
hello everyone and welcome to the first BSides Johannesburg uh I'm really really happy that this is finally happening I think there's a dearth of uh community events specifically in Johannesburg and this is a huge step forward to fixing that problem I can't actually see how many people there are this is the advantage of there not being a lot of lights but it looks like a lot of people so well done to the organizers and like Shifty was saying it's a volunteer event so big thank you to all of the volunteers big thank you to the speakers I know how much you worked to put a talk together and then to all the sponsors
and everyone who's attending so hopefully this is the start of something you know 10 years from now they'll have pictures of all of you at the first BSides Johannesburg so today I want to do a non-technical talk so I'm immediately out of my comfort zone um and I want to talk about something that I at least feel uh is important uh and this is the weird thing about keynotes you sort of feel like know you must now talk about something that's important but that you're immediately uncomfortable with so in Cape Town I talked about how I think we're not dealing with the root cause of cyber security's woes which are criminals and crime and here I want to talk about how
um we've got a like a pipeline problem a skills pipeline problem what the impact is on the market and what I think we can do to fix it which is predominantly community and that's a lot of what uh we're doing here today okay let me press the next button um I put this picture in cuz AI generated and I think I look far more handsome than real life so if anyone reads the slides they can believe that I'm I'm more handsome but um I work for this organization called Orange Cyberdefense which bought SensePost in 2019 and the the relevant part here is I want to talk about some like macroeconomic things what I see about new entrants
into the field what I see from client behavior what I see from the skills pipeline and it's very much colored by my two roles so the one is running a penetration testing business or having been part of the penetration testing scene uh in South Africa for for for quite a while but also we've got colleagues internationally that we spend a bit of time with so we're able to kind of compare how that industry looks between the different markets and then also in sort of selling security services more widely and to the customers that we speak to the sense I get of how this stuff plays out so this is my narrow view and perspective other
people might have a different view all right so the problem I want to talk about today is how how we don't have enough new people coming into cyber and what the the end result of that is and maybe the things we could do and why we should do it so I talk about this entry entry pipeline problem now in a in a functional or perfect economy should we say the way new entrants come into the economy is through traditional tertiary education systems so I spent a heady evening researching the Department of Education's reports Statistics South Africa census reports uh I've got about five pages of notes and graphs and I turned it into one slide and it
really wasn't worth all of that time but I can at least back some of this up with stats so about 900,000 people registered to write matric in 2021 and of that 75,000 wrote matric okay so you already start seeing the drop off at that level uh of that while we had a 72% pass rate only 36% achieved a pass that would allow them to go to university what's it called the matric exemption or university exemption of that Statistics South Africa shows that only 11% of the people who graduate who pass matric with a matric exemption actually go on to complete a bachelor's degree so that's a pretty significant drop off and this is cumulative so it's like reverse compound
interest that's 11% of the 36% and then of that looking at the census only about no this is actually from the Department of Education only about 4% of people leaving technikon and universities actually do computer science or information systems so from 900,000 students uh who write matric we get this little tiny drop at the end of of proto-IT people because importantly this little drop is not the pool of new people entering security this little drop is the pool of all potential new IT technical hires in the industry so this is the pool of people who are going to become developers who are going to become IT administrators and sysadmins and feed the whole wider IT industry so
if we're relying on the traditional uh education pipeline tertiary education pipeline in South Africa for new entrants and we have a problem which is why I work with amazing people who used to install stairlifts who used to be biologists and zoologists who used to be developers because we don't we can't rely on the traditional education pipeline to get new people in the other problem we have and I'm going to talk about this gap between new entrants and entry level skills is it takes time to train people none of the people in this drop are security people yet they're people who want to be security people that means somebody with skills in a scarce skills market needs to train them
and because it's a scarce skills market those skills are already in demand somewhere else and if you're running a service provider you know there's literally money attached to that you pay people a salary so that they can sell their services in the market but if you're working at a large organization you need those skills deployed to actually deal with the problem of cyber security you now have to take the scarce skills redirect them into training uh which which becomes quite expensive and that's why you see so few of those happening there aren't enough training and new entry and internship type programs in South Africa to really overcome turning this drop into uh well at least taking more out of this drop
