity?
Neha Malhotra: [00:10:58] Yeah, sure. I think while I like to manage projects or programmes, working within cybersecurity industry is so exciting and a total game changer. We’re living in the times of digital transformation and more so in COVID times where everyone is now moving on to a digital platform. And while with every new technology there comes some benefit, it also has some security challenges and tech innovations are going to happen all the time. There will always be an associated security challenge to be tackled. So there is a no dull moment here, and that is what makes me so interested into cybersecurity.
I think my ingrained inquisitive and risk based approach in life in general, that is completely aligned with the cyber security challenges. It’s such a diverse field and there’s something for everyone to contribute to. It’s become so important today and it’s so evolving and there’s continuous changes and challenges and it’s become one of the things of very, very prime importance for all the businesses alike, right. I mean not just bigger banks or bigger organizations, even SMEs are getting affected so much with data breaches and so on that we look at in news every other day.
So a lot of action will happen in the next 10, 20, 30 years also. And I’m very blessed to be a part of this industry where we get to solve challenges posed by individuals. And also, I think I love to learn about emerging technologies. Every technology as I mentioned, it brings in some kind of digital risk and you name it and you have it. I have a security word attached to it these days. Right. You know, cloud security, container security, you talk of blockchain security or IOT ecosystem security. And so it’s kind of a field which keeps us always so excited with learning every new things every day. And, how to implement those, you know, in, into protecting, identifying, or detecting or even responding and recovering from the cyber attacks or the vulnerabilities that threaten the confidentiality or integrity or availability of the business or client data or triggers any misuse. So it’s really of prime importance more than ever before. And I guess I’m totally fascinated by this field altogether.
Henry Suryawirawan: [00:13:10] So many different fields, is there a point like where did you start initially? Which area that you start with in the beginning?
Neha Malhotra: [00:13:17] Oh, yeah. So quick flashback on my 15 years of career journey. I was a science student and I was very good in mathematics and I found coding pretty easy and scoring in my school. So I went on to complete my engineering degree in computer technology. And my first job in India was of a software developer. I transitioned between various technologies and jobs in the initial few years. And, gradually I took responsibilities more into business analysis and IT project management, because that gives us a holistic view of the business. So that’s something that I really liked doing. Finally, when I found myself within the identity and access management domain of information security, that was the time I realized I finally found the purpose and direction to my career.
Within the engineering team earlier, and even before I worked within security teams for security projects, I was in a way working on applications with focus on security as a developer as well. Like I was aware of many of the controls from OWASP top 10, like the Open Web Application Security Project and other aspects of secure configurations, etc.
I was also working like on remediations from time to time, like we had some initiative to remove all hard-coded passwords, very, very long back. And I knew the importance of backups, replicas and effective change management practices. And I used to work like to provide evidence to internal, external audit teams and working on regulatory compliance requirements from MAS or so on. And even within my role, with the identity and access management role that I had, I was TISO delegate. TISO is like Technical Information Security Officer. So for those applications, I was working on risk assessments and regulatory requirements and so on.
And gradually as I moved roles and jobs, I got opportunity to manage various cyber security projects. And then of course I accelerated my learning into this field and did some relevant certifications and the learning remains the way of life, especially in this industry.
Transitioning to Cybersecurity [00:15:16]
Henry Suryawirawan: [00:15:16] Yeah, the last point here, for those of listeners who are thinking of switching as well, like from engineering, you know, software development into other areas, specifically security, is there any tips for them that you can share? How did you do that?
Neha Malhotra: [00:15:29] I would say that, yes, I understand that sometimes when we are within the engineering, we are too focused just into the design architecture or development of applications, right. And, what I would suggest is to get to know the larger business purpose, to focus on what is the value that your applications are providing to the business. So for me, it’s so happened that when I moved on to BA role, even when I was within the engineering role, I was quite focused on security. But actually, if you want to make a transition, you can maybe try to get into a BA role, business analyst role, or a project manager role wherein you’d interact more with the business, more with the stakeholders and the internal auditors, and you are working on to get broader insights about the breadth and depth of some domain. And if you happen to be fortunate to be in an information security domain, I would definitely say you must leverage on it and if you are not into a cybersecurity domain, then definitely there are other ways. If you have a learning appetite, no one can stop one get to where they want to be.
