Season 1 Episode 8: Battling Cyber Risks
Bastien: 2019 has barely started but thanks to an ever growing community of hackers we’ve seen 1.76 billion documents leaked in January 2019 alone. Ransomware is expected to cost businesses and organisations $11 billion. It’s an epidemic and we need to start thinking about the future of how we’re going to combat this cyber risk environment. That starts with cultivating a new system.
Sometimes what we perceive to be an unsolvable problem just means we’ve got to put our pens down, have a walk, and get a fresh pair of eyes to come and have a look at the same problem. A fresh pair of eyes gives new diversity and ways of thinking, and when we apply this to hacking we’ll get many new ways for hackers to infiltrate systems. They can use social media and social engineering, they can walk through the front door, plug into devices, and hack us online and through the cloud. There are so many different ways that they can get in now. So we need a diverse group of people solving these problems. A technical engineer is not going to do particularly well at a social engineering problem, so we need someone that is social and understands how people can be manipulated, maybe a psychologist.
Right now we have a very narrow band of diversity within the industry. We’re still thinking about the nerd wearing the hoodie; we really need to bring diversity of thinking into it. Someone to help us with that is Karissa Breen, she’s a cybersecurity specialist who does a lot of communication, media, and PR work to educate organisations on the importance of cybersecurity, the importance of diversity, and how we can improve as an industry.
Karissa, give us your thoughts on how we can address this problem, how can we improve diversity within our industry?
Karissa: What I do is one part media explaining what cybersecurity means for the people who aren’t in the industry. The other part is helping companies communicate better, and decrypting all of the technical jargon so that people understand what it means for them and why they need to understand why cybersecurity is important.
Bastien: Talk to us a little bit about negative unemployment, a lack of intellectual diversity, and how this impacts an organisation’s capability to effectively defend itself.
Karissa: It’s really important because we need to know that we have a diverse group of people to look at things differently. First and foremost, I really feel that what we need to do as an industry is look at how people are different because that will help shape how we evolve as an industry moving forward.
Bastien: I knew I wanted to be an IT engineer probably from the age of ten, so I think we need to get into the schools. It’s going to take more than just one generation to properly solve this. If you wind back far enough women were the driving force, particularly in coding, and even the recent film about the women in NASA, without whose mathematics work the Apollo program wouldn’t have been possible.
How do you think we went from that environment, which was essentially driven by women, to where we are now? When you go into a coding class or an infrastructure class at university, it’s a boys club with a handful of women. How did we get here and how do we solve it?
Karissa: There are a couple of things for this. A presentation I was recently at spoke about dudes in basements in hoodies, and that’s not the reality. I think that we need to be able to advertise this effectively because there actually are a lot of women who are not socially awkward dudes in basements hacking things. Now I think that probably does also stem from Hollywood; we’ve all seen the Hackers movie and the unrealistic way in which they apparently hack the mainframe – that’s obviously fabricated.
Secondly, there is that push for change and it is a changing face so to speak. Also, some companies are just looking at getting the numbers up and some of it almost feels like lip service, just to say, “we have a 50/50 gender quota now.” I don’t know if we’re compromising ourselves as an industry because we’re merely just hiring people off the street because they’re a female. So I feel that diversity is important, but it shouldn’t just be focussed on “because we want to look like we’re hiring diverse people.” It should be the people that are actually competent at doing the job.
Bastien: I think it’s really important as well to communicate that cybersecurity has so many facets to it. Every ethical hack that we perpetrate we essentially start with the information gathering session. We research companies and individuals and then we move to a social engineering phase – we’re now actively looking at arts students for actors. It’s a bit of a sad fact for men, but if you happen to be a telemarketer you’re going to have a much lower success rate proven statistically if you’re a man than if you’re a female. We see the same thing in social engineering in the cybersecurity space. Women are more effective at it and they’re better at reading emotions. I think a lot of people aren’t aware just how broad the cybersecurity space is. I would say a good forty percent of every ethical hack we start is social engineering and information gathering.
