My last series of interviews on women (and non-males) in information security was really popular. I spoke to some amazing minds in the cybersecurity field last fall. As spring arrived, I figured that there are probably a lot more professionals in our field who also have interesting stories to tell. Encouraging more non-males to enter the industry will inevitably benefit cybersecurity as a whole. In resuming my series, hopefully more readers will be inspired.

This time, I spoke to Dr. Jessica Barker. She owns Cyber.uk, for which she blogs about news and ideas regarding the human element of cybersecurity. Human beings are the greatest vulnerability, after all! Since 2013, she has run her own firm, J L Barker Ltd., and she recently co-founded Redacted Firm. She is engaged by organisations of all sizes, from multi-national firms to SMEs. She has also appeared at important security events, such as SteelCon 2016 and Infosecurity Europe 2016.

Kim Crawley: So you run Cyber.uk. What compelled you to start that venture?

Dr. Jessica Barker: I wanted a place to write accessible articles on cybersecurity that people of any level of knowledge or understanding could hopefully engage with and get something from if they are interested in the subject. I do research from time to time, where I generally look at attitudes and behaviours online. For example, I surveyed 1,000 people in the UK about their attitudes towards biometrics replacing passwords; 1,000 people about whether they know of 2FA; and 3,000 people in the UK, US and Germany about their opinions of Edward Snowden's actions.

KC: I think that's a great motive. Ignorance of cybersecurity is harming laypeople, and they need knowledge.

JB: I totally agree. I think there is an onus on us in the cybersecurity profession to communicate more effectively about our work, the threats online, and what people and organizations can do to better protect themselves.

KC: I try to write most of my articles with technical laypeople in mind. But when my non-IT friends read my articles, they say that they're still difficult to understand. Educating end users can be a challenge. I really appreciate how you recognize human beings as the most significant vulnerability.

JB: We all get used to the language of our profession and can become detached from the level of understanding that most people have when it comes to the internet, security and privacy.

KC: Yes, I think you're exactly correct. A lot of laypeople don't even know the word "malware."

JB: You're absolutely right about malware. I was on a pretty popular radio show in the UK (the Jeremy Vine Show on BBC Radio 2) talking about ransomware. Even with my perspective and determination to keep in touch with what the average person knows about security, I was shocked at how low awareness of ransomware is. We all know in the industry that it's one of the biggest threats at the moment and has been that way for a while. But most people haven't heard of it.

KC: That's incredible considering that I've seen ransomware in Windows clients since a decade ago. I had to deal with consumers freaking out about it. I think the greatest misconception laypeople have about "hacking" is that they believe how it's depicted in Hollywood. A "hacker" typing commands into a terminal at 300 words per minute overlooks the fact that social engineering is such a major attack method.

JB: Yes, I agree. I work with organizations on social engineering awareness, and it's interesting to see how shocked people are by what we can find out about them via some OSINT and how that could be used in an attack. Most people still think hacking is about targeting technology and are not aware of the extent to which people are targeted.

KC: Very true. Now let's shift gears a bit. I notice that you gave a talk about impostor syndrome at SteelCon last year. Do you think women get it more frequently?

JB: It's tough. A lot of people in the industry struggle with it. I've had to work on my own issues with imposter syndrome, so that I don't let it hold me back. Instead, I use it as a motivator. The danger then, of course, is burnout. I think it impacts a lot of people in this industry because cybersecurity is so diverse. It's impossible to know everything, and we can become desensitised to how much we do know about our own area of expertise. So, you meet someone else and in conversation with them think, “They know so much more than me,” all the while forgetting that they have their own area of expertise, as you have yours. I also think that most people in the industry have a personality trait whereby they want to keep learning and keep challenging themselves – which is great, but it can mean people sometimes feel like there is a lot of stuff they don't know. There are also some cultural issues, which a lot of people commented about when I did a bit of research on it. We have a tendency in this community to tear people down if they don't know something or get something wrong. People often say that women get imposter syndrome more frequently, but I don't agree, to be honest. Studies have implied that in the past, but I think that could be because women are more likely to talk about it than men. From my research and conversations I've had with friends and colleagues in the industry, men can struggle with it just as much as women. That sums up why we all need to encourage each other in the industry. As much as there can be a culture of tearing people down, there are also a lot of people who will build others up, be supportive, and be encouraging. We need more of those people.

KC: Well said! It's clear you've spoken at a lot of cons. What was your first con speaking experience? How did you prepare? How did you feel? How did the opportunity arise?