There’s so much to do within security. There’s the myth that security’s all about hacking, but it is not, believe me. There is an entire area of security policies, governance, risk, and compliance, which is where we usually start with developing the frameworks, and so on. And then we have identity and access management, which is also crucial to cloud security, for instance. And then we have application security. People who are developers, who are working within applications should try to find out are there any vulnerabilities within the applications they are designing or developing. So there’s threat modeling that they can start with. I did a course in threat modeling last year, which was really insightful. There is a huge amount of data security, and prevention of breaches as well these days that is in huge demand. So if you are for instance into analytics, you can also work into security. There’s a huge demand of data scientists, because we have like huge events and data, you know, millions of events processed by organizations every day. So the data scientists, automation experts are in huge demand as well. And then there is like, other areas like the security awareness trainings, which are so important and also a part of driving campaigns against phishing and so on. So that is again, one area that someone can explore. If you are good into coding and you’re very good in problem solving, you can go into malware protection or analysis of malware. And then there is a huge domain called cryptography where we learn how do we protect our data by encryption, and so on so forth. I mean, there’s digital forensics, there’s cybersecurity, security operations, there’s so much for everyone to do in there. There’s threat hunting, a lot of things into authentication and risk management.
So you have to find what you’re good at and then leverage on it, build up from there, identify the gaps, read, or, you know, train on those, get into some online trainings, participate in networking events, the events that we have for awareness for cybersecurity. We also have a lot of technical workshops that are free, that you can attend within Singapore community. So there’s no end to learning, there’s just an attitude that is required, and the drive.
Henry Suryawirawan: [00:18:45] Right. Right. There are so many things we need to learn. Are there any favorite resources or maybe top people that you follow from the industry where you get the knowledge about the latest cybersecurity trends or maybe even threats?
Neha Malhotra: [00:18:57] Yes, for me to start with my learning, I started to read the NIST cyber security frameworks, and they have frameworks for everything, for risk management, and so on. NIST is a National Institute of Standards and Technologies. There are so many blogs out there that you can subscribe to, like information security magazine is for very basic information updates that if you want to have daily into your mailbox, then you can follow a lot of security enthusiasts on the Twitter, if you are on social media. And there are CIS controls, you know, CIS is Center for Internet Security that you can start with. CIS 20 is what they call their controls to be the basic ones. So it contains like basic foundational and organizational categories and they list all of these areas that I mentioned about in general.
So there are good courses on edX, Udemy, and there is Cybrary.it, and from Sans Institute as well. You know, there are many resources like cyberaces.org, and then for news in general you can subscribe with threatpost, then there is a hackernews, and then there are newsletters from various sources. And there are many times free courses available that you can just leverage on. You can even start reading with some white papers or some risk management guidelines like we have for MAS. MAS is Monetary Authority of Singapore. So we have a MAS TRM like Technology Risk Management guidelines, which is also something that’s a really good starting point for any individual who wants to explore more into risk management and cybersecurity.
Once a person has sufficient work experience that’s required for some certifications, you can build up, you know, from there to get, for instance, what I benefit from was the learning path to CISSP certification. I learned a lot about the very domains within the security and the exam also inculcates a kind of discipline more than anything else. So I think one has to just figure out which area is of interest and then they can build up on that with all the valuable learning resources.
On Community Contribution and Volunteering [00:21:01]
Henry Suryawirawan: [00:21:01] Wow. There’s so many place that we can all start to learn about this cybersecurity. In the beginning you shared a lot about your community contribution, volunteering, right, and also working in the industry. So what makes you so interested in doing a lot of volunteering and community contributions?
