Breaking into Cyber: Kiera Farrell on Growth, Networking & Early-Career Lessons

Cole Cornford
Hey everybody. Welcome to Secured, the podcast that dives deep into the world of application security.

Kiera Farrell
Every opportunity I got was because I made myself uncomfortable and took a big leap, which is great, but I also think there’s probably other opportunities I missed out on because I was too scared or afraid to be uncomfortable. And if there’s one piece of advice I could give to anyone starting their career, it’s just you have to do things you hate.

Cole Cornford
Today I have a special guest, Kiera Farrell. She’s really energetic, she’s very enthusiastic, and one of the more interesting things is that she’s actually reasonably new to her career in cybersecurity. She did a bunch of work previously in different FMCG businesses, and now works at David Jones under one of my previous guests, Sam Fariborz’s leadership. One of the things I really appreciate is that most of the people I bring onto the podcast are quite experienced, like 10, 15, maybe 20 years experience, and they have their niches that they’re extremely good about. But I wanted to kind of flip the script with this episode and say, Hey, as a hiring manager, what’s the best way for me to attract younger talent? Or how am I sucking at interviewing and attracting people? What can I do to make my jobs more interesting for younger people so I can keep them, retain them in my businesses?

Cole Cornford
Because most of my audience members tend to be senior managers up until CSO types, and so I felt that this is good to kind of flip the script and focus on working out rather than just how to be better at cybersecurity, how to just get more people into the industry and keep them here. So she’s great. Had a lot of fun talking to her and I hope you have a great time listening to her. Hello everyone. I’m joined here today by Kiera Farrell. And how are you doing, Kiera?

Kiera Farrell
I am lovely, thank you, Cole.

Cole Cornford
What’s the weather like? Were you at Melbourne [inaudible 01], is that right?

Kiera Farrell
Yes, it’s quite nice today, I guess been a hot summer, humid. Great, but not great.

Cole Cornford
Yeah, we’ve kind of swapped weather apparently at Newcastle, it’s just pouring rain and just being miserable and I thought that the whole point of living in Newcastle was so sunny beaches and smiley weather, but here we are. So I thought it would be good for you to give a bit of a background about your journey coming into security considering that you are reasonably new to the industry.

Kiera Farrell
Yes, I guess I am a baby still. Two years. I just hit my two-year mark the other day.

Cole Cornford
You’re a toddler.

Kiera Farrell
Toddler.

Cole Cornford
I have a baby, Monica. And yes, she is definitely a toddler and she runs around and always asks me to put wheels in the bus on.

Kiera Farrell
Okay. So I’m at wheels on the bus stage of my career, I guess.

Cole Cornford
That’s a good point.

Kiera Farrell
Yeah, two years. I studied a Bachelor of Cybersecurity, which it was reasonably new when I did it. I guess, it’s been a few years now, so it’s a bit older, a bit more mature, but definitely a newer type of bachelor. And then went into a grad job with cybersecurity and now I work at David Jones as a cyber analyst focusing on SecOps, bit of identity and a little bit of DevSecOps as well.

Cole Cornford
Yeah, cool. It’s not common that I hear people to get a Bachelor of Cybersecurity. I’m still a spring chicken, I’m pretty young. But when I did university I just did a bachelor of IT and that was back in 2000, I think I graduated 12 or 11, so 13 years ago. And there was a couple of smattering of cyber-related subjects like data security, which is just about the mathematics behind cryptographic algorithms, not so much the practical implementation or usage of them. So I think all I remember really from my entire degree was someone saying that buffer overflows are bad. It was like the only context over three and a half years of uni. So what’s a Bachelor of Cyber like? What do you cover in it? I haven’t really been able to look. I’ve always seen it as a master’s degree, building on of a core software engineering or computer science background. So what’s the distinction?

Kiera Farrell
Yes, like I said, very new. I think it was maybe two years old by the time I started it. And it has unsurprisingly already changed drastically since then. But I really liked it as a bachelor’s. It was very much IT focused, very similar to the bachelor of it, but you just did a lot of specialization in cyber-related subjects, so you learnt sort of about risk from day dot. Did a lot of ethical hacking, which everyone loved. And when you did programming, it was perhaps more focused on programming securely or how you would use this for say ethical hacking and building applications with a security focus.

