ITSPmagazine Podcast Network

The Art of Security Education: Security 101 Training Essentials | A Conversation with Sarah Young | Redefining CyberSecurity with Sean Martin

Episode Summary

Sarah Young shares invaluable insights on foundational security training strategies, highlighting the importance of continuous learning and practical skill development in cybersecurity.

Episode Notes

Guest: Sarah Young, Senior Cloud Security Advocate, Microsoft [@Microsoft]

On LinkedIn | https://www.linkedin.com/in/sarahyo16/

On Twitter | https://twitter.com/_sarahyo

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/sean-martin

View This Show's Sponsors

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast hosted by Sean Martin, the focus was on "Security 101 training with Sarah Young." The discussion explored the foundational aspects of security training led by Sarah Young, an esteemed security educator with years of experience in the field.

Throughout the episode, Sarah Young shared her insights on the importance of establishing a strong security training program within organizations. As a seasoned professional in the realm of cybersecurity education, Sarah emphasized the critical role of continuous learning and development in building a resilient security posture.

Listeners are treated to a thought-provoking dialogue that highlighted the significance of equipping employees with the necessary knowledge and skills to combat evolving cyber threats effectively. Sarah's expertise in crafting comprehensive training modules tailored to various organizational needs was evident, showcasing her dedication to empowering individuals with the tools to safeguard sensitive information.

Moreover, the episode shed light on the practical strategies and approaches that Sarah employs to make security training engaging and impactful. From interactive workshops to scenario-based simulations, Sarah's innovative methods ensure that participants not only grasp fundamental security concepts but also cultivate a security-conscious mindset in their day-to-day operations.

This episode encapsulated the essence of effective security training and serves as a reminder of the pivotal role that dedicated professionals like Sarah Young play in shaping a resilient cybersecurity culture.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________


___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: 

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

The Art of Security Education: Security 101 Training Essentials | A Conversation with Sarah Young | Redefining CyberSecurity with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And hello, everybody. You're very welcome to a new episode of Redefining CyberSecurity. I am Sean Martin, your host for this, uh, for this podcast, where, as you know, if you listen to the show, I get to talk to all kinds of cool people about cool things to help organizations better secure the business so it can grow safely.
 

And, uh, no question, uh, the, the founding of, of ITSPmagazine with my co-founder, Marco, we, uh, we dove straight in, this is 10 years ago now, straight into the human element and it's a connection between technology and society and, and wrapped up in that is, uh, yeah, wrapped around that I guess maybe is a better way to say it is security culture within an organization.
 

And I'm thrilled to have Sarah Young on today from Microsoft. Sarah, good to, good to have you on the show.  
 

Sarah Young: Hello, thanks for having me.  
 

Sean Martin: This is going to be fun. Uh, we're going to talk about security awareness, security 101 training for [00:01:00] organizations. And, uh, you've done some work, as many of my episodes come to fruition, they're usually sparked by something I see on social media, typically LinkedIn. 
 

And this is no different to, uh, you put a post out about security 101 for beginners, uh, looking at explaining some foundational cybersecurity concepts. Organizations to help their, their staff understand, uh, what's involved. And so that, that piqued my interest. And we're going to talk a bit about that, but before we do a few words about. 
 

What you're up to these days, Sarah?  
 

Sarah Young: Yes. So, uh, hello everybody. My name's Sarah Young. I am a, uh, cloud security advocate at Microsoft. Um, I live in Melbourne, in Australia, so, but I, I get to, I'm very lucky I get to travel all around the world, um, as part of my job. I, um, but what is a security advocate? So, uh, we are, [00:02:00] uh, part of, uh, in Microsoft you might. 
 

You might be more familiar with the phrase, uh, developer relations or dev rel. So we do that, but for security specifically, and, uh, it's really cool. Cause what we do is we go out and talk to, uh, security communities on behalf of Microsoft. Uh, I have been in the. The security community doing things like attending conferences and handing out swag and all those things for years before I actually started this job. 
 

Uh, but we also, and I think this is probably my favorite bit of the role. We go and advocate to Microsoft on behalf of our communities. So, um, that can involve things like, uh, uh, that can involve things like just Just, um, just, uh, I lose my words this morning. Uh, it's very early here in Australia when we're recording this, that that's why, if anyone's [00:03:00] wondering why there's no video, it is very early and no one wants to see me at this time in the morning. 
 