Neha Malhotra: [00:21:19] Yeah, I think that’s something that comes from within. I kind of like to get involved with the community and to give back is something that’s inherent in me. I mean if it was not for cybersecurity or technology, I used to do other volunteering work with other associations in Singapore. I really like to add value and encourage people, and specially, you know, the younger generation to leverage on their skills and to build up from there. I also try to mentor a few women in specific because, as we know that women are usually lack that kind of confidence, even if they possess the skills. So I think, getting there and helping out people is something that’s kind of really, good way even to learn ourselves because even with the kind of campaign that I mentioned about, it gave me so much happiness and it was such a great opportunity for me to connect with individuals on the ground level, as in, we just do our day job and if that is all we are doing, I think it’s a real big gap in there. There has to be something out of your day job that you must be actively involved in, that keeps you active, that keeps you humane, that keeps you very grounded. And I think some of these also come from my core values and being a spiritually inclined person that I am.
So yeah, I think it really gives me a great deal of happiness. I have also always volunteered within organizations CSR programs. At present also I volunteer as a mentor for Halogen foundation that our firm supports. It is basically to support building young leaders and entrepreneurs. It is very important to help and collaborate with the community. And Henry, you also do so much collaboration yourself. I mean, I’m truly amazed by your initiatives. So we definitely get further inspiration when we look at our peers and it’s really great that more people follow the path.
Women in Technology [00:23:08]
Henry Suryawirawan: [00:23:08] Right. Thanks for sharing all that. So I want to pick out one thing that you mentioned just now about women lacking confidence in the industry. What do you think are some of the probably root causes of this lack of confidence?
Neha Malhotra: [00:23:21] I think there can be multiple reasons for it. Maybe they do not have the time to devote or they somehow do not believe that they can make a difference. Maybe they have all the skillsets, but they think that technology or cybersecurity is not for them. So there can be multiple reasons. As of now, you know, if I were to give you statistics just for cybersecurity, in 2013, there were only 11% in cybersecurity workforce globally that accounted for women counterparts. And this number though is reported like 20% in 2019 and 24% in 2020. So I think we’re still very far from the perfect situation, but we are definitely on the right track in trying to improve the awareness and taking all these initiatives.
So, I guess they should not just believe stereotypes, when people say that technology is all about coding or cybersecurity is all about hacking, and they shouldn’t lose their confidence there. They should research. They should take things on their hands and to find out and explore what it is really all about. What are the domains areas and things that really need contribution to, and would also give them a great career opportunity.
Also on the confidence part, I think, they have to be more participative and more involved with the community. When I attend events, to be honest, I usually find only two, three, or maybe maximum 10 women participants around. It’s, it’s really something that I would want to change. And even for women who attend these events, they are shy to speak out. So I think that the lack of confidence might be coming from thinking that “Oh, we are in such a huge group out there. And what if we fail, what if we are not accepted?” You know. And also maybe we, we all tried to be perfect in some way or the other. But I guess no one out there is perfect and we’re all learning. So, if you do not know it all to begin with, just leverage on what you are really good at and find your strengths and speak out for yourself, either it is to pave a path on your career journey or to speak in an event that you are passionate about. There would always be a time where you feel I’m not well prepared, you know, like what happens when we have an exam, we never feel fully ready, but when we go to the exam and we have done enough preparation for it, I think we will do well and we would pass it.
So I think we all face challenges, but the key is to keep believing in yourself and, do not look at if at all there’s any criticism that comes across, you just move beyond it, move beyond self doubt, perfectionism also, you know, because we all make mistakes. The point is just to keep improving. For instance, you know, just for me as an example, I would say I’ve never spoken in any event. But I have taken the challenge and I would be speaking on a cybersecurity topic next month. So there’s a first time for a lot of things, out in our career. But one thing leads to the next. So take charge, do not hold back, is what my advice would be for all women out there.
Henry Suryawirawan: [00:26:18] Hmm. Thank you for your message. There are so many good tips you mentioned. Speaking out, don’t be too perfectionist, don’t criticize yourself. I think that’s all are very good suggestions.