than just a few new entrants but then the problem gets worse is that drop then enters the job market the skills pipeline whatever you want to represent by that plumbing pipe um and we then have an emigration problem so that the people who enter security are not internationally employable yet but once you have some base level of skill security is a global field with international employability and South Africa has an emigration problem for skill uh skilled workers in general so that double whammy hits us at the mid level so what you see right now is that there's more senior South African cyber security people outside the country than inside the country between Australia and
New Zealand and the UK and Netherlands and America and Canada like I could put together huge teams of excellent senior cyber security people but they didn't leave the country as seniors they most of the time leave as as mid-levels so this tiny drop that we're getting of new entrants then goes into a leaky pipe where we're losing a whole bunch of people to emigration and that's that problem isn't really slowing down COVID led to a little bit of a a break in it um maybe the weird fascists rising in Europe are going to put immigration policies in place that reduce it and keep more South Africans in the country but that's a pretty weird thing to rely on you know
want Donald Trump to be the reason we have more cyber security skills in South Africa uh and then you end up in a situation like this so uh Charles is Angus Angus is Charles if you know what I'm talking about you know what I'm talking about but he put this on on LinkedIn so Charles is South Africa's kind of security recruiter and he says he has over a million Rand I mean I'm guessing seven figures is more than a million over a million Rand to give to someone to just be a senior pentester now unless you're employing for the most odious organization I could imagine that sounds like a good deal but he can't can't find them he's got the network he
knows people he's got pretty good price but he can't find it so the skill shortage is represented in the market that even when you have a lot of money it's difficult to hire that we find that it's impossible to hire senior people the only way our competitors and us could hire senior people is by stealing from each other and just sort of pushing the price up and that's no way to to run a market um so there's this this skill shortage at the the top end and what that means is seniority is very expensive um so this is a picture of Leon from yesterday rolling in his money no I'm kidding um so seniors are
both overworked and overpaid in South Africa no they're not overpaid you you're all worth your weight in gold but their skill is rare and so the laws of supply and demand mean that there's limited supply there's higher demand um and so it becomes very expensive and because they're very expensive you don't want to use your senior skills towards training initiatives you need to use your senior skills to fixing this problem of cyber security in whichever way you do that in your organization and so when that expensive seniority hits the market you end up with this narrowing of the market so while there's a wide demand let me rephrase while there's a wide need for cyber security there's only a very small
subset of the market in South Africa that's actually serviced by cyber security and I think it's much worse in South Africa than it is in other countries so in places like Europe and the US there is a meaningful group of security companies and professionals that do service the middle tier of the economy because it's a big enough economy in South Africa anyone who's running a security company you know these are the top 100 companies in South Africa end up as their their primary client base and so then weirdly you end up with this problem where the richest companies can afford this expensive niche service and so now there's an oversupply of senior skills at this narrow part of the market
because we're not servicing the middle 1,000 companies in South Africa so senior skills end up moving between these companies working for uh services companies that uh deploy skills towards these companies and now big companies have their own incentives you know they've got they're a cost center within the organization we've seen a lot of the tech layoffs hitting the sector and in the last couple of years or last year so their budgets are shrinking one client told me he said look the budget we have this year is the same as the budget we have last year it's just what we need to do with it is increased by 10% so either as a supplier you give us a 10% discount
or we go find somebody who can do 10% cheaper there's just this reverse cost pressure and then they have the purchasing power to be able to to do that so we've seen in South Africa large organizations have put reverse auctions in place to try and deliberately drive the price down to try and get new entrants into the market foreign entrants into the market to come and compete with with people locally and they're doing what they're uh what they're mandated to do what their governance uh requires them to do and so even though there's an undersupply of skills senior skills across the country because we're targeting this narrow market there's an oversupply and you end up with this um severe price
