Breaking the Code: Jacqui Loustau on Diversifying Australia's Cybersecurity

Cole Cornford:

Hi, I’m Cole Cornford, and this is Secured, the podcast that dives deep into the world of application security. After working as a cybersecurity consultant in Europe for over a decade, Jacqui Loustau was struck by how many cybersecurity professionals in Australia are men.

Jacqui Loustau:

I walked into my first Australia event in the industry and I was just hit with a sea of men. I was like, “Whoa, okay.” And I don’t know if you know what that feeling’s like, but you just walk in and go, “Oh, I don’t belong here. I feel really intimidated by this.”

Cole Cornford:

This led Jacqui to found the Australian Women in Security Network or AWSN a, not-for-profit, with the goal of increasing the number of women in the security industry. Had a great chat with her. We spoke about how businesses can change their approach to hiring to improve diversity, the importance of supporting kids and students of all backgrounds who have an interest in the field, as well as some of her thoughts on the future of our industry. So, let’s jump right on in.

And I’m joined here by Jacqui. How are you going?

Jacqui Loustau:

Yeah, good, thank you.

Cole Cornford:

Cool. Well, so with most guests I bring onto the podcast the first question I always ask them is, what kind of bird are you and why? And I usually ask that question because I run a company called Galah Cyber, and my bird is galah because they’re bright, colorful, and a bit obnoxious, which is pretty much the opposite of most cybersecurity professionals. And yeah. So, what kind of bird are you?

Jacqui Loustau:

It’s a really good question, and I love galahs. That’s my favorite bird actually, which is-

Cole Cornford:

Look, I love it. That’s so good. All right. Well, let’s talk after this.

Jacqui Loustau:

Exactly. We’ll talk all things galahs later, but after a bit of research, because it’s not something that people ask usually, I guess the bird that I came up with is the regent parakeet, so it’s an Australian bird. So, yes, I’m very much Australian. And one of the attributes of it that I really like is that it has to establish trust and loyalty really early, and it needs a lot of freedom to move and explore. And I find that that’s very much me. I need to have the ability to be able to explore and look at things, and I have quite a lot of energy and I need to be doing things all the time. And it’s also very social and affectionate, so I think that that’s pretty much a really good summary of, I guess, me.

Cole Cornford:

That’s a great one. I haven’t heard of a regent parakeet. I’ll have to look it up in my… On my desk somewhere I’ve got Birds of Australia. It’s just a big atlas where people tell me what bird it is. And sometimes they say that they’re like some kind of foreign one, and I’m just like, “Oh God, I’m not prepared for this.”

Jacqui Loustau:

It’s a yellow bird and I was trying to find one that was purple because my favorite color is purple, but I couldn’t find one that matched Australia, my attributes and purple. So, I went for a beautiful yellow one instead.

Cole Cornford:

Yeah, the yellow ones we usually see at are masked lapwings around where we are, but call them plovers because that’s the species of bird that they are, and they’re the ones that go and attack people repeatedly because they’re annoying and give you nightmares as a child. So, I’m sure that you are aware of those ones, with the yellow beak like this.

Jacqui Loustau:

Yeah. And yeah, I’m not like that, so I won’t be choosing that one.

Cole Cornford:

Friendly and needs to explore and try new things out.

Jacqui Loustau:

Yes, exactly. Yeah.

Cole Cornford:

And you need to build trust.

Jacqui Loustau:

Yes, and loyalty.

Cole Cornford:

So, that’s probably a good one. Trust. Trust can move us straight into cyber security. So, maybe tell the audience a bit about how you got into cyber security and where you are nowadays.

Jacqui Loustau:

Yeah, so I got into cyber security through a bit of a interesting route. So, since I was a young girl, I always really loved and was interested in technology. When I was really little, my parents made me do touch typing every single day. If I didn’t, then I was getting grounded. So, I became a really fast touch typer. And when it came to the point of asking, “Okay, what do you want to do when you graduate? What do you want to do when you get to university?” I said, “Well, actually, I can touch type really fast and I’m interested in computers because I got to be exposed to that at school.” I went, “Okay, well why don’t I get into IT?” So, I did the Bachelor of information systems at Monash and I really loved that.