Karissa: It’s a great point because so many people say they want to work in cybersecurity, but when I ask what part they can’t really explain to me what they want to do. I guess it’s a lack of awareness in what we’re doing as an industry to actually not even demonstrate what roles exist out there. More to your point about social engineering from a female perspective, I think it’s because females don’t seem to get questioned as much. This is actually a space I want to move more into because I do test things in the general public to see if anyone’s paying attention, and no one really is. I think that as a male you’re more likely to get questioned if you look suspicious. Whereas a female, particularly a younger female, I’m probably less likely to be questioned even though I might be carrying a rubber ducky around and just destroying someone’s network.
Bastien: Even in our organisation we primarily have women deliver objects on site.
You mentioned the USB rubber ducky, it’s a small USB device that you can plug into a laptop or computer to execute code. It has a switch so you can put multiple codes on there, and it essentially turns into an HID keyboard device to upload whatever script you want. We also use people to deploy the USB Ninja cable, that has just come out by Kevin Mitnick, which allows you to create a backdoor into any system that you use to charge your phone cable with.
One of the things that our cybersecurity industry needs to educate ourselves on is that we are essentially looking for people like psychologists and actors. We need to look outside of that traditional information technology field at universities to get good people and add that diversity of not only gender but thinking.
Karissa: If you haven’t come through a traditional route into cybersecurity people can sometimes be quite pretentious. Maybe they feel threatened, because someone who can be completely curious has gotten into the industry. For myself, that’s how I actually got into cybersecurity. I came from a banking background and was really curious about how people exfiltrated money out of the bank. I asked so many questions that they found to be valuable, so they asked if I wanted to come and work with their team.
Being curious, asking questions, and wondering why people do things – this is the true essence of being a very good cybersecurity practitioner. If you’re not asking why or you’re not challenging things then we’re just going to be owned by the bad guys.
Bastien: We’ve also got with us Fergus Brooks, former Head of cybersecurity for AON Insurance. Fergus, you’ve been in the cybersecurity game for 25 years, what are your thoughts on diversity and using it for problem solving?
Fergus: You have a table full of people who are gathering to solve a problem or respond to an incident. You’ll get a bunch of people who have qualifications in IT who are mostly male, sitting around and sharing similar experiences. You simply just won’t get as many different angles for the potential solution as you would get if you had people from different backgrounds and more women in the room who challenge the men.
What are your thoughts on groupthink, Karissa?
Karissa: Because cybersecurity is something that is so diverse and fast moving, how are we ever going to be able to keep up if we’re actually just breeding people from the same background? We need to have people think differently to come up with ideas and solutions. The counterpoint to that is that in this industry, as soon as you start being quite vocal and have a difference of opinion, people try to shoot you down.
Bastien: An analogy here is I’m always losing my keys, and my partner is significantly better at finding them than I am. In cybersecurity, we will analyse from a certain point and say these are the ways we see a criminal could enter in an organisation. The more diverse the group, the more paths they’ll come up with. Even between companies, if you paid two ethical hacking companies to breach an organisation I guarantee you they will use two different paths to enter.
The more diverse the groups are the more paths we’ll find – and criminals are doing this. I’ve witnessed these organisations; they have HR managers and females working for them. They know that telemarketers are more effective if they’re female, and the females who are working in these criminal organisations are helping them expand their attack vectors. So if we as an industry who are fighting this are purely a boys club, we’re going to be increasingly ineffective.
Karissa: One of the things that is really important is profiling the right people, and in my experience talking to practitioners globally, it is a changing face. We need to look at this on a larger scale, if we’re not going to embrace people who are different I don’t think we’re going to be able to win. We’re going to lose as an industry because we’re being naive in the fact that we don’t want to embrace people from different backgrounds.
