
The Best People in the Cyber Security Industry

BSides Manchester · 2015 · 54:18 · 177 views · Published 2015-09
About this talk
Ian Glover, president of CREST, argues that cyber security must mature into a recognised profession with structured career paths, fellowships, and non-academic routes for talented young people. He calls on the industry to collaborate rather than compete, to reach children before age 12 with careers material, to value soft skills alongside technical ability, and to use gender-neutral language to attract a wider population.

Thanks very much. Hello everybody. Hello. Okay, you know I started with a carried on game because every time you say hello normally you don't get any feedback and there was like, oh, feedback there. So we'll try that one more time. Hello everybody. Hello. Cool. So how many of you don't live in Manchester and have come up here specifically for BSides? Well, a whole lot of you. So you all feel my pain. I come up here Monday, and it just gets grimmer and grimmer, you know, up year one. It's just absolutely awful. But I had such a great time last year at BSides, so I thought I'd have to come up here for this one again. Like Mark mentioned,

we've got to thank all our sponsors for making this possible and the local community. But I think an important sort of group that he left out were the actual volunteers and the people who get together and put this all on for us every year. So I think Mark, Lloyd, Paul, Duncan, Kate, Amina, even Matt, I think. They really help a lot. So I'd just like to give a quick round of applause for them.

Cool, right. Okay, so I think we should get on with it. You're here for our fantastic keynote. Ian Glover is the president of CREST. He explained what CREST is if you're not familiar with it. He's been around the industry for a long time and apparently around 34, 35 years, so probably a lot longer than a lot of you have been around on the earth. So he was probably using stuff before it became electronic and comes with a string attached to it. Uh... apparently he was a one thing is he was like the one thing we need to stop it and uh... he's also all uh... lot of the house on it all something cool and it's it make a car that can do 1,000 miles per hour. So very

interesting stuff, and I wish I was half as cool as he is. But on that, I think he's got a lot of good wisdom to share, and I'm really looking forward to his talk. So over to Ian Glover. Thank you.

So I'm hoping that somebody's going to fit too important.

I'm just putting them in my trousers. So thank you very much for that build up. It's 40 years, which is even more scary than the mid-30s.

And it wasn't quite that bad. I'll start with paper tongue. So just to put that in context, which is sort of how we like to open this particular part of the presentation.

I'm just loving coming to a technology. Once you're at eight o'clock, all set up for you to go. I've actually genuinely done that to do that, but just work with it. So really, I thought I'd start this because I was asked to both address the more mature audience like Paul McWill here, and also the young people trying to get into the industry. So I thought I'd start with that first question of what did I want to be when my mother was asking me. The interesting thing was, in actual fact, these are the list of things that generally young people were saying that they would like to become. So all of the doctors, engineers, lawyers, architects.

So these are all of the types of professions that are most popular with young people. And in actual fact, if you look at the list associated with that, if you then go down to the top 10 career choices, it's pretty similar. So in other words, what we're doing here is we're looking at very similar careers in terms of the sorts of things that people like to do. There is a little bit of technology in there, but not a great deal, which I think is a real shame. You've also got some other parts in here in terms of different types of careers that people are interested in. Excluding, so in other words, you look at all those professions, but they don't include sports. Obviously in Manchester you've got a

couple of football clubs. And in addition to that, you've also got some media stars. But more very importantly to me, I wanted to be an astronaut. So in the 1970s, that's absolutely what you wanted to be. So a young man, he left school at 16 in West London, astronaut was a great choice of career, I thought. Absolutely, I'd get that straight away. The interesting thing is that parental advice for those sorts of things is you probably need to do something else. There's a young rugby player who scored twice last weekend for England. I advised him a little while ago that you should think of a plan B just in case his rugby career didn't take

off. So don't always take old people to drive something. The other thing about those other professions we were talking about was they are professional. They have a structured career path and they're supported by professional bodies. So in other words, what you're doing is you're going to see your parents, you're saying, I'd really like to do something here, and their parents go, yeah, that's great. You look after me when I'm old, there's a nice career structure here, we'll put you through some form of formal educational system, and you have a nice structure to your life. And that's really what your parents are looking for. Now, what you then do is you also have material available to you. So if you go to universities or you go to colleges or you

go to schools, what they'll do is they'll provide you with a whole part of information about why it's really interesting to be an actuary. I don't think it's really very exciting to be an actuary, nor an accountant, nor an auditor. But if you actually go into schools or universities, you'll see a ton of information on that type of career. In addition to that, they also have individuals from these industries who are encouraged into schools. I was on the board of Siemens for EMA, but I was doing tech stuff. I went into my children's school because they were asking for volunteers to come and talk about things. I explained to them what I did, you know, ethical hacking, computer security, technology, you know, that's really

interesting. And they never called me back at all. And so what they did have, they had barristers, doctors, lawyers, and other people like that coming into doing presentations. So even though I was fairly senior and I was wearing a suit at the time, my son is a bit disruptive, but we'll ignore that for a minute. In actual fact, they weren't really interested because it wasn't a career choice that was on their top 10 list and wouldn't get them into some of the red brick universities they wanted to drive their children into. So now as you come to the scenario of where that sits today, I want to work in cyber security. It's unlikely that a

