Notes and responses to questions from #CyberFest 21

These are the questionand answers, as well as comments from the #CyberFest 21 events. The document will grow over the following weeks and will become more relevant when the videos from the events are published in October.

Cyber Security in a Rapidly Changing World (Sep  7)

Q1 – What are the qualities a cyber security aspirant must possess without any prior experience?

There are a broad range of interpersonal and business skills which can be transferred to a cyber security role. Critical thinking, analytical, people &report writing skills are all examples. Employers will often look for demonstratable passion and aspiration for the field – if a candidate does not have cyber specific experience in cyber sector, one suggestion would be to join and become involved in one or more of the available cyber forums. For example both (ISC)2 and OWASP North East chapters are free to join – these both provide great opportunities to network and learn. Membership is of mixed ranges of experience and new entrees to the sector are very much supported.

Q2 – How can I start a career in IT Security being recent fresher Computer Science Engineer. I do have basic security knowledge but cant afford certification like CEH as of now.

If you are in an existing organisation, look to see if any cyber opportunities are available, even if not talk to your security team lead to discuss career options and entry opportunities into the team. Many organisations today will recruit internally and often will consider employees from other areas of the business – recognising the wider skills that can be transferred to a role. Additionally, prepare a long term plan for certifications that are appropriate to your area of interest – this can then be pitched to potential recruiters to demonstrate a commitment to achieving professional certifications.  If you are not currently employed, as in Q.1 – join your local security forums to become involved and recognised in the community, also it can be beneficial to talk to local recruiter agencies.

General advice 

The (ISC)² Cybersecurity Qualification Pathfinder will match you with the certifications that can help you most in your career right now.

Example result for someone who does not currently have experience:

You May Not Have the Right Experience… Yet

While you may not have the required experience right now to earn an (ISC)² certification, we can assist in your professional development.

Learn more about our alternative pathway to certification through the Associate of (ISC)² program.

Try our free Security Awareness Training at Coursera to learn more about basic cybersecurity principles.

Join an (ISC)² Chapter near you or our online Community to meet cybersecurity professionals for guidance and support.

Attend our free Webinars or take advantage of other online events.

The following book may also be of interest to get you started. 

CAKE 41: #CyberFest – Innovating In Cyber Security Through Art (Sep 8)

Cyber-security and data streams as inspiration. Artists and designers produce work and commentary on the world around them, and since digital data feeds and the associated risks are increasingly prevalent so artists are creating works on these themes, for example, as we see in the pieces and installations of the University of Sunderland/ Creative Fuse North East/ Cyberfest project, ‘Cyber Eyes Wide Open’. This may take the form of digital content itself, which is prone to piracy except with controversial encryption such as NFTs with their high energy usage, or expressing through traditional works. Rhonda Fenwick’s piece is adapted from Hokusai’s Great Wave, which we all agreed is an apt image representing the information overload of the age the disruption of cyber attacks. Robert Campbell who is a cyber security professional who was also involved with the project and he counterposes the double-edged benefits and and risks of digital technologies.

Cyber-security and the Business of Art. Artists and creatives typically work in microbusinesses or as freelancers, and nevertheless increasingly need to be aware of the risks of cyber attack with regards to holding data on their customers, as well as vulnerabilities in their own online financial affairs. Some of those present had already experienced attacks on their bank accounts. They are also conscious of the need to be updated with regard to GDPR practice, and the various options for digital transactions channels. Artists and small firms are not reassured to see that these platforms have also been hacked and that large organisations with great resources seem unable to protect their data continuously. It adds to the anxieties of the business side of arts and creative work.

Everyone learns in a different way yet we tend to approach the training and advice on cyber security in one way. People can feel overwhelmed by the threats and the information that bombards them. There is a need for more calls for art engagement, commissions from businesses via a brief, creative campaigns that raise awareness and cut through more corporate imagery. We need modern day cyber security fairy tales.


National Cyber Stratecgy (Sep 9)

Q1 – Can we get an e-copy of this Government publication, National Cyber Security Strategy 2016-2021?

The 2016-2021 strategy can be found here.

Q2 – What’s areas where there is more work still to do for the next strategy? Encryption & protection of data, getting orgs to address legacy computing (vs every other priority).

We agree these are important priorities. Other areas we’re focused on include cyber skills, tackling ransomware and influencing international debates about the governance of cyberspace

Q3 – Can we get e-copies of the progress reports on Cyber Security Strategy?

The progress report on the 2016-2021 strategy can be found here.

Q4 – Building business and generating growth appears to be missing from the vision – more about defence? is that missing a trick?

Driving the continued growth of the cyber sector is a key ambition of the strategy. In terms of growth in the wider economy, we see better cyber security and resilience as a key enabler of that (hence one of the five goals being to “build a more resilient and prosperous digital UK”) but other parts of the Government’s digital agenda such as the Innovation Strategy and Digital Strategy will also be important parts of how we drive that growth.

Q5 – What will generate a large uk revenue base from cyber and services provided by cloud orgs / microsoft licences?

If this question is about how we grow the domestic ecosystem of cyber security / IT services providers, the strategy will build on existing DCMS initiatives to support businesses at the different stages of growth.

Q6 – Where will the UK tax take be from all of the spend ? & how will it feed back into investment.

In general there is no link between tax generated by cyber spending directly to further cyber investment.