Uh, but we do things like, uh, when we have Microsoft events or when we have feedback about products that doesn't always. Uh, Microsoft's a huge organization that doesn't always get back to where it is. Um, so we also try and feed those things back in. We help create, curate our first party events like Ignite and Build to try and, uh, you know, from, from a security perspective, uh, give people the content that they're interested in. 
 

And this is what my other colleagues do in other areas of advocacy as well. Um, but. Uh, uh, but most of the time, most people will see me like up on stage doing something, uh, and giving a talk or a demo or, or doing a workshop, but that's actually only a teeny tiny part of what we do. It's just the most visible bit, but yeah, it's a really cool job. 
 

Uh, very, very busy as most people are. And yeah, that, that's kind of what I do in a nutshell.  
 

Sean Martin: Yeah, I love it. And the, of course the visible bit of what, [00:04:00] what people see and, uh, I I've seen, seen some of the stuff you've done and. I'm grateful for the work that you do there. And then there's the deep down behind the scenes stuff, which I think, I think we're going to spend some time on. 
 

So this, the resources here actually live on, on GitHub and there's a bunch of, a bunch of documents and, uh, learning, learning materials. So what it's called, uh, Security 101 and it's, uh, yeah, there's, I'll include the link to the post on LinkedIn. So people can access this aka.ms security 101 beginners.
 

Um, what, what was the catalyst behind putting that collection of resources together? Who's it for? What, what was, what was the goal?  
 

Sarah Young: Yeah. So the Security 101 is, it's something I put together because I felt now there's a lot, I have to say from the word go, there is lots of security content out there and lots [00:05:00] of it is great.
 

So if I, uh, so I don't want anyone, I'm definitely not denigrating anybody else's work. Um, but what I found was that there wasn't, uh, a, that I could find any material that was just, Hey. You're interested in security. Well, let's talk about a really basic foundational concepts of security. Um, and not in the sense, mostly when you find material like this, it's usually very tied to a particular exam or study path, like a CISSP, um, or, or something similar. 
 

And actually I do draw on some of the, the curriculum from those, um, From the, from the, from those, uh, exams. But the whole point is that it's actually, it's, well, it's now eight lessons cause we just added one. Um, it's eight lessons.  
 

Sean Martin: I saw that. Yeah. I'm like, I'm one off.  
 

Sarah Young: Yes. Yeah. It's okay. That only got added last week. 
 

So, um, you didn't miss [00:06:00] it. Um, we didn't get it wrong. It did. It was seven. Um, and it's just some really basic concepts. Uh, because I think that there is a lot of training material out there, but it's usually directed towards achieving a particular goal, like getting a job, achieving a certificate, whereas I think there's a lot of folks out there that just want, or it's often tied to maybe learning a particular product of a vendor and again, any vendor, uh, there's a lot of stuff out there and I, I don't, and, and a lot of it's also very complicated because when I was doing a bit of a survey, uh, about. 
 

material out there. Some of it's like very, very detailed and long winded. And I think when you're a real beginner, it might be a bit much. So the idea was, this was very, very, very foundational. I'm going to teach you in a relatively short period of time, just some concepts like the CIA triad, uh, um, you know, what is non repudiation? 
 

Some of those really, really core things before we, and [00:07:00] let's talk about capabilities. So, you know, what, what is security operations? What are the capabilities? So we talk about a SIEM. I know in the US it's more "SIM" you say, but we talk about that, but it's not like, let's talk about a particular product or a particular vendor, whether it's Microsoft or anybody else, let's just talk about what that is as a concept.
 

Um, and what it is as a tool and a capability. And because I think that there is. A lot of, and the reason I think this is important, and there was a bit of a gap was that there are now a lot of people out there who are being, I don't want to use the word forced, but let's face it for some people it is becoming a necessity that they're having to up their security knowledge and a lot of employers will be like, here, go and do this course. 
 

Sometimes it'll be a vendor course. Sometimes it's more broad, but some folks are like, look, I just need to understand the absolute basics of this to get my head around it. Because, uh, I, I just think that's been a gap. So that's why I put this together. [00:08:00] It's just based on kind of me working in security for the last. 
 