young person is going to say that. And so what you're actually going to get is some form of manifestation of what that actually means. In other words, I want to get hacked, because that's generally the terminology that the media uses, it's generally the terminology that's used in some parts of the industry, and therefore that manifestation is generally what I hear young people say they'd like to be, if they even know this industry exists. Now the problem with that is the press and other things have a very negative manifestation of that, and the difficulty is if you then went in to speak to your parents and said, this is what I want to be, you'd probably

get the same answer as I go to the England government. I really think you should have another course. Or I think you should look at returning to options. This isn't really a proper career for you, this is all bad stuff that you don't really want to see happening. All of those sorts of things I think are really very negative. The technology has just got even better, which you haven't noticed, that my big screen has never gone off. So what is the difference between us and some of those other things that are going to get into schools and viewed as being something really important? It's a person that's engaged in an activity especially to do with sort of a sport or a main paid occupation

rather than a pastime. So we do this for a living. We earn money at this. And it's a person engaged or qualified in a profession and professionals such as lawyers, medics and architects. These are the descriptions and these are some of the better ones I've found in terms of what this actually means in terms of an industry and what a profession looks like. You can see down the bottom there we talk about architects. The architectural people that I've spoken to and some of their professional bodies, they believe that establishing a professional body, putting a career structure in place, and having some form of an organization structure and career path development is actually very beneficial in

terms of what it allowed us to do by building buildings like this. So in other words, the structural engineers, the architects, we understand what those types of roles are, and we can relate to them. So then you come forward, you've got that term in terms of a professional association or a professional body. So a professional association is normally a not-for-profit. And what it's doing, it's seeking to further a particular industry or profession. So in other words, they're trying to make a difference. They're trying to influence and they're trying to move the whole process forward. The interesting thing about that is that it links into the individual's inclusion in that occupation as well. So in other words, it's a group of people in a learning occupation who are

entrusted to try to do something good for society. So there is a society element associated with this. And I think this is a really interesting thing from our industry. I'll come onto a slide down in a moment. But we actually did sort of survey of why people do this. And that we have a social responsibility aspect. That actually came out really hard. It didn't come out as high as if you want to earn a lot of money, but it came out quite high. And so our contribution to actually doing something for the good of society, I think is a very good thing to do. So, how should industry fully respond to that? What we need to do, I'll have to put my glasses up, I'm

really smart. We need to be viewed as being a profession, and it's got to demonstrate certain attributes. In other words, if we're going to be viewed as being a proper profession, we have to look like some of the more traditional ones. So looking in terms of the IT professions isn't really the right approach to take either because a lot of those don't actually mirror what it is to be a profession. The BCS is probably the closest in the IT livery. IISP is definitely moving in that direction trying to get to a Royal Charter status. But if you look at it, they haven't really got some of the structures and things in place that I'm suggesting that are necessary. And if we're going to get the very

best used into the industry, then what we've got to do is we've got to demonstrate that this is a profession. We've got to demonstrate this is not only an interesting place to be, but it has all of the other attributes associated with being of interest to schools, being interested to colleges, being interested to universities, and being interested to parents, because those are the people that are going to support people in there. We need to know how to find career paths, really important. So in other words, it's no good just coming in and saying we are good. I've just come back from Black Hat. I had at least two Americans, and they were Americans, I haven't

picked on them particularly. And they both describe themselves as being the very best in the industry. I'd like to put the two of them in together. They could have had a big fight. But they both describe themselves as being the very best in the industry. And I said, against what metric? And I said, well, you're really good. And I said, yeah, but how do you measure yourself against other people in the industry? I've been doing it a long time. I earn a lot of money by them, actually. Which I think is quite an interesting point. So what we need to do is we need to define what it's like to join the industry. I work

very closely with the cyber security challenge for example, and it's quite difficult sometimes for some of those people who think they're really good when they come up against professionals because they're nowhere near as good as the professionals working in a structured environment, working within structured organisations that develop them. And what we need to do is to have a measurement to actually describe what that means. And we also need to recognise the pinnacles. In other words, we need a career path which will move people through the whole process. And I think that's a really important thing and that's something I've been striving for in all the activities that I've been doing, almost in terms of some

of the descriptions of what's happening in terms of my career. And if we don't have the communities that have confidence, we've got to provide processes that protect the public interest. So in other words, we are doing things potentially that are a bit dodgy. We are potentially knocking over systems, we are potentially doing illegal things if we're not very careful. And therefore, if we're going to provide this as a service, we need to be very, very careful and we need to go within certain confines and certain parameters. Again, if you look at the medical fraternity, again, a really good profession to measure ourselves against, you know, it used to be quite acceptable to not have any

penicillin or anything like that to saw people's legs off. It wasn't that long ago. And what we need to do is to get a level of confidence that if you go into a hospital and they're going to saw your leg off, at least they're going to put you down. What we also need to do is we need to make sure that we build the position around the negatives. There is an awful lot of negatives associated with the industry in which we work. But I think that publicity that's available to us, if we can flip that into a positive, will actually help us to close the profile. So whilst those negatives I find really frustrating sometimes,