There was only one subject in the whole three-year course on security. So, I really went through that very quickly, but I really enjoyed that as a degree. And I also worked at the same time. So, I was working at a help desk and doing some PC support while I was at university. When I graduated, I became UNIX administrator and I really loved that. It was a really interesting job and I really enjoyed that job, but I felt this itch to go to Europe. So, I booked my flight the next day, actually, after I had made this decision. One of those… I was stuck in traffic. I was like, “I don’t want to be in this traffic. I want to be in Europe.” So, I pretty much booked that flight and did a Contiki tour, loved it so much, ran out of money and went, “What can I do now?” I went, “Okay, well, I’ll apply for some help desk jobs.”

Got a help desk job and it just basically funded my travel for my time over there, which was really great. And then, they wanted to move the help desk to Ireland, and I didn’t want to move to Ireland because I went, “There’s no airport. I’m not going to be able to travel. what else have you got for me in London?” And they said, “Well, we could put you on this special program that we’ve just started where we’ve taken smart engineers from across the world and we put them into this high intense training program, and you can apply for that if you want to.” So, I go and apply for it. They say to me, “Okay. Well, why haven’t you got master’s? Why haven’t you got a PhD? And you’re not an engineer, but yeah, let’s give you a chance.”

So, they put me on this program, flew me to Houston. We learned everything to do with networking, project management, cyber security, which was called information security on the day, Microsoft as well. So, we had to learn all about Microsoft and UNIX. And because it was an oil and gas company, defensive driving, just to throw that in there too. So, this six weeks was the hardest six weeks of my life because we had to come out with all the certifications, so the CCNA, the MCSC and the SANS course, we had to study that.

Cole Cornford:

And working in confined spaces too?

Jacqui Loustau:

And working in confined spaces too. So, everyone said, “How was Houston?” And I went, “Well, I was just locked in a room, pretty much just studying a lot.”

Cole Cornford:

Definitely working in confined spaces.

Jacqui Loustau:

Definitely starting us early in that. And then they said at the end of that, “What would you like to do? Would you like to be working in networking or security?” And I went, “I didn’t really enjoy networking, so whatever this other thing is, security, I’ll take that.” So, that’s how I got into security. Sorry, that was a long story. I don’t know if you want me to-

Cole Cornford:

No, that’s all good.

Jacqui Loustau:

… re-tell it as a short story.

Cole Cornford:

No, it’s all good. I love when people are passionate about their backgrounds and stories. So, I mean, it’s funny to me because when I went to university, I had a pretty similar one. I ended up with a grad program and I ended up just falling into security, and then the whole security team left and they told me to kind of pick it up and learn security, and I did. And my uni only had one security course too. It was a data security. And you go into it and you’re like, “Ah, yes, this is Chinese remainder theorem and extended Euclidean algorithms.” And I’m like, “Oh, I don’t know what math is. I’m a programmer. I’m sorry.” I didn’t do so well on that one. But I loved it. I had a lot of fun with the cryptographic algorithms and breaking stuff.

And also, I am quite amused about the Top Deck Contiki thing because one time when I was working at Westpac, a mate of mine, James was sitting there reading a Top Deck book, and I’ve known James for one week because he played Monopoly Deal with me once at lunch, and I’m like, “What are you doing?” He’s like, “I’m going to go to Europe.” And I’m like, “Oh, okay, I’m coming.” He just looked at me like a stunned mullet. And then, he said, “Okay.” And then, we had the greatest free week forever. And everyone just laughed that he was my holiday boyfriend at that point because we just kept doing trips overseas together. So, we’re kind of twin parakeets in a way, right?

Jacqui Loustau:

Yeah. Love it. That’s so good. Okay, we definitely need to chat after this to compare stories.

Cole Cornford:

Yes, yes.

Jacqui Loustau:

I want to ask you 100 questions now.

