BSides Glasgow 2018 - Dan Raywood - If the kids are united will they ever work in cyber

great thanks all for coming and a great season people hope for this afternoon and session so the title of this talk if the kids United will they ever work in cyber you get five points if you get the musical reference ten points if you've seen any my talked before and I just love putting musical references into my titles for absolutely no reason because anyone who's ever submitted a talk before knows that writing a talk is one thing my preferred title of it is a complete different challenge so that's that um just before I kick got a couple of comments I've been to a number of talks this morning Paul's in the front row I think it's named with Andrew from

context few others Vicki earlier on really great to see so many things focusing talks focusing on getting a job inside security I think is really positive and that's obviously why I'm gonna be covering today and I really sort of kind of really good hopefully need up so it's a one going to be covering also one big thing I know there are lots of you sitting over there with a batiste Society hoodies and t-shirts on this was obviously originally due for your conference snow got in the way and so you might see a little bit more so student aside of this but I hope all goes well and a couple weeks sorry I can't be there at that time so yeah my

name is Dan Ray would I'll get on to who I am in just a second then we're getting some more interesting stuff than that and so why am I doing this talk skills shortage in cybersecurity is well publicized and there's lots of efforts made out there to actually try and resolve it trying to fill it and I said quite a lot of things we've seen this morning ways you can actually get a job but I think is actually improving on the recruitment side are you those of you who are hiring are you finding the right people coming through vice versa if you'll kind of get the job are you finding the barriers and they're trying

to dress both sides of things in this talk also what kind of careers the next generation looking for and what the opportunities out there and let's try not done the barriers on both sides I think that's the hash tag I don't know if there is actually one today so that's kind of the agenda today we can look at how big the sir the skill saw sort can say skill shortage it is what recruiters looking for what do the recruiting companies in particular a security company look for what sort of roles are you interested in how do you get a job and what sort of certain qualifications you need trying to do everything in a kind of big old package about forty

minutes so everyone has a career path that one's mine I did some stuff before I got into security which is almost 10 years now which is gone past in absolute blink of an eye most be probably supermen because I've worked for SC boyfriend fo security magazine now which is obviously hugely better but I would say that and officially on the record as saying post security magazine today in that since why I get to be here so but before that I did a number of years I did the qualifications in journalism I'd admit a lot of time but I've only been in security for ten years so kind of seeing opportunities and great people come and

go many people in this audience right now and I've got the opportunity to get out and put a talk in which got accepted for a big-sized conference which is amazing so why is the skill shortage a problem well if you look at a number of these kind of reports that are coming up on the screen I just looked around I thought we're actually how big is this skills shortage problem and we've got four different reports it all telling me four different things so you've got the ISU Squared's global information security workforce study that's akechi showed an experienced expected shortage of 1.8 million by 2020 - that's 1.8 million that will be needed in cyber and

fewer than five years there's it's not 1.8 in this room I know that for sure also on that there you've got cyber security more threats and also let's slightly further down the page scroll down there and the bottom two is from cyber security Ventures could be six million global shortage six million people by 2019 that's next year Palo Alto Networks sighted 3.5 million unfilled cyber security jobs by 2020 one up from estimate of 1 million by Cisco in 2014 it's a lot of dust going around here of lots of people in a very short time so if you are actually in the position of hiring or you're actually trying to kind of get to the position of

actually getting the job this could actually be quite a daunting decision because might think how am I gonna be if you're hiring you're thinking where are all the opportunities where are the people and advice you know if you're the one getting the job am I gonna make that curry I'm ever going to make that decision well it may seem that way but it does actually seem a lot more scary than it actually is I think a career in cyber is obviously positive thing especially the moment when there's so much opportunity in different part in different parts of the industry but the question is this was a regretful decision to put him in but how can you get ready at the moment so yeah

