
Past, Present & Future Of The Cyber Community - Panel

BSides Leeds · 39:32 · 44 views · Published 2024-07

Tags: Category: Community; Style: Panel

Transcript [en]

Thank you for waiting, thank you for staying. It's lovely to see all these lots and lots of people here. Rosie should be doing this but she's got no voice, and these buggers have sat in the wrong order really. It'll work. Swap, fix your... you swap, you swap. We... you want to know who we are?

Otherwise... [music stops] How long? Rosie, turn the microphone on. Minutes? 30 minutes. That feels better, 30 minutes, let's do 30 minutes, because otherwise... Is the microphone on? People want... can you hear us? Can you all hear us? Not me then. I know, I'm loud and I haven't got a microphone. Right, so, closing panel time. So as I say, I've been handed a piece of paper. I have in my hand a piece of paper. You've got to do yours first. Yeah, you bugger. I... I really... I know what it says. Tim came second in a Ryan Gosling lookalike competition. Only second? Only second. Yeah, got it. Okay, here we go, fun fact

time. I will do them in order, I promise. Right, these are made up, maybe they're ChatGPT. Not ChatGPT. Right: Andrea, her hairdresser has dyed her hair every colour, but Andrew doesn't actually know because she's colour blind. We actually didn't check if you were. That would have been awkward, wouldn't it? Like, yeah, what? Hang on, coming in, sorry, let these, let these come in.

[Music] Welcome.

Welcome. Any... okay. Robin is the Sheffield backwards running champion, undefeated for 13 years, uphill. I'll take you all on at the after party if you want. I want that to happen so much. I believe this one's true. Sam has been banned from DTX London. That'll do, actually. ...for trying to ride a zebra around wearing John McAfee as a cake. Not the blanket, just... And Holly: as of 1 pm today, Holly is now on the Wetherspoons PW watch list. I think that one is true. This could very much be true. Can we add some context? No, it might come out later. Right, so we'll get to the serious stuff, ask these people some awkward questions. The first question pack I have...

One... didn't... your phone... back, it's on the back of the paper. It's on the back, it's on the back of the paper. Yeah, I don't know what my phone back is. You handed me the paper. Oh my word, it's on the back. I don't know what this... Rosie: if I stay out after midnight I am legally not allowed to use my legs to walk back. Sorry.

Okay, should we get serious? Right, first question I have here: what should the future of the cyber security community look like? What should the future of the cyber security community look like? I'm just going to work along there. Andrew.

Oh, flipping... seat. I think, kind of turning around and just looking out: diverse people from all different sectors, all ages, all backgrounds, all experiences. I think the more diverse it is, the better it is for all of us, and what's great about here is you can see that.

A slight twist on it a little bit. I think what we need to make sure of is that we get people with backgrounds and experience. There's a lot of stuff at the moment now with people coming into security; that's what they want to do. They go to uni, they do a degree in security and that's what they're trained up to do. When I started, when a lot of you lot started (I can see plenty of grey hairs; I'm looking that way, not looking back), a lot of us shifted into security because we were good at networking or good at app development, and we moved across. So we had the background skills and then learned security on top of it. People that are coming into it now, they're learning security skills but they don't have the background, and I can't say either option is the best. I think what we need is to make sure we've got a mix of both. We need people with the experience and the skills of app development or network admin or whatever it is, but we also need people trained in testing and how to be testers: the test methodologies, how to reproduce things, how to gather evidence, how to prove it, how to write reports. So as a community I think we need to make sure we mentor people in the background skills but also make sure they've got some testing skills as well. So, I suppose, the future I'm thinking of is mentoring and rounding people off, not just focused on 'I'm a tester because I've done a degree in testing and this is what the degree said to do'. So yeah, that's kind of my take on that bit.

No, Sam, you've been on the end. Is there lots of stuff to say? It's fine.