Cole Cornford:

Oh, all right. Well, we’ll do that later on. So, we’ll flip the script then you can ask me.

Jacqui Loustau:

Okay, sounds good.

Cole Cornford:

So, let’s move into the area that you are super good at, which is diversity in cybersecurity. So, why is this a particular interest area for you firstly?

Jacqui Loustau:

Yeah, so with that whole story, what I just talked about, about my background. So, I started working as a consultant around Europe. So, I worked in London for seven years, worked in Paris for seven years. I got to work on amazing projects with amazing teams. It was really, really diverse in terms of all the different things I got to work on. And I was really lucky, I think, with a lot of those projects that I got to work on. When I came back to Australia, I walked into my first Australia event in the industry and I was just hit with a sea of men. I was like, “Whoa, okay.” And I don’t know if you know what that feeling’s like, but you just walk in and go, “Oh, I don’t belong here. I feel really intimidated by this.” And it was interesting some of the things that I was thinking about in preparation for this podcast, I was trying to think back what it was like in Europe.

And I guess I never really thought about it so much. I never really felt like I was different, even though I was the only female in a lot of my teams now in reflection. But it wasn’t until that moment when I came back to my home country and went, “Really here? What’s going on here?” This is such an awesome area to work in. You can do it around the world. It’s so diverse in terms of the things that you can do. And it is such a great opportunity for women or different types of people to get involved in a up-and-coming industry. So, that’s where my passion came from and I went, “Do you know what? I think it’s just a matter of putting a bit of effort into it and trying to connect other women and try to understand what this problem was.” And so, that’s where the start of what is called the Australian Women’s Security Network, AWSN came from. And that’s where my passion for trying to get more diverse talent into our industry started.

Cole Cornford:

I mean, the industry is pretty male, pale and stale as a whole, so we need to be looking at doing something about that alliteration. Right. So, when did you start AWSN? How long ago was that?

Jacqui Loustau:

So, I started that in 2014 when I came back to Australia after my stint over in Europe.

Cole Cornford:

10 years. You must be celebrating, you’re going to have a big AWSN super 10 year event party thing soon?

Jacqui Loustau:

Didn’t even think of that. But yeah, we probably should actually, yes.

Cole Cornford:

Yeah, go ahead. Here’s the precursor is like, I was on Secure talking to Cole and he said, “We’re going to have a super party,” so we are. Let’s celebrate all the achievements that we’ve done.

Jacqui Loustau:

Great idea. I love that. I will. And I’ll mention that too.

Cole Cornford:

So, what have you been able to achieve with AWSN over the last 10 years? Because like you said, I remember even my early few roles in tech back then, were all basically just… I mean, I live in a mining town. Mining has a very similar problem with cybersecurity, with just universally men going FIFO work and having trouble attracting women into it. And they started running out of professionals in the area. So, they have started setting up houses for couples to live in and trying to get the female in the relationship to also participate in the mine as well as a way to get more talent in. But you must’ve been able to achieve a lot over the last 10 years. What are some things you’re proud about?

Jacqui Loustau:

Yeah, so one of the things that I’m proud about is that we’ve really built a really great support network for a lot of diverse talent that are coming into our industry. So, it really can help with that whole, not only the attraction, but also that retention and helping lots of different women and diverse talent elevate themselves in terms of leadership positions and become leaders in this industry. So, establishing the network through the events that we run in all of our different eight chapters across Australia. And also, I guess the other thing I’m proud about is the programs that we’re running in conjunction with the Australian Signals Directorate.

We’re running a series of different technical programs, leadership programs, mentoring program, and we also recently just did our first piece of research on gender dimensions. And I’ve been really proud about that because it’s really good to create a baseline of where we are at, so then we can kind of work out how we’ve progressed over time and benchmark and make sure that we continue to progress over time as well. And I guess one of the things that’s been good to see is that the rate of women entering our sector has increased over the last three years, which is a really good indicator that some of the work that we are doing, but also other industry groups that are really putting attention to this diversity element is working and is on the right track.