I mean how can you get a job where'd you get a job what are the recruiters looking for what do you have that they are looking for in particular and what is it that exactly they want I mean there's opportunities out there and the plug slide which I'll fire through is something we do with in post critical next-gen InfoSec we we talk to people hiring and sort of applying trying to find out what they are it's opportunities like that and the industry to try and boost yourself but the problem we're finding is that especially with the is c-squared survey once again many employers are refusing to hire and train inexperienced recruits they want the hacker man they want the

superstar who can do everything and something we mentioned a bit later on or B I think there's someone that job ad saying you want a sis for a first-time job and it's like that's five years experience I think that's that's quite a lot to ask for but someone who's a first-time applicant and and also there is you squares at 93% that previous cyber security experience is an important factor in their hiring decisions what does that mean for the first time applicants it means that they're going to just have to keep working at it and getting that job or a problem is ultimately employers want staff who can sit down on day one and get going with minimal mentoring

training supervision get down get on with the job I come from a background in journalism which is exactly like that nobody wants to kind of think right I'm gonna take you through how to write here's our user your type you know you expect him to know this stuff and he'll walk in on day one and kind of figure that out so back in January we we did a webinar actually which I'm going to push the URL to at the end and we asked people on listening to it what their employers looking for any recruits and I deliberately put in all of the above I don't usually put these in on my webinars because I don't like give

people a really easy option Bogardus but 59% wanted all those three experience qualifications and skills and the 2% sorry 9% said other they didn't specify what the other was but if you're actually up those three 59% were at all three and you add those three 1319 - that's 31 plus 59 whilst that's 91% want all of that and that's from the people just on our webinar that's quite a tricky situation so I was quite intrigued by this to think actually what is it that's that's the barrier for people actually getting the job so I had a quick chat with a recruitment company and the one in this case was acumen who I've dealt with a

lot and have been very very good and I said what do you think what's actually is what people looking for when they go to acumen to get people to help them find the people that they want what are they looking for and these are some of the answers he gave me listing evidence achievements that the chap in context upstairs earlier on so there's give examples prove your battle scars he also picked up specific responsibilities target is the role don't be generated job spec esque try and prove why you actually what you achieved and just say you know this was a coding job I wrote lots of code also be represented as as a company or you

know the company you're trying to work for if you you know maybe have a certain dress since that's that's great that's absolutely brilliant but is that sort of thing I go down particularly well on a bank for example or even you know working for someone like GCHQ which you might want to do consider that this is what acumen were telling me obviously don't this tools with no context did you admin design implement procure what's your skill sets and and finally desirable skills and experience so it's quite a lot of detail there that actually that that's what recruitment company told me that these the main things that a company would look for in a new members are new and your

applicants so I'm going this guy's gonna appear a few times because I just want to try and get some hands in the air and just make sure you were listening so just a quick one I mean in terms of you know some of you University some of your workplace how many of you actually are sort of training you to be do like skills that those ones that you sort of saying right go out and actually show that you can code and all these kinda things there anyone who wants tick their hand in the unlit pick on you I'm just curious one or two thanks very much it's it's an interesting one actually that people that are workplace is

actually training your your universities are they training you too should he be capable to actually be a good employee in the future that's something to consider so the next thing I thought that's what the hiring company or company representing hairy companies looked for what about in this industry in particular and so I thought well what is a major product company in cybersecurity looking for this if I don't go work for the vendor and you want to work for them what sort of skills do you actually need after spotting these tweets in about three day period Leslie's a very lovely guy from turnable and he posted five jobs in about three days I can't quite see them on the resolution

there but they're all about mid-february I thought let's just have a chat returnable and what the tenable thing people actually want what makes a good applicant for someone like tenable so first job there this was from Gavin Millard who is a mere technical director with tenable so it's likely sort of highlighted in yellow in me and bolt in the middle one what hurts me someone who's genuinely curious some keep on top of where the industry is going doing something else other than work doing an interesting side project have that tinkering nature he was he kept wet he kept music on when we talked when I talked to him was was that aptitude if you can show aptitude to actually go out

and prove yourself that's the sort of thing that coming like tenable would look for my to promote tenable and responsible you know if that's a sort of a company that is actually actively hiring as we saw with the slide just previous these are the kind of skills they're looking for then he didn't come up and say I demand sis I demand pentesting I didn't mind ten years of going to be sides wherever Scotland sending two years of it but here it didn't commit they showed this aptitude and keeping on top where the industry is going people are genuinely interested and moving back to that webinar that we talked about back in January what sort of job interests