pressure but then you get other price pressures so because there's a of seniority when a big company wants to employ senior cyber security skills it's it's a risk it's something they have to deal with there's a bunch of uh legal things on them that requiring them to deal with cyber security so they've got a big budget to go and hire cyber security people so they won't pay their service suppliers um well no they will pay their service supp- they're pushing the price down of their service suppliers but when they're actually hiring people then they'll double their salary we've had that we've had people leave our organization to go to large organizations for double their salary
and I don't think we pay terribly but it's just because they're prepared to play outside market rates because this is a skill that they need and senior skills are so so scarce so you end up with the price inflation on salaries going up year-on-year higher than the price inflation on on the market so if you're running a company where you're trying to grow and maintain senior skills over time and you're seeing a 10% year-on-year price inflation on people's salaries but you're only seeing a 5% year-on-year inflation the price you can actually charge to the market then that's not a sustainable business um and so what you see start happening is those companies this is something we
did many years ago is we started targeting outside of South Africa started targeting US and Europe and things like that because it's one of the ways to break out of that that price pressure but you see other people will start replacing South Africans with lower cost employees so employees from India employees from azaran employees from Cairo you can get senior skills that are cheaper than they are in in South Africa because this is one of the ways to respond to the price pressure that the the market's putting on them plus we've got this weird situation where other countries are seen as better at cyber than us so companies will be more willing to pay a premium for
services that come from another country than for seniority based in the current country so for example Israel has a fantastic reputation in cyber security because of the kind of funding and training that they get through the the military so if you're hiring Israelis well they're amazing at cyber security we can pay a premium for them if you want to hire senior people in South Africa now we can get them cheaper and what this does is it creates a race creates a race to the bottom and uh my wife said to me no but they're running up and I said no that's the thing about a race to the bottom is you don't want to run to the bottom you're being forced
to the bottom by a market that's putting you into this this death spiral where you're having to constantly figure out how you can lower prices um and so one of the solutions that a market might normally posit is well new entrants can come into the market but it's very difficult for a new entrant to enter a market where you've either got people on the low end that have optimized their costs down to um to very low where they're relying more on volume than on on margins or at the top end where you've got people senior enough that they can maybe charge a bit of a premium leaves no space in the middle for new entrants to come in to service the
existing market let alone where we actually need a lot of the service which is the whole middle part of the market or the wider country okay this is more economics than I'm comfortable with and there's a bunch of flaws and holes in this and there's I think a lot of detail but I do see this impact happening in South Africa we've had a general lowering of seniority despite a growth in um in new people in in the industry and that growth of new people in industry hasn't matched what we actually need to service the industry and then we have too few people being serviced this way and the people who benefit the most in a race to the bottom
are the criminal the corrupt and the charlatans so in any industry you could say you know you get what you pay for there's cheap and cheerful at the bottom and then there's some maybe more High tier premium service providers but there's been an actual incident in South Africa where a known criminal was running a forensics company he was using as a front to break into organizations this actually happened that's not made up um and if that's what you have to turn to is to start funding security no I don't think that was actually driven by the market I think it's because the guy was a criminal um but that's one of the ways those are some of the people
who can start to flourish in a race to the bottom and then of course we live in South Africa we know all about corruption uh if you're finding it difficult to compete then make sure you're offering uh things outside of maybe traditional um traditional contracting to see if you can you can get the work and then charlatans either maliciously or um unknowingly why do the work of spending 5 years training someone to turn them into a mid-level or a senior if you can spend two years and say they're a senior and then charge a cheaper price uh so that ends up happening with this this race to the bottom and it ends up just hurting us as
South Africans instead of cyber security people being able to charge for their appropriate skills at the appropriate level uh we've got this weird mixing of the market while everyone's trying to service too few people with this race to the bottom and what it does is this exit of skills from South Africa this inability to bring new people in and train them up rapidly this inability to put enough slack into the system to have people to do training forces us into a situation where we're dependent upon and consuming the work and innovation of others rather than from our our own community so those I mean most people in cyber security you can't do your job without Googling things constantly
during the day I remember the first time I had to do a project for a client where they insisted we put our screen up on a projector uh it was the most nerve-wracking thing like what if they find out that I just Google all of this stuff um after a little while you realize that's what everyone does uh and if we're relying purely on stuff created by other people what it does is it kind of gets us into this complacency where I don't need to create or contribute anything I can just use stuff from other people but that creates two problems the one is we just get used to that and then we lose that skill that reflex that
muscle to creating new things plus we end up converging the work we do on the interests of others so we're in South Africa all the way on the southern hemisphere you know every time I have to fly to Las Vegas or Black Hat I'm reminded just how far away from the rest of the world we are but we end up engaging in the defense of our IT systems in the way Americans do you know there's this unholy focus on Active Directory uh arguably because it's widely deployed I think there's a necessary focus on there but we end up consuming the tools written by other people around Active Directory and not maybe building our our own but more
importantly there's a world of technology out there if you just think about your laptops and your phones or the technology all around us there's thousands of opportunities for things to get hacked that's what hackers know and there's thousands of opportunities for things that need to be defended which is what Defenders know but then our security research converges around a few handfuls of things because we're dependent upon researches being produced by by other countries so it turns us into consumers and then this becomes a cycle the more we consume from other countries the less we get used to building it ourselves and able to create it ourselves the more we're unable to train Juniors up uh the more we can't
retain our mid-levels as they emigrate we end up with this problem getting getting worse and worse okay so South African infosec much like Johannesburg is a functional city it works right there's no I'm not saying the industry is doomed and uh if you're new if this is your first conference like you must just leave and go become an accountant because it's all all doom and gloom Johannesburg works despite the efforts from our our politicians you know I can go down the road I just know that that road used to have a pavement and now it's a grassy plain um that's weird trying to explain that to my my children but so much like Johannesburg things are are functioning uh but we
with a bit of spit and polish I think we could make it better we could accelerate ourselves into a future that is brighter and more exciting uh for the people in this room in your day-to-day lives okay so what would that future look like what's the future I'm trying to you of so the one would be a a thriving market so what do I mean by a thriving market it's a market that where the demand is supported enough commercially that new entrants can find roles and that those new entrants can advance through an organization to mid-levels to seniors because there is enough demand for those skills and that the demand for those skills is at the right level so the
medium-sized organizations are able to employ cyber security skills at a reasonable price in the same way that large organizations are able to employ cyber security skills that we're incentivized to create more companies not a handful of uh one or two companies that end up competing between each other because the Market's so small um and that there's enough slack in that system to allow for training for development for creativity and it's a little weird when I say that because on the one hand anyone who's ever talked at a big conference knows that stuff happens after hours at the best of times uh but on the flip side you know if you're working yourself after hours to
try and get all of your work done um day-to-day you're not going to even have that slack available and then with this thriving market with there lots of competitors lots of people it pushes charlatans out or it pushes charlatans to perform because there's enough options for a buyer even if they're undiscerning to be able to choose people who aren't charlatans at a good price and then of course a thriving community and that's really what we're we're here about today I'm going to talk a bit more about community later but I think this is one of the key things that we're missing in South Africa and that's really hurting us um and so what does a thriving community
look like on the one hand it's a place where we can showcase our skills where people know where to find friendly hackers when they need to interview them on TV and things like that and that can get the word out that this is an actual career 20 years ago when I got into this I didn't know security could be a career I thought it was just a hobby that you did or if you took it as a career then you were a criminal and we speak to new people who are entering our academy and we see that same thing they're like oh wait security can be a career I didn't know we almost have to like prze security to
people to convince them to join so I think thriving communities can do that uh it becomes a place where new entrants can find out about an industry can meet people can get that foot in the door can learn skills uh those of you here who have hiring budgets it's a place for you to look for people that you want to hire uh and then it can it can help to train mid-level people better so you're sharing ideas I benefited a lot from some of the early community stuff in South Africa because I was able to work with peers and other organizations and share ideas and show them scripts that I've written and then they'd write it
better and then I'd want to write it better and that kind of collaboration and competition um can create good outcomes and some of us are fortunate to have that in the companies that we we work in but not a lot of people are fortunate to it and there's not a lot of those companies that are are like that so the more that we can do that in community the the better the outcome and the outcome here is that we would like South Africa to be renowned for cyber security in the way some other countries have been renowned for cyber security and I don't mean that the 60 million people in the country 40% of
them all cyber Security Experts I mean if we increase this room size by 50% next year rather than 10% growth and that the number of people in here that weren't just attending to listen but left to contribute create things to build community meetups to build tools to do talks themselves increased at a higher than 10% rate that would be fantastic I think that would also help us to attract foreign organizations to pay for South African skills that's a nice way to bring Forex into the country but again it brings relief from that price pressure and not having to um face a a small economy in a small Market um and then that work that we do outside
the country generates more experience for our people to learn from and generate research from and the cycle continues okay nice nice idea but how do we get from from here to there so I think there's there's a couple of things that we can do but the problem we have is a a chicken and egg problem so on the one hand we want lots of new people to enter the cyber security industry so that's the the egg problem on the other hand there aren't a lot of jobs for people in the cyber security industry so how do we make the market bigger for for them to but there's but there's a bunch of demand for it so we've got people who
want to join and we've got demand and we've got this weird broken cycle in the in the middle okay so let's start off looking at the egg problem I don't think there's a lot of exciting solutions at the egg problem you just need to do the work uh I had a conversation with Roelof Temmingh about this and he said you remember that passage in the Bible where they talk about throwing seeds everywhere and some seeds fall on um fall on rock and don't grow and some fall and grow but they get choked by weeds and some fall on fertile ground and I mean that's it's just a game of numbers you know get out to schools get
out to universities and and talk about cyber security whichever way you can and not everyone wants to do that or will do that but the people who are fired up about those kind of things should because that will help us to make people more aware that it's even an option and you know it's interesting recently listening to a lot of the economic impact of uh so-called Western First World countries well not just Western First World countries and this problem they have with replacement rates where they've got this aging population and couples need to have on average 2.1 children to maintain a stable population and if they have less than that which is what's happening in places like South
Korea and Japan uh then they end up with this aging population and shrinking population so if you think about that in terms of cyber security in your career in the entirety of your career if you bring one new person into the industry now I'm not talking about mentoring someone that's also work that we need to do but if you bring one new person into the industry that stays and what you've managed to do is replace yourself such that we have the same number of people in this room 10 years 10 years from now well replacing yourself I don't know some of us will die sooner than others maybe say 20 years from now um but on the flip side if you can
bring two people into this industry then we could potentially hit exponential numbers but the reality is not everyone's going to bring new people into this industry so you kind of need to bring two people in just so we can kind of hit a greater than one replacement rate and actually meaningfully grow the industry uh so there's kind of an obligation on all of us if we want to have a thriving community that's not declining where we're dependent upon the work from others and just waiting until we can emigrate is to bring more people into this community and not everyone's going to do it so if you're in a position to bring more than a few people in you you
should do that on the other side we've got the the market so this is a report from the ISC squared I think it is um they're the people behind CISSP they did this workforce study last year and they said this often quoted stat you know we just don't have enough cyber security people the global workforce gap continues to grow even faster the gap grew by 133% so the number of people that we were unable to supply the market with got bigger uh so in 2023 you need roughly 4 million cyber security professionals they estimate that there's 5.5 million in the world which is almost double the number of people needed so great there's this massive skill
shortage we need all of these people but this was a comment from Jonathan is Jonathan here where's Jonathan he's not here oh it's going to be embarrassing for him uh one of the guys we work with uh in teams yesterday when he said it's I've got a friend who he's entry level and he just can't find positions and this is true for a lot of people when they want to get into cyber security there's just no jobs available for entry-level people but there's all of this demand and in the most ridiculous you see these job ads or it's like entry-level position must have 5 years of cyber security experience but if you think about it
