
Panel: Mythbusting The Silver Bullet

BSides Exeter · 31:47 · 36 views · Published 2024-10

Tags: Style: Panel

...a cyber secure consultation support platform trying to achieve true confidentiality. But Sophia, we'll start with you as you have the mic. Please do a quick and short introduction of yourself and what you're about.

So my name is Sophia. I actually live in Cheltenham, but I'm originally from Devon. I'm a strategic threat intelligence lead in industry, co-founder of Security Queens, and admin for the Ladies of Cheltenham Hacking Society.

Brilliant. Tom?

Hi, my name is Tom Langford and I'm the sole founder of an internet group called Host Unknown.

Hi everyone, Gary Cox. I work for Infoblox, who are a DNS security specialist, and yeah, happy to be here.

And I'm Matt Broomhall. I'm the Chief Information Security Officer for a financial services firm in the City of London.

Great, thank you. So hopefully we've got a little bit of a broad panel here with slightly different perspectives, and that's what we want to draw on for some of these issues. We had a meeting beforehand going, okay, what do we want to myth-bust? There's a thousand things we could do, but we've chosen three that we really want to focus in on. Our start point for today is to talk about certs and quals: where are they useful, how are they useful, indeed are they actually useful? Are they useful to the organization? Are they useful to the individual? So let's just start with a very simple question for the panelists, and you've got it, so you can go first: do they provide good guidance to a person's competence?

I think they give good guidance to a person's capacity to learn, more than necessarily their competence. I would say practical experience trumps certifications. I don't know if that's controversial.

So I would agree entirely with that. I've been a proud holder of my CISSP since 2016, but one of the things that really annoyed me when I was going through that was you kind of had to learn the material and pass what was in the study guide, as opposed to perhaps what was in the real world. So to your point, I think there's book learning, and that's fine, that proves the ability to learn, but it's not necessarily the same as practical. So it's definitely a balance, but I think it is useful. It's a measure of a person; it's not a sole measure of a person.

Yeah, certifications are as useful as, say, a degree or something like that. They show you can learn, that you can synthesize content, etc. But anybody who hires you solely on the basis of your degree, the name of your degree or the score on your degree is sorely lacking when it comes to trying to work out who you are and what you're able to give to an organization. So they're good, they're great, and they show a sense of commitment, but outside of that, technical skills, you know, hard skills, you can teach those at any point in somebody's career. You should be looking at passion, values, commitment, etc.

Yep, just to add to that. Obviously I'm still quite early on in my career, and actually achieving these certifications has helped demonstrate that knowledge when you're so early on. Yes, it's a few letters on a piece of paper, but when you're trying to get through that first door it really does help. But absolutely, it's not just about the technical skills or the syllabus of that exam; it's the soft skills, the interpersonal skills as well, that could also help within that journey trying to break into the security industry.

Great, thanks. So you sort of answered the second question we were going to go into, so I'm going to tweak it a little bit. Instead of asking are they really relevant to the day job, which you largely implied they're not, how could they or how should they be relevant to the day job? Let's start with

that instead.

So the particular certification I have, I've got CREST Certified Threat Intelligence Manager, which is an absolute mouthful and I'm not really sure what it means, but it is something that is required for certain types of work. It is a great way to baseline the level of competence to deliver that type of work. So in that sense I do think it's quite key to some parts of cyber and some niche areas of delivery.

Yeah, I don't think they're ever relevant, because the exams and the certification bodies renew them about every, what, 5 to 10 years, something like that, and the industry changes weekly. So I would suggest they're not relevant, and all they do is show that you have a commitment to learning something and learning fundamentals and things like that, in the same way that the degree that I did in 1990 is not relevant anymore. In fact, I never even used the degree for what it was meant for in the first place. So they are useful, they're indicators and nothing else. So if it's at the forefront of the reason for somebody interviewing you, you need to question if you want to be interviewed by them.