The fact that I can counter some of those, and I can wear a suit, and I can wear a tie, and I can stand up and say professional things, and I can talk about the industry and all of those sorts of things, that provides me that opportunity. So we mustn't throw away that sort of negative connotation of all the silly films, but what we need to do is to actually build on them to say, you know, that's not really reality, but in actual fact it's a really good industry. You know, our police forces don't work like they do on the TV, but it does encourage people into the industry, and I think if we're clever,

we can do this somehow. In addition to that, we have to be really good. So in other words, I think if we're going to establish ourselves in the profession, we've got to be really good and we've got to work really hard. And the really nice thing I like about representing this industry is generally it is filled with really good people who generally work really hard and are really interested in what they do. Now that level of interest is fantastic. You mentioned some of the other things I do with blood count. So I go around to schools and things to encourage people into science, technology, engineering, and math. I went to a school a little while

ago, it was actually over a year ago now, where I had two young people, both boys, because it was an all-boys school, and they both said they wanted to be actuaries. And that's just such a boring job to do. And I asked him why, and it was because an actuary had come in and done a presentation, they'd gone home and they spoke to their parents, their parents said yes, they were very good at math and stats, I think you should be doing something in maths and stats, and this sounds really interesting. So what about cyber security? This is the most exciting place. This is a fantastic industry to work in. Go home and tell your

parents you've changed your mind and they've done something interesting. I think I've probably gotten divorced. So then you come on to CREST. So this is CREST, and I'm trying to keep the presentation away from just what CREST is doing, but we are working really hard to try to look at all of those different attributes and actually have a contribution in each of them because we believe they're the cornerstones associated. We're trying to make this a profession and trying to move the whole process forward. So really, we break our process down into four segments. We've got the part that looks at the organisation structure. So in other words, we are a credit organisation. You wouldn't go into a hospital that wasn't accredited unless you really didn't want

to pay, unless you were doing something really dodgy. And therefore, what you need to do is to have confidence in the organisations that are actually in place. And that's what CREST does. So in other words, looking in the UK, we've got over 60 members now. All of those members have gone through quite a detailed audit process. We actually have more outstanding non-disclosure members, so the bar is really high. And all of those members sign up to a code of conduct. So in other words, that code of conduct is driving them to try to do good behaviour and try to make sure they support their particular staff and development of those people. We then look down on

the professional qualification side. We come through from practitioner around about two and a half thousand hours after you leave university or after you've been on a network security course or after you've been working operations or you've been doing work development. Exactly the same sort of route I came through. So I left school at 16. I sort of moved away from wanting to be an astronaut because the limit limited my opportunities. My careers advice was you're probably going to get your job over the airport working at Nessie. I wasn't overly keen on that. And I was quite pretentious. I'm sure you can't believe that at all. And I wanted to be a systems design engineer in

the 1970s. I had no idea what that meant. It sounded really sexy. It was in technology. The technology was in the space station, in the Apollo program. And in addition to that, there was a lot of people from banks losing their jobs, and I thought, well, if I'm working in the tech side of things, I'm probably going to keep a job. So I had an interesting job. I've worked in tech, and I hope you have a career. I have no idea at all what I was doing. So I left. I was very fortunate that I went to night school and all sorts of other things. And the Ministry of Defense sponsored me to get a

bursary for the first ever computer science degree that didn't have mathematics in it, because I didn't have an ASA level, if I couldn't get into the vast majority of the other ones. So there's lots of different routes. I came from computer operations. I had loads of time on the computer, which was fantastic. All the programmers used to put their punch cards in, used to get one time runs, and then it used to fail. I used to have unlimited times with all of my coursework, and I used to try and mend their programs for them in the night shift. So I was trying to get overtime. That's basically what I was trying to do. And in

addition to that, I would then move into programming and progress really quickly. So what we want to do is to make sure that we don't just go that pure academic route, we allow people to come in from other directions to make sure that they're still looking for purpose and they're getting the opportunities that I was given up there. So that's a practical qualification moving from practitioner through registered through certified. I'll come on to where I think we should move in the future. I think it's a reasonable career structure. Two and a half thousand hours, six thousand hours, ten thousand hours aren't mandatory requirements but they are typically what you'd find in terms of accountancy, audit, medical, legal, all of the other proper professions. So those elders, although