Cole Cornford:

I mean, I’ve got two daughters and I really want them to have careers in, not necessarily security, but to have doors open if they want to go work in the coal mines or whatever the future mines are, I guess in this area, or if they want to be engineers, or they want to go be lollipop people, construction workers, areas that currently are purely dominated by men. I want them to have those pathways available to it. It’s really hard for them if they can’t see people in those roles as it is right now. Because they’re quite young, one of my daughters is nine. And she wants to be a programmer, like daddy. And I’m okay with that. I think that we’ve got to work really hard to do what we can to try to find ways to help people move into those senior leadership roles, because I see it quite commonly as people hit the ceiling and they’re like, “I don’t know where to go from here.” So, what can businesses do to try to have more women move into leadership positions and encourage them to take those roles?

Jacqui Loustau:

So, there’s a few things that they can do. So, one of them is about that whole exposure like you just mentioned. It’s really important that we started really young age to be those role models for the younger generation because you can’t be what you can’t see. And if they don’t know that a career in cybersecurity or technology or these other male-dominated areas exist, then it’s really, really difficult. And the same goes when it comes to leadership positions. If women don’t see other women that are the leaders or those leaders are there to help bring them up or to expose them to what happens in the leadership side of things, then it can be really difficult and taking a chance. So, one of my biggest mottos is about taking a chance. So, we do a lot of work with career changes. So, women that are moving from one area, they might have a long background in business, or in accounting, or marketing or something, and to encourage them to be able to transition into cyber security with obviously the right skills and things like that take a chance on that.

Same goes for when it comes to leadership. If you see somebody that has potential, bring them along to some of your meetings, or get them to do a report to the board or to speak to the board to get that exposure, get them to present at conferences and really encourage them to present at conferences, give them the opportunity to do more than what they actually doing to show that potential I think is really important. And I think that that’s one thing that I was really fortunate in Europe in some of the roles that I was in that I got the opportunity to work in this program called the High Flyers Network.

And what they allowed us to do was to work on a project with the executives to help with a strategy element, which was really great. I had a manager who was really fantastic and anything that I wanted to do, so for example, I said, “I would love to do a presentation in Washington.” And he encouraged me to then do some presentation training. And anything that I wanted to do that he was really encouraging me to do that. So, having the message to a lot of organizations is become that champion for those women that you see that has a really great potential.

Cole Cornford:

I also find that a lot of women self-select out of just lots of things. So, they’ll say, “I’m not the kind of person I have eight out of 10, so I’m missing two.” Whereas a lot of men would say, “oh, I’ve got three. That’s good enough. Let’s give it a go.” And doing what we can to try to, when we’re recruiting, to help create job descriptions or to create roles or to use referrals and networks to bring people in, that’s okay in a way. And I’ve had great success hiring people from non-[inaudible 00:17:00] backgrounds, and even the work I’m doing at the University of Newcastle right now to help restructure their masters of cyber, it was purely very, very network heavy and just very driven around technical brilliance.

And now, we’ve opened it up to allow people who are coming from different disciplines to come in and learn about cyber security and made it non- [inaudible 00:17:20]. And that’s, to me, one of the best ways we can do with attracting a more diverse workforce is if you’re only appealing to young men who just finished their bachelor of computer science and now want to go into cyber, then of course the industry’s going to be populated by people who know how to run Kali Linux and can’t communicate or write or have empathy for people.

Jacqui Loustau:

Absolutely, can’t agree more.

Cole Cornford:

So, there’s a lot of managers who are listening to the podcast, and I know you said that you need them to advocate and help for people and be a champion to support women to get opportunities. What kind of barriers do you think exist within organizations or inertia is there that we need to tackle systemically before we can actually start creating this space for people to thrive?

Jacqui Loustau:

Yeah. So, I think I always talk about the organization and the teams need to be ready or willing to make a conscious effort to change things. I am quite a believer in that it’s hard to push that onto a team, because otherwise, that makes it even harder for the diverse individuals to really thrive in that environment. Because if they’re considered kind of like that diverse hire, then that can be really tricky. So, hire on merit, but make a conscious effort to really find those people and to uplift and develop them, I think is an important element.