what's happening is if I need a plumber and I don't have plumbing skills I go hire a plumber because they have plumbing skills it's very difficult for me to hire somebody who doesn't have plumbing skills and then train them to be a plumber with the plumbing skills I don't have you have this starting problem so unless you are a cyber security organization that already has cyber security skills most of the time when you're hiring for cyber security skills it's because you need them and you don't already have them so you end up with a starting problem because you've got new entrants that don't that need them and don't already have them and you've got companies which
need them and don't already have them so who's filling this gap in the middle and weirdly in South Africa a lot of the time it ends up being pentest companies every pentest company in South Africa is running some kind of academy because it's the only way they can get new people into the industry meantime the big organizations pretty much never run cyber security internships I you know I can count on one hand the number of cyber security internships that have been run by the large companies who have the biggest cyber security need because they've got a big enough budget that they can just go hire a senior person at an exorbitant rate rather than putting that budget towards training and
getting new people into the country we run a cyber security academy that costs us an eye-watering amount of money when people have asked us can we do it for them we show them the price it costs us and they go it's no too expensive like we're a tiny little company how are we affording it so you can't have this gap filled by cyber uh by pentesting companies we need more people who have skills to have enough slack in the market to be able to train people up and create space for new entrants now I don't think it's all down to companies I think community can be magic magic this is yeah I've never been a magician or a plumber um so
communities can fill some of these things they can provide I've mentioned it before they can provide places for new people to find out about security for new people to get the foot in the door they can provide mid-level people who aren't at companies with lots of other Senior People a place to work with their peers learn things and improve and for senior people and I really want to encourage this for senior people it can be a place where you can get research ideas it can push you to achieve more and you can collaborate it's totally worth engaging as a senior person and I'll tell you why shortly but the quality matters so having an expensive commercial conference where
they invite the regional head of EMEA sales wat to come talk at the keynote is not the right kind of uh community there's a place for that for sure but if that's what you're relying on you're going to have a bad time because it's very expensive so it means the new entrants can't attend and the kind of knowledge sharing you get there isn't necessarily the kind of knowledge sharing you need to advance people the way that you you want to the other thing is while conferences like this are fantastic it ends up being one way you have a speaker on stage that's talking to everyone and everyone hopefully learns something from that speaker so I'm talking about the other talks not
mine but what you really need is a community where everybody is sharing with each other I think the sense posters are getting sick of me saying this but if you have three people who learn three things then collectively we've learned three things if you have three people who take the time to share that with the others then collectively we can learn nine things so you can end up with exponential learning very quickly which is how you can ramp sen U Junior people up to mid-level people up much faster if you engage in this communitarian sharing stuff and this is where meetups like hex coffee I run a hex coffee so I'm a little biased here
with Shifty and Jared who actually do more work towards it than I do but when I first created it I wasn't working for sense post and I was really jealous of what was happening at sense post so I thought well let me create a Meetup so I can at least hang out with the sense posters but it also became a really useful way for me to learn things get ideas and and push me for it's been hugely beneficial to me in my career and I think it can be very beneficial to the of you so I really would ask that you all engage in community whether it's starting up new communities if the existing ones don't work for you those
of you who live in Petoria where is hex coffee or whatever you want to call it Petoria you know driving to jber is just a pain in the ass uh those of you who work next door to where we have hex coffee in santon why don't you come around sometime and if you're going to rely on International conferences that's getting increasingly difficult so this was a calculation we did internally to figure out how much it costs us to send people so we're sending 18 people to black hat it's funded differently on a different model and the ticket right now is 51,000 Rand 51,000 Rand I'm sorry it's just shocking and it's partly because of the
the deflation of the Rand against uh against the dollar that keeps hurting us as the Rand weakens and weakens it's because of the cost of fuel driving airplane prices up postco there's this kind of vicious circle coming together to make it just outrageously unaffordable I mean what could you do for 112,000 Rand Auto Trader yesterday told me I could get I could get these cars like this could meaningfully change the life of somebody who's currently unable to get to certain offices because taxis don't go there or it takes too long um in a way that black hat wouldn't I mean I think black Hat's a great conference and you can learn a lot from it but you're not going to get
