Cairo Malet (she/her) is a cyber security professional, specialising in governance, risk and compliance. She currently works for Octopus Deploy, leading their GRC programme. Before moving to Octopus, she spent three years leading risk assessment and remediation at one of the world’s largest mining companies, working with technology across both enterprise and operational environments. Her previous experience includes consulting and internal positions, working with organisations across finance, government, healthcare, telecommunications and resources to assess their security posture and implement policy and process to increase security maturity. She is passionate about providing pragmatic security advice, increasing female representation in the Cyber Security industry, and Stardew Valley. She also has a degree in International Relations and a CISSP.
In our conversation, we talk about Cairo’s indirect journey to cyber security, and what cyber security entails from policy to supply chain cyber security and social engineering.
Watch on YouTube
Listen to the Podcast
Listen on Vurbl, Apple Podcasts, Spotify, iHeartRadio, Stitcher, Google Podcasts, Overcast, Castbox, Breaker, Pocket Casts, RadioPublic, Amazon Music, Deezer, TuneIn, RSS, and other podcast platforms.
[00:00:49] Cairo’s pursuit of the social sciences.
[00:01:00] Having an interest in history.
[00:01:29] A desire to become a diplomat.
[00:02:31] Working in hospitality.
[00:03:06] The transition into tech and starting in tech support.
[00:04:02] How tech support turned into cyber security.
[00:05:40] An opportunity in the internal cyber security team.
[00:06:06] Concern about not meeting the job criteria, by one item only. Michele’s note: This old chestnut with women and applying for jobs.
[00:06:49] Having experience in the regulatory and privacy side of things, just not the technical.
[00:07:08] A lesson in how initiative and making yourself available can lead to other opportunities.
[00:07:27] Cyber security has regulatory and compliance aspects as well.
[00:07:58] Also need to be pragmatic and apply context. What is actually relevant to the organisation.
[00:09:13] Process management involves knowing about the process you’re trying to manage.
[00:10:54] Governance, risk, and compliance in the context of cyber security.
[00:10:58] Penetration tests are only part of the whole.
[00:11:25] Defence and response.
[00:15:24] Supply chain security.
[00:16:12] Your relationships within the chain.
[00:16:34] Coverage through due diligence, contracts, and enforcement.
[00:18:02] Internal mitigating strategies for when things don’t go to plan.
[00:18:30] Sometimes a bad actor simply has more time and resources to throw at a thing.
[00:19:03] Trying not to be the low hanging fruit and taking an ‘assume breach’ approach.
[00:19:48] (Dis)trust in the universe, but lock your car.
[00:20:27] Multi-Factor Authentication (MFA): A small inconvenience that can prevent larger inconveniences.
[00:21:40] We know, it’s annoying can be inconvenient. But there’s a benefit.
[00:22:37] Having the conversations and taking the time to communicate the concepts.
[00:24:56] On password choice. We kid. Don’t use these passwords.
[00:26:38] Sentences and sequences of words are definitely an improvement.
[00:27:01] How Cairo’s background in social sciences informs her work in cyber security.
[00:27:53] Research, critical analysis, and effective communication is a significant part of the work.
[00:29:55] Understanding the audience and the players involved is essential in this space.
[00:30:38] Cyber security is relatively new as a field, we need to be able to communicate its relevance and significance.
[00:30:52] The specialists need to also have an understanding of the space in which their work is being applied.
[00:31:35] It’s an aspect of business that can be taken for granted because it ‘just works’.
[00:32:17] Hence the importance of communication to get ‘buy in’.
[00:33:05] Accessibility and visibility in communication.
[00:35:08] You are not separate to the business. Being invested in the business whose interests you are there to protect.
[00:35:58] Other cyber security concerns of businesses.
[00:36:21] Tailoring guidance to the organisation.
[00:36:48] The needs of small businesses.
[00:37:46] The needs of larger organisations.
[00:38:36] The foundations.
[00:38:55] Social engineering.
[00:39:44] It’s about manipulation.
[00:40:52] Capture the Flag (CTF) at DefCon.
[00:41:21] Rachel Tobac.
[00:42:21] Stress and urgency can prevent people from being rational.
[00:43:45] The challenges of being good at social engineering.