Uh, 13, what, 12, 13 years. Uh, some of it is sort of inspired by some of the, uh, foundational things that come out of some exams. Um, I, like, I'm quite happy to, to say that. That's not, that's because these are just foundational concepts. But, uh, like, I've taken a load of stuff out that I don't think you necessarily need right at the beginning just to get your head around the concepts because what I found as well is that you'll find people who can talk about a product, um, because they've been taught about a particular product or a problem, but they don't understand holistically the rest of the, the problem.
 

So it's kind of designed for beginners and that's like students, um, or anyone in it, who's kind of, you know, whether they've had through choice or not, because let's face it, it's not always through choice that they are having to get their head more around security things. But without that being tied [00:09:00] to a specific product or a vendor or anything, because I do think there was a bit of a gap there. 
 

So that, that's kind of what I was doing.  
 

Sean Martin: Yeah. And I've had, I had the privilege, it's been a few weeks now, to sit on a workshop. It was a three-day workshop with, uh, ISC2, on the CISSP. So they constantly revamp, uh, the, the exam to be relevant and current and, and all that stuff. So I was, I was able to contribute for three days, which was pretty, it was intense, but very rewarding and interesting to collaborate with others.
 

Looking at, um, yeah, some of the topics, the way we, the way we speak about things. Uh, I mean, I got my CISSP what, 15, 20 years ago, so a lot has changed since then. And I try to keep up with it and the exam is trying to do that as well. And so what I like about what you're describing is, I mean, that's the CISSP is pretty intense and pretty [00:10:00] deep.
 

This sounds like it's a, it's a great foundation from which one can take a different path if they're into networking, they're into identity, if they're into, uh, protection, or you mentioned the SIM. So security response, whatever their, whatever their passion might be, they can, they can jump from this, um, So you mentioned students and, and IT folks who want to get their, let's say their beak wet in security. 
 

Do you, I don't know, can you maybe run through some of the modules? There are eight now. Nobody will be surprised what number eight is.  
 

Sarah Young: Oh, I know, I know, I know. So, um, yeah,  
 

yeah.  
 

So the, the modules are, we'll, we'll, we'll leave everyone on tenterhooks for number eight, although I'm sure people can guess. So, uh, the first module is about those. 
 

I mean, I call it, uh, I just call it the, uh, basic security concept. So that's the CIA triad. So confidentiality, [00:11:00] availability, and integrity. Uh, these are words that we throw around a lot. Uh, and what I find as well is that people who have only. Learned about security, possibly not less formally, and I've just like, listened to things in the media that everyone knows about confidentiality, but they don't realize that availability and integrity. 
 

Often, they often don't realize that that is also part of security. And that's why we care about all three of those things and arguably equally. But I think most people think just confidentiality, of course, cause we talk a lot about data breaches, et cetera. Um, then, so we also talk about some common cyber security threats. 
 

Again, we're just talking about those basic, basic, uh, concepts of what. Kind of attacks are what's out there. And then this is probably, uh, the one that I want, I'll talk about some of the other ones, but ones I want to highlight is risk management. Now I know a lot of people go, Oh, risk. And then they roll their eyes because they're like, Oh, risk is boring. 
 

Sean Martin: Unless you're like me who geeks out on it. [00:12:00] Yeah.  
 

Sarah Young: Yeah. And then there's some people who geek out on it, but I think a lot of security folks, uh, just go, Oh, risk, whatever. Uh, that's really boring. But the thing that is most important in there is, uh, like. what they call the circle of risk, which is using a lot of terms properly. 
 

So it's threats are materialized by attacks that are, that exploit vulnerabilities in a system that expose you to risks that are mitigated by countermeasures that protect assets that can be compromised by threats. And it goes round and round and round, but also What we find, and I find this with plenty of security professionals, myself included, that we don't use the word threat, attack, vulnerabilities, risk. 
 

We sometimes use some of those things interchangeably. We don't use them technically correctly. And I think, uh, like I don't accept that. I don't expect that to change anytime soon in the future. Uh, I think we'll still probably have, uh, you know, people not using them correctly, but I do think it's important that [00:13:00] people understand that there are, that there is specific language and they do mean something specific because that is kind of how we do security all the time. 
 

Um, we also talk about, of course, um, more high level, um, the, uh, The other lessons in there are identity and access management. What is that? What's the principle of least privilege, et cetera? Uh, we talk about networks, security fundamentals. I mean, I was a network engineer before I did security. I mean, I was like, Oh, this is a lot to go through in a very short period of time. 
 