So as a hiring manager, if someone turns up and they've got CISM or any of the qualifications, my follow-up question is normally, and how are you involved in those communities? So if someone has CISSP or CCSP or something like that, I would always say, do you attend the chapter meetings? Have you ever spoken at chapter meetings? Have you been to some of them?

Have you been?

Yeah, I have, I have. But outside of that there are great communities. I mean, BSides is one of those, right? But I think the certification, and I think you're hearing it consistently from all of us, is the starting point on a journey. How you follow up with that, how you continue to learn beyond that, is more important.

Yeah, I think that's right, and no certification will get you a job, but sometimes, not having a certification, you might not get an interview. So there are certainly some jobs, I'm thinking of some of the more advanced red team jobs, that you cannot get an interview for without a certain level of certification. So I would say go for a certification with a purpose: I want that advanced red team job and therefore I'm going to get this certification. Or maybe you're not job hunting, maybe you work for a firm and you're about to go for ISO 27001 certification, and you decide to go for the ISO 27001 audit certification as preparation for that process. So certification with a purpose is, I think, really helpful. But definitely don't think it will ever get you a job; it can only stop you from being filtered out of an interview that requires it. For my part, as a hiring manager I try to never say that any certification is required. I only ever put it as preferred, because I would hate the idea that I'm filtering out a really good candidate for my role just because I've said this certification is required. I'd much rather hire that good candidate and then pay for that certification if it's something that they really wanted.

Can I just jump in as well? I just want to pick up on the community aspect here. Coming to events like this, in fact even volunteering for events like this, I think is something that is potentially far more important for any decent hiring manager out there, because it's showing a commitment to the community and the craft. It's rare that I see people who are really good at their role who are not involved at some level in the community. I mean, even the whole concept of open source is about being involved in a larger community for the greater good. So getting into these events, even if it means you're doing something that is not your skill set, even if you're the photographer or just handing out badges or whatever, the fact that you are out there and getting involved is far more important.

That's a really interesting insight, and you're all qualified now, well done.

Yeah, well, no, only if you've got a blue shirt on.

Well, that's true, yes. Get one of these next time and you'll be good. Brilliant. I think we've probably covered that one, because I think we were going to go into a couple of other areas, but I think we've done that one quite well, and I'd just be interested: is

there any questions or challenges from the audience here before we move on to our next topic area? Any questions around that particular topic? Yes, over there.

So do you see any value in any certification that requires continual learning after certification?

Yeah, I'd say continual learning through practical application is way more important than the initial certification, same as any profession, I think, really. Imagine a doctor: you come out of medical school; would you rather be operated on by the person straight out of medical school or someone who's done lots of successful heart operations?

I think the question was slightly different. The question was, is there more value to a qualification that has a continual learning component to it?

Ah, yes. Yes, but they all do, they all do, right? Because CPDs, and you know, that God-awful exercise you have to do every 12 months of typing in all of the conferences you've gone to and all that sort of thing, that's kind of a demonstration of that continual improvement and that continual education commitment to the craft.

Yeah. Any other questions? Oh, there's one over there.

Sorry, I'm on a... saying, certainly myself, I'm not from an applied technical background. Are there any sort of internships or ways of getting in that also maintain the level of living that I'm currently accustomed to, and the responsibilities?

There are some programs out there that are specifically set up to support people like you. CAPSLOCK is an example. The idea of those is to get a person some practical experience as well as some learning, to make that entry point. If you already work for a company, it's normally possible to have an internal conversation and say, I would like to get into cyber security, is it possible to find an entry-level role? I've brought a number of people into my team from help desk roles in the last two years, for example, and all they did was ask, can I? And now they're SOC engineers.

Just to add to that as well, I know quite a few career changers that have gone the same route. I know someone that was a vet, I know someone that was in fashion, weirdly, and they've all switched into the industry through community events. So just meeting people, talking to people, and actually eventually you might even end up talking to someone that can open that door for you as well. So it's just so important, you know, coming to events like this, chapter meetings, just getting yourself out there and then just talking, really.