you most in cybersecurity well 37 percent as you can see there said see so senior level that's the level they want to get to yes in just a moment security evangelist I was particularly interested because the webinar was about being a security evangelist seven percent of our audience again the exact sample set from this but twenty percent analyst twenty seven second to be independent that's kind of an interesting one and there's a lot of companies in the foyer area and obviously probably in this room as well who are can or our consultants pen testers all want to get to that stage but it's actually getting into the big job getting into the sea so position that most people are

interested in so yeah see so that's the big job is it you know you want to be you want to be that the boss at the top you want to be telling people what to do and you want to be doing the procurement if you sort Paul this morning I think you know you cover most of the stuff that we're in there and I'm bequest see your thoughts on these actually look at your reaction as I talk so people want to be the boss what advice is there on how to become a see so this also came from acumen you're not going to go from the stock to see so be realistic on your next job

there all right good interviewed you for this your night make strategic steps and understand what you are good at and finally not everyone has to be a see so in the end tailor your path so that 37 percent said they want to be senior level wanting to get to see so position well actually you only if you're gonna get there what statistic in a moment and I'll show you so this guy again anyone here is not to see so who wants to be a see so one day Chow or put your handle if you're too nervous behind that then just show I've seen three or four good good far five old even better know you

guys the see so to the future and the current not the past the past any we're probably anyway but yeah yeah it's a good job to get I mean it's I think you know really laid out some really good examples this morning what see so role actually consists of but I think one of the big problems is doing people understand what it actually takes to get to that position and also be good at that position as well if you also consider the fact that 27 percent want to do some sort of pen testing or F you're hacking role so they get to wear the white hat and do the matrix in which you get to sit in front of a computer

screen and blank face like that also of course 7% only wanted to become a security evangelist and so and should we all be security manlius now no of course we shouldn't because nobody wants to be working for a vendor which is quite interesting cuz it's yeah it's pretty good job in this but people do seem to move around quite a lot so you'll be a seesaw and there's lots of good advice there about how to become a CE so I think it's ultimately it's a career progression thing and I think you probably talk to call a lot and get a lot more advice on this that's actually what's what's the best thing to actually do and to get to

that C so position a few little points of reference I can point you to one is look for a talk by Tom Lankford and Lee Munson from iris Kahn last year they talked about how to actually get to sort of prove yourself in the industry and also the other thing I look for f-secure cybersecurity sauna podcast take the episode - they talk about the bill the real need for people who can design stuff who can be architects who can review fix and test that real hands-on capabilities that's where the shortage is according that's according to f-secure but in terms of year do you want to be a see so there's teams like you know those of you put your hand up

yeah it's a good position to be in but so we'll get to a moment just about some of the positions that people are actually holding there's some terrific CISOs around I'm probably talking to Mountain over the years and but this was an interesting one this was from I Sarkar's state of the cybersecurity 2018 report honestly never writes these report has terrible names for them almost about the title of my talk I soccer state of cybersecurity 2018 report on workforce development this was a survey of 2366 people what in particular great resolution but 81 percent that there were no openings for the c-suite this is in 2017 I guess and 14 percent said few openings again and

put them together that's 95 percent will say especially the bottoms do you can see it executive or c-suites Oh security openings 95 percent sir there's no openings why you can argue probably cuz there's one see so in most companies I guess I don't know how many engineers a company would would would recruit would actually you know turnover in any one year would actually appoint there's a lot of jobs out there what about sort of stepping below that position well if you look up slightly more I think it's the position just the sort of the second from the bottom this is senior management or director of security 64% said no openings but 29% view so 22 or 64 + 88 89 90 five again

not particularly good but maybe things are something no 93 pardon me 93 it's it's slightly better by about 1% but maybe it's worth considering looking at that and next option down or was that promotion where there's going to be an opportunity for a promotion the other thing about seaso is we actually look at some of the great people in the industry and it sort of job titles they actually carry then you know we actually don't see anyone sorry Jess but you're right in the middle yeah we look at some of these people here these just people I just picked a bunch around and I thought who actually carries them towards all people we've seen speak will speak later

you know stuff we've read to who we look at and think that's the kind of person I would want to be like none of them carrying a position of see so actually and I try to pick a bit of a selection of people as well and it's Maeby's goes to prove that actually maybe it's not the be-all end-all to kind of be the lead and maybe actually you can go out and be a Gavin or or a job ad or something like that and do that kind of position work your way up another point of reference I do want to point you towards is Ryan arrange security conversations podcasters particularly episode 11 with an she'll grips are from