But there was a lot of overlap with IT, I guess a glorified IT degree, but it was really interesting. And in my last year they were already changing it so that they had majors in cybersecurity, which is probably a long cry from what cybersecurity used to be, where you’d do a master’s of IT with a major in cybersecurity. Now there’s a whole degree with cybersecurity majors. I didn’t get to pick any of them, but they definitely sound cool and I think the new cohort has a good opportunity to learn a lot about cybersecurity from their very first day in uni.

Cole Cornford
Yeah, because I helped my local university, Newcastle University with redesigning a master’s of cybersecurity. And we basically decided that there was going to be two kind of pathways, effectively a engineer stream and a professional stream, and which we wanted to kind of maybe delineate a little bit further down, but then what we kept finding is that access to talent to teach it and keeping the course material current would’ve been too much administrative overhead for the university.

And so having two major streams where people can say, “Yes, I am professional, my focus is on internal audit, external audit, on governance, on risk management, it’s on understanding compliance frameworks and building programs and so on.” That’s great. And then also having an engineering stream saying, “Oh yeah, here’s how to use, here’s how to do ethical hacking. Here’s how to set up a sock in a seam.” Just the kind of techie stuff. But I guess, the majors that you would’ve maybe seen would be something like maybe pen testing, maybe forensics, maybe GRC, I don’t know. What’s it kind look like?

Kiera Farrell
Let me look it up.

Cole Cornford
Yes, look it up. And you’re very intelligent, you already know. This is a podcast for doing sales for your university.

Kiera Farrell
Is it all right to name? It was Deakin.

Cole Cornford
Yeah, absolutely-

Cole Cornford
… because well, one thing you can do is then say, “Hey Deakin, I’m an ex whatever, student, look at this podcast I did where it just talked awesome about your university.” And then just shared to them and hopefully they like you.

Kiera Farrell
Yeah, so this was at Deakin University, but a lot of unis now have a Bachelor of Cybersecurity, I think I know La Trobe, RMIT, probably a few more, but they had a network security focus and a security management. So a lot of what you were saying and they sort of had their own electives you could pick up, but you can mix and match. They certainly haven’t struggled for teaching stuff nowadays. I think as security gets bigger and bigger, there’s more professionals that have an interest in academics and so it’s a good program, you can certainly tailor the bachelor to how you want to focus on security and as it gets more popular there’s just more choice.

Cole Cornford
Yeah, cool. What would you say were your favorite and least favorite parts of your university degree?

Kiera Farrell
It’s funny, because I really didn’t like learning about risk. Which is perhaps the core of cybersecurity. And as soon as I started working I thought, “Oh, GRC.” And then lo and behold I actually kind of fell in love with it once you see it in application. But it can be hard to learn about it abstractly. You might think, “I don’t really care about this.” And then you see it in a business, see what risk is like and how much money risk can cost a business and suddenly it gets a lot more interesting. But I’m very technical, so I really loved was ethical hacking, cryptography, anything maths related, all the programming subjects I just loved. And my uni definitely taught them in a very engaging way. I think it’s perhaps easier to see how those apply to the real world than something like risk. So that’s what I loved.

Cole Cornford
I think that those theoretical concepts can be extremely challenging for people at undergrad level. And it’s the same with someone doing a Bachelor of Business. Typically, they’ll go into some other business and say, “Hey, I have a B business, why can’t I run a business? I know how to run a company now because I’ve learned all about quick ratios and cashflow forecasting and all this kind of businessy business stuff.” And the answer is that they can’t apply any of that till 10 to 20 years later in their career.

Cole Cornford
And then suddenly it pops up and they’re like, “Oh yeah, I remember learning that at university. That was good theory back. Then and now I can actually practically use it.” And I guess, with the cybersecurity it’s quite nebulous when you think about risk because ultimately technical risk assessment, I’m sure you’ll get involved in that on a reasonable basis, but it’s quite unlikely that you’ll be able to aggregate cybersecurity risks into something that fits into your organization’s risk matrices and then also have any real involvement with the risk committees or having to suggest treatment options at a business level for quite a long time in your career.

