Benjamin Mossé

There is no right way to be a cyber professional, only wrong ways.

© 2025. All rights reserved.

Will professionalisation prevent the next Veronica Theriault?

11 May 2025

Professionalisation should stand on its own merits — not on the illusion that it will prevent the next fraud. If we build professionalisation on that fantasy, we are not protecting businesses or consumers — we are deceiving ourselves.

Veronica Theriault was not the first person to lie on a CV, and she won’t be the last. But she may have been one of the more audacious. In 2012, she faked her way into one job. In 2014, she did it again. And in 2017, she achieved her most remarkable feat: convincing the South Australian Department of Premier and Cabinet (DPC) to appoint her as Chief Information Officer — with an annual salary of $244,000.

Six weeks later, she was arrested by the Independent Commissioner Against Corruption. The charges were serious: deception, fraud, and abuse of public office. She had already collected $33,000 in taxpayer funds and helped award a $21,000 contract to her brother.

Predictably, some now ask: Could professionalisation have stopped her?

But that question is a diversion. The real question is: Why didn’t anyone check her employment history?

No amount of professionalisation — no register, no badge, no credentialing scheme — can save us from the simplest failure: the failure to verify.

In Theriault’s case, routine employment checks would have sufficed. The mechanisms existed. They were simply ignored.

And so, as in the case of Stephen Allan Olsen before her, we’re left with a disquieting truth: what failed was not a lack of professional standards. What failed was ordinary due diligence — the bare minimum of responsible governance.

This is where the fantasy begins: the belief that a credential can replace scrutiny, that a title guarantees integrity, that structure ensures substance.

Yet we know — if we are honest — that this is not how the world works.

In cybersecurity and beyond, inflated CVs, overpromised skills, and underwhelming performance are common. Most of these people are not criminals. They are participants in a professional theatre we quietly tolerate — because, occasionally, we play along too.

And even when the paperwork is accurate and the intentions sincere, there are no guarantees. A capable individual in a broken environment will fail. A qualified candidate in a dysfunctional team will underperform. Culture, timing, economics — these are not exceptions. They are the rules.

Professionalisation may offer structure. There may be legitimate arguments for it. But let’s not pretend it is a safeguard against deception. If that’s the case being made, it deserves to be rejected outright.

The Real, as ever, is less consoling:

To put it bluntly: fraud will not be credentialed out of existence. It slips between the lines — precisely where it always has — in the gap between what we know, and what we pretend to believe.

In cybersecurity, we understand this brute fact: adversaries constantly innovate to outsmart and outpace our controls. And yet, when it comes to professionalisation, some fail to apply that same clarity. Employment fraud and skills misrepresentation will persist — just like breaches — because no badge or register can eliminate deception. The answer isn’t nihilism, nor empty gestures that soothe our conscience. The answer is the same as in cybersecurity: to innovate ruthlessly, without illusion. We must reimagine professionalisation from the ground up — without fantasies, without guarantees, and starting from the contradictions. Only then can we discover what real problems it might solve — and how.

If we move toward professionalisation, let it be driven by a clear problem statement and a solid business case.

It’s not fraud that threatens us most — it’s our desperate need to do something, even when we know it won’t work.

Sources: