Release Date:

Cairo Malet is a Cyber Security GRC Specialist who takes a pragmatic approach to governance, risk and compliance in cyber security and works with organisations in various sectors on their path to security maturity.

Join us as we talk about Cairo's indirect journey to cyber security, and what cyber security entails from policy to supply chain security and social engineering.

About Cairo Malet

Cairo Malet (she/her) is a cyber security professional, specialising in governance, risk and compliance. She currently works for Octopus Deploy, leading their GRC programme. Before moving to Octopus, she spent three years leading risk assessment and remediation at one of the world’s largest mining companies, working with technology across both enterprise and operational environments. Her previous experience includes consulting and internal positions, working with organisations across finance, government, healthcare, telecommunications and resources to assess their security posture and implement policy and process to increase security maturity. She is passionate about providing pragmatic security advice, increasing female representation in the Cyber Security industry, and Stardew Valley. She also has a degree in International Relations and a CISSP.


Books authored by or mentioned in our conversation.

Listen to the Podcast

Listen on Apple Podcasts, Spotify, iHeartRadio, Amazon Music, Castbox, Deezer, Goodpods, Overcast, Pocket Casts, TuneIn, Blubrry, Digital Podcast, Gaana, Podcast Addict, Podchaser, Podhero, PlayerFM, JioSaavn, RSS, and other podcast platforms.

