Can An Old(ish) Dog Learn New (cyber) Tricks? - Andrew Carr

BSides Newcastle, 13:32, 25 views, published 2024-01

So I'm Andrew Carr. Uh, let's talk about, um, learning things when you're a little bit older. Uh, so just want to note that this was originally a 45 minute talk and it's been, so we've got a third of it, so hopefully the interesting stuff is still in there. So I'm not starting with the "who am I" slide because that might give away spoilers for the end. So we're going to start with a part one of my IT career. So in 2007 got my first job on a help desk in the building society. So building society: money, personal data, so security was there, it wasn't a big focus of a help desk job. 2009 I was, uh, with a little

restructure, I ended up running my own team looking after, amongst other things, Exchange, document management, internet banking, cash machines and Visa transactions, so security kind of ramped up a little bit more. Um, I went on a career break, I ran a ski hire shop, no security there, but when I came back I thought right, need to skill up, so went away, got some SS, and in 2014 ended up in the public sector, specifically in policing. So, uh, and I was network security analyst, so network security was a bigger part of the job. In 2017 there was a restructure and my job disappeared, uh, so I ended up in management. I got talked into it. Um, and

then, so, and then ended up going to university in 2019. So the title says oldish dog. Uh, 2007, 2019, sorry, 20, yeah, 2019 was 12 years, which makes me in dog years between 64 and 77. That's the justification for oldish dog. So, new cyber tricks. So ended up going to a meeting early one day, head of IT looked up at me and says, "Do you want to go back to university? It is fully funded, asterisk, and you will have time to do the work, double asterisk." We'll come back to those asterisks shortly. So 3 weeks later I was at the University of Gloucestershire. I live in Carlisle, it's 310 miles or something like that, so it's

not particularly convenient, but the other option was Bedfordshire and I have no intention of going to Luton. So initially it was one week in every six I was down in Cheltenham for the full week, later on it was 4 days a week, but, uh, sorry, 4 day weeks. Although it's not the finest university, it does have quite a nice campus. So a quick note here on degree apprenticeships. So they were introduced around 2015, bachelor's and master's level, so level six, level seven qualifications. They're offered by universities and training companies, so you can go to, back then had the choice of Gloucestershire and Bedfordshire, now you can go to decent universities, not they're not decent, but Edinburgh, you

could go to a training company like QA, who do it in conjunction with Northumbria. Uh, wide range of subjects, including cyber security but also things like data science and how to run an avire. Um, all businesses with a salary bill over 3 million pound have to pay into the apprenticeship levy. They have no choice in that, but it is entirely up to them if they spend the money in that pot, so it's a good way of stretching your training budget. Fully funded by the employer. So I was working in the public sector at this point, so if I was relying on public sector procurement rules to get me my textbooks, would have been two assignments behind by the time the

textbook arrived and would have failed the course. 20% off-the-job training: this is how they make sure that you get enough time to do the work. So 20% off-the-job training kind of covered my travel to Cheltenham, my travel back from Cheltenham, my four week in Cheltenham, and then as time was pretty much on my own time whenever I could, but whenever I could squeeze it in at work. The guys that worked at Dyson on the same course, they got every Friday off to work on this regardless of how much time they spent at the campus. And it's important to note that they are tied to an apprenticeship

standard. The standard is written by the government in conjunction with large businesses, often BAE, KPMG, Deloitte, people like that, so the universities don't have a lot of movement in what they can deliver. So I turn up on day one and everyone looks like this, so it makes me feel like this. I was 12 years older than the next person, age-wise, on the course. So year one, what do you learn? So we started with project management. I thought that's a strange way to start, but okay, I'm here now. So we did agile, waterfall, that kind of thing. Second module, web development. Okay, getting more into it now, this is kind of getting towards what I wanted to

learn. Next module was Python. I thought brilliant, this is what I'm here to learn. IPC uses Python all the time on YouTube, I want to learn Python. So learn Python, a really good lecturer for this as well, one, bearing in mind the teaching is this in a week, so you have a week to learn it and then go away and do whatever the assignment is. Next one, Arduino. Okay, pretty good, embedded systems, go and build a, I think we had to build a weather station. Not very cyber security related but, you know, fit the brief of the assignment. And finally networking. Because I had a CCNP they let me off with that one, which is really good

because this was the first module they tried to deliver after the first lockdown started and apparently was an absolute car crash. So year two, well into COVID times here. Risk management: didn't appreciate it at the time; in my new role, um, very much appreciate having spent a week learning risk management. Operating systems: it's hard to secure an operating system if you don't understand how they work, and we were really deep into the details of how they work. Likewise, good base knowledge of cryptography, very important. Ethical hacking, definitely in quotes, because I could have learned much more by watching two or three videos on YouTube. It was quite a poor module. Research project: so you have to