For me it's a combination of a bunch of things. Bigger, better. Like, this is so cool, right, seeing you guys all here today, girls, people, friends, participants. It makes me so happy, it really does. And I see that we are way more diverse than we were, across a number of levels. It can still improve, for sure. I want to see us really kind of spread our wings a bit out into the real world a bit more, which seems crazy. How many people are serial BSides attenders? Because I am. Yeah, like, we love it. And how many people here (I know we did this earlier), how many people, is it the first time? That's so good. I want to keep seeing those hands go up on the first time. Like, tell your friends, keep bringing them along: people without a security background, cyber-curious folks, more and more of that please. I had a friend contact me last week who's a social worker, and she's done it for like 20 years and it's absolutely broken her. That's hard work, I wouldn't want to do that at all. And she's like, 'I want to get into cyber, what do I do?' She'd been talking to her friend who's a pentester and, you know, they're saying maybe I want to be a pentester, which is kind of a route lots of people go down. And we sat and we chatted about loads of different options and it was really cool, and I pointed her at Capslock, and she rang me, well, she sent a voice note, which is not my favourite thing, just putting that out there, and she was crying. She was so happy that she'd found this, she was crying, and then I cried, and then I rang her and we cried a bit more, and it was great. And I think she didn't know where to start looking, she didn't know anything about BSides. So I think spreading that word more and making it accessible, having stuff online (we had careers day stuff yesterday), finding people from, you know, across the board, because security, is it an everyone problem? That's a whole other debate. Can it be an everyone's solution? Yes, absolutely. So keep bringing more people in: bring friends, tell your grandparents, bring your dog, all those things.

Can I ask a follow-up? Show of hands: who is not from a cyber security background or information security? So we've got... wicked, quite a few, that's brilliant, isn't it? I love that, that makes me happy as well.

So, just coming on to what you said, what I wanted to say, and this is actually something I spoke about a few years ago, is we need more allies. We need more sociologists, we need more psychologists, we need more, what, biologists? Are there biologists? Basically, what I'd like to see is welcoming those conversations with, and I'm going to say it, AI. We need to start looking more at how we are going to understand human behaviours and how we are going to adopt that in understanding human risks. And we need to look to our friends in understanding what social sciences can look like. So I actually come from... criminologist, that's the one I am, I forgot. So my academia actually started in criminology, and I went into cyber criminology and then cyber psychology. There's a lot of 'ology' there. And I think we can learn a lot from that side of the fence, from understanding how other types of behaviours within the physical world can actually then transfer into the cyber world: particularly how people are using the internet, how people are using cyberspace and their relationship with cyberspace itself. And this is going back to what I was talking about earlier about internet addiction. Digital citizenship I think is an area we really need to start focusing on, and who we then are online, because we may have principles IRL, but do we have that when we are online, when we are behaving in ways online, when we are using interfaces and things like that? So I think we need to start looking at that as a community and also welcoming that, welcoming those conversations, understanding how their experiences can actually build our communities more. And diversity: what I really want to do... we do a lot of acknowledging diversity in this community, but do we really accept it? Do we actually accept what diversity is, brings, looks like, behaves, acts? Or do we just acknowledge it? And I think this is actually going into another question really, which is the lip service one, because we do so much talking. I think if I ever sit on a panel about women in cyber again... yes, it's needed, but why are we still bloody talking about it? And it's not about women in cyber, it's people in cyber, and recognising strengths, weaknesses, and making them feel welcome. But what we're not doing in the community enough is accepting and growing rather than just talking about it.

I'm going to jump straight onto that question because I think you've led into it, Brin, which is: what problems of cyber security does the industry just pay lip service to that the community could solve? So, Robin.

I suppose, I think, sort of getting... we sort of mentioned community. On the side, we do a lot of training for people in work, so companies train against phishing, they train this, they train that. What I think we need to do as a community is, rather than train, we need to look to educate, which I think are two separate things. We also need to go completely out of the business and go into communities, and I have no idea how you do this, but in a business you can do a phishing campaign and then you can try and train people not to click links and tell them it's bad and stuff. But that doesn't help the people who are not in businesses that do that. So, I don't know, your person serving in Greggs or the barman in Wetherspoons, they will never get that training, but they need it because their lives are on the internet whether they like it or not. So I think as a community we need to somehow work out how to start educating the world rather than training the business staff. And the difference I think between education and training is: training, you tell people 'you do not click links, don't click links', just, we've done a campaign, you clicked a link, don't click links, and you keep repeating the same thing hoping that somebody stops clicking it. I think for education you're explaining why not to click links, what can happen, what happens if you do click the link, and sort of working through it so people actually understand and buy into it rather than just keep getting bashed on the head with 'don't do it, don't do it'. And it can be anything from phishing, good passwords, online fraud, the whole thing. We need to educate the world rather than just businesses.