Cole Cornford:

I think zero to one is always the hardest one in my experience, because if you don’t see anyone in your team who is a girl or a woman who identifies as a woman, then you’re immediately going to be ostracized and you have no one to speak to. So, getting their first hire. And then after that, it gets a bit easier because you can build your little networks and stuff. But how can businesses and teams work from good zero to one? Because I know that’s personally where I struggled in the past, and I’m sure that there’d be plenty of other people willing to hear from you about how they can do that.

Jacqui Loustau:

So, one of the things that I always recommend is that instead of hiring one, hire two. So, if you have a team where it is predominantly one gender or one type of people, hire two of the other thing that you’re trying to increase in terms of diversity. So, the reason why I’m saying that is because, for example, if you have a really good team, but you want to hire in people that are neurodiverse or you want people that are from different backgrounds or different cultural backgrounds, et cetera, the same applies.

So, that has been quite successful. We’ve had a couple of companies that have done that. They’ve hired not even two, they’ve hired three or four into a team, which has been really good. It just means that those individuals have someone else that they can turn to if they need to. I know sometimes a lot of organizations say that they struggle to find one, let alone two, but do you know that talent is out there, it’s just you have to look for it.

Cole Cornford:

The people that say that they can’t find talent aren’t looking, that’s my view. There is a tremendous amount of talent out there. It’s just that people have these glasses and blinders on specifically what they’re looking for. And if it’s an OSEP, he’s got a computer science degree, that’s going to almost certainly, the demographic is 90% men, right? It’s just how it is. But if you have a more open mind, then maybe you can find some gems out there elsewhere.

Jacqui Loustau:

Absolutely. And just to really, as you mentioned earlier, it’s about that job description of, okay, what is the core of what you need to do in that particular job? And what are some of those attributes that you really want in that individual? Because you can always teach some of those technical skills and coach them through it and things like that. But some of that behavior, or like you mentioned before, the empathy and looking at things in a different way, the innovation or creative thinking or the analytical mindset, that stuff that’s you cannot teach. It’s an innate part of somebody. So, really have a look at, okay, what are the types of things that we’re doing in this particular role that is fundamental to it? So if there’s a lot of, for example, writing or report writing, look for somebody that loves writing and can write really well, for example.

Cole Cornford:

So, we’ve already talked about your motivation of wanting to come into the industry. Do you have any advice for parents or just people who have young kids, or teenagers, or just even nephews and cousins who are looking to get into technology, or just into a male-dominated industry and just have no idea about how to go about breaking down that barrier? And how can they support their kids, sort of family members?

Jacqui Loustau:

Yeah, so it’s about interest, I think. So, all the schools across Australia have access to several different platforms, which can expose you to the different areas of technology. For example, the Grok Academy is one that comes to mind where they have a lot of cyber security challenges, for example.

Cole Cornford:

I know Grok.

Jacqui Loustau:

Yeah.

Cole Cornford:

I was on that. I had a really bad beard.

Jacqui Loustau:

Oh, did you? I didn’t recognize you.

Cole Cornford:

Yeah, it made it disgusting. I’ve got this patchy hole here, I can’t even do it, but I was on that. It was back a few years ago. Hopefully, they’ve updated it. It was super cringe. I used to wear a leather jacket everywhere and think I was cool.

Jacqui Loustau:

So, everyone that’s listening, if you go into Grok, look for Cole.

Cole Cornford:

No, don’t do it, please. This was before I ran my podcast and started of business and decided to be bright pink and obnoxious. Back then, I thought it was cool to wear white pants and a brown leather top and tell people that I’m an elite hacker man, come do cybernetics stuff.

Jacqui Loustau:

Brilliant. Oh, gosh. I’m going to have to look now. So, that’s one thing I think-

Cole Cornford:

Yeah, going back to the question.

