Image credit: Hannah from Manchester School of Art working with www.naimuri.com
It's hard to believe it's already been nearly two weeks since CyberUK 17. It was the busiest, but most exhilarating week of my career so far and when thinking of what highlights I should pick out to write about here, I'm spoiled for choice.
My People-Centred Security team, and the rest of the Sociotechnical Security Group, did themselves proud. Rachel, Sacha and Kate ran and took part in a variety of sessions, including (in Rachel's case) a whole STREAM of fantastic content on People: The Strongest Link. I was hugely impressed with the amount of skill, energy, and sheer hard graft they brought to making the conference a success. Well done everyone!
- We hosted a Sociotechnical Security Group Twitter Q&A, supported by our brilliant social media team. One question everyone always asks us is "What on earth does 'sociotechnical' mean?" Luckily, Geoff has now written a blog post that improves on the explanation we provided on the day!
- I met dozens of inspiring people. One company that deserves a particular shout-out is Naimuri. They share much of our philosophy on how to help SMEs effect real change in their approach to cyber security, by using creative methods to bust through some of the Fear, Uncertainty and Doubt that commonly dominates the narrative. They even use some similar techniques to those that have been developed and tested by our own RISCS.
- Most of all, I bonded with graphic artist Hannah over our comparably unconventional paths into working in cyber security. We both started out thinking that security wasn't for us, since it's super-technical and even a bit boring. What could we contribute to the profession? However, both of us have found our way into cyber security roles that we love, that use our skills to great effect, and which play an important role in making the cyber world a better place.
Raising our game on diversity and inclusion
There was a big focus on diversity at CyberUK 17. For me, the key message is really simple: equality is a noble goal in its own right, and in business, diversity brings strength. We need maximum strength to solve the hardest cyber security problems. We can't afford to miss out on the best and brightest talent because girls think that STEM isn't for them, or unconscious bias gets CVs from BAME candidates filtered out at an early stage, or we don't understand why a dyslexic candidate may present a little differently at interview to how we may expect.
As a woman in a largely technical profession, I know firsthand that the working culture can be challenging. In fact, I honestly think it's one of the tougher problems we face in cyber security - because I know, from my day job, that organisational cultures are some of the hardest things you can try and change.
Well, the NCSC faces all the tough cyber problems head-on. In fact, we don't just face them, we run right towards them at full speed yelling "Come and have a go if you think you're hard enough!" (or maybe that's just Dr Levy...). Building healthy, inclusive working cultures in our profession - cultures we can all be proud of, in which everyone can give of their best - is one of these hard problems. And it's one that we're up for tackling. I feel enormously proud, and hugely valued as a woman member of the NCSC, that we've committed ourselves to providing real leadership in this space. Bring it on.
The. Big. Stage.
Getting on the plenary stage and sharing my vision of cyber security with 1,500 people was possibly the scariest thing I've ever done. But it was fantastic and, surprisingly (to me), I really enjoyed it. I loved speaking to lots of people afterwards who'd liked what I said, and told me that it chimed with their own visions of what works in security at the moment and what we need to fix. I got a real sense of excitement, urgency and the possibility of significant change. Which is what we need, in the field of people-centred security. So, I'm glad I got up on that stage - and any day now, I might start to think about forgiving Jon L for persuading me to do it.
My personal exam question for the conference is: did we make people the strongest link? I think we did. One of our respected academic partners, Professor Adam Joinson, tweeted as he left:
- and I think he's right. People heard our vision, loud and clear:
- security has to work for people, or it doesn't work
- effective security means balancing all the different components, not expecting humans always to bend to meet the technology
- the phrase 'people are the weakest link in security' is now firmly in the swear box
We've set a really strong foundation for our future work, and I'm excited and energised for the challenges that lie ahead. Together, we can do this!