JB: I think the first con I spoke at was Manchester BSides four years ago. I was speaking at events before that, on panels, and at more corporate events. But I think that was my first community con. I was approached by one of the organizers, which was great and really gave me the encouragement that I needed. I gave the closing keynote and spoke about the psychology of fear and cybersecurity. To be honest, I was really nervous speaking to a technical audience about something that's so human-focused. The response was great, and I was pleased to find that people were genuinely interested in the human side of cybersecurity. Around that same time, I spoke at SteelCon about how to communicate cybersecurity messages more effectively, and at IRISSCon about gender and age differences in cybersecurity attitudes and behaviours. I start prep for all my talks in the same way, which is to create a spider diagram on paper of all the key points I want to cover. Or sometimes I use a whiteboard or Post-It notes. I then flesh out all of the points before I start on the slides. I used to script my talks and then rehearse them until I had learned them. But as I've gotten more experience and more confidence, I no longer do that. I now prefer to think of the talks as more of a conversation I'm having with the audience. I will know the key point I want to make on each slide and overall for the talk. But I don't script them, and I practice to some extent but without rehearsing so much.

KC: Did speaking at cons get easier as you got more experience?

JB: Cons have definitely gotten easier as I've gotten more experience, more confidence, and more understanding of the fact that even technical audiences are interested in the human side of cybersecurity.

KC: That's very different than what I did. For BSides Toronto, I made a PowerPoint presentation from research notes, then I discussed each slide spontaneously. It was amazing that I kept to the 20-minute time limit. I was co-presenting with my ex-husband, and he was going to go on a tangent on a totally unrelated topic. I had to stop him and redirect the presentation to the subject matter.
JB: Everyone has their own style I think, and after a while, they find what works best for them, which is why giving advice to others can be tricky.

KC: Definitely. Now on to another gender-related question. In previous blogs, I mentioned that I've found I've been discriminated against less often in cybersecurity than in my earlier jobs due to my gender. What has your experience been?

JB: I've found the same, too. I definitely experienced more discrimination when I was just starting out in the industry than I do now. I don't know if that's because things are progressing or because we are more likely to face discrimination when we are in more junior positions and less established in the industry. Or maybe it's because we know the industry better now and know which people, companies, and events to avoid!

KC: Yeah, I agree. Sexism is less of a problem, but it's still there. I've been pleased by how many women and transgender people I've met in our field, and articles like these help.

JB: Very true.

KC: I have to say, I find the topic of your talk at BSides London last year interesting. The history of the word "cyber." I wrote an article for Tripwire on the differences, similarities and origins of the concepts of information security, cybersecurity, computer security, etc. recently. I think sometimes people lose sight of the "meta" stuff, the cultural stuff.

JB: Thanks. That's an example of a talk I'd been thinking about for a year or so before I did it. I felt like I was putting my head above the parapet with that one because a lot of people in the community obviously hate the word "cyber," which I understand but think we need to move on from. I found that when I was talking to senior executives or people in the media or the general public, they related to “cybersecurity” so much more than “information security.” And although they technically have their own distinct definitions, we often use them interchangeably. So, I wanted to look at the cultural issues around the language we use and encourage people to address the fact that cyber is the word people outside of the industry relate to. I did some research and found that most people in the community refer to what we do as “information security” but most people in the public call it “cybersecurity.” In fact, more people in the public call what we do “e-security” than "information security." When we're trying to raise awareness and change behaviours, the language we use really matters.

KC: E-security? I've never heard of that term. Is it more common in the UK?

JB: Not at all! It really surprised me, too, because I have never heard anyone actually use the term.

KC: Wow. That's amazing. I would have thought information security was more common. On another note, what advantages do you believe there are to people who don't identify as male (women, nonbinary people) being in cybersecurity? How do you think we uniquely benefit the industry?

JB: For me, it comes down to talent, representation and fairness. First and foremost, talent is equally distributed among the population; it does not discriminate. So, when groups are discriminated against or not equally represented in an industry, that industry is missing out on the talent that those individuals could provide. We deal with some really complicated issues in cyber security, and we need that talent to address those problems. Having diversity also facilitates the representation of different world views and different experiences. People with different life experiences will come at problems differently. Diversity also breeds diversity, so from a representation point of view, the more diversity we have the more that sends a message that “you can do it too.” From a fairness point of view, this is a really cool industry to work in, and I want people who would be interested in the field and who would contribute to it to know they are welcome regardless of their gender identity or any other factor!

KC: That's an excellent answer. One final question... What do you think the greatest challenges will be in cybersecurity in the coming years?

JB: I think we will continue to struggle with the same problems we have for decades, like patching, legacy systems, shadow IT, and of course human behaviour. But with the pace of technological change (or rather, the pace of change in how we use technology) continuing to grow so rapidly, we face the risk of still being challenged with how to keep up. With more connectivity comes more vulnerability, and so, of course, the Internet of Things is a big challenge that will continue to grow. Engaging with the average person, enabling them to understand the security and privacy concerns with, for example, “smart” devices in the home, is a big challenge. Responsibility for security with regards to the Internet of Things is a tricky issue. We need security built-in from the start, but in a global market with no incentive on manufacturers to do this, we are placing too much responsibility on consumers. Responsibility for cybersecurity is not a new issue, like most of the issues we deal with in cybersecurity, but as our use of the internet continues to grow, the challenges will also grow.

KC: Excellent! It's been a pleasure chatting with you. I've learned a lot.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.