Yeah, I think, sorry, thank you. I think part of it as well is you've already done the right thing by coming here. Do your best to network. I know it's not easy for everybody, you know, we're all different. Do your best to network, because the industry is changing very slowly and there are more opportunities for people. I know I've hired somebody who was, and you can tell how long ago it was, who used to be an overnight shelf stacker at Wilkinson's, for instance, but he ran a website called Security FAQs and was publishing regular content. So he was demonstrating his commitment outside of the work life and also had demonstrable skills that were available for me to view. So I think showing and doing things that will contribute to that community, in whatever format that is, is a key element to that foot in the door as well.

Brilliant, thanks very much. Sorry, I was just going to...

No, no, I was just going to say Tom isn't alone in that one. I've interviewed candidates who don't have a background which is normal, because of the things I've seen online from them, you know, whether it be fighting FUD on LinkedIn or whatever. There's all different ways of being visible. I think the other thing you said at the start of your question, we didn't see value in certs; I think we do, but it's just not the be-all and end-all organizations tell you it is.

Yes, great, thanks guys. I'm going to move on to the next topic if that's okay. So one of the things that I think we all struggle with within our organizations is making sure that those that are responsible know that they are, and not being held accountable inappropriately. So one of the things I'd like to ask the panel is, when the IT team is held responsible, how do we push back or

engage the organization to broaden that perspective and have a better understanding of where the organization's responsibility is, as opposed to the people at the front line who are doing the doing, who often get, should we say, pointed at inappropriately?

That feels like a CISO question. Straight to the CISO.

Could have gone either way. Yeah, so this is a big and sort of long-running question. So first of all, the CISO is always accountable, but everyone in the organization bears some responsibility, and getting people to understand that is indeed part of this job. So it could be at the lowest level of detail: it's making sure that everyone in your organization can recognize phishing and knows that the correct response is to report it, even if they've clicked, even if they've given up their creds. So that's a cultural piece to focus on. But then throughout the business, making sure that line managers and more senior people understand that they set the tone for the culture of security in their departments. And the way I explain it, that sometimes works, not always, but sometimes does, is to compare it to some of the other functions that are also like that. So HR is a good example that everyone understands: HR is about people, but everyone is responsible for line managing people, leading people, performance managing people. HR is a helper in many ways; they provide the policies, the procedures, but as a line manager I'm responsible for my people. Similarly for the business leaders, they are responsible for the security culture in their particular department, and explaining it like that sometimes works.

Yeah, love that. I mean, I think, you know, security is everyone's responsibility. Technical controls, fine, put that with the technical teams, but every single employee should have a responsibility to be mindful, be aware. Now, everyone gets distracted by their day job, that's human nature, so I think how those policies are implemented, how the training is done, is important; how that culture is established is critical. But ultimately every one of us should take a degree of ownership and accountability for security.

Yeah, from what Matt said about the CISO always being accountable, it's absolutely right, and that's why CISO stands for Career Is So Over. But we need to remember that security, not wishing to try and rehash what everybody said, but security is a culture, and I think the culture element of the education and awareness campaign is so important, and it can only come from the top. The no-blame culture, for instance: I've known organizations that will happily fire people for admitting that they made a mistake and sent a contact list to somebody, and then the word went round and we never got any more notifications of security incidents from that country again, which is a bit of a problem when you're operating in a number of different countries. So it should never just be IT's fault or an individual's fault. Yes, there are elements of, you know, control failures and all that sort of thing, but I mentioned NASA in a talk earlier. NASA has this thing of asking the question why nine times in order to get to the bottom of something. So if we did that a little bit more, we'd understand that it was never really down to one individual or one team that something went wrong. There's a whole range of reasons why, and that's why culture is far more important.