from it what a car could give you if you if you don't have it so if we're relying on Commercial conferences internationally you're just going to have a you're going to have a bad time it's increasingly unaffordable and unapproachable and it's certainly not going to get us to this point where we can turn this water droplet into to some kind of sustainable skills pipeline the other thing we have is like the second it's shiny and flashy and you have to pay money for it we're all in let's do it the second it's grungy and a community event it's like no I'm washing my hair that day um we've got a problem particularly in South Africa where
existing people in the industry don't support community events as much as they should have so it's I'm preaching to the converted because you're all here supporting this event but when I look at some of the other conferences in South Africa where they're able to attract 700 people where are they why aren't they here why were they happy to spend the price of a Defcon ticket at 10,000 Rand to attend another commercial conference and not this one when arguably I think there's better speakers at this one why is it that hexcon for its seventh year uh has only just cracked 100 people uh this is a fantastic Community Conference that's almost free to attend I think they
started putting ticket prices on um that we don't support enough people need to support these things and I think what we we end up with is this situation where seniors or people with existing skills climb up a ladder in the mountain that somebody put there and then they take the ladder with them uh so this may be a little uncomfortable all of you who are practicing security people despite the benefit that you can receive by attending security conferences I think you have an obligation to join security meetups and security events it shouldn't be that hex coffee has 20 people who are mostly Junior trying to get into the industry I can count on one hand the
number of seniors that regularly attend that to share their knowledge and wisdom with the group of people we need more people to engage in that sharing so that you have a more thriving community so that it benefits you in your collaboration research so it benefits you in hiring and finding cool people to work with there's all of these other benefits that come from it shouldn't have to convince you to uh to turn the car before it goes off the cliff okay and then I think we should grow research I'm not going to trod ground that has been well trod and better trod by other people so there's two talks I want to highlight uh here
the one is by Haroon Meer uh called you and your research Richard Hamming wrote this amazing paper which I'd really encourage you all to read and Haroon brought it to life particularly for South Africa and the cyber security Community about what it looks like to do World leading research and more importantly what tradeoffs are required to do that how do you get there to do World leading research it's a fantastic talk and I'd really recommend you reading it there was another fantastic talk by Leon Jacobs at hexcon last year called your contributions today where if Haroon was talking about the the how Leon was talking about the why why should we contribute to this industry what are the
benefits to you personally and to to The Wider Community they're both fantastic talks that I'd recommend checking out I'd like to add two things to our our research uh view so the one is what I mentioned earlier I think we should use our differences from the rest of the world to differentiate the kind of security research that we can do we don't need to follow in the footsteps of American and European researchers for our entire careers there is a world of stuff out there that can be hacked and has problems you just need to go and look at it um so use our differences as an advantage to contribute and then the other thing is I really think we need to
do more to support South African companies and South African researchers when they're playing on the international stage we should think of them like the Springboks when Jason Jordaan is in us and Washington teaching people uh teaching US practitioners about forensics we should go that is like the Bomb Squad of forensics in in South Africa that guy's awesome let's support him when we see Thinkst Canary doing incredible stuff on the international stage we should give them a round of applause and support them and promote them because Beyond just supporting our peers it also helps to position South Africa as able to provide high-end cyber security skills which makes us attractive to an international audience which then brings some of these
these benefits here so I'd really encourage you to both engage in research and support those who are publishing on the stage okay and then one of the responses you get with this is this is all nice but South Africa has bigger problems we're on a mission to get rid of pit latrine toilets from schools and now we're talking about cyber security skills there's such a huge disconnect between those two and this one is obviously so much more important than this one we need to fix all of those first but I don't think that's necessarily true I think we can have an outsized impact in cyber without fixing all of the problems in South Africa and
I want to show you with graphs because everyone is always convinced by graphs okay so UNESCO does the science report every couple of years the last one they did was in 2021 and they had a subset of the report looking at Southern Africa uh so our peer organizations and so what you've got is this is the number of scientific Publications by country over the last couple of years since 2011 and you can see South Africa is right at the top 21k Publications in 2021 so many more than our peer states that they actually had to change the scale to demonstrate the next one of Tanzania at 1.7 1,700 and then you can see there's the pack pack lower down so the first