I talk about the block and you look at me very strangely, I'm doing that because I want to demonstrate real professionally. In addition to that knowledge sharing is really important, that sort of common good element. We are really good as an industry in terms of sharing stuff, and that's one of the other joys about this. You look at this in terms of competitive organisations, and they sit there and they can look at it. That's a really good thing to do and it's something we should enforce and it's something we should embrace. And in addition to that, looking at professional development. In other words, how we're gonna get people in and then how we're gonna support

their career structure moving forward. So, in terms of the company membership, what I'm actually doing here, the first thing to do is, we have to look at the company membership to make sure that it's appropriate. And therefore, we've set the bar really fine. It's an aspiration for a lot of organisations to pass their CREST audit, both in the UK and any other parts of the world. We have been placing forcible, more meaningful codes of conduct. In theory, at least, if we remove somebody from our register, they certainly wouldn't work for the Bank of England nor the Financial Services Regulator. I don't think they work for top-tier UK financial services. If they are a CHECK team providing services to the UK government,

we have a back-to-back agreement that I would tell them I'll remove something from the register. I don't have to tell them why and I probably can't, but I think they'll probably do their own investigation and take some action. And one decision, we could remove a company's expertise to work in the UK, top tier financial services, and the UK government. It's quite a big statement. And that meaningful code of conduct, although I never want to enforce it, is actually a really strong element associated with it. In addition to that, the industry has increased the membership. 60 members in the UK, the UK is not a very big place. We probably represent 80 to 90% of the

professional element of the UK penetration testing market. I think we represent smaller numbers in terms of incident response. And certainly we're starting to get more and more traction in terms of things like threat intelligence. In addition to that, we need to do more to educate the buying community. So in actual fact, what we've done is the industry itself has got together and made improvements almost without the help of the buying community who we're benefiting because the buying community absolutely benefits from the processes that we go through. But what we need to do is not just have our press bears and things in terms of our logos, you'll see quite a few of those outside in

terms of the presentation moves and things. And what we need to do is actually say why we are part of CREST and why that organisation is part of CREST. And it's because of the enforceable code of conduct, it's because we are a profession and all of those things I think will help you as well as doing other things.

In addition to that, we need to do more to support the development of growth and other companies. I'm trying to work with the UK Trade Ministry at the moment. They would like to have CREST help them to increase their level of exports, around that two billion pounds worth of cyber security related services. Now there are some issues associated with the UK industry, particularly in penetration testing. We have a lot of boutiques, which is really good. It's a fantastic place to have a startup. But what we need to do is look at things like service line maturity, we need to look at how those organizations can grow, we need to look at where investment can

come from, we need to look at where grants can be available, how to develop people, and all of those sorts of things are really important to allow those organisations to grow and flourish, and be interesting enough to be acquired, or be interesting enough and big enough to actually be able to supply exports. So I'm working with UK Trade the Industry to try and put together a programme to help those organisations to grow. And I think that's a really important thing, and again, it's quite untypical that we're going to work. In terms of professional developments, then what we're looking at here is we're looking at the pathways through. So again, the bar itself is set extremely

high, but we move from practitioner through registered to certified. Two and a half thousand, six thousand, ten thousand hours up here. And it doesn't really matter how you actually derive those hours. If it's personal research, that's really good. If you're at home watching Jeremy Carlin and trying to do a university degree, you're not going to get the number of hours you need to do it. We work on educational pathways at different levels. So we work in everything from trying to encourage more school children in, So looking at the Trailblazer apprenticeship programs through the tech partnership, through working with our academic partners, which we've got 18. So in other words, we're trying to look at all

of the different pathways in to allow that to happen. In addition to that, we're working with other players to identify talent. We're working with people like the Cybersecurity Challenge, for example, to try to identify the right people. The issue I have with that is they identify really, really good people and try to get the English generation off from the job. And what we should be doing is bringing the mass up in terms of raising the skill level of all the people at play and trying to persuade them that the industry is a good place to be. But we've also got other initiatives, for example, with the NCA, the National Crime Agency, where we're looking at

interventions to stop young people going into cyber crimes. Some of those people are going to be really good. But if they start to go down the wrong path, as a profession, you're going to find it very difficult to employ them. So we need to look at those sorts of things as well, and again, that's what we're trying to do. And as an industry, we're trying to do it, and this isn't just crazy. In terms of our professional qualifications then, what we also need to do is to move that whole forward, to recognise some of the people that contribute to their life. There are some old people in the room, even though they're wearing black t-shirts.

I think we should recognise those people that made a massive contribution to us. We should introduce a fellowship and whether or not it's a fellowship just for CREST or is a fellowship broader than that in terms of other people that have identified and actually made a massive contribution. I think those are really important. We need to document why they've done that because that's all part of the history and if you look at professions they can always go back to history and describe what it is they're going. We need to work on others to identify talent and provide non-academic pathways, like I've said, people like NCA and the Cyber Security Challenge, but also others. We

should also look at the financial support for talented young people. A lot of the other professional institutions outside of IT provide support for those who can't afford to go to university or come into the sludge and boom. And I think we can do that through our training organisations as well as providing financial support, something in the industry we should get together and try to do. In addition to that, we should also look at the soft skills necessary. The criticism that's levied at us is that we're all long-haired people wearing dark t-shirts or hoodies. Now, I want to dispel that because first of all, I look really rubbish in a t-shirt. I can't wear my hair long. And although I have got some hoodies, I tend to wear them. I

already went loads of hoodies. So what we need to do is to make sure that we're actually taking that again, but then we're saying that these people are really good. And we need to look at the soft skills associated with trying to get into the industry. Because I think if you've got the technical skills, we can do it. In other words, we can train people in soft skills. And this is completely contrary to a lot of the people that stand up from the soft skills side. But if you've got the technical stuff, I think we can train soft skills. I think it's really difficult to do it the other way around. So what we need

to do is to look at things like the price of qualifications in We need to look at the IISP skills framework in terms of the soft skill elements. We need to look at odd things like SFIA because they're quite important. And whilst a lot of you young people here are sitting there going, yeah, but I just want to do tech, if you can't articulate your argument, if you can't stand up and you can't present it in a written form, you're not going to be listened to. And that's certainly going to curtail some of the opportunities you've got in terms of your career. What I really want to see is good technical people sitting on boards.