Facebook and she said the student asked me it wants to wants to be a pentose that why do what I said why do you want to be a pen tester nothing wrong with it but I nee what experts do why not build security tools she led the team at Yahoo and you can pair it easily into security there's opportunities to get into security if you're prepared to put the work in and look for those opportunities it's gonna push on to this one then this was getting also from that webinar what's your current employment stage to 64 percent of the people we who participate in this webinar are actually employed and looking for a better position are they looking to move up

that's the consideration look for positions where you're able to pirouette in as Angela said or step up as some of the statistics have suggested but 20 percent of people were in education maybe those people are actually looking for those C's those positions maybe some of you are actually in this room with us today and that opportunity is out there to actually do that so this one's according to cybersecurity ventures who slight once again they said there's jobs out there and if you read those highlighted quotes almost anyone with cybersecurity experience and realistic salary expectations can find immediate employment explicitly in the job for everyone I think if you actually go back to the very first when those first

slides there is going to be a job for everyone there's gonna be 1.8 million or 5 million or 6 million jobs for everyone it probably available now there is jobs out there it's just question about how to determine are you to actually find the job that you want and how settled are you going to be with it if you go back to that stuck just then I think was 20% let's go back actually 64% are employees but looking for a better role so actually there's a lot of people paid to move around there's lots of opportunities out there so you're gonna get yourself a job how you gonna get a job well I was quite keen to talk to so

I mentioned earlier on we do this this the next year we talk to a lot we feature a lot of new people in the industry we get out and we actually interview them and get them to talk to us about what they're doing in terms of finding a job and how they're finding those first jobs so what do you need to do get to get hired is there a job for everyone and this is what they said and I talked to UM not named them but you'll see in the quotes here I want you to write in code messages and trying crack codes I was messing around on computers and trying to hack into my sister's

laptop good for you pursuing a career in a field where I would be protecting individuals from criminals and look at counterterrorism roles opening in the university's office the university see so who was my professor asked I was interested in the job that's quite a nice thing to have isn't it really if you're able to go and talk to the guy who's teaching you and he gives you the job mean advice by the army career staff that completing your degree would enable promotions to come faster get the qualifications in that's quite a good one I particularly like this one it's a little long but do bear with it I went to be a police officer and I did

internship my local police demand which lasted almost three years I handled the computers in the police car since I was really good with computers but it couldn't be the police office until I was 21 I got into IT right out of high school when I translate into cyber security when I was 21 I was already making double what a police officer makes I honestly can't remember top of my head who this was but I loved it the best comments had received a survey I did so what get in that job at the time to get that job how long did it take super my job offer during my second year of university we see a lot of

universities offering work placements now that's how many people actually want to go out and do that work you lure them with the kind of a character virtually this is what a working life looks like well maybe actually that job comes around neighbor's brother owned his computer forensic firm which after sorry cut the text off there she was fascinating anyway yeah here yeah it's computer forensic term firm press it over a month to get a job you're taking a month how many other people looking for you is 1.8 million 5 or 6 million if you're taking a month to try and figure someone out then people might be talking to other people a short interview I

landed an internship 6 to 8 months to be offered a position which end up rejecting on to the summer of 2016 which does come currently still in this is all done at the start of the year by the way sorry hopefully that person is still there the second to last quarter at uni I started applying for jobs 20 weeks or so before graduation so if you are hiring or you are looking to get the job this is kind of what some of the people we've talked to who are on their sore first jobs or first couple of jobs now that's the kind of experience they're having about actually trying to get that first job that's the kind of lengthy

process so I don't if there's something as an industry we can actually do to try and remedy this to actually make sort of transition into that first job better because then that we might lose lose some people in this long process potentially to you know two sectors that isn't cybersecurity and welding from the aisaka survey 26% you can take six months to fill a position $0.25 three months in Iceland 19% didn't know at the very bottom statistic they're trying to fill the cybersecurity position and it's yeah it's just kind of quite a little bit soul-destroying for me I think if it can take that long for you someone to get a job I mean what's kind of going