Jacqui Loustau:

Going back to the question, experimenting with that, even with the kids and stuff, would be a really great way of getting them exposed to it, get them excited, because it’s very much about challenges. And I think a lot of people don’t realize that a lot of what cyber security is about analyzing and puzzles and things like that, and it’s very different. And also, I think they do videos as we’ve seen of different careers in cyber security with Cole talking about what his role was in cyber security at that time.

Cole Cornford:

Yeah. That was, instead of being a weird founding feather and podcast host, I guess. Back then, I was doing AppSec at Westpac and just telling people, “Learn a bit of software engineering and tell people to write better code.” Yeah, I still do that nowadays, but with nicer language.

Jacqui Loustau:

I was about to say, the message has not changed. So, yeah.

Cole Cornford:

No, it hasn’t changed.

Well, we’ll move onto some rapid-fire questions for you now. What’s one big cyber security misconception that you would like to debunk?

Jacqui Loustau:

Yes. So, the one that I would like to debunk is the fact that you have to be super technical. You need to be able to code. And you spend your life in the dungeon wearing a hoodie. It is not the case.

Cole Cornford:

Yep. I hate it. A few months ago at Parliament House, I said that the cyber industry needs to kind of change because we are very good at patting ourselves on the back. The way that we evaluate ourselves is on our CVEs, our write ups, our presentations at black hat events, but none of these matter in context of helping people solve problems. Being an empathetic and kind person, speaking in plain language and being approachable and friendly. And I feel like those kind of things are really missing from the conversation when, honestly, they’re the game-changers. And if we’re always focused on being technically brilliant and have all of our pen testing certs and have our CCNAs and stuff, that’s not necessarily going to help shift the needle, right?

Jacqui Loustau:

Yes. And I think we need to remind people that the reason why a lot of people got into cyber security is that they want to help protect people as well. That’s the objective of what we’re trying to do. Protect people, protect organizations and help. And I think that it’s important to remember where that is. And yes, technical knowledge is super important, but it isn’t for every single aspect. You don’t have to be an expert in all elements of cyber security, because it’s frankly impossible to be an expert in all domains. And that perception that that’s what it is, and you have to wear the hoodie and you have to be super technical, I think that scares off a lot of people as well.

Cole Cornford:

I hate the hoodies so much. I wear bright pink business shirts and white pants. I look like I belong on a golf course, not in a dark room. So, I mean, I think it works for me. It’s fun. And people just look at you as a normal professional. And to be totally frank, what we’re doing is providing professional services and advice about a discipline people don’t understand. Are we different to lawyers and doctors? Not that much. All right. That was that one. Here’s another one. So, now we’re moving into 2024, what do you think the big theme for cyber this year is going to be?

Jacqui Loustau:

The big theme for 2024? So, I think it’s going to be AI and quantum. That is just a big thing. In terms of not only a threat, but it’s also an opportunity. So, as security software and professionals use it, I think it’s a really great opportunity. It is also a threat because the hackers and the cyber criminals are using those tools just as quickly as we are as well. So, I think that that’s going to be a huge thing this year.

Cole Cornford:

Yep. And what do you hope to see change over the next couple of years? So, with your work for the AWSN, what are you hoping to achieve for the next 10 years? Let’s go with that.

Jacqui Loustau:

Next 10 years? I hope that when it comes to diversity or this industry, no matter who you are, what you look like, what your background is, if you’re the right person for the job, you will be considered and you’ll be valued, and you will be able to contribute to this industry that is ever-changing and has so many opportunities.

Cole Cornford:

So, let’s break those barriers.

Jacqui Loustau:

Break those barriers. Yes.

Cole Cornford:

Yeah. No wall building. We’re going to break all the walls. There’s no firewalls anymore.

Jacqui Loustau:

Yes, exactly.

Cole Cornford:

That’s it. All right, Jacqui, look, it’s been an absolute pleasure to have you on. Thank you so much. Is there anything you’d like to say before we wrap up?

Jacqui Loustau:

No, that’s it. Thank you so much for having me. I really appreciate it.

Cole Cornford:

Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.