So is there any community for cybersecurity or women inside the security in Singapore or maybe around the world that people can probably participate?
Neha Malhotra: [00:26:37] Oh, yes, there are so many communities. And over the current COVID times, while everything is virtual, we are not confined to even the boundaries of cities or countries.
You know, we can participate in global events. I do all the time. And it’s really admirable that people are coming forward to volunteer, to conduct workshops and events, and most of these are free of cost. So there’s something for people at all levels in cybersecurity. To start with people can join a great meetup group that’s pioneered by an amazing lady in the US, it’s called Cybersecurity Career Talks. They conduct livestreams, so there are multiple videos available on YouTube by this channel. Then there are conferences like RSA APJ that is Asia Pacific Japan, which was, in July this year. And it was free to attend for anyone who registers. And then there’s Blackhat and various conferences coming up as well. There are many security summits that happened, and you can register free of cost and you have access to a lot of events and keynote sessions. There are focused talks as well, organized by various communities and organizations, for instance, for cloud security, IOT security. And within Singapore itself, we have Association of Security Professionals AISP, Division Zero, Cyber Risk Meetups, and those are specific to cybersecurity. And there are specific groups that focus on bringing forward women in security. So there is Women of Security in Singapore, and there are sub-chapters from Division Zero, ISACA, like SheLeadsTech, and there’s no end to, I think, to meetup groups. And, it’s similar to, as we have it for various technologies, like you conduct events for Google Developers Space, and then there are Agile, DevOps, AI, Blockchain forums. For people who hold a certification like CISSP, for instance, they can be a part of (ISC)² chapter where we have been conducting so many knowledge sharing webinars all through.
And there are women focus groups as well, which are for generic technology, something like Lean In, Girls in Tech. And just that one has to figure out his or her area of interest and then actively register or get involved, and get into that roller coaster learning path.
In fact, Women of Security Singapore is launching Cyber Women X series event just upcoming in September. And that’s also supported by Cybersecurity Agency of Singapore, AISP, and other associations. So there are multiple workshops, CTF, a number of great talks lined up. So there’s always something or the other happening. In fact, LinkedIn is another great source, you know. Build a network around with people who work in the area that you are interested in and just follow their posts. There are so many announcements for events that you can register for free, and, you know, take it from there.
On Security Trade-off [00:29:26]
Henry Suryawirawan: [00:29:26] I have also personal question. I mean, like, obviously implementing the best security is a trade off, right? Sometimes it’s about convenience as well. I mean, sometimes even personally myself about changing password or making the password secure. Or even like making sure that everything that I use is fully secure, your data, your application, your version, updates, patches, and things like that. There are so many things, right. And sometimes, you probably kind of lose your convenience. So my question here is where is the balance between convenience versus security? Is there any, somewhere in the middle or one should probably opt more about security rather than anything else? What’s your take on that?
Neha Malhotra: [00:30:02] Yeah, there has to be balance, you’re right. But I think of with the kind of security breaches and attacks that we are witnessing in this era, it becomes of prior importance, that we prioritize security at the top. Though it is I understand not very convenient when organizations have to patch for instance thousands of their infrastructure assets overnight or within three or five days. But we have all seen examples. It started, I think, big on awareness with the WannaCry ransomware attack somewhere in 2017, right, which had more than 300,000 computers infected and the vulnerability that was exploited was a Windows Server Message Block protocol. And while Microsoft had already released patches, they were not yet applied. The point I’m trying to make is that consequences of not following security best practices or security hygiene are way higher than some inconvenience that we have to go through. Even installing an antivirus solution is something that people question, right, that the machine would get slower or maybe some of the other thing. How do we keep paying $30, maybe a year for it. But just imagine how valuable or how much value your data entails and then compare it to the kind of small price that you’re paying for it. So I think once that kind of mindset shift happens, it doesn’t really seem like a point of inconvenience anymore.