through I know some of the my NCC for example do the Academy which gets you into the workplace and whilst you're being interviewed and gives you the hands-on experience which i think is absolutely great I hope opportunities like that out there I'm just a couple more from the survey I did then was it clear what you needed to have as in qualifications certifications to get a job open these all come up together and enter a graduate scheme with my current company despite having worked for three years beforehand and then the jobs required any specific qualifications it usually seemed more focused around achiness to learn new skills it was obviously a decent amount of networking skills for the entry level

even in 2012 here we are most organizations were still in their infancy with respect to cybersecurity sis was a required cert on the vast majority the bottom one there which my small employers were open with what they were looking for including listing several essential requirements lots of stuff going on there so yeah it's there's still quite a lot of problems I know that conversations I've had about people talking at HR departments HR departments had this list of essential skills that you must have a new must have you know a maths in GCSE and you might be in your 30s That's not me at all because I still caught that when I was in my 20s I still getting one maths

GCSE so yeah it is still that problem there this is a disconnect in within businesses so this chap again maybe just sort of those of you who are looking for your first job or maybe you're in your first job is it is it obvious what you need to have sometimes are you kind of getting a bit lost but if I say you know how to teach shaking heads that's good it's not obvious what you need to know what you need and that's the problem I think as an industry I think we need to need to address if we're gonna try and resolve this skills gap what we need to do is go out and say right this is what

we need to do and what the industry needs to help businesses do or you know if you're working for a business help your business realize this is what we need to do to help people out so this one just parbat with in terms of qualifications Tracy's a really cool person to follow on Twitter if you don't already works in Pennsylvania for last pharmaceutical we're doing a Twitter take over 15th of December as you can see on the day and I asked her what would you recommend someone looking to get a job in security do I already think about this talk back in December if they don't have what would be deemed to be directly relevant experience get a

Network+ sir we study networking understand that and then get on security do some side thing first then move on she was very fortunate she had a society called women's cyber Jitsu in the US I think they do much over here who said she told me she was able to work through them the certifications are ultimately something you do altima 20 people here at university level are probably doing certifications I mean you might be talking to things like Crestor guys like that or doing something a baby a bit more practical to try and boost your learnings but it's ultimately it seems a bit lost to people to know what sort certifications they should be doing and maybe kind of figure things out

Tracy's case was networking so if it's about certifications and you do want to get the job as mr. Napoleon Dynamite's brother come from his name yeah as he as he determines he's got his job is it about certifications and what do you need to get the job well just a few more comments them from tenable and from acumen from tenable so in terms of certifications depend on what field you're going into hiring date scientists and if you've never heard of CCS Pitts and also I think he says here NCC don't have 100 pen tested with sis and implements EC do tell toner below that scan put in correctly Rolex is what you told me have a diverse background again

he talks about hats do quite a lot and acumen sis and scizzin evaluative quality but what do they exist for he's been controversial making it more attractive but does not validate your career I think most people by the sound of what I was well been covering is people looking for not looking for a sort of a stamp on your forehead saying this person is good enough it's more about the capabilities you can bring to the job so I just kind of has been sort of just moved to wrap up here in terms of education this were Twitter poll I ran via info Security's Twitter what was your educational background before getting into cyber 47% computer science

it's this kind of theory that everyone has to have had a computer science degree in order to get a job in cyber security but only 47 percent of the 393 who voted in that said that was for it can be a science 20 percent engineering 30 percent other I said please specify and everybody did these are some of the jobs that people said and over Twitter to me theater lighting criminology social science economics mix journalism maritime studies accountancy sociology psychology don't have to have a computer science degree I'm sure it's great I'm sure computer science degrees are you know really really improving this computer science so cybersecurity modules out there which will boost you but ultimately it just

goes to prove that if you can actually do something else that isn't sort of the norm and everyone's following the same old path and also you know we really cut touched some diversity here but maybe not everybody in computer science is you know wanting to do computer science maybe it's something else the attitude that you can bring to the job is great but what if you do want to get one of the top jobs or if you do want to work for a big company and you want to do a big cybersecurity job it's buy this on Twitter some time ago nsrc Microsoft security Research Center in Redmond looking for experienced cybersecurity professionals to join our team that's