Yeah, absolutely agree, and just to add to that, I think it's rebranding security as not the troll. You know, it's not really helped by the FUD sort of, I guess, blasted out by the media as well: it's costing us millions, it's causing everyone a headache, no one really wants to know about it or take it on as their responsibility. So going back to building that culture, embracing the human element as well, because, you know, most of the time behind the computer is a human, and they are the ones interacting and unfortunately clicking the links or giving out those details. So making sure we're tailoring those campaigns to focus on that psychology too.

I think one other thing to add to that is, I think one of the reasons why the question is even posed in the first place is, you know, where does the blame lie? For so long security has been that business prevention unit that says no to everything, so that when something actually does go wrong because security said yes to it, well, obviously security made a mistake. When that's not the case, it's actually again down to those nine levels of why, or whatever. It's actually a far broader problem than just one group said yes to something.

The type of exercise that can really bring it to life for organizations is really well-done red teaming as well. I used to work for an oil company, and the refineries that refine the oil were thought to be impregnable, and the red team exercise was able to demonstrate that they were not, in fact, and that the consequences would be extremely high. And this almost flicked a switch in the business leaders' minds, realizing just how much they needed to build that security culture in. And red teaming, at all of my previous employers, has probably been the most successful type of exercise to educate people about what can really happen and how it's everybody's problem.

Great, thanks guys. Any questions from the audience on that little one? Well, we've got unanimous agreement: culture is everything. Full marks, team, well done. We've answered that one then, myth busted. Great. Well, all right, you can't possibly have a talk like this today, in the modern era, without talking about AI and LLMs. And, you know, is it some new magic bullet? Is it going to solve our ills? What's good about it, what's going to be crap about it? Let's have a little discussion around that. So who wants to start on that one?

Oh well, the mic's in

my hand, Jeff, so...

You go.

Oh, good grief. AI. Hands up in the audience, anyone that went to Infosec? This is a BSides audience, so I'm not expecting many hands. Excellent. So yeah, you and me both. So if you would have walked around Infosec this year, what you would have seen from every vendor, including my own, is AI, AI, AI, AI, AI, AI, AI, AI squared, right? And I think the problem with that, and it's an industry problem, is if everyone is saying the same, then how are we differentiated, right? Which is a vendor problem, that's not a you problem. So Jeff's question was, can AI help or hinder? Where do we go with it? Right, so what does the new world look like? Yeah, I think AI in its many flavors, whether that is LLMs or anything in between, right, machine learning, whatever, yes, it can help. If it can take a repetitive task away from a human and provide a consolidated data set that they can work with in a faster, more efficient manner, yes, it can help. But it can also hinder, because we're not the only ones using AI, right? So are the bad actors. So for every gain that we make, so do they. So taking two steps forward here before someone has to answer, but it's not going to take away any of your jobs, I don't believe it is anyway. Human in the middle still needs to be there.

I mean, I for one welcome our future robot overlords, to the point where I've even started saying please and thank you to Siri every day, just in case. But I think, like Thanos, AI is going to be an inevitability for us. It's going to become a part of our life, and in fact it already has. In fact, 2013 was pretty much the year of AI with ChatGPT and all that sort of thing coming out. You know, when even the Daily Mail was talking about it, it's kind of entered into everything. What it's going to allow us as security professionals to do is to operate at scale and take the drudgery out, at least for the foreseeable future anyway. Who knows what kind of change is going to happen around the corner. I mean, we've been talking about quantum for about the last 10 years, and that's going to make everything change, AI included. But right now it's about scale and drudgery.

Yeah, I think with any sort of new technology we have to be aware of the risks, so what could go wrong: it could be weaponized or it could be sort of utilized. So as you mentioned, lots of threat actors are now using AI to write new malware strains, they're using it to evade detections, but in threat intelligence it's hugely beneficial to automate a lot of that sort of data processing and going through and refining those data sets. So it's inevitable, absolutely agreed, but I guess it's how we use that in the future, and embracing the risks that come with it too.