[00:44:21] Cyber security awareness training.
[00:45:10] Preying on kindness or momentary lapses in focus.
[00:45:49] Online scams are a numbers game.
[00:47:17] Spearfishing and whaling is more effort with a higher payoff.
[00:47:48] Scams are run as a business as well.
[00:48:52] Cyber security is challenging and rewarding.
[00:49:27] Motivations in cyber security. Societal and geopolitical factors.
[00:50:13] Considerations in the resource sector.
[00:52:47] Understanding the business, their needs and risk factors.
[00:53:01] Needs of financial institutions vs emergency services.
[00:54:03] The CIA Triad (Confidentiality, Integrity, Availability).
[00:56:31] Bonus Question 1: What hobby or interest do you have that is most unrelated to your field of work?
[00:57:09] Taking up knitting.
[00:57:40] Assoc Prof Rhea Liang (#8) and her crochet.
[00:57:52] Tom Daley’s knitting fame.
[00:58:35] Bonus Question 2: Which childhood book holds the strongest memories for you?
[00:58:40] Tamora Pierce.
[00:59:29] Strong female characters in science fiction and fantasy.
[01:00:44] Tortall being adapted for television.
[01:01:36] The adaptation of Ursula le Guin’s Earthsea.
[01:03:29] Bonus Question 3: What advice you would give someone who wants to do what you do? Or what advice should they ignore?
[01:03:34] You need balance between your work and personal selves.
[01:04:55] Get involved with the community.
[01:05:16] Don’t let a non-technical background deter you. A broad range o skillsets are needed in this space.
[01:06:07] Cyber security twitter is a great resource.
[01:06:27] Tanya Janca (@shehackspurple)
[01:07:02] Finding out more about Cairo and her work.
- Cyber security (wiki)
- Payment Card Industry Data Security Standard (PCI-DSS) (wiki)
- ISO 27001 (wiki)
- Governance, Risk Management, and Compliance (wiki)
- Penetration test (wiki)
- Supply chain security (wiki)
- Privacy Act (Australia) (wiki)
- General Data Protection Regulation (GDPR) (wiki)
- Multi-factor authentication (MFA) (wiki)
- Information Security (wiki) - Covers the CIA Triad (Confidentiality, Integrity, Availability)
- DefCon (wiki)
- Capture the Flag (CTF) (CTF101)
- Rachel Tobac (@RachelTobac)
- phishing (wiki)
- Assoc Prof Rhea Liang
- Tom Daley
- Buffy the Vampire Slayer (IMDB)
- Hack the Box
- Tanya Janca (@shehackspurple)
- Tamora Pierce website BookDepository GoodReads
- Song of the Lioness by Tamora Pierce BookDepository GoodReads
- Protector of the Small by Tamora Pierce BookDepository GoodReads
- Circle of Magic by Tamora Pierce BookDepository GoodReads
- Earthsea Cycle by Ursula le Guin BookDepository GoodReads
- The Shadow and Bone Trilogy by Leigh Bardugo BookDepository GoodReads
- We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened (CNN) - Not the scenario mentioned in our conversation, but similar.
- British diver Tom Daley knits dog jumper and cosy for Olympic Games gold medal (ABC Australia)
- Untitled Tortall Adaptation (Tamora Pierce Fandom.com)
Find out more about Cairo Malet and their work
- Twitter: @intrepidrainbow
Connect with Us
Support STEAM Powered
Become a Patron
Buy your books from BookDepository. There are over 20 million titles and you get free delivery worldwide to over 150 countries on every order. Want some ideas? Check out the list of every book mentioned in our conversations, or authored by our guests.
Start your own podcast or YouTube channel, or run panels and seminars with Riverside.fm. Record up to 8 people in a session with up to 1000 audience members. You can record in advance as I do, or you can livestream with the option to send it straight to Facebook, Youtube, Twitter, or Twitch. There's even a green-room for guests and live call in for audience members. Afterwards, get separate video (up to 4K) and audio (up to 48kHz) tracks per recorded participant for editing, none of that “active speaker only” limitation. You know you're in good hands with a service whose client-base includes some heavy-hitters. Check out Riverside.fm to see who else is on board. Use promo code STEAM25 to get 25% off the first three months of your subscription.