I'm going to follow up on here, and this is something I've done in my personal time, which I don't have much of, but I have done it. And I kept it a bit of a secret for a very long time because I didn't want it to be monetised; I didn't want anyone taking it and then making money off this. But how do you do it? I recognised that in the Portsmouth education partnership, talking to the parents, it sometimes falls on deaf ears talking about cyber security. Talking to the teachers, they were like, 'yeah, okay, get it, but why is it relevant?' The only thing that they could really get on board with was online harms to do with children. I started teaching the kids; I started teaching our future digital... well, actually, they're already digital citizens, and they are from about four years old now. Bit of a scary moment. But it's not that we're forgetting about this band of people who need educating now, but what we can do now is: I bet everyone in this room has a connection to a school somehow, a niece, a nephew, a friend, a cousin, someone who goes to school. I created a pack, a downloadable file, that has streams on it. It has cyber security posture support for the school, in ways to explain what it is, what they need to do, what information they need to secure, how to secure it, how to develop crisis management, tabletop exercises for them to do, and governing letters to write to their board to get budget for cyber security. I then wrote a digital champion programme so that the school can nominate someone to become their digital champion, understand cyber security, where to get resources from. I then wrote parent support workshops that can be delivered by this person and can keep going on. And then I also wrote workshops for children in disinformation, misinformation, digital citizenship, cyber security and why it matters. Take it if you want it. Email me, I will send you my file, free to use. The only thing I ask you don't do is brand it and say you came up with it yourself. It's not to be branded by me either; it's a community initiative and I'm really passionate about that. But what we can do is just that little bit, and I beg you, take it from me, take it and I will email it to you, change it, and if there's something that I've done wrong also tell me, because I'm not great at everything. But it's a community initiative. And I like what people do for Cyber Essentials, that's great, but is that going to help the electrician who works on his own? No. Where do they get their cyber security advice from? Schools are a fantastic way for us as a community to start supporting the wider picture of uplifting the cyber resilience of, basically, the country, really.

Thank you, that's excellent.

excellent you're amazing you are amazing yes um I'm going to carry on with the schools thing I think this is really cool um I have not done any of the work you've done cuz you're brilliant and that's just yay you um so I'm working with an organization called hacking games and this came about because like kids are learning coding at school my kids been coding um albe it was it proper coding because she's moving little flocks around in scratch um it's still coding it's it's learning that coding mindset they're learning it super early now super early um they are living their lives online they're in online they're in the Discord forums this is this is just the norm now right

um cheat codes are a massive thing huge thing and you might go is that really hacking well it's still [ __ ] something up isn't it so they they're learning skills of how to code and they're in in a world where they can get something for nothing without thinking about a victim um and you know there are people on the bad side of the hacking house and that's exactly what they're doing they don't give a [ __ ] about the human on the end of it and these kids are learning you know how to get more Robux or whatever it might be um you know either they're nicking the parents credit card to get like this extra Che code or

they're just finding stuff in the forums and they're then being targeted by criminal gangs if they're seen to be doing this a lot the next thing is Criminal gangs saying to them Wicked would you want 100 Robux you want 200 Robux just do this just do that just do that and before we know it they're off down a path of you know an unethical future because they're not being taught the ethics around it so the stuff we're trying to do with hacking games right now is giving kids the opportunity to come and learn you know the why behind it and there's the the Brilliance of this wonderful industry and how they can come and get involved from that side um

before they wind up on a list somewhere there one in four 16 year olds in the UK is admit to hacking that's pretty high can I just say like who did something really naughty when they were between the age of 13 and 17 what was that that our old person she ran for a field of wheat or something talking about that down sorry when I went to Super drug when I went to Super drug and I put a um I think it was like a Rimmel mascara up my sleeve right now let's look at all teenager Behavior we test boundaries we test boundaries that in we always going to do that as humans we learn we're learning our own moral

compass but the danger is now the field has changed they're not so much going down a park telling their parents they're at the mat's house and staying out drinking in fields drinking white lightning which is what I used to do when I was 15 years old no they're going on Discord servers they're seeing what they can do and we don't have we didn't have control over what I did back then but it it's a much more dangerous playing field but we not going to stop teenagers from doing that if you tell them to stop doing it they're going to find another way if you let them do it in a responsible way and guide them