Uh, because of course. You know, networking is a big thing in itself, but we sort of just talk about some networking concepts. Um, if you've never worked on it before, I'd like to think at least it people probably have done a bit of networking cause of course it's not new. Uh, we talk about security operations, fundamentals, uh, application security fundamentals. 
 

So, you know, we're talking about, uh, application security tooling, OWASP Top 10, et cetera. Infrastructure security, data security, uh, [00:14:00] which I think is one that is, it's getting more and more prevalent at the moment. I mean, data security is not a new thing, but use it with the advent of AI, uh, data security, like breaching data has become much easier with AI.
 

So now people are caring about it a lot more than they used to. Uh, it, it, it's interesting cause, um, I hear this all the time, you know, What about my data with AI? What's the AI doing with my data, et cetera, et cetera. You know, are you training your model on my data? And they're like very, very legitimate concerns to have, but in fact, data security, all our AI is doing, this isn't a new problem. 
 

This is a small tangent that I will. Not go on because we'll be here all day, but data security isn't a new problem. In fact, most organizations, to be honest, haven't done data security well for a long time. But AI is just really, it's much better and quicker at finding things you haven't protected well in your estate. 
 

And that's why it's [00:15:00] putting a spotlight on it. So that's, uh, just a. Random little tidbit, um, off data security. And then the lesson that we added very recently, cause I probably should have added it when I, uh, made this, uh, a few months ago is AI security. Um, because of course it's AI, everyone's talking about AI. 
 

Um, and, and we, it was, it was probably an oversight and, uh, on my part to not add it originally. So we threw that in just last week, actually. Uh, and so we talk a little bit about why. That's a problem. Uh, um, why that's a problem, uh, and, and a challenge, uh, for, uh, you know, and, and what the, what the, the main problems are in the AI space and what responsible AI is as well, because responsible AI is a new concept, a new idea, and you can't really extricate it from security that they're massively entangled with each other. 
 

So again, it's just sort of priming people for, uh, Understanding those [00:16:00] concepts and the main things we'll talk about. It's, it's not going into, this is how you fix everything. There's lots of other material out there for that. Uh, it's more of that just getting your head around some, some concepts and ideas, if you are like a complete, complete beginner and you need to go from scratch. 
 

Sean Martin: Yeah. So, uh, so AI, of course, I was just looking at that, uh, the first module in there and you kind of touch on some of the other modules. Um, so I, I presume you had to have the other ones in place before you could obviously tie the AI back to those.  
 

Sarah Young: Yes, that's right. I mean, AI security, uh, you know, security is a holistic thing and, and no, none of these security, although I have separated them out, you know, the reality is these different modules, none of this, that's just for people to get their heads around it. 
 

The reality is that none of these things exist in isolation or shouldn't do because There is no [00:17:00] such thing as one security control to rule them all. It's you, you have to have multiple layers. That's defense in depth. So, uh, it, it is separated out, but you're right. I mean, all of these things like together and AI, in fact, AI security in particular. 
 

It's actually not at least, you know, the, the field is changing very quickly. So I'll caveat this, but at least at the, at the moment we're still, you know, our main security controls for AI security are mostly things we've been doing for years and years, like we're still leaning back on our, you know, AI security. 
 

AI is essentially, when we talk about AI, we're still talking about an application. It's just an application that has an AI. You know, that is using AI. So really we should be looking at it from an application security perspective with, with a couple of extra bits, you know, so we should still be looking at how do we build this, are we coding it in a secure way? 
 

Are we, uh, you know, are we, are we. Connecting was the [00:18:00] application, uh, connecting, you know, if it's talking to a database, if it's talking to a data store, um, you know, are we doing that securely and are we doing that in a good practice way? Are we restricting the people can, who can access it? None of this stuff is new. 
 

And I think that's probably one of my, uh, obviously, cause it's. The, the, the thing that everyone's talking about, or has been for a while now, is that I really want to impress on people that AI security is not, there's, there's less new stuff than you realize. It's not a brand new problem and there's not brand new security controls. 
 

Most, lots of it is the, is still using the security controls that we have known and loved with a few extra bits on the side, a couple, a couple of things that are different.  
 

Sean Martin: Yep. Absolutely. So, uh, have you, have you received any feedback from folks who've used this? I mean, oh yeah, go for it.  
 

Sarah Young: Yes. I mean, do you know what? 
 