On Social Media and Fake News [00:31:27]
Henry Suryawirawan: [00:31:27] Right. So moving to the next big topic, obviously these days we are exposed to social media and your data and privacy, right. What’s your take on using social media and about the security risks of using that?
Neha Malhotra: [00:31:40] Oh, yes. Everyone is so intrigued by the social media these days, and the information we are sharing out there is a lot more than we should ideally be doing so, right. People do share where they are, what they’re doing and everything else. There has to be again a kind of awareness that we do not go make it public. I think it’s good to share some things with our friends and family, so that’s the reason the privacy settings exist in the first place.
So making use of those and really, really being aware of what our social media interactions can lead to. I think it’s a very important topic to pay attention to. I think I remember one of the incidents where a person posted something publicly on Facebook about his children’s studying wherever. And, you know, there was some kidnapping incident that took place due to the coordinates of the child that were released via the social media unintentionally just, you know, for the sake of fun or for the sake of just sharing the information around.
So things can lead to really disastrous endings, I guess, if at all we are not aware of what social media handles we’re using and how do we use our privacy settings in the better way.
Then what I believe in, while we do have different passwords, hopefully everyone follows this basic practice, so we also should have separate email IDs for sharing and putting out there, because we register to many webinars, we are required to provide an email ID on many occasions, like we book flights, hotels. So to keep those IDs separate from the ones we use for our banking or important transactions. That is important as well, because we all are aware of so many data breaches that happen. And we do not know who’s using those email IDs and how. And we all have examples of Marriott data breach, which had impacted millions of users and Yahoo data breach that had affected like 3 billion users. So, it’s always a good practice as well to follow, I would say.
Henry Suryawirawan: [00:33:39] And how about fake news, which is another big topic in the recent years, because how much influence it could make, seeing in so many different places in the world, right, where people generate fake news. For us as a normal people, how should we go about fake news? How do we identify them and how do we avoid them?
Neha Malhotra: [00:33:59] Yeah, fake news is a, is a big deal these days. And we must be practicing some awareness and common sense, to detect the sources that this news is coming to us from. For instance, just to believe any WhatsApp forward or any post on Facebook is not an ideal way to deal, or, you know, go ahead in this world. Even for COVID-19 I think there were so many fake news coming across, right from how different countries are dealing with and what are the best solutions or even up till this medicines that people should consume or, things like that.
So false information is dangerous because of its ability to affect public opinion, and that can lead to dire consequences sometimes. You know fake stories are amplified and news are disseminated quickly through false accounts as well. These are like sometimes automated bots. And most bots are benign in nature, and some major sites like Facebook, they ban bots and seek to remove them. But there are social bots that are malicious entities, you know, designed specifically with the purpose to harm. And these bots mislead, exploit, and manipulate social media discourse with rumors, malware, misinformation or just even noise. And in some countries, they started regulating false news. For Facebook since 2018, it has been actively shutting down accounts that are responsible for spreading hoaxes in some countries, especially those holding general elections. So Facebook’s measures include removing fake accounts and reducing the reach of articles that have been debunked by independent third party fact checkers. And there are initiatives with a lot of organizations otherwise as well.
WhatsApp has recently in August 2020, has rolled out a new fact check feature to step up the fight against disinformation and fake news. So this feature allows users to check the contents of viral messages as they call these messages to be. So how can we figure this out? While we see a forward sign, like mostly on all the forwards that we send and receive, another fact check feature appears as a magnifying glass icon just next to the message forwarded. The criteria is that message has already been forwarded to five or more people. So if you click on this magnifying glass, it would prompt like, would you like to search this on the web? And then this would upload the message to Google. For instances, if it’s a COVID-19 related news, it would reflect the MythBusters section from WHO, and so on. Also in Singapore, the government agencies debunked about like 40 instances of speculation, rumors, spam, and outright falsehoods about COVID-19 in specific, over all social media platforms in just about first five months of 2020. So you can also go directly to factcheck.org to verify information. Of course always check the source, and examine the evidences before you believe anything.
