August 22, 2023

Shanna Daly (she/her) is the newest member of the Cosive team, bringing with her over two decades of experience in information security, digital forensics, and incident response.

In this interview Shanna talks about:

  • How to get started in cybersecurity and digital forensics
  • The challenges of remaining technical while taking on leadership roles
  • What drew Shanna to work with Cosive
  • How to build your profile in the InfoSec community
  • Emerging threats on the horizon
  • The thing that frustrates Shanna the most about incident response
  • Why horses are so special

Can you introduce yourself and tell us where you’re based?

I’m based in Sydney. I’ve been working in information security in Australia for over 20 years now. I’ve been part of every kind of security domain in that time, from auditing, GRC (Governance, Risk management, and Compliance), penetration testing and more recently I’ve focused on digital forensics and incident response. I’d built consulting teams within those realms and really needed a break from the intensity of incident response, which is what led me to look for a change.

I really enjoy doing the technical work and building out consulting teams and things like that, but there’s a lot of admin and a lot of overhead. I really just got burnt out. Getting to do more fun things again is a big part of why I joined Cosive.

How have you navigated the constant pull to become post-technical that happens to anyone who's worked in technology for a long time?

It's really hard because it just sort of happens. Especially when you're trying to build teams, because there's so many things around building a team that you need to take into consideration.

You have to think about profit and loss, how much work is incoming in terms of billable hours versus what the team's utilisation is and projecting that out. That becomes really difficult when it's incident response, because when you're doing reactive work you can't forecast that well.

As you start managing teams and managing practices, more and more of your time naturally ends up going towards admin and management. It’s pretty hard to avoid that and it does start to become hard if you are still doing client work as well. It’s a really difficult position for people to be in, trying to do both.

Shanna jointly presenting on digital forensics fundamentals at AusCERT.

How did you initially get into cybersecurity?

I was running a fire-twirling group in Newtown and I was working as a tech support specialist for a dial up ISP at the time. I was pretty bored and I was getting annoyed at people ringing up and saying, “I can’t connect with my modem.” It's like, well, is your modem even on? Some of the people didn't even have modems and they were like, “I can't connect to the internet.” Or they were trying to connect through their zip drive, or their modem wasn’t plugged in. I was getting annoyed at that.

After about two years doing that I met someone at my fire twirling group and they said “we're hiring someone, do you want to come and do an interview? And I was like, “Sure!” It was for an information security role in public key infrastructure (PKI). I had no idea what that was back then. I did the interview though, and got the job and just sort of winged it from there. And that was in 2001.

I was lucky to work in that big organisation for around 12 years. I went through five acquisitions in that time, but the business ended up being Verizon. I got to do a lot of different things through that, which was really, really great. I did security engineering, a lot of networking stuff, and then moved through to more consulting work. I got to do a little bit of everything, which I think was really great, especially for the first 10 years of my career.

I was getting to experience a whole lot of different areas of cybersecurity and then found incident response and digital forensics and really loved it. I’ve been stuck in that little area ever since!

Is your educational background in CompSci/IT? Or did you learn on the job?

I went to university to study Microbiology and Immunology in 1997. I dropped out in 1998 and worked in bars and band venues around Newtown for a few years. I didn't ever get any kind of computer science education at all. I went to an all girls school where we still did home economics, which was cooking and sewing. There were no computer classes when I went to high school.

In my last year of high school my best friend had a computer and the internet, so that's kind of where it all started. I did grow up playing with a Commodore 64 and an Atari. So I've always liked playing computer games and playing around on computers, but I didn't have any formal education.

I actually ended up doing a Master's in Information Security with a major in Digital Forensics via Charles Sturt University. I think I finished that around 2014. I was eventually able to do a Master's degree without a Bachelor's degree because I had over 10 years work experience.

Everything else has been either self-taught or learned on the job. I’ve had some great mentors along the way.

What appeals to you about cybersecurity over other technical fields?

You're battling an adversary all the time and you’re always behind. They’re figuring out a new way to get in. They’re finding holes or bugs or vulnerabilities in software applications and hardware. We’re having to find that after the fact, so every day you're learning something new. You’re looking for new ways to defend against what an adversary is doing.