Bastien: From my point of view, the cybersecurity industry is really attractive: reasonably high wages, interesting work, every day is different, and you’re helping organisations build frameworks to stop themselves being breached and minimise their risk. Yet there’s negative unemployment in this industry. There’s low unemployment and that’s driving wages up, so I personally believe that’s going to create a big backfill. What period do you think it will take before we start seeing gender equality?
Karissa: I don’t have all of the answers in terms of the timeframe, what I do know is that while there is a genuine thirst for more people to be in this industry, there’s not enough people to be motivated to be constantly learning. I feel that people are getting to a certain level and feel quite comfortable. There’s not the satisfaction with continuously achieving a certain level within the cybersecurity space.
Bastien: Which is a problem because our job in cybersecurity is to research. It’s probably one of the hardest things about working in this profession. New operating systems and technologies come out all the time and we’re expected to be masters. One of the things that my COO, Steve Williams, commented very early on was how we would just learn something new and then try to mitigate and create strategies to protect from risk – it is a constant cycle of learning.
Fergus: When I got my first job in IT 25 years ago, there wasn’t even a security industry so we all just learned on the job. One of the things that I did in order to get myself to a level of seniority was I jumped from contract to contract. So if I wanted to be in Windows NT, then I’d learn a bit of Windows NT in my current job and then put myself out as an expert to previous employers.
Bastien: Do you notice that some clients, and I come from an infrastructure background as well, they’d sometimes be surprised that you’d be onsite fixing for example a storage area network or a server, and you’d be googling. They’d question if we knew what we were doing if we had to google an error message.
Fergus: I remember installing companies on the internet for the first time, and a lot of people freak out when I say that I used to install banks and such to the internet. I’d say I had a lot of trouble with firewalls and getting them to work. People in the room all just go, “why didn’t you just google it?” Because I’m connecting them to the internet! It didn’t exist then. But that in itself made it such a challenging and fun career.
Throughout this episode we’ve talked about how it’s such a constantly evolving industry, there’s nothing static about it and the threats are increasing. You can’t go through the internet without finding someone who’s been breached or dealing with a problem. It makes cybersecurity an incredibly dynamic and fun industry.
Bastien: Karissa, you hit the nail on the head when you said you don’t do anything without knowing why and how it works. Anyone in the cybersecurity industry really has to have a fascination with understanding how things work. Whether that be the human brain (which is what we hack more often than not, surprisingly) to technology, marketing, and sales. You just have to understand how all these processes work.
To your point on how people in the industry will achieve a certain level and then stagnate. How do you think the industry can solve that? We’re seeing things like ethical hacks in terms of pricing go down because people abroad are offering these services for much less. So organisations in Australia perhaps aren’t designating the 3-4 months of R&D time that we used to have into researching new technologies, into recertifying, and into education. How do we combat that as an industry? Is it an education for the businesses that are buying these services? That they should be valuing cybersecurity more, paying a more reasonable amount for them rather than trying to cut costs?
Karissa: I believe the best skill to be successful in cybersecurity is curiosity. A lot of people have their opinions on this and technical skills are one thing, but if you’re not curious then you’re not upskilling during your career. Finding people who have that genuine curiosity and hunger about them are more likely to succeed, because you can teach them everything else. If you’re not asking “why” then I don’t think you should be in this industry, because we don’t need more people to sit on the fence and not actually ask questions and challenge.
Bastien: Our job is to hack and crack systems, so teaching the traditional way of doing that isn’t the answer. For example, when we interview staff we put a Rubik’s cube in front of them. A person who got the job straight away didn’t know how to solve it, so he ripped off all the stickers and stuck them in the correct position. He hacked the Rubik’s cube, gave me the solution and outcome that was asked for, and got the job.
Karissa: I found that the best cybersecurity people think very differently, because without their brain of thinking differently, I don’t think we’d be where we are. If you are just run of the mill, average, don’t question or challenge, you’re not going to get far or add a lot of value, simply because you’re not thinking so wildly different to everyone else.