Henry Suryawirawan: [00:36:51] Thank you for sharing that because I myself sometimes also, you know, trying to verify, oh, is this news true or not? Especially if it’s shared on the messaging applications like WhatsApp, Telegram, just like what you mentioned, right. Sometimes it also takes effort, like to key in, oh, this is news that I’m reading, find it on the right sources. And I mean it takes time sometimes and people sometimes tend to like forward the message straight away without actually thinking. And that probably could create even more fake news the next phase, right.
Neha Malhotra: [00:37:20] Absolutely.
3 Tech Lead Wisdom [00:37:21]
Henry Suryawirawan: [00:37:22] So, I mean we can talk all day long about security, but I guess before we wrap up here, I would like to ask a question, which I normally ask for every guest that I have in this podcast. So can you share with us what are your three technical leadership wisdom for the audience to learn from?
Neha Malhotra: [00:37:37] Sure. Let me think. I think a technical leader fosters a technical and innovation and understands the technology life cycle well. So to start with the first wisdom I would like to share would be whenever we have any innovation that one tends to share with the community. It should make some business sense. Implementing a technology just because it gets someone excited wouldn’t work. I think leader initiates and steers the commercialization of technological advances, right. So if one is building services and technologies that are incredibly useful that create impact, that is a clear sign of being in the right direction. So I think every technical implementation has to make business sense, even in cybersecurity for instance is to keep businesses secure and uninterrupted. So there is a purpose to it and there’s a business sense to it.
The second great and important skill I would say is having the right communication skills. Because the tech leader is someone who links the business and technology strategies. And the tech leader is a bridge between the business teams and technical teams working on the ground. So how to translate that strategy from your business into how it should really work or look in terms of technology is something that has to be very, very clearly specified and well-communicated. So that is an important crucial part of being a tech leader. And I think beyond this, there are subtle aspects of communication that are way beyond just the basics, the way a leader communicates with the team and specially in challenging times how stable, positive, and calm the leader can be, you know, that actually goes in for a communication with their own self. So how much positivity one has and how one takes feedback and how much grit and persistence one has to continue to have that positive communication with oneself and with others in times of challenges, being timely and effective in communication with the teams, with being transparent and confident about your decisions, so that the shareholders or the stakeholders do have that confidence as well on a high level. And also I think giving you credit recognition and respect to the team all is a part of communication.
And then thirdly, I guess a leader has to keep questioning the architectural goals. They’re paramount. It’s like laying down foundation for building scalable apps in future. So this doesn’t mean that they don’t trust the technical team or so. It reflects that involvement and their experience and expertise that they bring to the picture, especially when they have that strategic vision, and they just have to get inquisitive about how the architecture is being laid down because they are the ones who understand the technological revolutions, they are supposed to be the ones who know the scale and the performance and so on so forth, the criteria is that’s around the technology further down the line. So I think these three are the core according to me.
Henry Suryawirawan: [00:40:37] Right. Great wisdoms indeed for all the technical leaders out there. Thank you for your time Neha. It’s been a great pleasure talking about security. I myself am not like a super security aware kind of person. Definitely there are many things that I learned today from you, and also a big message to all the people out there, right. There are so many security things that you need to be aware of. There are so many communities that you can get started with, so many trainings as well if you want to know more about security yourself and specifically for women, I think just like what Neha mentioned, there are so many avenues where you can participate in the industry and in this cybersecurity as well.
So lastly Neha, is there a place where people can find you online?
Neha Malhotra: [00:41:18] Oh yes, I’m very much on LinkedIn, so please feel free to connect with me. I’m happy to mentor as well as share anything that you need from my end in terms of information. Yeah, I’d be pleased to connect.
Henry Suryawirawan: [00:41:30] Alright. That’s very kind of you. Thanks for your time, Neha.
Neha Malhotra: [00:41:33] Thank you so much for having me Henry and it was a great pleasure speaking with you. Thank you.
– End –