Full interview transcript
Speaker: Please introduce yourself.
Ellen Brookes: Hi, I'm Ellen Brookes, I'm the Cyber Incident Management Team Lead for Canopius Group in Sydney, Australia.
Speaker: So, what originally sparked your interest in shifting from IT to cyber security?
Ellen Brookes: Previously, I was doing IT helpdesk in sysadmin and it was a help desk position. It was challenging in its own way, and it was with a global law firm which was fun. But I also had a weird time when I was working and had access to a lot of things I probably shouldn't have had? I was assisting on a lot more things, which were above my pay grade to do.
While I was doing that, I kind of felt, “OK, I actually really enjoy going into the back end, and making sure everyone's permissions are set correctly. I enjoy helping the data governance team in making sure people have access to the correct data, and making sure that all of our permissions are set correctly for sending that through,” and I just found that that really was something that I wanted to explore more. I’d already done a lot of stuff in cyber security so moving from IT to cyber security wasn't a big shift, but it was one that I kind of felt used my talents more.
Speaker: Were there any challenges you faced during that transition?
Ellen Brookes: Not so much. As is common with people moving into cyber security, a lot of us get help desk work first and then we move on, so it's a great foot in the door for people. But at the same time, it's really difficult to show your skills in the job you're doing if you're working help desk, unless you have opportunities like I had in that case, or unless you're doing things like taking Retrospect Labs’ lovely little sessions they do there. That was a big eye opener for me actually. So yeah, it was more about people wanting to give me a chance and I find that it's a little harder for women, especially, to have that and have someone willing to take that chance with them.
I just remember one of the first job interviews I got for a cyber security job, and they called me and the first thing they led off with when they did the scoping call before the initial interview was, “Hey, just so you know, this is a technical role” and I said, “Yeah, that's why I applied for it.” And they're like, “Oh, well, you're one of three female applicants and the other two have said that they didn't actually want technical, so we just thought we'd lead with that,” and I was thinking, “Maybe - maybe not the best lead in? Especially if you want people to stay and you want more female applicants?”
The transition’s been difficult overall just because cyber is a very different beast. Everything's always changing constantly, it's very different to a lot of IT things that are very much the same again and again, and you're solving the same problem in the same way. Otherwise, the challenges have been minimal for the rewards I get back.
Speaker: Fantastic, it’s great to hear that. What kind of advice would you have for someone who is in a similar position to yourself in the past, working outside of cyber security and looking to move into it?
Ellen Brookes: Prior to working in IT, I was actually working retail and prior to that, I was working as a teacher in Japan, so I have a very eclectic background. But honestly if someone were wanting to move into cyber, I'd say, “Do it. 110%, do it, you will not regret it.”
At the moment, I know there's a couple of programs going around that are helping people to make that switch. There’s Purple Team Australia, they're doing a great mentoring program and getting people through. Again, Retrospect Labs is great for teaching people about different aspects of cyber as well, not just the day-to-day, which is what we're used to seeing. You've got AWSN that's fantastic for getting people into the industry. There are so many different programs that are willing to help. It's fantastic to see.
There are government initiatives going through as well, I believe. I think my sister applied for one. She's in her mid-40s and she's looking to join cyber security, so she's been asking me for advice, which is hilarious. There are so many things, it doesn't matter if you're young or old.
I'm a mentor for the Purple Team Australia program that's currently running, and we have applicants from age 16 to, I think our oldest one is 63? Cyber isn't something that’s bound by age. You don't have to worry if you're the oldest or the youngest person in the room, it doesn't matter. Everyone will take you seriously. They're not going to diminish the fact that you want to join in.
Speaker: Can you please describe a day in a life for Ellen?
Ellen Brookes: Given the work in incident management, it's a little different day-to-day.
I'll give you an example of my worst day so far where we had, I think, three incidents notified. So I work in cyber insurance technically, where when an insured has a policy that is triggered by an event that's happening - usually a data breach of some shape or form - they should then call us, and we will then coordinate the response to that. Essentially, we get called before your incident response team moves in.
Again, a lot of our insureds are small to medium businesses, and they don't necessarily have business continuity plans in place that would detail exactly what they need to do. Sometimes we get called very much after the fact, so it could’ve been two to three weeks of them having this incident or an outage and we're trying to get them back online. Whereas some of our larger businesses, of course are able to go, “Oh, first thing, call your insurer” - which is fantastic.
When we get notified, we have a two-hour SLA. We have two hours to basically respond and begin triage, where we then figure out exactly which services need to be coordinated in which order.