I [00:19:00] was very, uh, I was extremely excited because, uh, the great thing about GitHub, of course, is you get to see, um, you know, how many people have looked at it, how many people have forked it and people who've watched it and favorited it. In fact, I do love the statistics you get, um. Out of GitHub repos for things like that. 
 

And I was, uh, pretty shocked actually, uh, because I just felt it was a gap. Um, and, uh, I don't know, it got, um, I mean, it's only been out what the time we're recording this just under two months and we've already got, uh, 304 people have forked it, there's, um, we've got, uh, uh, 3,200-odd people who've starred it, favorited it.
 

So, you know, it seems pretty good. Uh, and, and so I, I really like that, of course. Um, so, uh, um, yeah, it seems like it is something that, that people, uh, people want and need. Something that's fairly [00:20:00] agnostic. I mean, I know I work for Microsoft and you can find this on the, uh, the Microsoft GitHub repo, but it is actually deliberately very agnostic. 
 

It's not talking, uh, I'm not trying to sell you Defender, uh, or anything like that, because, uh, Uh, there's, like I said, it's kind of before that it's understanding conceptually what the problems are and what the kind of, the kind of tooling is, like if you go off and buy something else or go and learn more about a particular tool and decide it's for you, that's fine. 
 

And that's that, uh, that this is not kind of a, uh, secret go, go buy all the Microsoft things, uh, because I think that, uh, you know, if it just, Understanding, uh, security problems from a product perspective, whether that's Microsoft or something else, isn't the way to go if you're trying to like understand holistically more what the security problems are. 
 

And I think just because of the way of the world, a lot of security training, that's not [00:21:00] something like a CISSP. And as you said, that's very intense, right? It's a huge, I've, I've done it too. It's, you know, it's a huge body of knowledge and You know, there's so many people now who are being asked to take on security as part of their role. 
 

They may not be a security, you know, their job may not be dedicated security, but they are being asked to take on some security. And I think it is unrealistic to expect that someone who may be, maybe a sysadmin or a developer, you're like, go and do your CISSP. That's not realistic. So, um, So it's like, kind of like, how can we like upskill your security knowledge a bit with, with these concepts? 
 

So you understand also, so you can understand where a security person, uh, you know, say you're talking to your security architecture team or whatever team you have. So you can understand where they're coming from because a lot of the time, the conflicts or sometimes the friction that is there. that you see between security and other [00:22:00] parts of IT and the wider part of the business is more that, uh, it's more that people are not just speaking each other's languages. 
 

It's, it's not that they don't understand. It's, it's just that. Many of the parts of it, they, they haven't had the knowledge and they don't look at it from the same perspective. Usually everyone's trying to get to the same place, but they don't speak the same language, they don't have the same perspective. 
 

Um, for example, this is the example I always give. Years ago I was working, before I worked for Microsoft, I was working, um, as a kind of ex uh. Uh, I was working as kind of like an external contractor for a large, uh, uh, a large organization here in Australia. And I was working with, uh, uh, a load of devs and they were putting things in the cloud and it was relatively new what they were doing. 
 

Uh, and they had a, what I would call quite an old school security team. So most of them had been there a very long time. Uh, [00:23:00] they were, um, all. Um, uh, they were all sort of fit a certain demographic. Um, and they really enjoyed saying no to things that were new because they didn't really understand it. Um, and, uh, they, and, and I was speaking and I, my job was to help the developers. 
 

the developers had to bring them like a couple of pages on what they were going to migrate. They were, they were basically breaking up old applications, turning them into microservices and putting them in the cloud. But the security architecture team had to review what they were doing. And one of the devs brought me his, uh, his code. 
 

Like the template that we had, it was a couple of pages long and they had to basically draw out the system and, and they had to put all the different, um, you know, how, how the, the different elements of, of this microservice were talking to each other and the protocols, et cetera, et cetera. And some of these things were very old and they were essentially, for want of a better phrase, shoehorning them into the system.
 

The cloud, um, and, and some of these things were really old and didn't really like it and they were so old, they didn't [00:24:00] support anything like TLS. Uh, they had to talk in Telnet, which is just, you know, I, I weep, but these things happen in real life. And one of the developers had brought it to me and he'd put, cause obviously Telnet was contrary to security standards, but he'd put in the, uh, in, in the kind of justification, we can use Telnet because it is safe. 
 