Kiera Farrell
Yeah, definitely. And I think when you learn about risk at university, it’s different for each organization you work in and it can be a bit hard to understand that conceptually, especially we did that, it was first year, first semester, so it probably wasn’t the best time to learn about it. But as I’m learning a bit more about risk now and doing risk assessments and seeing how my bosses handle risk and translate that to the board, I’m remembering concepts from that subject and I go, “Oh, it is helpful.”

Cole Cornford
It’s one of those things where the base education is relevant throughout the entirety of your degree. And so I think it makes sense that it’s the very first thing that you learn, because if you do risk and then later you learn about pen testing or operations or forensics or NetSec or whatever, there’s a good chance that you can say, well, the reason that we do pen testing is to help us have assurance, it’s effectively an audit process. But if you haven’t got that risk background, you may not understand, you’ll just be like, “All right, it’s hacking stuff. This is cool. I’m awesome.” Which I need a lot of hackers to think otherwise about. We’re here to protect people, not just point out all the flaws and walk away.

Kiera Farrell
Definitely. They left the ethical hacking unit to your last semester, which was probably by design, so you have to do everything else first and then you get rewarded with the fun subject. But-

Cole Cornford
I guess, that makes sense to me because, and also I like that they mentioned it ethical hacking. I know a lot of people who go into cybersecurity with the intention of just being pen testers basically, and a lot of them completely misunderstands that a lot of testing is effectively IT quality assurance. So you are testing to see that stuff that people should be doing correctly has been done correctly. And it could be not patching software or missing input validation, which is just bad test coverage or missing authentication authorization checks. Again, that’s just having bad smoke tests and bad manual testing approaches. That can be quite draining and gets rid of the honeymoon period pretty quickly for people. And so I think the other thing is that I imagine students over the course of a university, a bachelor’s degree, it builds a better sense of civics and ethics than they may have had when they were at high school.

Cole Cornford
And so giving people the tools to effectively commit crimes early in their degree when they don’t understand that that is what they are doing, it’s probably not the greatest idea. But towards the end of the degree when they’re in their early 20s instead of a 17 or 18-year-old, I think it makes a lot of sense to say, “Hey, well now that you’ve gone and done all of this stuff or we talk about, you’ve got a more well-rounded view of the world, hopefully you’re not going to go out there and joined some blackout organization, do bad things.”

Kiera Farrell
Definitely. And Deakin, and I think many other unions, from what I’ve talked to other people about, they in any IT degree have a big focus on ethics and professional behavior and there’s entire units dedicated to this. So it’s a big push on ethics and how you are doing things ethically and helping people not harming people.

Cole Cornford
I think it’s quite hard because as technologists a lot of the time we’re so often quite removed from what the impact of our actions are. Simple things could be improving retention of users on a website. Well, one way of doing that could be a dark pattern that makes it really challenging for people to stop signing up. Another approach could be to actually give them a good experience and make them want to come back to the website. More often than not, it’s easier to just introduce dark patterns and make it hard for them to leave, having to phone the bank or something during business hours to actually be able to go through. But it takes 10 seconds to be able to sign up. So there’s plenty of examples in the world that are, I guess security is not that much better. There’s a lot of aspects where someone is doing a penetration test and a customer says, “Hey, I’d like you to also include this part of the scope.” But that scope might be a third party organization.

Cole Cornford
And then a consultancy might say, “Hang on a second, I’ve either got to worry about my own cash flow to be able to do a pen test. And if the customer’s not happy with me doing the work, maybe they’ll just go to someone else who has different levels of integrity than me.” And so then they’re in an ethical quandary, where “Do I start to test something that’s outside the scope of what I’ve been engaged? Especially if it’s not, I don’t have permission to do so? Or do I stick with in the scope and annoy the customer?” And I think in cybersecurity we’ve got to have some very strong difficult conversations quite frequently. There are so many ugly babies and no one likes being told it.

Kiera Farrell
Definitely. And I’m glad they start giving you the foundation of how to handle those difficult conversations in uni and then that’s definitely a soft skill you bring with you to the workforce and build upon and it’s tested many times throughout your career, I’m sure.