makes it more fun this is it if they can find out about like as opposed to the well bur exactly that um it's damage limitation really disaster control what's the other one you can call it is that it that would do that do yeah sounds good been a long day teenagers are always going to be teenagers and this also and I on my pip right this also goes into oh we don't get females in stem and I've looked at this with the schools I work with and up until year six you do have lots of girls coming in and doing and going scratch going in the coding clubs when they get into year seven they drop off none of

them not none of them most of them don't aren't interested in computer science now if we look at how the brain actually works when a female reaches that age and she's most likely going to start her menstration she's wanting to form bonds relationships and that's why we need to have more conf conv Sation around theologies um and I actually proved this in one of my colleges so I run a once a year it's my favorite thing I do it um done in Chichester I get my digital forensics and my wet forensics and the classes are basically male female females like studying dead bodies and maggots and finding out why someone died and I've got my male counterparts who

just like fixing breaking and finding things wrong and I got the police in and we wrote a crime scene it's even got it own dark web page called Cult of the white squirrel this there a white squirrel that lives on my brows anyway they have to solve the crime but they can't solve it without each other's help and by putting in the digital forensics it's now opened up so many Pathways into the wet forensics and the females coming into technical subjects by engaging them in a way that they never realized if you sit them down and get them to code sometimes they're just not interested but by opening up the door door to that investigation understanding why things

can be different and incorporating as I said earlier theologies maybe we can start finding different people into the industry sorry this is become the Holly show I'm not going to talk sorry you're anything to that about what we do with lip service I going to totally forgotten the question the original question is what problems do the cyber security industry just pay lip service to okay I'm not going to answer that one I'll try my best um I kind of like it framed a bit round what do we currently do that we could do more of what do we currently do that would be good to stop and what should we look at starting doing in

terms of kind of that lip service element and I think for me one of the big ones is gatekeeping um we talk a lot about removing barriers about making it more accessible um so I think looking at how we stop that and actually make it truly accessible um start listening and believing in ourselves I think we should do more of that and seeing ourselves as Role Models I think quite often we can look to others and say they're the role models they're what we should aspire to be but actually there might be somebody who identifies quite strongly with you so seeing yourself as that positive person and role model rather than looking somewhere else and expecting it

to look like this actually it can look like me too um so I think that is great because I don't think a lot of people can be what they can't see so instead of paying Li to that actually I think it's standing up and and seeing seeing yourself in that role actually and your responsibility to the sector to help others and bring other people in which again is about removing barriers I suppose um and what was the other bit I can't remember what the other bit I said myself start doing stop doing and do more of I guess more of this community and there's nothing better in my opinion than a Community Conference where everybody is here for the same

purpose to learn to share knowledge to meet each other to network it's quite different from going to a conference where you feel like somebody's selling something to you all the time and actually you're not sure what you're learning or taking away from it I think bsides is an amazing conference for doing just this really building community and that did nowhere near answer that question but it's all good right does anybody out there have a question for the panel oh look at that I think I saw your first oh brilliant got that first today um kind of I've been in this industry now for a little while and I didn't start off in it right so I

moved into security I other careers do we think we can do more to actually allow people to make that migration across mid Korea me I've got a wife who's done exactly the same two years ago head of quity care and compliance for charity now running compliance with data centers across Europe so I've seen it happen and there's some really talented people out there I'm in a recruitment conduit right now where I need someone who can come and hit the ground running but I'd prefer to bring someone in that I could actually groom and bring into that groom bad word somebody can mold that you see potential all the time but budgets sometimes restrict you from bringing in

and and nurturing that talent because you've got to have someone hit the ground running because you specific problem or area that you need to fix so my question how do we do that just try and repeat repeat the question if I can so how do we recruit the next generation of of security people mhm entry level but who can hit the ground running yeah there you go for me is Boom he's focusing on the skills that count now quite often people believe one set of skills is needed like we need all these heavily technical skills obviously need somebody who really knows the intricacies of this tooling actually what businesses generally need is somebody who's a critical thinker

somebody who can problem solve somebody who's prepared to dedicate some time to something um and commit to what they're they're doing and for me is starting to look at different skill sets and those midcareer changes for me are absolutely fantastic and we've seen lad of them who bring some incredible skill in quite often it's working with recruiters around what what skills matter and rather than listing these 20 things out of those 20 things what are the core things that you're really looking for and often it is those skill sets that will help somebody um into a career like that so for me it's that hang on I'm gonna get s in first I'm sorry so how many people here are hiring