And I was like, you what? And I was like, I was like, you can't, I was like, what? And he said, well, it's safe because, I mean, that's all he'd written, because it is safe. And I was like, please tell me you don't think Telnet is safe. And he was like, oh no, I know it's not safe. And I was like, but why have you written that? 
 

In the thing, the security architecture team will go nuts when they read that. Um, and, and he said, well, it's safe because, uh, it's not being exposed to the internet. It was actually, it's not, it's, it's all internal within this, um, you know, within this network group, within the cloud, um, it's not going to be [00:25:00] exposed externally. 
 

So, you know, it, it, it's safe. And I was like, okay, totally understand what you mean, but this is not what you have written here and this is not how security will interpret what you have written. So I, I explained to him, I said, what we would say here in security is we would say, um, you know, we get, you'd say something along the lines of, we get Telnet's not great, but it's the only thing this application supports.
 

There is no way to, to upgrade it because it was so old. I mean, I'm actually surprised we could get it into the cloud, but there you go. Um, but we could, they could, that's another story. And, um, but it is low risk because although Telnet's not great and we know that we, we can't do anything else cause it just doesn't support it.
 

And. It's low risk because we're not exposing it to the internet. And there are all these other like compensating controls that mean it's not going to be exposed to the internet. And, and so I, he went away and he sort of rephrased everything came back and I was like, love it. Um, this looks great [00:26:00] because what you're showing here is that. 
 

And they did understand. It's not that they thought Telnet was safe, it's just they didn't have the language, they weren't looking at it from a security person's perspective, because why would they? They're devs, that's not what they've been trained to do. And I said, but when you have that conversation with folks and you explain to them, like, hey, don't say it's safe. Let's say they said it's not safe, but if you say it's low risk and this is why it's low risk, and you can show that you've actually thought about it, you're not going to give your security architecture people who are reviewing this a complete heart attack. And then, because, you know, for a lot of security people, I think we're getting better as an industry, but they would see something like that and they wouldn't question it and say, hey, what are you actually trying to say here? Are you sure? Do you really think Telnet is safe? They'd have probably just gone, oh my goodness, what the heck are these people thinking about? That's a no, [00:27:00] like, go away. We're not allowing this, you know, your request to do this is denied. And I think that's a shame. And you know what, after I sort of had a chat with the devs and they brought a few of these things to me, because they were bringing them to me, these were very small microservices. I was looking at them regularly, like four or five of them a week. After a couple of weeks, they'd still send them to me. And I'd be like, yeah, this looks fine. This looks good. You've got the hang of this. Like, you get it. And it wasn't that they didn't get it. It's just they didn't know how to write it in a way, or express themselves in a way, that made sense. That gave the security folks confidence that they actually had thought about what they were doing, because they actually had; it's just they didn't know how to put it down on a piece of paper for review. And I always talk about that example, and it always sticks in my mind because, you know, I think a lot of the time, and we're IT folks, you know, a lot of us, I wouldn't say EQ and communication is necessarily a strong point. And I think there's sometimes just [00:28:00] a lot of, that collaboration and communication and being curious rather than going, oh my goodness, what is this idiot doing? Just know the answer is no, like, red stamp it. I think that's something that we all need to get better at. I think so.

My idea was, for non-security folks who work in IT or in other parts of organizations, because let's face it, everybody interacts with IT nowadays, that this could help give them some tools around thinking and understanding the language that we use and how security comes at it. But I would say that I am not saying that we as security folks don't have work to do there as well, and that being a little bit more forgiving, being more curious, and asking questions rather than just jumping to conclusions about what other parts of the business are doing, because I personally believe, I'll get on my soapbox a bit here, security is not that [00:29:00] hard. High-level security concepts, like, of course there are some niche bits of security. If you want to be a security researcher, if you want to be a penetration tester, a red teamer, of course that requires some very specific skill sets. But understanding security concepts at a high level, what we're trying to do, what we're trying to get to, is actually very straightforward. And I think, unfortunately, we as security folks for a long time have, for want of a better phrase, been gatekeepy around security. And then, like, you know, to the rest of IT and the rest of the business, all this is security, it's very difficult, it's very complicated, you wouldn't understand it. And I hate that because it's not true. Security is an awful lot of common sense, and I think that if you are explaining security to someone and they don't understand it, you're probably trying to go too in depth, or you might just not be very good at explaining things. 'Cause I [00:30:00] genuinely believe that, and because I spend a lot of time doing this, and even in my spare time I love a chat about security with people. I think, like, even to the everyday public, you can explain security. I just think we have been, as an industry, quite gatekeepy, being like, well, you know, this is very, oh no, security, oh, it's very difficult. And I detest that, because we have a shortage of security professionals in the world, all over the world, no matter where you are. And by bringing some people up to speed with some key security things, whether or not they want to go into security as a career, is not going to affect your career prospects.