Cole Cornford
So speaking of going to the workforce, what was it like graduating and then having to go through a billion different grad program things? Because I remember my experience and having to do all sorts of weird shenanigans to be able to get a grad program 14, 15 years ago or whatever. And it was stuff like one-way video interviews, which I thought were completely inhumane and I didn’t like it. Because I like having conversations with people. I don’t want to sit there recording to a screen about something popping up and… I have a hard enough time doing a solo podcast when I own a format and I have to do it myself. What was your experience? What did you come across and find?

Kiera Farrell
It’s good and bad. From my experience, a lot of grad programs, I guess are willing to take chances on people. They expect you to come out of uni and almost have no knowledge, even though learnt a bunch of things in uni, they expect you to start from absolute ground zero, which is good and bad because then I think they expect you to prove your soft skills in roundabout ways, like one-way interviews, which do suck. I also just love having conversation with someone. And you can’t really have a conversation to staring at yourself and answering questions. But yeah, I applied for a few grad jobs. The one I ended up getting was with, it was a somewhat smaller grad cohort. There was about 12 of us and that was across the whole retail business. So not everyone was technology and only three of us were cyber.

Kiera Farrell
And this worked well for me. I think I really liked having a smaller cohort and we could have deeper connections with people. But some people like being one of many and that also works. You have a lot more resources in that case. But I think it’s worth knowing that you can be picky. In a job interview they always say you are interviewing them as much as they’re interviewing you. And that’s true even when you’re a grad. And yeah, I mean apply for quite a few, but some might not work out and you’re just not a good fit for each other. And I do think if you keep trying, you will find what’s good for you and everything works out. I do find, I think going through my cyber journey, I’m a strong believer in everything that’s meant to happen does. I didn’t get some jobs that I was really crushed about, but in the end I’m glad I didn’t get them because I really loved the grad job that I did get.

Cole Cornford
It’s funny how our paths diverged and what could have been at different points. I even think back to before I started Galah Cyber. I was intending to move over to the United States to go work for Change.org, but then I met my girlfriend who is now my wife who I have multiple kids with and running my business from my home. But I know that I could have been living in either San Francisco or in Victoria, Canada and I may have been dating a nice Canadian woman or a nice American woman. I don’t really know. So.

But there’s plenty of points where your career can diverge, and I’ve always been of the view that you should be opportunistic and set yourself up to have more opportunities. And that means speaking to more people, being kind to folk and taking risks when presented. And that’s been good for me. I moved to Canberra, I moved to Sydney and I was going to move overseas. I started a business. A lot of things that people say “That’s risky. Why the hell would you do that? That’s very silly.” But in those areas of risk, I think are the places where you have the most growth because uncomfortable and it’s different. And yeah, I encourage you to go and just try all sorts of new things as well.

Kiera Farrell
I have to agree. Stepping out of your comfort zone isn’t great. I think you get more used to it each time you do it, but when you are young and new to the workforce, you probably haven’t done it that much. And every opportunity I got was because I made myself uncomfortable and took a big leap, which is great. But I also think there’s probably other opportunities I missed out on because I was too scared or afraid to be uncomfortable. And if there’s one piece of advice I could give to anyone starting their career, it’s just you have to do things you hate. They will make you a better person and you’ll probably end up loving them, to be honest.

Cole Cornford
You’ve just jumped onto one of my next questions basically, which is when you’ve entered the workforce, what would you say it is the free lessons that you would encourage students or early career graduates to follow to be successful? Because at this point I feel like you’ve had a pretty quick move up the chain to be a cyber analyst with a broad scope of responsibilities in a very short period of time. So what would the three things that led you to get to that role?

Kiera Farrell
Well, take every opportunity like we’ve been saying. Yeah, I wouldn’t be where I am if I didn’t take the opportunity. This role when I was discussing it, it was scary. It was a lot more responsibility than I had at my previous role, but I just thought, “I got to do it. Got to try it. If I suck, if it doesn’t work out, then at least I’ve tried and I would’ve learned something either way.” So take your opportunities, meet people. Again, would not have this role if I had not met my boss. And networking, I think I know that a lot of young people don’t like it, but I suspect that perhaps a lot of people don’t actually like it. It can be scary meeting new people, and I do love meeting new people, but when you’re doing it for your career, it can be different and it can be hard, but you just got to take that opportunity, network.