takeaway here is South Africa already publishes a lot of research and now this isn't necessarily just cyber security research this is everything from biotech to energy and all sorts of things but we we've already got a train that's working on some level you don't need to fix every problem in South Africa to be able to publish publish research and then I want to show how you can diff how you can make an outsized impact in a niche field like cyber security by using two examples Mauritius and Cameroon so South Africa versus Mauritius we are 600 times off by one error 600 times bigger than than Mauritius they have 2% of the population of us okay but
when it comes to research into bio yes biotechnology my brain had a fart you can see that they're a huge outlier now this is adjusted to be per capita because of the population differences but per person they publish or per million far more scientific research papers into biotechnology than the rest of us what's also interesting is that there's two measurements there the Blue Dot and the orange dot the blue dot was 2012 2015 and the orange dot is three years the next three-year period so that dot has moved substantially in 3 years they were able to generate this outsized impact so despite having a much smaller population uh they were able to become outliers in a niche industry if you look at
that UNESCO chart Mauritius is somewhere down at the the bottom over there so they aren't publishing the most but they're publishing enough for people to go what's going on in Mauritius that they're able to do this at this level but then people will say well you know what they have a higher GDP per capita than us they've got more money since 2010 you've got an idea what's happened since 2010 uh they managed to separate from us from GDP obviously we have a higher GDP overall but per capita they have a higher GDP so that's that's why they've got more money okay let's look at Cameroon so we're 2 and a half times bigger than Cameroon and have roughly
double the the population of Cameroon and to take the GDP argument away we've had a larger GDP per capita than Cameroon for for many years but when you look at Publications on energy Cameroon far outstrips us what's also not shown here is Ethiopia which even further outstrips that but that's beside my point now if you think about the people who have reason to perform scientific research on energy I think South Africans have a pretty good reason like you can literally sit in your home at night watching your light Flicker and you need no more motivation than what's in front of you but somehow we're just kind of on the same level as everyone else whereas Cameroon is an
outlier over there so even in the places where we should be outliers in a field in a in a place where we're able to overperform because of our size we aren't and Cameroon is and so between Cameroon and Mauritius here they are investing in scientific research into AI and Robotics I've heard that'll become important in the next couple of years uh and South Africa is sitting sitting down there at the bottom so the point I want to make with these is you don't need to be the US you don't need to be the biggest Behemoth in the in the room to be able to have an outsized impact and cyber security is an incredibly small Niche
where if we talk about this consumer problem we're seeing that more and more internationally too the number of contributions per capita in our industry is shrinking now I don't know if that's because of the red versus blue blue you know red team doesn't want to share stuff in case the blue team Burns it The Blue Team doesn't want to share stuff in case the red team misuses it or actual criminals misuse it um or if it's just because we can endlessly amuse ourselves by scrolling infosec drama on Twitter rather than than engaging um but there's this General slowdown where people are becoming more um are consuming more which means it's easier for us to have
an outsized impact in that field because we aren't up against a group of people who are absolutely killing it you know there's singular individuals that use a lot of the stuff all the time and as Char some work one of the founders of s pointed out to me many years ago if you if you look you'll see that those people actually change quite often people come they do some research and then they stop and then somebody but we get this idea that there's this whole group of people producing massive amounts of research all the time it's not necessarily true so if we can create some sustained output from South Africa it can be pretty amazing and then lastly I think
Embers can create fires and what we need is some people who maybe prepared to engage in this a little more than others I think there's takeaways here for everyone whether you're in a a corporate um buying Services whether you're a senior uh looking for meetups to attend uh or contributions to make at a research level there's all sorts of uh ways that you can contribute but I think there's a few exceptional people in this room who are okay with being a little uncomfortable either to push themselves to produce fantastic research or to push themselves to form a company that's going to become one of our shining entrepreneurs or to push them themselves to run a conference like this where you
have to ask deot to bail you out because it nearly fell under if I was reading that right thank you deot um so I think that's one of the ways in which we can take the existing exceptional individuals that we know exist in South Africa and use that to create outsized impacts in in cyber so on that note thank you very much for your your time I hope you got some value out of this if not tell me and I'll just stick to technical talks in future [Applause]