It's really not. Yeah. But I still think there's some reticence, at least for some folks, to try and kind of fix that a bit and bridge that gap. And it's beneficial for everybody. If we all do security better, it doesn't mean that we who work [00:31:00] in security as specialists are going to lose our jobs, because there's a massive gap in how many folks we have anyway, but by bringing more people up to speed, then we are just, you know, we're uplifting security posture more generally, because people who are trying to do breaches generally don't go for security users, right? They're probably going to go for somebody else, because that makes more sense. So it benefits all of us to help people understand, even if it's just at a very high level, those basic security concepts of what we're trying to do. Because, you know, it's a lot of common sense. It really is.

Sean Martin: It is. It is. And I'm going to go back to a point you made in the conversation. 'Cause the goal for the business is to get from A to Z, right, and do it again, repeatedly and more efficiently and effectively, to grow revenue and make everybody happy. If security is there stopping [00:32:00] at B, because the devs presented at step A with limited knowledge of what security is going to do at step B, that's not very effective. So I think the better you can communicate, the more likely you'll move beyond step B and C and on through to Z. The other thing is, as you're moving through A to Z, you kind of, I think you spoke in the words of somebody who said, well, what are they thinking here? This is really stupid. It's not safe, right? The lack of trust gets set as well, if you're not communicating on the same, to your point, it goes both directions. So I think a common understanding that can be leveraged to move from A to B to C, I think, is super powerful. And I can see many, many cases where this repository that you put together, I don't know if that's the right word for it, but it's a collection of [00:33:00] resources with exams at the end of each thing, I can see people sitting down at lunchtime and going through a module and then, at the end of the week, taking the exam together. And this could be folks in IT, it could be folks in legal, it could be folks in procurement looking at third-party stuff, up and down the organization. I can see value in having them at least have an understanding of, yeah, the bare necessities of cybersecurity, if you will.

Sarah Young: Yeah, that was basically the idea, because like I said, it never hurts anybody to understand this stuff nowadays, because like it or not, we all, and I know that some folks don't, but the fact is we all have to help out with security, you know, team sport and all of that. But, you know, so if we can help. And this is something, I think, you know, it's a two-way thing as well. I think a lot of folks are curious about [00:34:00] security now as well. I just think that the problem is a lot of training is too in depth, more product-specific, and it doesn't really lend itself to maybe sort of a casual browse, or someone who's really starting out and then they can go on to something else that's a bit more in depth. 'Cause I mean, when I did this, I was super worried because I was like, is this too basic? And of course, to me, who's worked in security a long time, of course it's very foundational, but like I said, it seems to have been received really well. So I am very happy about that.

Sean Martin: Yeah. Well, it goes beyond, I mean, the super basic is don't click on crap, which doesn't do much. This actually provides some value. I think, obviously, training in the other way does too, but I mean, this kind of lays it out there how, hopefully, people can see this: our business runs this way because we use [00:35:00] technology and these practices. And I think with the work you've done here, people can make that connection. I think that's super valuable. So Sarah, thank you for, one, putting that together, and I'd be curious to know where all those forks are landing, who's updating it for what reason. But yeah, if there are any stories, if anybody listening has used a resource, I'd love to hear, maybe throw a comment in the post chat there and, yeah, I think

Sarah Young: Yes, I would, yes, because it is completely open sourced and, you know, people are welcome to do whatever they want with it. And so, yeah, I would like to know if anyone's doing cool things with it, because it's really awesome.

Sean Martin: Yeah, so please do. If you haven't heard of it, seen it, go check it out. If you have and you're playing with it, let us know and, [00:36:00] yeah, if there's some cool story or program built around this thing, maybe another chat is in order. But for today, Sarah, I want to thank you for having an early start to your day to join me, and for being flexible. I know we had some challenges in getting my schedule sorted. So thanks for being flexible for that. And everybody listening, take a look for the link for this and please do subscribe, share, follow Sarah as she does this and many other things for the community at large. And Sarah, thanks again for joining, and we'll see everybody on the next episode.