You know, again, I was sitting on the board, seeing, you know, it was really difficult. I was the only tech person there. I was trying to explain to them why IT security is important, why continuity is important. I was losing even though I was sitting on the board. And some of those were my lack of skills, but in addition to that was the lack of skills of others who were sitting on the board and the lack of recognition of what they did. If we're going to make a difference, it's very important that our young people actually have the soft skills associated with it, and they take that element of their career path just as seriously

as becoming technical. In terms of our professional qualifications then, we need to contribute to more information to encourage youth into their careers and we need to promote our industry and yourselves outside of the industry. So take the opportunity to talk to people. You know, if I stand in front of this room and I say you should really come and work in cyber security, I think you're pretty sold on the idea already. But what we need to do is to move that outside that debate, into doing maths or soft sciences or history and all of those sorts of things. And we need to describe to those people what an exciting career in this place looks like. It will help to know what you do, it will

help to know the profession, and it will actually drive the whole process for you. We also need to look at the requirements in the soft skills, and as I mentioned, things like IISP, the sciences skills and others. And we should actually develop materials for the profession. So in other words, we are now trying to work more with our training partners. We are trying to work really closely with academia to develop their syllabus areas. And we're trying to align these things into something of a common body of knowledge. And those things, I believe, are really important. In terms of knowledge, the really fabulous thing about working in this industry is the level of collaboration. And I don't see that in other places. And I do go into other industries. When

I pull together a workshop, even to look at things that are as obscure as the National Crime Agency's intervention, we are overwhelmed with people who want to come to that workshop and contribute. That is a fantastic thing. And that idea about sharing knowledge through informal groups or formal groups or workshops or retail projects is, again, something I think we should embrace. It's something we do really well as an industry. I don't think we'll always recognize it for it. But again, if we can put together good quality material, and we can push it outside of our point of points, then I think we're in a much better place. In terms of CREST, then, all of our research quite intentionally we've made IPR-free. So in other words, we pay quite

a lot of money to develop that research material, where we're producing research guides, some of which I hope are going to be on our stand outside. Please take them away, I don't want to carry them back. But that IPR-free element is really important, because what we want to do is to share that as broadly as we can. The investment we make in terms of producing research is because we want to share that information. It isn't because we want to make ourselves a better. In addition to that, we've also got some of the best industry conferences. This is fantastic. And a really good thing I like when I go to some other conferences, or I'm at

CrestCon and some of these and some of the Hogwarts ones, is I have other people in the profession say, yeah, we'd quite like to go, but it's quite technical. Awesome. That is what we are. This is a technology-based industry. I struggle sometimes with the amount of other conferences where they stand up and say, the board doesn't understand us, we need to have more board engagement, and what are we going to do about awareness? Well, in this audience, I can say, well, stuff the awareness. If you haven't got proper access control, authentication and you don't know how you're going to try your database and anybody can walk over your website, you're pretty boggled. It doesn't matter what element of awareness you're going to do, we need to get

the tech bit right. So tech is really important in terms of what we do. And I think, again, we need to push back against this principle in terms of cybersecurity that we can invite anybody in. We should invite anybody in. I can't do a marketing program. I can't do an awareness program very well. We need to get some soft skills to help us in there. But the job you do as technicians, technical people, is really important. And again, I think we need to shout at that.

And so we should do conferences like this. We should do technical conferences like CrestCon. And we should do things like Overs. I think they are really important. And I think we need to embrace them as an industry. So what I'm asking you to do is suggest, attend, and contribute. You've certainly done one of those, you've attended, but suggest what it is that we should be doing and then contribute to it. The fantastic thing about this industry is it's young. Despite having old folks like me standing up and describing it, it is a young, vibrant industry. And you can contribute and you can make a difference. If you think there is a subject you're not covering, or

you think there's a subject area that needs research, talk to the industry bodies, talk to the organisers, and you'll get an opportunity to stand up and present with other people rather than the other cyber security conferences where you've got to be 50 and you've got to be around a certain type to even be considered about standing up to the front. We want young people, we want young people with good ideas. In terms of professional development, then we have quite some strong views. I've got some very strong views, which I've tried on the force and the rest. CPDs. Professional development points. I do a lot of Friday afternoon webinars. Fantastic. I get somewhere between 200, probably