Everyone in this industry that I have met so far is lovely. I’ve never had a bad experience with someone. So meet new people. And then on meeting new people, make lasting connections. You have to put in an effort to maintain a relationship, but they’re always worth it. And you’ll find you can help people and they can help you. And I’ve made a lot of good connections in this industry and they’ve all been really worthwhile. If you can, backing onto that, find a mentor, they are very helpful in just even answering silly, stupid questions you have. I think everyone that has a mentor benefits from them greatly.

Cole Cornford
Yeah. So shifting away from this content that’s good for some more junior people, I want to jump up to some more managers because, well, I mean I’m a hiring manager and I would love to be providing more opportunities and attracting more junior staff members to come and work at Galah. I guess I have two questions, is probably one, what makes an employer attractive for a graduate? Why would they want to choose to go somewhere? And probably number two, how would you be a mentor to someone who’s early in that career? What is effective? Because the mentorship I receive is usually from chairman, CEOs established business owners. And it’s very different when I talk to them about the scaling workforce headcount or cashflow or. Whereas, the mentorship that I would obviously be giving to more junior people is just, do the hard work and learn more techie stuff. But yes, going back to two questions again, one, how do I make my business more attractive for graduates? And two, as a mentor, what can I do to support young people’s careers?

Kiera Farrell
So to make your business attractive, I suppose there’s no real answer. Lots of people find different things attractive, but what I love is seeing that a business is clearly a place that will foster talent and allow you to grow. And certainly, that they have a respect for what foundational skills you have, but perhaps finding in people that they can learn skills, I think understanding and knowing that you don’t have to know everything, but you will have an opportunity to learn almost everything here. That’s certainly what I find attractive. I think it’s what a lot of people find attractive. Not everyone’s a guru, not everyone can be a guru, but we want to try. So yeah, when I’m looking for places to go, it’s more about the people who work there and knowing that they can and will support you. Of course, it’s hard to convey that in an interview, but I think the vibes are always there and people usually know if they’ll get along with someone and be able to grow in a place with someone as their boss.

So it’s a bit of a holistic answer. But yeah, I think different people like different things, and it’s sort of all about how you connect with someone. And for mentors, it’s probably the same. I think I have a lot of dumb questions, and I don’t have one mentor, I have quite a few people that I like to talk to about things, and I will go ask them these dumb questions and there’s no judgment whatsoever. I’m perhaps not focusing on how to present to a board, but I am focusing on how do I get out there present more small scale and they can help. And just things my mentors have done have been like, “What do you want to improve on? And then how do we get there for you? And what would you be willing to try?”

And pushing you, pushing you out of your comfort zone. Is hard to do on your own, but a mentor can sort of give you a good nudge and then let you fly into the world, but they just got to push you off the edge. And that’s certainly what mentors have done for me. It’s a lot of, here’s an opportunity, would you like it? I think it would be good for you. And yeah, that’s sort of what I look for in a mentor. And I think what a lot of young people like to look for, it’s just someone they can lean on and help them achieve their goals, even if they have to push them a little bit harder.

Cole Cornford
I think that’s good. Having a quorum of people that you can to. Because one person’s experience may not be the same as someone else’s, and having a variety of perspectives can be really useful for you to make an informed decision. I think where people get stuck a lot of the time is, they end up with one super mentor who does everything and teaches them everything, and then they end up trying to copy that person’s career path, which that may have been useful 20 years ago. It may not be as useful today. And some of the stuff that they suggest may be dead on accurate, amazing, but then other stuff could be completely so wrong. So I like that you have basically a “Tribe of mentors,” is the way I would, I guess describe it.

So if we quote a Tim Ferriss book from 12 years ago, look at me. But the other thing that I thought was interesting was not so much the comfort zone, but the lack of judgment. I think that at least how I live, and when people approach me and ask me questions about either cybersecurity or business or whatever, I don’t go to, firstly, I try to never solution. I’m not solving their problems for them, I want them to work through the problems themselves. And it doesn’t matter how stupid a situation they’ve ended up in themselves, I’ve got to take a step back and say, “Hey, hang on. I’ve done some tremendously stupid stuff before.” And the people I’ve spoken to have said, “No judgment. That’s okay. Let’s move forward.”