interesting I thought what sort of thing do microsoft deemed to be a an experienced security professional well here we go this is the qualifications five years or more inexperienced project management or instant response minimum of two years experience what about qualifications a degree in computer science Thanks Microsoft thanks for that or under or similar field or its equivalent experience tell us what equipment experience is Microsoft don't just say that you know say this is what the research side of things and a demonstrated interest in information security or prior experience in product development I felt like someone that they're trying to map from a competitor but yeah computer science again kind of obsession with computer science in this industry

is it good is it training everybody to be it is every see so you know all of you can head at me and didn't understand what you need or put your hands up to said you want to be a see so if you're doing computer science maybe you did computer science and maybe you're still not quite in that position that you know people aren't throwing job offers at your your company or your university maybe that's a slight problem but this is what I've seen you're hiring company like Microsoft is looking for from their people and apparently to get a big job with a company like Microsoft it's a wonder that only seven percent release my mouse only seven percent want a job

as a security evangelist in in the poll we did earlier wrong so that's probably because this is the level you need to become a security evangelist and you're going to work for these kind of companies in order to get that sort of that high up so it is a tricky one but I mean overall I mean kind of conclusion I think that cybersecurity is in a really sort of positive place and I think sort of draw some conclusions from all this this research I've just presented over the last 40 minutes or so yeah there are lots of jobs and that are continuing to be lots of jobs available and I think that that you know 2020 to figure is

going to push 20 25 20 20 30 to the point where I'm retiring probably is still gonna be unfilled because I don't think we've had a solution as an industry to try and fill this situation up and fill this problem up really so I think the kind of you know those of you who are at university or are in your first job is it just case if you go out you get skilled you get certified and you know qualified and you walk in like so kind of you know big bags packed full of certificates and books saying write unready launch me on your sock now when actually what they might think actually you're overqualified that's probably the

worst thing actually if anyone says you actually overqualified for the job acumen did say to me there was a concerning volume of graduate students seeking work experience equal to concerning volume and it's an industry becoming that's becoming top-heavy they're too many barriers and we're creating more so maybe one for to consider if you do work for a good company how many apprenticeships and internships are being offered the the late Stephanie Damon from saber security challenge about two or three years ago said this you know we need more apprenticeships in this industry we need more people coming out and offering you the opportunity to come on it's a Dracula off in a minimum yes create opportunities actually give people the

chance to get into a workplace and figure out if that's what they want that's often hard back to my very first job I got into a workplace I was kind of sat at a desk and told to get on with it and by day three I was like what in the hell am i doing I'm now in year 17 the journalist of professional journalism um kind of got over it cuz I figured the only way I'm going to learn is by actually pushing myself and getting on with it and figuring out things out of myself not particularly ideal but at 40 if that's the sort of thing we doing with people in cybersecurity we're but we're causing bigger problems if

you're hiring oh if you're looking for if you are hiring talk to you or your university your local universities your colleges about placement options it's you know we focus so much on things like bug bounties I mean we actually need to stop focusing on trying to fill things like scott skills shortage by building better collaborative structures between academia and work and businesses and and also consider what work experience and apprentice positions you can offer get the sort of the people in and they'll realize the opportunities are out there there was a lot of good stuff happening in terms of the skill shortage but generally I think it's it you know it's when you fill with those numbers I

mentioned at the very start we're gonna have to do something a bit better about it so just to close I want to thank acumen tenable and all those people who voted on my Twitter polls and and attended the webinar I did and all that kind of thing if you're interesting getting a career in cybersecurity there's a lots of opportunities out there and it could be saw there's opportunities like I said with next-gen which we do it info security get off you build a profile do a bit of yeah so get your sort of make yourself known to the industry and you can still go to an employer so what was that excutive you had me said well I talked to that bloke

over info security about this and this is the thing I did in these like that's quite impressive so maybe that's a one way forward but just conclude if I had been given permission by 'besides to say you do want a copy of our current issue which q1 there's a stack of over here there's about twelve because that's all I could carry and I couldn't I didn't have enough to post up it please take them because I'm not gonna take them back again and the webinar I mentioned is on the top corner there it was on the 11th of January and it's on info security magazine comm that if you don't get a copy of that if there's any left

digital edition is there you're tweeters at your security mag I'm at Dan roads and that's my email and with that I'm done thank you very much for listening

does anyone have any questions otherwise I'm here right through the day and I'm here hopefully it tonight if I can get into this party so many questions or anything do let me know otherwise grab mag and I'll I'll be around thanks very much