Fergus: I agree with this entirely, when I was in my early twenties and Windows 95 came out, we had the beta as soon as we could get our hands on it to test it on computers. Same happened with NT, NT4, and all that kind of stuff because I wanted to know how it worked and I wanted to get on top of it. That was fun learning for me, and that led to a career for me and continues for career development.
Bastien: What are the next steps that maybe the Government, learning institutions, and organisations should take in looking to hire these people? What should people who are considering getting into this industry do?
Karissa: The Government should be profiling the right people and doing it in a way that is palatable to people as well, not in an archaic way of addressing cybersecurity. From an education point of view, getting people out there to talk about it and being human about their experience in the industry. Being corporate will actually deter young people from getting into this industry. Lastly, having continuous meetups and events to talk about what type of roles actually exist out there. Someone might be hating their psychology degree, which makes them interested in social engineering because they understand people and their behaviours. Or you might be a software developer, so why can’t you do security engineering?
Bastien: Acting has, at the top of the field, really high salaries and glamorous lifestyles. But for the large majority of people in the acting community they’re struggling to find work. Maybe they can come over into our industry and practice their skills.
Karissa: I think it’s a very unique way of looking at it, it’s thinking outside of the box continuously. It’s still about getting the right calibre of people. What annoys me is seeing how some large corporations treat it as filling quotas. Are they actually hiring the right people, or just hiring people for the company to look better in the apparent marketplace?
That’s actually insulting to a female; I would always want to win on merit. If someone said to me that I won purely because I was a female, I would walk out of the room because it’s insulting to how I am, and to the whole female population. That’s not fair at all and no one wants to win like that anyway.
Fergus: That’s why I think there’s been so much conversation on quotas, even at the board level. Do we set up gender quotas? Do we set up any kind of quotas for employment? Let’s say if we have a candidate who has the most qualifications but whom we don’t have a spot for because we have a quota, then you end up taking on a lesser quality candidate. It insults both the accepted and rejected candidates and it impacts their self-confidence as well. Quotas are a flawed argument if people are hiring for the sake of it.
Karissa: And we’re going to be compromising ourselves as an industry if we’re just hiring anyone for the sake of getting quotas up.
Bastien: My leadership team actively talks to the TAFEs and universities, but also we probably need to start talking at a younger school level. We start to look at perhaps roles that are more effective for certain types of people. A good example of that is when we first started the organisation, we had technical people. We started doing ethical hacks and they were largely technology based. When we started asking our tech heads to go on site to breach a site and plug in some device they would freak out. Whereas another person might be more suited to that and would enjoy it and help us as an industry.
What is something that an individual could do if they wanted to get into the industry?
Karissa: Hang out at local meetups posted on platforms like Meetup.com or Eventbrite. Go along to some of those events to see what type of people there are in the industry. I think someone who is potentially looking to diversify their career would be at these events. Always be asking questions to people in the industry as well, and follow people that share different opinions. Go and do lots of reading, listen to podcasts, get the knowledge up. You might be surprised to find out that where you started is not actually what you’re doing now. That is exactly what happened to me.
Bastien: So find out what you enjoy and understand perhaps where that can fit into the cybersecurity field. I don’t think nowadays Seek, Indeed or other job boards are where people like myself are looking for talent. We’re going to groups, dinners, and other events where you meet individuals. If you come and hang out in that community then that’s where you’re going to find out a lot more about the industry and what we’re looking for.
Karissa: You have to be a very special, unique person to work in this industry and have a significant career because these people are the people that are helping defend data, our countries, our identity. Those people need to come from a very unique skill set to be able to help countermeasure that continuously.
Bastien: All the smart, interesting people that are curious about the world, we’re waiting for you in the cybersecurity industry! Governments, we’d love to see you educate at a younger level as much as possible in schools. All the learning institutions out there, wake up to the fact that you probably need more of a PR and marketing media effort to actually get diversity into your classrooms.