In this episode of the Masters of Data podcast, I speak with Ian Murphy, a journalist, editor, and analyst with 30 years of experience. Ian is currently an Editor at Enterprise Times and shares his varied and fascinating experience, how critical it is to have diversity on security teams, and his passion for working with veterans. As attacks begin to leverage social engineering to gain entry to organizations, there’s an increased need for security professionals from all walks of life who can identify the vectors across countries, cultures and age groups. Ian talks about the groups of people that can be engaged early on in order to increase diversity in security, including gaming hackers and problem solvers, psychologists, and veterans. He explains how recruitment policies and practices are also being changed in order to focus more on skills, vocational training, and diversity, rather than a singular focus on traditional education.
Ian served in the British Royal Marines before transitioning to journalism and analyst work, and he now enjoys running around and being disruptive at conferences. In his first journalist position, Ian couldn’t understand why he had to use a typewriter when his Atari computer at home could do so much more. After being given a project for the company and contacting magazines to see if they wrote about computers and word processing software, he realized no one did and was offered the opportunity to become that writer. The result was an IBM PC being sent to his doorstep by an editor with a stack of one-sided floppy disks and a copy of Lotus 123. Since then, Ian has been a writer and analyst in the computing space, including work as a certified trainer for companies in the 80s and 90s. After it became too difficult to keep pace with the training, Ian focused more on being a writer and analyst for companies.
Ian has recently been discussing diversity in IT security because if you were to look around at the current landscape, you’d see mostly white, middle-class men with an ability to code and a university education. The stereotype and myth that security professionals need to be geeks in order to succeed in the field are then perpetuated. The problem is that hackers leverage social engineering and not just technology, a combination that can only be defended against by people, not technology. An example that Ian gives is that bad actors today will monitor a person’s social media feed to identify when they’ve been speaking with someone new and when they meet up, so that they can send that person emails pretending to be the new contact, with embedded attachments claiming to be photos taken together. Most people will click on the attachments.
When there’s a lack of diversity on security teams, it can be difficult to identify the phrasing or vector being used. For example, if there is an attack occurring in South Africa on businesses where employees are primarily aged 15–25, using specific terminology, the typical security team of middle-aged men may not be able to identify the attack traits. Ian explains that there isn’t as large a skills shortage as people think when you eliminate the need for all employees to have a university degree. In fact, diversity is far more important in this age of social engineering. Companies can hire people with problem-solving skills, those who hacked higher versions of their video game because they couldn’t afford it, and who were perhaps excluded from education because of their disruptive nature. The beauty here is that you can teach those employees the traditional education (writing, reading, and numeracy), but you can’t teach problem-solving.
In order to reach the potential employees that bring self-taught hacking or gaming problem-solving skills, security companies can engage with them in a way that doesn’t make them feel trapped. Paying them early when they find a way in is a way to show them that there’s a career out of what they’re already doing. European companies are beginning to engage with these people by meeting with them, going to where they are, and setting up apprenticeships to show the way forward. Companies are also investigating other areas of expertise, including psychologists, who can decipher phishing messages and understand how people are manipulated. Recruiting people from different social strata is required, but companies struggle with it, and it can often create an “us versus them” dynamic right away. In addition, companies struggle to retrain university graduates in “the real world”. Most graduates begin working with debt that they cannot pay off within 10 years. Europeans are beginning to change their approach to education, based on cost and workplace demand, to value more vocational training versus a bachelor’s degree.
As a veteran himself, Ian is passionate about supporting and working with organizations that improve veterans’ mental health. Veterans are fantastic employees because they are task-focused and will get the job done at all costs. To ease the transition from military life to civilian life, some companies will match new recruits with another employee who came from the military. The mentorship creates dialogue and allows for the new employees to understand the services available to them, including support for ongoing mental health issues or diagnoses. Many people outside the military also suffer from PTSD or other mental health disorders, and increasing diversity in the workplace can normalize conversations and seeking support. Making the security space more human and more diverse not only covers off gaps in visibility, but it also improves how employees treat one another and how companies become more socially responsible.
Outbound Links & Resources Mentioned
The Enterprise Times https://www.enterprisetimes.co.uk/
Connect with Ian Murphy on Twitter https://twitter.com/journoian
- Most SOCs today are filled with white middle-class men who have a formal education and coding experience.
- Hackers today are using social engineering, which requires people to defend against it.
- There is a lack of diversity in IT security based on age, culture, gender and race.
- Diversity is required in order to understand and identify the particular phrasing and vector being used in attacks across cultures, age groups and genders.
- There’s an obsession in the security industry right now that everyone must have a degree, which is hindering increased diversity.
- Organizations can teach employees traditional educational elements (e.g. writing, reading, numeracy), but they cannot teach problem solving.
- European companies are beginning to engage younger hackers to show them that there’s a way forward rather than increasing levels of crime.
- Many companies recruit people that look like them because it’s the safe thing to do.
- Companies complain that when people leave university, they need to be retrained in order to understand the real world, but education cannot adapt as quickly as business would like.
- Increasing levels of student debt are also contributing to a shift from companies focusing on degrees to now valuing vocational training as an equivalent.
- There is a problem on both sides of the Atlantic: veterans are dying daily, taking their own lives, because they don’t see a way out of their mental health crises.
- It’s not just veterans who are suffering from PTSD, and when workplace diversity increases, so too do conversations and acceptance around mental health issues and seeking support.
- Companies are beginning to move security from the home office into the local offices where the culture can better spot early phishing attacks.