go away for the summer, do a research project related to your job. We recently implemented the NCSC's Protective DNS service, so I spent the summer doing data visualization of all the block events that was generating. And it was COVID, so everything was remote. Year three: risk management again, but it was nearly word for word what they taught us the year before, it's very strange. Secure coding, this was pretty interesting: buffer overflows, use-after-free vulnerabilities, things like that. Uh, I think we covered four or five programming languages in four days. Malware analysis: if, so, anybody here for the first talk in this track this morning, guy was going through reverse engineering, they tried to teach

us that in four days. It just didn't work. Advanced networking and security: this is not networking and it wasn't security, it was about, um, really strange stuff. Um, I'll talk about it afterwards, I'm kind of worried about how long the battery is going to last on my laptop, having to, uh, risk the charge of that. Dissertation: I can't talk much about this because it is currently being implemented as a national policing system, um, but some pretty interesting stuff with Azure Function Apps, um, and, uh, IP addresses and rapid blocking of threats. So what did I really learn? So I realized I'm not too old to learn, which was a good thing to know. I realized that being older can be

very useful. So people, guys on the course, there was only eight of us on the course, so they were coming to me, they were messaging me between sessions asking what do I think about this, because I have been managing a team of 23 at this point. Had to juggle my management responsibility, had to manage my day job, I had to manage my assignments and help these guys as well. So being older, with a greater appreciation of education, um, time management skills, self-management skills, and being able to coach others, so not giving them the answers but helping them work their answers out. Learned academic writing, so now I write a lot of, uh, business papers,

business cases, just written a new strategy document, so academic writing and kind of justifying your reasoning has been very helpful there. I learned Python, that's kind of what I wanted to learn, so I use it quite a lot. Um, I learned all the key landmarks on the train to Cheltenham. I was taking the train to Cheltenham every 6 weeks, getting the train back every 6 weeks, I learned a lot of things about that. I also learned all the key landmarks within the 5 mile radius of Cheltenham town centre, because everybody else lived locally and went home. I had to stay in the Premier Inn above the wios and wander around on an evening. I also learned the, uh, the link

that they claimed between the local, uh, how I worded it, the large government organization in the local neighborhood, was questionable. I walked, I came across it one day because I walked there, I kind of stumbled across it, but the link that the university claimed between themselves and GCHQ was pretty much non-existent. So what didn't I learn? And this is hard because you don't know what you don't know, but I definitely didn't learn any elite hacking skills. I don't know, I didn't think I would, but I definitely didn't. I didn't learn anything recent either. So the apprenticeship standard is very rigid, so the university have limited movement in what they can deliver, and it was written

years ago and hasn't really changed. So did it work? So management in 2016, started a degree in 2019, in 2021 I got a tap on the shoulder in the pub at Christmas from the head of IT from where I used to work saying, "How's things? What's next? Some job adverts coming out in the next few weeks, you should be applying." So in 2022 I started work as a cyber architect and I graduated later that year. So are there better ways to learn cyber? Now this, the image was suggested by PowerPoint, I'm not sure why. So training courses are costly, so, you know, SANS, QA will bleed you dry, take all your money, but, you know, if you got

you're paying into the apprenticeship levy, you may as well take out of it. Teaching yourself can be hard. You need to be disciplined, you need to set the time aside, you need to work out what you want to learn. It's not for everybody, but if it's for you then great. If you didn't have an assignment to submit, would you give it the same time? So I spent, according to the tracker that I had to fill in by all the hours I was doing, I spent 1,441 hours over 3 years on the degree. Would I have spent that same amount of time if I wasn't doing the degree and had the assignments to submit? Definitely

not. You know, I was getting married, I had things to do, I just bought a new house. Um, you know, it's, you have to balance out for yourself and you have to ask yourself what do you want to learn. So there's two colleagues I used to work with and they would basically immerse themselves in the latest vulnerability, they would learn everything they wished to know about it, and all of a sudden they were learning about something else, then they would learn about something else, and then be like, "Oh, I've got some time, I'll read about this." I was having to learn about ISO 27001, 6 weeks, then I go and do something else,

so I didn't have that flexibility that they had, but that worked for them. And, you know, they had families and kids. I don't think they like their wives and I don't think they like their kids either, so they had the time to do it. So is it worth it? If you're a learner, it's not just for young people. I was a 31 year old manager and, you know, I'd never thought I'd become an apprentice. Fortunately I didn't get paid an apprentice wage, because that would have caused problems with the mortgage. Um, make sure that you check that the institution and the course is right for you. It's not always going to

be right, you need to make sure it's the right fit. Really make sure that the employer gives you the commitment that they're going to give you the time to do the work, otherwise, you know, burning a candle at both ends. Uh, you know, accept you're not going to run everything. If you're the employer, it's a great way to stretch your training budget, but can you release that member of staff the equivalent of one day a week, the 20% time? And also, does the course meet your requirements? You know, if your security focuses on A and they're teaching B, C, D, you know, it's not going to work out for you. So finally, is it worth it? So I'm Andrew

Carr. I am an oldish dog, but I'm also now a cyber architect, so I guess in summary it was worth it. Thank you. [Applause]