Day-to-day for me is usually, I will start work at 9:00, assuming I didn't have meetings beforehand. On the particular day I want to tell you about though, I had a meeting from 7:30 in the morning with my boss in London and one of the responding teams who were actually based in the US, so it was a very international call that morning.
I started work at 9:00 and was like, “Cool, I'm going to go through my emails.” First e-mail I get is, “Hi, you know that incident we notified you about three weeks ago? It's become ransomware.” We're sitting there going, “OK, cool - ransomware. We will just deal with that. That's fine.”
I'm then coordinating, trying to get ransomware negotiators in - not necessarily to negotiate payment, because I think at that point in time, they'd already had all their backups restored and everything, so they didn't really need that. But we wanted to get the negotiators in to try and waste time a bit while they notified everyone that this had happened. We made sure legal was aware of what's going on, made sure all of the groups were in, made sure the personally identifiable information review we were running was all running smoothly, and getting everyone on board to just go with it, keep it going and keep all communications open.
We get to about midday, I'm like, “Cool, I'm going off for lunch, this will be awesome.” We get another incident in and I'm going, “Awesome, BEC (business email compromise) - that they found three months prior” and I was like, “It's taken you three months to call us, fantastic, that's all good.”
I delegate this one to one of my team. They then run with it and they're saying, “It's been three months. How do we get the forensics people in to find logs?” I’m like, “I don't know. I actually don't know. We'll figure something out.” Then it was mass calling with the forensics team saying, “Hey, we want to get you involved in this, but it's been this long. What can you do?”
We then try to come up with ideas because, again, my whole team has technical knowledge. We're not insurance people, we are all cyber security trained. So, we're going, “Awesome, we'll just see exactly how we can extract some of these logs. Do they have backups? Where are they held? What's going on there?”
We then get legal on board where we're discussing GRC implications. Things like, is this part of the Privacy Act? Will they be covered? What's their annual turnover? What data were they storing? Was it medical data? Was it TFN – tax file number information? Was it personal information that could be available on the internet already? What was going into that? So that was a fun conversation.
I finally get lunch and then at 3:30 in the afternoon, we get another ransomware. So that was a fun day. I'm then coordinating that response late in the afternoon. I think I finished work about 7:00 PM and then I had a meeting at 9:00 with my counterparts globally.
So that's my worst day yet. But regular days are usually emails, checking in on what incidents I've got running, seeing if there are any new incidents that have come in, because we are mainly notified by hotline or e-mail. I do that, then any training that we need to do, or if we have any vendor catch ups, because again, I'm in charge of our vendor management here. A lot of my vendors are in Melbourne though, so it's like “Cool, we're going to have a Teams chat?”
Then, checking in with my team constantly to make sure that they're not overworking themselves, because as a manager of a team they are my most important asset. If they can't do their job, that hurts all of us. It's not just, you know, it's not just them, it's the whole team. I need them to be at top form and I need to make sure they're supported basically. They're the real MVPs at the end of the day, they're the ones doing all the work.
Speaker: So, you’re busy?
Ellen Brookes: Just a little bit.
Speaker: Has there been anything particularly rewarding - like a rewarding moment or an achievement in your journey thus far - that stands out to you?
Ellen Brookes: To be fair, everything’s a reward at the end of the day. Even if it goes horribly wrong, you still learn something. One of the best things I love about cyber is even if something goes wrong at the end of the day, you've got new knowledge that you didn't have before.
For me personally, I think probably the biggest thing I've done was actually the incident response competition, with AWSN, Retrospect Labs, and the other sponsors there. I came in guns blazing and was like, “Awesome! Let's get this team working,” because it was meant to be a team of about 5 people, I think.
My entire team - left. It was just me doing the whole competition by myself, until the last day when two people came back in. By that point, it was a little bit late. I’d already done all of the log analysis and pretty much drafted up all the papers and things that needed to be sent off.
I really enjoyed that competition. It was so much fun. I learned how to leverage a lot of my skills that I’d learned through the session that I'd done with Retrospect Labs earlier last year. So yeah, it was hectic trying to figure out what was going on. For me it was a bit odd because my team didn't communicate that they weren't going to be available until midway through, so by that point I already spent three days on the first task going, “Hey - can someone get back to me? We need to get moving on this,” and then they were like, “Oh, yeah, by the way, we're not here” - cool, I'm just going to run with it then.
Yeah, that was so much fun and, in the end, I think we placed eighth I believe? That was eight out of forty-eight teams competing, and that was almost a complete solo effort, bar like the last thing that we submitted so, I'm proud of myself for that.
