The director-general of the Australian Signals Directorate – and the first woman to lead an intelligence agency – deals with the worst of humanity but sleeps just fine at night.
Current Role: Director-general, Australian Signals Directorate
Tenure: Three years
Previous Roles: Head of the Australian Cyber Security Centre; deputy secretary executive group, Department of Home Affairs; national director intelligence and chief information officer,Australian Customs and Border Protection Service
How do you define good leadership?
In national security and intelligence, we do tend to be a rather direct and no-nonsense lot. We understand we’re at A but we need to get to B so we have very direct conversations about what’s required to do that. Beyond that very goal-oriented mission focus, I’m a big believer in building a team where all of us have different strengths and we genuinely try to value those strengths. I try to create an environment in which people feel safe and confident to come forward and say, “Hey, I’m having trouble.” That’s really important to me.
You’ve described the ASD as both poacher and gamekeeper. What do you mean by that?
We’re charged by the government to collect intelligence against foreign entities. The Australian Secret Intelligence Service does that by collecting intelligence from humans; we collect intelligence by accessing electronics – emails and things like that. When you get very good at that and you know how to exploit or spy on a network, it gives you a deep understanding about what organisations such as ourselves are capable of and therefore what we might need to do to defend ourselves against highly resourced intelligence agencies across the world.
You’re dealing with threats on a daily basis. How does that inform you as a person and as a leader?
As a leader, it’s a gift. The one thing I’ve never had to concern myself about is trying to mobilise my people behind a mission. People work here because they genuinely want to make a contribution to our nation’s security. I think it’s hard for all of us as individuals. We see some pretty horrifying and scary things. But we need to have the grit and resilience to be able to cope with and know about those threats. We see a lot more of the darker side of humanity than the average person might encounter but my belief is that’s okay because it’s our job.
Beyond seeing the dark side, what’s the hardest part of your role?
I sometimes joke about this but I’m not really joking. Senate estimates [laughs]. It’s the thing I most dread. I spend a lot of time preparing with my team but you can get questions you just haven’t anticipated. There’s a lot of pressure – you’re representing your organisation and other agencies and departments are watching to see if you accidentally make a problem for them. And in the intelligence community, we have an added challenge of constantly sifting and filtering. How do I know that? Is that classified? Can I say that?
For a long time, spying was kept in the shadows but do you need to be more open now?
I think so. I’ve been in the ASD on and off for more than 25 years. This is my third go. When I first worked here, there was only one talking point that we ever wrote for public release and it said, “It is the longstanding practice of successive Australian governments not to comment on matters of intelligence and security.” Now any Australian can call us and talk to a friendly spy [laughs] about how they can secure their device or get advice on what to do.
And presumably it’s a recruiting tool. I know the ASD is growing rapidly. You have more than 2500 employees now?
That’s right. And we’ll grow to nearly 5000 in the next four years so we’re on a big recruitment drive.
So how is the skills shortage impacting your organisation?
We’re very privileged that we don’t experience it. As an employer, we offer something that no-one else can offer and that is when you come into the ASD, you can legally hack computers. Tell me who doesn’t want to do that legitimately. Jokes aside, we put a lot of effort and energy into partnering with institutes of technology and investing in training people. We’re trying to create our own skilled workforce.
What are the greatest misconceptions about cyber attacks?
That “it won’t happen to me” and “I’m savvy and if somebody sends me a scam link or a scam email, I’ll be able to detect that.” Criminals are becoming increasingly sophisticated in the way that they can target organisations or individuals and will do their own body of research before they launch the email or the attack. During the COVID-19 pandemic, a group of cybercriminals had a very good understanding of the Australian ecosystem. They closely watched how the government was communicating with Australians… and were able to insert their SMS with a malicious link in it into your SMS chain from myGov. It looked legit because it was sitting in the chain you were expecting. Fortunately, we were onto that very quickly with Services Australia and were able to thwart that effort and take down those criminals.
And what about from a board level?
We’re seeing a real shift. I think what happened to some of our big companies towards the end of last year was really impactful on other leaders. It’s such an enormous credit to David Koczkar [CEO of Medibank] and Kelly Bayer Rosmarin [CEO of Optus] that they have courageously spoken publicly about what happened to their companies and shared those experiences. Abi Bradshaw [head of the Australian Cyber Security Centre, which is part of the ASD] and I have never had so many invitations to speak to boards, which we do regularly.
Are cybercriminals focusing on telcos and health? Is this a trend?
Unfortunately, we do see the health sector targeted by criminals. Also private schools. Our theory is that the criminals are banking on the fact that people who own health data or data about children are going to be much more sensitive to any threats of exposure and are therefore more likely to pay ransoms. Our critical infrastructure is more likely to be the business of states and they’re more interested in espionage. They’ll put a great deal of energy into not being found, whereas cybercriminals will eventually reveal themselves. These are the two big bad guys I talk about being out there and they pose very different threats.
Does that keep you up at night?
No, because my people are excellent at what they do and we will continue to mature and get better and better. My people will ring me if they need to. I’ll sleep until the phone rings but my phone is always by my bed.
How much is AI impacting your work?
We’re using artificial intelligence to help our analysts get through large amounts of data. It’s an enabler to support them to prioritise their work every day but we don’t use it to make decisions and that’s an important differentiator for us. We have to stay on top of every cutting-edge technology so we put a lot of effort and resources into understanding how AI and machine learning can be used for good, how it could be used against us and what we can do to defend in that regard.Your father and sister have both worked at the ASD.
You’re its first female leader. What was in the water in your family?
I don’t know. I met my husband at ASD, too, and my sister’s husband also worked here. We’re a family who is passionate about our country and motivated about doing things in our careers and our lives that are about defending and protecting our nation. When my sister and I were younger, people would ask my father what he did and he would say that he was an electronics engineer. It wasn’t until I was much older that I went, “Oh, my god, my dad is a spy!”
What advice would you give a brand-new CEO?
Come and talk to me! I’m happy to meet you. I’d really encourage you to treat cybersecurity risk at the same level of importance as you would treat financial risk and other risks in your business. Understand where your networks are, what is the most valuable data to your business, how it’s being stored and how it’s resilient. Exercising and practising for a bad event can help an organisation learn a great deal about what it needs to do now to prepare.