Apple PodcastsSpotifyiHeartRadioAmazon Music

Watch on YouTube

  • [00:00:49] Cairo's pursuit of the social sciences.
  • [00:01:00] Having an interest in history.
  • [00:01:29] A desire to become a diplomat.
  • [00:02:31] Working in hospitality.
  • [00:03:06] The transition into tech and starting in tech support.
  • [00:04:02] How tech support turned into cyber security.
  • [00:05:40] An opportunity in the internal cyber security team.
  • [00:06:06] Concern about not meeting the job criteria, by one item only. Michele's note: This old chestnut with women and applying for jobs.
  • [00:06:49] Having experience in the regulatory and privacy side of things, just not the technical.
  • [00:07:08] A lesson in how initiative and making yourself available can lead to other opportunities.
  • [00:07:27] Cyber security has regulatory and compliance aspects as well.
  • [00:07:58] Also need to be pragmatic and apply context. What is actually relevant to the organisation.
  • [00:09:13] Process management involves knowing about the process you're trying to manage.
  • [00:10:54] Governance, risk, and compliance in the context of cyber security.
  • [00:10:58] Penetration tests are only part of the whole.
  • [00:11:25] Defence and response.
  • [00:11:39] Governance.
  • [00:12:21] Risk.
  • [00:13:59] Compliance.
  • [00:15:24] Supply chain security.
  • [00:16:12] Your relationships within the chain.
  • [00:16:34] Coverage through due diligence, contracts, and enforcement.
  • [00:18:02] Internal mitigating strategies for when things don't go to plan.
  • [00:18:30] Sometimes a bad actor simply has more time and resources to throw at a thing.
  • [00:19:03] Trying not to be the low hanging fruit and taking an 'assume breach' approach.
  • [00:19:48] (Dis)trust in the universe, but lock your car.
  • [00:20:27] Multi-Factor Authentication (MFA): A small inconvenience that can prevent larger inconveniences.
  • [00:21:40] We know, it's annoying can be inconvenient. But there's a benefit.
  • [00:22:37] Having the conversations and taking the time to communicate the concepts.
  • [00:24:56] On password choice. We kid. Don't use these passwords.
  • [00:26:38] Sentences and sequences of words are definitely an improvement.
  • [00:27:01] How Cairo's background in social sciences informs her work in cyber security.
  • [00:27:53] Research, critical analysis, and effective communication is a significant part of the work.
  • [00:29:55] Understanding the audience and the players involved is essential in this space.
  • [00:30:38] Cyber security is relatively new as a field, we need to be able to communicate its relevance and significance.
  • [00:30:52] The specialists need to also have an understanding of the space in which their work is being applied.
  • [00:31:35] It's an aspect of business that can be taken for granted because it 'just works'.
  • [00:32:17] Hence the importance of communication to get 'buy in'.
  • [00:33:05] Accessibility and visibility in communication.
  • [00:35:08] You are not separate to the business. Being invested in the business whose interests you are there to protect.
  • [00:35:58] Other cyber security concerns of businesses.
  • [00:36:21] Tailoring guidance to the organisation.
  • [00:36:48] The needs of small businesses.
  • [00:37:46] The needs of larger organisations.
  • [00:38:36] The foundations.
  • [00:38:55] Social engineering.
  • [00:39:44] It's about manipulation.
  • [00:40:52] Capture the Flag (CTF) at DefCon.
  • [00:41:21] Rachel Tobac.
  • [00:42:21] Stress and urgency can prevent people from being rational.
  • [00:43:45] The challenges of being good at social engineering.
  • [00:44:21] Cyber security awareness training.
  • [00:45:10] Preying on kindness or momentary lapses in focus.
  • [00:45:49] Online scams are a numbers game.
  • [00:47:17] Spearfishing and whaling is more effort with a higher payoff.
  • [00:47:48] Scams are run as a business as well.
  • [00:48:52] Cyber security is challenging and rewarding.
  • [00:49:27] Motivations in cyber security. Societal and geopolitical factors.
  • [00:50:13] Considerations in the resource sector.
  • [00:52:47] Understanding the business, their needs and risk factors.
  • [00:53:01] Needs of financial institutions vs emergency services.
  • [00:54:03] The CIA Triad (Confidentiality, Integrity, Availability).
  • [00:56:31] Bonus Question 1: What hobby or interest do you have that is most unrelated to your field of work?
  • [00:56:35] Cottagecore.
  • [00:57:09] Taking up knitting.
  • [00:57:40] Assoc Prof Rhea Liang (#8) and her crochet.
  • [00:57:52] Tom Daley's knitting fame.
  • [00:58:35] Bonus Question 2: Which childhood book holds the strongest memories for you?
  • [00:58:40] Tamora Pierce.
  • [00:59:29] Strong female characters in science fiction and fantasy.
  • [01:00:44] Tortall being adapted for television.
  • [01:01:36] The adaptation of Ursula le Guin's Earthsea.
  • [01:03:29] Bonus Question 3: What advice you would give someone who wants to do what you do? Or what advice should they ignore?
  • [01:03:34] You need balance between your work and personal selves.
  • [01:04:55] Get involved with the community.
  • [01:05:16] Don't let a non-technical background deter you. A broad range o skillsets are needed in this space.
  • [01:06:07] Cyber security twitter is a great resource.
  • [01:06:21] @hacks4pancakes
  • [01:06:27] Tanya Janca (@shehackspurple)
  • [01:06:38] @SwiftOnSecurity
  • [01:07:02] Finding out more about Cairo and her work.

Topics/Resources/People Mentioned

Additional Resources

Connect with Us

Support STEAM Powered

Review Us

Please leave us a review on Apple Podcasts, Spotify, GoodPods, Podchaser, or your preferred podcatcher.

Become a Patron

Affiliate Programs

Start your own podcast or YouTube channel, or run panels and seminars with Record up to 8 people in a session with up to 1000 audience members. You can record in advance as I do, or you can livestream with the option to send it straight to Facebook, Youtube, Twitter, or Twitch. There's even a green-room for guests and live call in for audience members. Afterwards, get separate video (up to 4K) and audio (up to 48kHz) tracks per recorded participant for editing, none of that “active speaker only” limitation. You know you're in good hands with a service whose client-base includes some heavy-hitters. Check out to see who else is on board. Use promo code STEAM25 to get 25% off the first three months of your subscription.

Music is “Gypsy Jazz in Paris 1935” by Brett Van Donsel.