Yeah, I expect we'll see more coming from threat actors than the value in the early years. I think we're already seeing some signs of phishing that you can tell has been powered by AI. I don't think it will be long before we're seeing deepfake voices being used in voice phishing. In fact, I have a deepfake of my own CEO on my phone, so I can whip it out in meetings as a party trick rather than talk about it just conceptually. And it won't be too long before LLM models joined up with deepfake voices allow a sort of chat in a voice, if that's not already here. I also think we'll probably see big data incidents fairly soon as a result. I've heard of some internal ones that are pretty embarrassing: if you turn AI on too early, before you've got the access control locked down in your environment, the AI can find all sorts of information it shouldn't, like who's being paid what and who's getting what bonuses, that sort of thing. So I'm a little bit skeptical in the early days. I'd rather let other companies get all the lessons learned before I go and get one.

One interesting element I was in a discussion with someone about was that markets that have not been traditionally attacked by, you know, phishing campaigns because of a language barrier, so Japan, the Philippines, those kinds of countries, are now finding that the attacks are going through the roof, because AI is doing all

the heavy lifting translation work for them. So it's causing the same problems, but I guess again, to my earlier point about scale, but also reach as well.

Yeah, very interesting. Okay, but what about the threat model, the threat framework? What we're now looking at is ever larger, ever increasing data sets with ever increasing levels of personal data in them that are being used to feed these systems, and the kind of new threat surface that we have to look at.

I have to go first? It's a threat intelligence question.

You go, Sophia.

So I think when we think about data sets and machine learning, we have to be very conscious about the bias we're using to train these sort of LLM models. A lot of the time with these sort of data sets it's very difficult to depict what actually that machine learning model is picking up and how it's going to use that information to process it going forward. So I guess to go back to your question, whether big data should be a concern for AI, if I'm understanding correctly...

Essentially what it's doing, I think, is increasing the levels, particularly, of personal data utilization: biometrics, you know, your voice, your tonal use, your emotional content. All of those things are now being measured and collated and used to feed these engines to be ever more realistic, and that's an increasing data model. Now is that just the same in a different package, a bigger data set, or is it a new threat?

I do think it's obviously a concern. I think, you know, expanding that sort of attack surface beyond just generic knowledge but actually including personal data as well, it's going to be very difficult to combat that if it ends up in the wrong hands. I mean, going back to my initial point where it can be weaponized or utilized, we just have to be wary of those risks.

Yeah, scale and reach.

Scale and reach, yeah. Agree with what they said. I'm a bit worried about the pace of progress driven by competition between big tech firms. I think the pace of progress is going to go so much faster than any thinking on ethics and what regulations might be required. It's inevitable, and I'm a bit worried about it, to be honest.

Yeah, tend to agree. We've literally got about two minutes left, so a couple of questions from the audience on this one. Anything? Anyone want to take this down a different tack or challenge any of the feedback from our panel? That's over there, yeah.

So, beyond giving non-users a way to ask questions, are you seeing any benefit of AI products at the moment beyond just making automation that's really expensive?

Yeah, yeah. So, yes, but I won't speak for every vendor out there; I can only speak for what I can see inside my own company. So certainly having good algorithms, ML, inside our data, when we understand the data, which I think was Sophia's point earlier, you can make a difference. You can streamline a lot of that tooling when you really understand your data and you understand what you want to achieve and how that model is being trained. So, I mean, certainly we use it to look in very large data sets, you know, massive data lakes of DNS queries, right? So we're looking for traffic distribution systems and things like that, and in that model it works for us inside our product, and there is genuine value to be derived, but that's because we understand the data. So I think that's, again, I can only answer from my own perspective. I'm not going to comment on what other vendors do, but maybe these guys can.

Any? No, no, they don't want to. They don't want to solve it. Honest.

I'm conscious of time. I think we're at time.

Yes, yeah. Brilliant, okay. Well, that just leaves me now to thank our panelists. Thank you very much. A useful and educational talk, hope you found it good as well, and that's a wrap for us.

Thank you.