managers right I think we have a g of care 100% job descriptions are [ __ ] they really are so bad and if we want change and we're not changing the damn job description that we put out every single flipping time and actually going back and thinking about the skills that you need what's really important you know what what are the non-negotiables versus what are the nice to has versus is what you know what will you get back why do I want to go and work for you I saw a brilliant one the other day um Tara wheeler put that job description um that I read on LinkedIn and it was that good I just I can't do the job at all I was

like this is brilliant and and it's really well thought through and it's not just a must have this and this and this and this it was a story and it felt amazing and I think that as hiring managers we need to be working with the recruitment teams to make sure that actually we are really think about what what do we need how can we help somebody and what does their future look like not just a list of Flip inserts for for me for uh s turning it on its head I've been asked by quite a lot of people about how do they make the transition so it's not how as a business do get people in it's how do you I'm

currently an accountant or whatever I want to move into cyber and so my kind of recommendations on that side are for people look at the skills you've got and look at where you can put them into action in a company so the sort of the the one that I do remember was the guy was an accountant really good he got fed up with it so right what you need to do is find yourself company so so that you don't end up stop and start again find yourself company that's does accountancy but also has cyber teams and a decent team and see if you can get yourself into there the it's bit tricky first move but do that and then approach the

the security team the Cyber team talk to look I can I be your champion in this department and work with them because if somebody came to me and said right I want to be your Champion for the receptionists off for the accountants off for brilliant I'll tell you what to teach you teach it out there and so I sort of said to him do that move in and then slowly sort of shift yourself across because as an accountant if you're starting pentesting in an accountancy firm you know what you're looking for I know to look for default credentials I know to look for open shares you know to look for a file named this because that word means something

really important and it's the same for sort of whever you're in if you've got the core knowledge for that industry use that knowledge as a tester even if you're kind of you just help the testing team you could be the one sitting there looking over the shoulder of the tester who's scrolling through all the open shares and they're scrolling through you going Stop open that one no rubbish next yes open that and work with people and that would be a really good way to S of slowly shift yourself in and then once you're in build yourself up and then you can maybe sort of expand out so that's how to get in rather than to to get

people in go on um I an idea I just had this happens quite a lot we need something where people can gain experience and show their experience we need almost like a somewhere where you know I said about the electrician you know the soul Trader or someone like the coffee shop like a central body where people can devote their time and almost build a repertoire of things that they can do so that they're building on hitting the ground running they're finding what skills they're interested in they're finding areas that you know that actually I really like that and it's not what I was looking at at all we almost need to as a community find this like central body

maybe a it that offers out these Services again this has just popped into my head um but maybe something like that that has a community interest where people can get these skills and they can showcase them like a lab sort of thing but actually also feed in to help people don't know someone roll with it something to add to Robin's comment was just that on the bides from last year there was a presentation on lying on about lying on your CV again worth watching to talk about how do you take what your skills and capabilities to answer the questions without actually answering the questions so you're not yeah you're like you just kind of not

telling the truth but you actually selling what you do without answering the question and the other point was where did you get that experience is we know that working with work um having students on placement opportunities on apprenticeships and um kind of uh degree placements all works but there's nothing saying to an trying going to an organization saying would you mind if I came did work experience with you as an adult it's the same sort of concept of getting somebody in trying working on a project or solving a problem you know as as an organization you have a whole number of things that you'd like to get round to if you had the time to get

round to it and just sort of opening up the barriers and saying why don't you go to an organization say have you got any problems you want solving that I can take a look at so you've got the ability to show demonstrate your strengths have that work experience and then hopefully leads to an opportunity just thinking out the box fantastic thank you transferable skills are amazing they talk to people like Dorman know like on the bouncer well what you transable skills people skills conflict resolution all these things make sense other question so there's another question over over there yes paully yeah you mentioned an education pack yeah any objection to using it for the scouts or

are the youth groups no I used School absolutely no I just did it for schools because that's just so bloody any of them um um I do run the C security um Scout badge for my uh son's pack so absolutely okay just change it from the word school to scout what age what age is it end up CU I think it's a brilliant idea primary and secondary school is what I've got so I've got two different ones with the language very different and then the secondary school for the pupil I've then got year seven and8 and then 9 10 and 11 through identify that there are different Trends in the way that children are using the internet and for