300 people come on those to listen. I think there's probably five people listening. There's 95 of those people who are already doing their emails and probably about five people are actually doing it on the rest of them come with dogs. And they're getting their two CPD points which allows them to stay in the profession. So what we do is we recognise this industry churns and turns very quickly. We invest significantly in terms of our rigs and our qualifications, and you have to do it again after three years. I think that is absolutely the right thing to do for this particular industry. And in addition to that, what we need to do is not only recognise the people that are in, but we've got to encourage more people in. We've

got to get them jumping a little bit through the schools, colleges. We need to do the competitions, the universities. And we also need to encourage career changes in. We haven't got enough people in this industry and in actual fact we can take a lot more people in without having an adverse effect on our personal career path. I'm really hoping they don't solve cyber security for another 10 years because I'd certainly like to work for another 10 and if you solve it in five years I've got to think of something else to do with the other five. So please don't solve it. I'm welcome too fast for you. In addition to that we've got to support

the career enhancement through accredited training and we need access to current industry views. So in other words contribute, the fact that this is being filmed, the fact that other presentations in this particular conference are being filmed, we should share them. There's only a limited number of people that can get in this room, but there are hundreds of people that are really interested in what we do, and there should be thousands. So in other words, we need to look at how we're going to promote ourselves. These were the 10 best reasons for entering the cybersecurity industry, in terms of a lot of the day in the life videos that we put together.

I think that variety bit is one of the most important bits. And it certainly came up at the top of most people's list. And that's what it's done for me. I've had a fantastic career. It's been a joyous thing, right away from when I joined, right the way through to now. And that variety and change and challenge is really nice to have been. And also, if you look down there, I think with all of us, you can associate yourself with at least three or four of those in terms of reasons why you would actually like to, why you join this industry. But think about those sorts of things when you talk about being outside. And

actually embrace it. Don't be afraid. Again, coming back to me being very young, at the age of 17, I worked in technology. Not a great thing to all young ladies. I was a civil servant at that time, so I'd actually moved away from the private sector into the civil service. So I was a civil servant computer person. And if that didn't get rid of people, I worked night shifts, and therefore I didn't use to go out with people anyone. So it was a really difficult thing to try to actually have that sort of social bit. And I was always apologizing, you know, I'm really sorry I work in tech. I'm really, really sorry I'm a civil servant. I'm really, really sorry I can't come out with you because I'm

working nights and I'm trying to get my phone work done. You know, those sorts of things. But what we need to do is to actually embrace that and actually say, this is a fantastic place to work. Pick three of those things in terms of the top reasons for joining here and use them all the time in conversation. We are, I think, at the pinnacle of a really fantastic industry. And we don't tell people. We almost apologize for them.

In addition to that, there is this misconception of what the industry actually does. And again, I think you should take the opportunity wherever you can to actually mitigate that. Again, I think we can build on the initiatives. What we should do about the contribution in terms of our social responsibility. There's a lack of understanding of options in communities. And even I struggle. I try to mentor a lot of young people. And I do struggle when they ask me what university course to do, what training courses they should go on, and exactly what path they should take, particularly at the lower levels in the apprenticeship areas. Now, we're trying to sort that out. But again, what

we need to do is have some consistency in terms of what we provide in terms of descriptions about careers. There's also a lack of careers material at any level. I'm not sure if it's going to come up, but I do quite a lot of educational events, big educational events. And I did something called Big Bang. At Big Bang, there was absolutely no technology-related presentations at all. I had a 383,000 piece K'Nex model, the largest K'Nex model I've built, that replicated the four landsby record car. We had exercises doing things like gravity and friction, all sorts of things with these little model cars. And I was firing rocket cars at around about 23 to 30 miles an hour across a hall in

central London. The technology bit was a tiny bit from the BBC. It was actually talking about digital broadcasting. You had CDSG doing puzzles, and they had a linked computer system to try to demonstrate how a new Raspberry Pi could be a mainframe. A lot of people in that particular audience didn't get it at all. And the fantastic bit about coding was Coding Club. It was just brilliant. Because from last year, where they had musical bananas, they now have musical bananas and musical peppers. So I moved all the way through. And that was our major representation as an IT industry that known the exciting bit we do here. As with the rest of the industry, I think the IA community, and particularly the community that I represent, we

can make a magnificent difference. We can just go in there with really good interest in the stuff and demonstrate how good technology is and why security is related to technology and so forth. We also have a lack of juvenile opportunities, and I think that's a big part. Of all the things I've struggled, it's trying to get internship and first work-based opportunities. So if you do work for an organisation that can do that, an internship is a great thing to offer. It's a try before we go. We're not even saying you're working with it. We're just saying, put on a programme, ask them to come and work with you for a while. If you like them, you can employ them, and if you don't, you can throw them

out. You can shake each other's hands and say that was a good experience. We've tried to do other things. This has inspired careers. So this is done in collaboration with Crest and also with Biz. And what we've now got is the 73 jobs that are available in the cybersecurity industry. We've also got over 200 now done in live videos. We've got all the university courses that you might want to consider if you're entering this as a career. The training courses that will get you from one position to the next position. And also social media groups you might follow and also other material that might be interested. If you wanted to contribute to that in terms