Speaker: Well done. It was a tough one as well, that challenge.
Ellen Brookes: It was an interesting one, definitely.
Speaker: What do you think are some of the most common challenges facing incident responders?
Ellen Brookes: Common challenges - I'm going to say it's staffing at the moment, as probably the big one.
I know that there are so many people, like we have vendors we work with and a lot of them have been coming back lately saying, “We just don't have capacity to take this one right now,” and it's because people are moving. I think the median time someone is actually in a single job in cyber is about 0.8 years, so it's very low that someone will stay in an entry level job or just higher than that. People are moving so quickly and so a lot of incident responders are leaving as quickly as they're coming in, so they don't have capacity to assist.
They're also suffering from burnout because of the amount of work that's coming in. As people are becoming aware of cyber incidents as a whole, more people are reporting them and wanting people to investigate them further. So incident responders are getting more work, getting burnt out and then also leaving incident response.
I feel that's probably it. In regards to technical stuff as well, ransomware isn't going away. It's getting more and more complex in its own way.
Also, just the fact that there's so many groups now that are going after cloud service providers. They're not going for the smallest part of the chain, they're going for the one that has all of the information and there are so many cloud service providers that do not partition data properly. So threat actors can get in and just take everything, and then DFIR (Digital Forensics and Incident Response) comes in trying to assist the little guy and they’re like, “Well, I need to get into the data held by this cloud server and they're not going to give me that. How do I investigate this for you?” Which, as an insurer, that's something that my team has to worry about.
There's lots of different things going on all the time, and threats are becoming more and more advanced. Incident responders are just constantly on their toes and I applaud them for that.
Speaker: So, eclectic start – teacher in Japan, IT service helpdesk through to incident responder. I wonder if you could talk a little bit about what gave you a) the skills and b) the confidence to make those changes in that transition?
I think for a lot of people the confidence and the skills are the biggest piece missing for them to jump into cyber. So, what would you say to other people that are thinking about it?
Ellen Brookes: Imposter syndrome is a thing. I have now started thinking of it as conman syndrome. I think of myself as a highly successful con man. If they believe me, it's cool, they can do that. It changes confidence completely, apparently.
Eclectic start, definitely. All of my undergrad, I was actually doing International Security as a major through that. So I did an undergraduate while I was living in Japan, went through university there, got my honors recognized by ANU here. Then I did a masters in Canada where I was doing political science so that gave me some of the skills. I had all of the theory for security and a lot of my classes were cyber security related, but they weren't technical skills.
After I'd done all my teaching and retail work - well, still doing retail at the time - I was doing my PhD, and then COVID happened. My PhD was actually on international migration and the policing of that, but you can't really migrate while there's a pandemic, funnily enough.
I thought, “Look, I've got skills in academia, but I don't have any practical skills. Let's go and upskill that.” I did a six-month course through the University of Western Australia, got through that and thought, “I actually really like this. I think I can make this work.” So I was like, “Cool. Awesome. Let's get into that. Let's do that and leverage what I can there,” and then I ended up in help desk because that's always a great first place to start apparently.
I know that I've been incredibly lucky in that I've been in the right place at the right time, where people have been looking for the skills I had to offer. I know that I have been very lucky with that, and I know there are a ton of people who are not as lucky to do that. For that I say, “Keep trying, keep going. Nothing is a failure. Everything's just a stepping stone to the next success. You've just got to keep trying and keep putting yourself out there.” And confidence is a really hard one to build, especially when people keep telling you no. You are kind of like, “Oh actually, I don't think I can do this.”
Keep practicing, keep using all the tools in your toolbox to keep your skills relevant, and present. Some of the things I used to also like to do were, if I'd seen something on TV, being like, “Hey, that's a cyber security thing” - I would write something about it. I would try and I'd investigate as much as I could using what I had, using OSINT (Open-Source Intelligence) skills because they're always great. Just going through, I'd write something about it so if someone does invite me to a thing, I can actually show them that I've written an article, a blog post about this.
Sometimes that is something people want, sometimes that's what they're interested in, and so just keep using those skills. Keep making or running your own sort of capture the flag competitions, running your own internal exercises and sandbox, and writing up the reports that come from those, because that's what people look for. And just make sure you're adding to your GitHub repository, make sure you're adding to your LinkedIn, make sure you've got all the links in there for it.