I actually find it really exciting. It's a little bit like being a cyber James Bond, so to speak. Especially when working in incident response, I think, because I got to see firsthand what adversaries were doing and how they were doing it. I got to learn about the kinds of organisations and data that adversaries target, and about why they’re targeting those organisations. That makes it exciting. I like to learn and I don't like to be bored.

What's been the common thread running through your career?

I think it's probably the desire to learn more and know more and keep progressing. I’ve always taken opportunities that have been handed to me, for the most part. I'm not afraid to give something a try and I think that's really helped my career and my success in cybersecurity, because someone will say, “Do you want to give this a try?” And I’ll say “Sure, why not?”

I could probably fail, but you know, generally I've had a good team around me at all times that won’t let me fail. As long as you say yes, and you give it a shot, there're people around you for the most part that are going to help you and they're not going to let you fail.

You touched on it a little bit earlier, but what appealed to you about joining Cosive?

I've known a lot of the Cosive team for a number of years and I just really like the way that the company is set up. Everybody works together. It sort of feels a bit more like a co-op than a company, if that makes sense. Everybody does a little bit of everything and everybody does the work that they want to do, for the most part. That means you can go, “well, I like doing this kind of work so I'm going to bring in that kind of work” and everybody benefits.

Everyone seems to be on the same level. There’s not a lot of hierarchy. It's really that whole co-op feel for me. It’s a bit hippy, but I like that everyone's pulling in the same direction.

For the most part the leadership team are all part of the projects that are happening and a part of doing things. And that's exactly like me. I could be CEO and I would still probably want to work on customer engagements rather than spending all my time running a business.

Shanna speaking at AusCERT.

You’ve built up a profile in the cybersecurity community. What drives you to get involved in the community side of things?

Again, it's just having fun. It might sound weird, but it is really just having fun. I really enjoy it. I'm one of those introverted extroverts, or whatever they call it, where I love getting out and meeting people, but in small doses. I love going to conferences and meeting new people and hanging out and making those connections. I do that side of it because I enjoy it and I learn a lot. I've met really good mentors that way and got great opportunities, but mainly it's just been because it's quite enjoyable for me.

And hey, I mean, maybe I can become rich and famous one day, who knows? It was funny, when I joined Cosive and we put it up on LinkedIn, Chris (Cosive’s CTO) got a text message from someone that said “I hear you've hired someone famous!”

It is really just about the fun and giving back a little bit. I’ve been given a lot of opportunities throughout my career, so I want to give back to the community. I try to get out there and do presentations and training and things for free, as much as I can. I write up technical blog posts to help educate other people or give other people resources that can help them get into the industry, or help them get better at doing things like digital forensics and incident response.

It's not easy to learn digital forensics. It can be really difficult to find the time to teach people on the fly. So you've got to work at quite a large organisation to be able to get in at a more junior level and have someone that can actually mentor you. So I created my blog Fancy4n6 to give people more resources online on how you can get started, and some exercises to do, and CTF (Capture the Flag) walkthroughs.

It's about providing people with a bit of guidance so that when they're looking for those jobs, they can say, look, I don't have any firsthand experience in digital forensics. But for the last six months I've been working on these capture the flag challenges. And here is my GitHub of write-ups or here's my write-up in a PDF. And so at least the hiring team can see that they've got the skills and the aptitude to do the work, even if they don't have the work experience.

I have to say, I think the people that shine out as the most successful in the industry globally are the ones that do this because they love it. Not to say that everybody in the industry loves it. There are a lot of people who do this just as a job, but when you look at a lot of the SANS instructors–SANS being the quintessential training organisation for cybersecurity–they've got really, really good people and trainers and really good content. Those people are doing that training in their spare time. Most of them have a full-time job as well. And then they're training at SANS and creating content on top of that. And they do it because they really enjoy it and they love the industry and they love training people and giving back.

So I think doing those extra bits is worthwhile. You don't have to do the CTF to get the job.

But I think in the end, those people that are doing those CTFs show that they're actually passionate about the industry and what they're doing. Those are the ones that I think stick around in the end.

You talked about it a little bit already, but what would you suggest to someone who wants to build their profile in the cybersecurity community?