of any of those things, just go on, it's all free. It's absolutely free. And if you've got anybody who's interested in entering this career, then point them in that sort of direction because it will give you some empathy in terms of what it's like to work in the industry. You can see that you can work from a boutique, right the way up to BWC, or you can set up your own firm, you can do exciting things. And there are incredible people working in this particular industry. We need to be able to do that. And this tool is interesting enough because it's not only driving the young people to consider this as a career, but I'm

hoping they're gonna go home and say to their parents, yes, but look, this is what a career in hacking really is. There is a proper industry here and we can do something about it. This is the big bang thing, sorry, I did think those slides came up. And this is the material that's available for other professions. And this is what we have. There was a tiny bit in terms of the higher apprenticeship program, which actually doesn't exist because the tech market don't want it. And there was complex challenges from CSG and I couldn't find anything else. And I spent a long time doing it. Interesting enough, I had a couple of schools doing some quite interesting thing with virtual reality. But I'd introduce those schools like in Berlin.

They also had a couple there doing their helium balloons that they take up to the outer atmosphere with GoPros and take pictures of the culture and work. Fantastic, and as an industry I think we should get together and give you a brilliant set up with GoPros and take pictures of the clients or whatever. That's a great exercise that we can do together. So what do we need to do? We need to work collaboratively as an industry. I find it really frustrating when I go to some of the other industry bodies and we're almost in competition. We are not in competition. This is a not-for-profit organisation in terms of Crest. A lot of those other

ones are not-for-profit organisations as well. Who is going to make it? Nobody's going to be able to realize the cash out about anything. I'm not going to be able to sell another business, buy another boat or anything like that. What we're going to do is we're going to develop the industry. And if we don't work collaboratively, we just look stupid. We've got to make it interesting. This is a fantastic industry. I love it. I hope this is going over just how enthusiastic I am to still be standing up here thinking about something I'm passionate about. But we've got to make it look interesting to young people and we've got to make it look interesting to

other people looking in as an industry. And I want them to be jealous in terms of what they might do. We've got to produce specific careers material. I've got a proposal out with OCSIA at the moment to develop careers materials. Again, we've just taken the initiative because we can't wait for these people to make a decision. So we've started that process already with things like that 10 key reasons to join the cybersecurity industry as a poster. We'll do it as an interactive PDF and as a poster, and we'll provide material into schools. We need to pump prime those initiatives as large companies don't seem to be interested. And I think that's such a shame. We don't see the big companies going in there in the careers fairs

in that sort of form to try to promote young people. And if we haven't got them by the time they're, I would say 10, we're almost losing them. And if they haven't started to get an idea by the time they're 12, then we really start to lose it because that's where their career choices are. Their concerns is that whether they're going to technology or whether they're not going to any of the sciences. And by the time you've got to 16, you've almost lost them completely because they're trying to decide what type of university courses they're going to do. So we've got to hit young people early. I think that sounds really good,

hit young people early. But what we need to do is to make this a really interesting thing because they all use tech, but they don't realize just what an exciting place this is. We need to use gender-neutral language. I find it hugely frustrating, the guys and all of those sorts of terminology that's used. And then there are all people up on it. I'm almost embarrassed to do it. We should be very considerate. I don't want anything done in our sense. I don't want anything playing pink.

I don't want it to be done. That's not how the hard engineering is doing this. What they're doing is they're using gender neutral language and they're trying to make sure that they're describing their careers and their job opportunities in a way that we're attracted to the widest possible population. And that's again what we need to do. We are already in a really diverse industry in terms of the academic qualifications that people come in with, whether or not they have academic qualifications, their integral background in terms of where they've come from, where they live, all of those sorts of things, we actually do that extremely well. But what we need to do is do it better. And therefore, we need to be very careful about the

language we use. We need to think about those things as we're doing presentations, in particular, or we're writing documents. In addition to that, we need to have representations, significant educational events. If I get this thing running with OCSIA, I will be asking for volunteers. I will be asking for their science, technology, engineering ambassadors to come and help us to actually put these messages into young people to actually describe what that process is. When I do that, please come and help me. I have 500 STEM ambassadors, so it's a Bloodhound project, going into schools talking about science, technology, engineering and maths. Hardly any time. I've got two people, and not extremely me, that talk technology, and one of them doesn't like it. It's just quite incredible. So what

we need to do, we need to look at that in terms of us as an industry, and we need to have volunteers to go out there and do this. It's a really exciting, really nice thing to do. But when I do that call, please come and help me. In addition to that, we need to move on to the next slide. We need to look at some of the existing entries. So again, I'll push people in terms of looking at some of the stuff that the tech partnership is doing, in terms of the partnership trailblazer. You've got an intrusion analysis one, which is something that's done well in a SOC. Then you've got the more generalized security management type ones. You've got the Crest Academic Partner Program. So

if you're working with the university, make sure they're aware of all of this in terms of publicizing what they do. We make all of that Crest information available for their presentations to anybody, but mostly to the academics. We help them with the creation syllabus. We look at the higher approach, apprenticeship definitions and syllabus areas. We do exposure to potential employees. So if somebody sends me a CV, I will send it out to Crest Member companies and anybody else who's interested. So if you do want to employ young people, you don't have to be a Crest Member company. We'll get the CVs, we'll send the money at least to you. But hopefully, we'll get some of the young people who are interested. Internships, again, we try to encourage internship opportunities.