Because if as a mentor you criticize and make people feel upset about their work, they’ll never come back to you, they’ll never open up and they won’t… It means that your mentorship is now going to be ineffective moving forward. So yeah, judgment, don’t be judgmental of other people because we’ve all made mistakes and we just need to smile and do the miles.

Kiera Farrell
Definitely. And it’s been said a million times, and it is very true that you make a mistake and you learn from it. So your most learning is done when you do something stupid because then you do not do that again.

Cole Cornford
I was listening to an episode of another podcast called Modern Wisdom the other day, where he mentioned that there’s this concept of unteachable lessons where everybody knows that you have to do it, but then they’ll never do it until it becomes too late. And then they have to learn from the experience. Things like, oh, don’t date at work, or you can leave toxic relationships, or you can quit your job. And people are, “I can do that anytime.” Or “I go to the gym, get healthy.” That’s a good one. That’s something I need to focus on because surprisingly, I’m not backing on the kilos. I had a little bit too much beer over the Christmas break. I have been reverting and getting away from my Mountain Culture endeavors. But yes, highly recommends, this show is now sponsored by Mountain Culture. But anyway, going back to the main thing. Yeah, mentorship, I think really important for early career professionals.

Kiera Farrell
Definitely. And yeah, my quorum, I have people that I go to for technical help and people that I go to for mentorship. How do I learn some leadership skills for perhaps a future career goal of mine? And yeah, they’re very helpful to get a wide range of perspectives.

Cole Cornford
So going to your second point about helping younger people, which was about networking and growing your network, and did you find conferences or meet up communities or online forums or? What was effective for you to be able to build your professional network?

Kiera Farrell
Yes, conferences and going to meetups, that was something that I had to really force myself to do. I think going somewhere where you know no one and you just have to meet people is really scary. But every time I’ve gone, I have met really great people and they have been very helpful. Some of them have joined my mentorship quorum. And conferences have been really cool. I’ve definitely met some interesting people there. And you meet someone, they introduce you to someone else, and suddenly you have a big network of people that you can rely on and talk to and ask for help as well as they might ask you for help.

Cole Cornford
Yeah, okay. Well, given that, look, I’ve had an absolute pleasure having you on the show. I know we’re getting close to time. Is there anything that you would recommend for people who are seeking their first couple of roles in security or maybe who are struggling at university? What would you suggest?

Kiera Farrell
Yeah, I definitely suggest reaching out to people. You can reach out to me. I’m not sure how much help I’ll be, but I’ll certainly try. And trying to go to events. Some can be pricey, but there are a lot of free cyber events in Melbourne. You just have to look around on LinkedIn and you’ll find some good ones. But I think you just got to keep trying. I do like the grad jobs and there are a lot of grad jobs that go, you just keep your eyes peeled and if you miss out on this year, there’s always next year. And there is always another way into the industry. I did it very traditionally through a grad job, but there are heaps of career paths that you can take that may work better for you. So it’s just all about taking chances, grabbing opportunities when they show up and making the most of your time.

Cole Cornford
Yeah. And with those pricey events, it’s always worth reaching out to someone like a recruiter because they typically have a few extra tickets to give away or to some of the bigger businesses or to just like some of your mentors, because maybe they’re willing to invest in you and your career. So-

Kiera Farrell
Definitely.

Cole Cornford
… you don’t know. The worst thing you can do is self-select out and say, “Hey, ACES cyber conference. The student top price is $400 or something. Look, I can’t afford that. No matter what I do.” The best thing you can do is message about 20 ish people and say, “Hey, I’m a student. It would be lovely if I could go to this. Can I volunteer? Can I do something? What can I do to go to this kind of event?” And you’ll be surprised how many people say, “I remember what it was like, and I’m willing to help you out.”

Kiera Farrell
Definitely. I have found people to be really helpful in this industry and willing to take chances on people. And it’s always worth a shot. The worst they can say is no, sorry.

Cole Cornford
So thank you so much, Kiera. Kiera is a DevSecOps engineer over at David Jones. It’s been an absolute pleasure for you to come into the podcast.

Kiera Farrell
Thank you, Cole. It’s been lovely.

Cole Cornford
Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secure, go to galahcyber.com.au.