example years 9 10 and 11 have C Cate what did I sound then like austral separate um separate mental health in um in social media ones um and damage or harm reduction in terms of elicit substances I was talking about it at lunch with people um uh yeah um so the computer science curriculum because my son's a computer science teacher yeah and I keep on telling do you know tell people about security is about a little bit Yeah so how do we influence the educators because ultimately people want get GCS yeah so how do we how do we take this as a community forward food to our MPS and we've got election maybe and how do we

ensure that what we're doing from the community is what should be done from the ground rather than to out so in my letters that I put together um you just need to change who the address goes to um and the signature strip at the bottom to your own name or the school although the school's name um nothing schools love nothing more than scary statistics and these scary statistics of children being involved in crime the amount of children being groomed online both through sexual exploitation and radicalization into both political parties um nation states and um cyber crime activities include all of those scary statistics and they start listening and also how much it's going to cost them should they not take this

advice and I used the statistics of two local colleges one in the is of white and one in Portsmouth one was they were attacked by ransomware gang that they still was six years ago now they still haven't recovered one was about two months ago and we still haven't fixed our Network they had no IDE they just came in um it was through bloody ransom they came in with no other intention other than just to make an absolute mess of things so you start using those stats they start sitting up and listening I just think just one thing IC squ has got some really good educational pack stuff as well to wash along side of yours yeah so I do some of the IC first

as say I have pulled in resources I basically cated made my own content and made a lot of content more digestable to how schools need that information delivered um and yeah and I say it's not it must stay that way please take it it's just a central resource to start getting people talking s as well came to the region in March the contract just been one and they're looking for mentors and they're looking for people to engage can deliver content in the schools so if you can sign up as um cyber first mentors and ambassadors then they can get into each of the regional schools and another thing is to engage other school sometimes you need clearance and

the way through that is joining your local STEM ambassadorship; they go through the clearance with you and you will already have relationships with schools. Right, I'm going to have to bring this to a close. We've got, very very quickly, very very quickly, you're looking at me: one thing from the past that hasn't been fixed that you could say, if I could wave a magic wand, we'd fix it. Andrea, me first? I mean, I don't know, hunger? No, I know: the fact that we're not in the pub yet, that has not been fixed. There's so many things. I mean, you talked earlier about the whole, you know, as much as things change they stay the same. It's

so true. Like, we're never going to get to 100% visibility, for example, but we're still really quite freaking bad at it for a bunch of reasons, because we're not really partnering properly with our businesses still now. So there we go, visibility, we can get that better. Stop blaming users; users will do what they do. Phishing is a common example: if a user clicks on a link and something bad happens, the email shouldn't have got to them in the first place. If it got to them there should have been warnings. If they clicked the link they shouldn't have been able to get out to the website. If they got out to

the website they shouldn't have been able to download anything bad. If they downloaded something bad it should have been caught on the machine. If it wasn't caught on the machine it should have been caught when it actually did something and tried to talk out. Seven areas where it could have been caught, one human clicking the link. Basically, if you blame the user you should be blaming the IT security team seven times as much, because they're the ones that screwed up. So stop blaming users, stop scaremongering, stop telling people they're idiots. Let them click the links; we should be fixing the problem elsewhere. Yes, educate them as to it's probably not a good idea to click that link and tell

them why, but don't rely on them not clicking the link. Yep. Start with the smoke and mirrors, actually demystify it. It is generally just a job, or can be a very exciting job, a great job with lots of opportunities, but the mystery kills it for people. I think it's one of the reasons why girls reach that age and suddenly decide it's not for me, because it's seen as too hard or it's seen as, you know, out over there. So I think for me, remove the smoke and mirrors, say it as it is: it's a job, a great job, and many great jobs should I say, but it is just that. I think there's too much

gatekeeping with people, and I'm going to say something that people are probably going to be like, ooh, she said that: there's too many people at the top in cyber security who just keep themselves at the top and don't allow enough people in. I've seen it myself. I've seen it with women against women, I've seen it with people against people. We need to be doing a lot more reverse mentoring to fix some of the problems we talk about, without always sitting on the same panels, which I get invited on to, to talk about the same problems, and sometimes with the same people. I think we need to be more transparent, I think we need more mentoring opportunities,

identifying and being more open about the problems we faced and how we overcame them, to share our stories, because you cannot be us if you cannot see us. Thank you. Thank you all, and I'll add to that: there will no doubt be a call for papers for BSides in the future, either this one or others. Get yourself up here, come and have a laugh, you're in a safe environment. So, big round of applause for the panel.