We look for workplace opportunities, and also we try and provide careers advice. And the problem I was having with the careers advice was I was beginning to run out of time. So in other words, I couldn't do that. And now what we're trying to do is look at many to many mentors. So in other words, we're going to again ask the volunteers to help people mentor, but we're going to do that online so lots of people can contribute so it's not just a single person to do. The entry routes, we need to look at the work placements, as I've said. A really good in terms of your social responsibility and you might also be really

lucky to get a young person that's really good. The companies that have utilized them, some of those are in this room, have had really positive experiences. Offering a first job is a great thing. I really remember the person who refused me a programming, an operations job because there was no programming opportunity. I said I wanted to do a program and they gave me one that was quite hurt. But then the person who did give me their first job and let me run their computer system at the age of 16, which is kind of a scary thing to do. I remember that person today. I remember the interview today. I remember my cousin getting a job in the Ministry of Defense, or at least giving me the article and

saying, you're not going to reply for this. I remember that interview because it was all women, which has enough work. At that particular point in our careers, women were dominant in terms of senior position. And I remember those people giving me the opportunity to go to college, And I remember the person who goes to the first room and to actually allow us to get a university education. Absolutely fantastic. If you can do something like that for one other person in your life, it's a really good thing to do. So give somebody that first opportunity. Spend the time and help. You always remember that person who gave you that first opportunity. And I think that's a really good thing to do. We must have an industry plan, I think, to

encourage youth into industry. It's no good Crest going on their own. What we need to do is to do that as a consolidated group in terms of employers, industry bodies, I hope we can involve other people, but also the people that are working in the industry. Employers and buyers must understand why we need certifications and professional membership, and again, we need to promote that, I think. We need to define what these certificates mean in terms of career problems, so they are understandable when we use them in terms of consistency, in terms of the term membership, and where we can look at equivalencies we do, but we understand. We need to work with the

professional bodies to encourage us to work collaboratively. And anything you do, if you sit in other professional bodies, the question is really interesting work collaboratively with people. We want to move this process forward and we've got an awful lot to do and therefore the more we can share, the way the better.

It's essential, I think, that we become a professional. We can continue as we are. There's no problem. We can double the size of our industry. There's lots of employment opportunities. All of those sorts of things. We can just continue. But I strongly believe that if we're a professional, we're going to do a much better job. And also, we're going to leave a legacy for playing, which I think is really important. I think we're moving in the right direction in terms of Crest and in terms of some of the other opportunities we've got, both in terms of industry bodies and other collaborative type groups. But I think we need to do more. I think we absolutely

need to promote the certification of professional ownership to the buying community. So Crest has done, I think, quite a good job in terms of getting members in, so in other words, people that provide and supply. What we haven't done is thinking, talk about the marketing messages that we're putting out to the industry to say, we are really good at this and this is why you should buy through these channels. We should go for a trip of trade, I don't think, but almost that equivalent in terms of if we actually got together as an industry, we could do something really good in terms of raising a profile of really good organisations providing access to skilled, knowledgeable and competent individuals. In addition to that,

we've got to work together, I think, to allow the businesses to mature and grow. There is a huge amount of opportunity. And what we can do is we can take this in isolation. We can say my little business or my medium sized business or even my large business, we're in direct competition with all of these people. So we can't talk to them about strategy, we can't talk to them about investment opportunity, we can't talk to them about growth. But because there is so much of us, I think we can. We can put all those things together and we can identify how we can put up the whole industry to be more professional, the whole industry

to be better, and then we've got a global market which we can pay for. So I think there's a huge opportunity the organisations working in this area to actually do that. The professional bodies in the UK should be encouraged to work together as an industry and again I think you're getting the idea that I think we should invest in youth. In terms of... So in terms of that as a summary, I think what I'm trying to get over here is first of all my enthusiasm for what I'm doing. And I hope you take that enthusiasm away and I hope you utilize this in all of the other venues and opportunities you've got to speak to people, both in terms of your normal

outside of work environment, but also within your work environment. And I think you should participate because you've just got this fantastic opportunity. I came in the very early parts of proper coding and certainly in terms of interactive coding, so in other words, developing programs, you can have to do punch cards or paper tape. That was a brilliant time where we developed things like SSAVN, and PRONT, and all those sorts of things were put in there to help us to do structured systems design and development. We stand a really good chance in this industry, and I think we're at the junction now where we've got opportunities to make a difference. I hope we enjoy the rest

of the day, because the rest of the day is orientated to a lot of those other communities. So thank you very much for your patience.

Thank you so much to you for that, that was great. Ian will be at the Crest stand apparently all day and he's doing his quick-way duties. So you can go over our system and questions. We're heading out now, so we're not going back to the stream for the rest of the day.

[ feedback ]