But also, for me personally, gathering that confidence, it actually came from the incident response competition, specifically for me. That was the big thing where I was like, “Oh, actually I can do this.” It was difficult, but it wasn't so challenging that I didn't feel like I couldn't do it. It was at the point where I thought, “Oh, I can do this. It wasn't easy, but I enjoyed it, so this is actually where I'm meant to be and what I need to be doing.”
And when you find something that helps you kind of build that level of confidence in yourself where you're thinking, “Actually, the people who are judging this are in the industry. They know what they're looking for and they deemed me good enough to do this, so why can't I think I'm good enough to do this?” It's just validating your skills and having other people validate them is also very helpful.
Speaker: Truly inspiring. With the AWSN incident response competition, what did you enjoy most about it?
Ellen Brookes: Oh, that is so hard. I enjoyed every minute of it. To be fair, I think the number of times I was chatting - and chatting with you Jason actually - at like 10:00 at night being like, “How do I get this to work?” Or just being terrible and being like, “I found the answer. I don't know how I found the answer, I just found it though.” That was quite funny.
My favorite bit was the networking that could happen as well. I didn't get to experience that too much with my team, but I know some of the other teams did and they absolutely adored it. For me, really it was getting to test my technical skills. The first part of the competition with inject one and inject two were the biggest points for the technical part and I was like, “You know what? I'm going to do this. This is going to be my thing.” Because pretty much my entire team had said, “Oh, we're all report trained. We all do auditing and consulting and GRC stuff,” and I'm like, “Cool. Am I the only one who knows the technical side? Awesome, I guess I'll do that. I only really learned how to do this through the Retrospect Labs session that I did in September, but you know, this is fine.” Turns out, I was pretty good at it.
I know going through extracting those logs was really fun and going back through them all, making sure that I'm searching the correct parts of it and then having to write about how I'd found those. I found that really solidified my knowledge and how I was able to do it. Then when I did show members of my team, I’d be like, “Hey, this is what I've written, this is how I found it. Here's how you can find it if you go back through it.” I wanted to teach them because it's a learning exercise at the end of the day. It's a competition, but it's also learning new skills and I knew that they didn't have the technical skills, so I went back and said, “This is how you extract this log. This is how you do this. This is how you find the answer.”
I don't know if they listened to it, or if they came back to view it at all, but at least I felt I was giving something back to them while they weren't able to join me in the competition.
Speaker: Do you use the skills that you gained in the competition, in your job at the moment?
Ellen Brookes: The amount of report writing, oh my god. I think it was the end part of that competition where we have to communicate with CEOs, C suites and just trying to translate that between, “We're talking to the media now, we're talking to legal people, we're talking to C Suites, we're talking to the tech team, we're talking to their finance officer, who has no idea what a data breach is if it bit them.” Fantastic, we have to translate this.
My job is a lot of that sort of vendor management where I'm communicating between your digital forensics team who use IT jargon, communicating that to your legal team who use legal jargon, communicating that to the CEO of the company, working for their finance officer, the person who notified them of the incident, who sometimes has no idea what's going on. Also talking to their broker, who again, might not have any knowledge in any of these areas. We also talk to PR groups to get them involved as well, so sometimes we're trying to explain to them what's being said by both sides so that they're able to do their job as efficiently as possible. Then, translating all of that back to the insurers.
It's a lot of fun and I feel like we're playing a game of telephone or something - we’re getting the message, then trying to pass it on without losing any of the impact of the message and getting that message across. It's really fun, but that and the report writing where we have to write to certain levels at times - I am flexing that muscle so hard. Really, really do want more technical though, but you know it, it'll come, it'll come.
Speaker: Last question - what would you say to someone that was on the fence about doing the competition this year who might be asking themselves, “Should I, shouldn't I? Have I got the right skills? Am I technical enough?”
Ellen Brookes: Do it. 100% do it. Honestly, I think I'm pretty sure last year we had high schoolers in that competition, so any level of skill is welcome there and we do that lovely placement test beforehand to make sure that the teams are evenly balanced. Though to be fair, we all are terrible at rating our own skills. I think the highest technical skill in the entire competition was rated a three out of five, which was a lie, clearly.
It's one of those competitions that is open to everyone to give it a shot and at the end of the day, it's a learning exercise. Yeah, if you win, it's cool. But even if you don't, you come out of it with a ton of stuff that you didn't have before - like skills, you come out of it with networks, you possibly come out of it with people who may actually consider being mentors or mentees in the future, you come out of it with a lot more opportunities, or at least a more positive outlook on where you want to go next, so I highly recommend.