Try to get out to conferences. Even if you don't speak at conferences, just look at networking at conferences. If you’re doing an IT degree, for example, or you're currently working as a systems engineer or an IT admin or things like that, and you want to get into something specific in cybersecurity, conferences are a great place to start building your network.

One caveat is that I'm in that mindset that when we talk about cybersecurity, it's like saying, I want to join the “building” industry. You don't go to TAFE to learn building, right? You go to TAFE and you become a plumber, or you become an electrician or a carpenter, or you do surveying. There are so many parts that go into what we know as the building industry. And it's very similar in cybersecurity.

So it's really hard when someone goes, “I want to get into cybersecurity”. That's great, but what part of cybersecurity? I think from that perspective, we're not doing a very good job of showing people the different areas in cybersecurity that they could be looking at. Because there are so many, and there are many that are technical and there are actually many that are non-technical as well.

You don’t necessarily have to be technical or have a background in cybersecurity to do program or project management. Even for more technical roles, if you've been working as an IT admin and you've scripted up everything and you know how to set up a network, it’s going to be really easy for you to then step in and go, well, I know how these networks work. You know everything about it. Now you can learn how to secure them.

Having better pathways from existing roles or existing education into the different facets of cybersecurity is something that we need to look at a little bit more. Because everyone goes, “I want to be a pen tester” because that's what they think cybersecurity is. From a media perspective, I think all anyone ever sees is that cybersecurity just means pen testing or bug bounties right now. And that's definitely not the case.

I think a lot of people and a lot of women in particular think “I'm not technical. I won't fit into cybersecurity because I can't pentest or I can't code.” But there are a whole lot of people in the building industry that can't build. They can't use a drill, can't use a hammer, but they’re necessary to support that industry. And it’s the same in cybersecurity. There are a whole lot of areas within cybersecurity that are supporting more specialised roles, so to speak. I think if we map that out a little better then we’ll have a better chance of getting more people into the industry.

Can you share three cybersecurity predictions for the next five years?

The whole ransomware economy seems to be setting itself up like they're legitimate businesses. The creators of ransomware are actually offering bug bounties to find vulnerabilities in their software. They’re really setting themselves up to scale, so we’ll likely see more ransomware attacks.

We saw ransomware going from being targeted at individuals many years ago, through to mainly being targeted at enterprises. Now I think we'll see ransomware going back to hitting ordinary people because of the Internet of Things. More and more of our stuff is going online. People can ransom your fridge or your washing machine, as well as your computer or your mobile phone.

Mobile phones are another one. There are some countries where it’s common for people to have two or three mobile phones on different carriers. Attackers may start looking at that as an opportunity as well.

Shanna is a passionate keeper and rider of horses.

What do you love most about having horses?

The bond. They’re like big dogs. Just being able to get on the back of an animal that has its own mind, its own will, its own way. It’s 600 kilos. There's no way I can fight that. To have them let me ride around on them and have that bond and feeling of connection to this big, massive animal is amazing. It's super thrilling to be able to canter around and have this majestic animal carrying you.

There's such a bond even when I'm not riding my horses. You walk over to the paddock and my horse will start nickering at me and run over to the fence. It's really beautiful.

Is there anything else you’d like to say?

For me, one of the most frustrating things about cybersecurity is that people still don't understand that you can't protect what you can't see.

In incident response the intrusion vector is typically an old forgotten system or a dev system. Someone had put the system somewhere and hadn't secured it, and nobody else knew about it. Organisations are using all of these fancy applications and security features but still have a box that's open to the world with nothing protecting it.

I think what frustrates me is that we still don't get the basics done and dusted, and yet we're looking at shiny objects and searching for the newest thing out there. I wish that people would calm down a little bit and go back to basics when it comes to cybersecurity. And if we did a whole lot more of the basics we’d stop a lot of ransomware attacks, for example.

There's always a new shiny thing coming out from a vendor and people love new shiny things. I love new shiny things too. But the new shiny things can't protect what you don't know is there.  It’s great that you’ve got EDR (Endpoint Detection & Response), but if you don't have EDR across your entire fleet, then it doesn't help. Spend the money on the things that will actually help you get a good baseline.

Follow Shanna