Q7 –  When will NCSC get more regional presence – extended to regions rather than Cheltenham / Manchester / London

CyberNorth is working with NCSC on a number of initiatives in the region. The development of a strong NE cluster will support these relationships

Q8 – Where will dosh come from for Legacy upgrades when Govt and economy is cash strapped ? & Licencing costs are going up ?

This is obviously a challenge – the current Spending Review will consider where Government should direct its investment, and alongside that businesses will need to consider their investment priorities based on their assessment of risk.

Q9 – Treasury office location going to Darlington. What are integration opportunities for other parts to move up too ? Advertising of roles across UK and outside of london ?

The Civil Service is continuing to consider what opportunities there are to expand its presence outside London (for example the Cabinet Office has established a second HQ in Glasgow) but insight into specific plans is not available.

Q10 – How will the strategy affect budgets to come here ?

A key part of the strategy will be to continue supporting regional capacity building across the different parts of the UK, including through the clusters, but budgets will not be known until the Spending Review is complete.

Q11 – Integration with board toolkit ?

The board toolkit is an important part of the suite of measures NCSC uses to help businesses improve their cyber security and we wil continue to strengthen the range of services they offer as part of the next strategy.

Q12 – How will you harness the ideas from across the regions and build via a shared document / plan that captures budget, ideas and priorities over time ?

We will continue to look to the clusters and UKC3 to build a shared picture of priorities for building cyber capacity across the regions as we implement the strategy.


Cyber Security and Fraud (Sep 16)


What are considerations to which reports are actually acted upon, once reported via action fraud and to local police & banks?

Actionfaud does nothing when reports are made.

Such great points. The portrayal should totally be moved away from victim-blaming. Like Sharon says these ‘scams’ can be incredibly sophisticated and use new technologies that it’s very difficult to spot.

I agree, I deliver cyber security awareness sessions to the public as part of my role as the Cyber Protect Officer for Northumbria Police and I always share my experience of falling for a Facebook phishing scam while I was actually working in my current role! Always makes the audience feel more comfortable sharing their own experiences. 🙂

Jim Browning who is YouTube famous for “hacking” in to scammers CCTV was recently victim of someone taking over his YouTube channel – he admits it only takes the right message at the right time and anyone/everyone could be a victim

Yes I think young people are more trusting of tech, and older people have more experience of old style ‘analogue’ scams.

Here in the Northumbria Police cyber crime team we educate the younger ones around using their tech skills (programming, coding etc.) for safe and legal use and emphasise they can work towards a really good career in cyber if they stay on the right side of the law….we also educate them from a protect side as well to ensure they stay safe as possible from these cyber threats – they’re very receptive to both sides which is great!

Criminals are not going to stop once they have one victim – it may be unfortunate for the individual or organisation but by involving legal and law enforcement (and other organisations) we can work towards protecting other people and businesses

You can get free cyber security advice from the police, we have services and tools which can help – all our advice and guidance is free as we just want to reduce the chances of people becoming a victim of crime

We have cyber crime units in each North East police force, Cleveland, Durham and Northumbria and a regional cyber crime unit

One of the benefits of the Police CyberAlarm tool is sharing intelligence about attacks that have been defended against not just the attacks that have been successful

What do you think of the IT Acceptable Use Policies / Cyber training of your organisations, and how beneficial they are for user behaviours ?

We all have cyber security skills, knowledge and experience and we should use this to help other people.  Spiderman said “When you can do the things that I can, but you don’t and then the bad things happen they happen because of you”

There are regulators in the UK and abroad that require companies to report significant cyber security incidents for instance ones that could have a material impact on the value of the company. As an independent consultant working in cyber security for a number of years, I have been “forced” through contractual requirements to be “inactive” in reporting incidents. This has always made me uncomfortable and I haven’t remained with the companies for long! Are non-employees protected through whistle-blowing?

Genuinely self employed contractors don’t have wb rights, but there is a broad definition of worker in the law for whistleblowing.  We’re campaigning for change here because no one should be put in the position of being told not to report – and any clause in a contract that purports to stop whistleblowing is void.  Call our advice line if you want to find out more!


Building a Cyber Security Business (Sep 21)

Q1. Do you accept applications from Community Interest Companies (non-profit)? 

Hi – we would. However, we would need to understand the growth and job creation and the ability to service debt. It’s always worth an early conversation though… if you have a query just pick up the phone!

Q2. Are businesses located near Manchester considered? 

Our funds are only for NE businesses. There will be other funds over in the NW – check out the BBB website to see who the funders are. I know FW Capital operate over there.

Q3. What are funders looking for when you make a pitch?

From NEL’s point of view we are a local debt funder helping local businesses to grow and create jobs. We are looking for the journey to date and what the plans are going forward. We need to see a capable management team with good financial control, something that is fit for purpose. The business really needs to be profitable or at near profitability and therefore can demonstrate with confidence that the business can service debt out of trading profits. We are sector agnostic but clearly a product or service that is adding value and contributing to the low carbon agenda would be positive. Other funds look for different things eg equity, the focus will be on ability to scale ie the business model and the team to deliver. The key is know your audience ie who are you pitching to and what funding are you looking for.

Q4. What do people mean when they say ‘A’ funding etc.?

Series “A” financing refers to an investment in a privately-held, start-up company after it has shown progress in building its business model and demonstrates the potential to grow and generate revenue. So this is after proof of concept, early stage business. We talk about seed capital, angel investors and crowdfunding at this stage. So “B” financing is the next stage of funding after the company has had time to generate revenue from sales. Investors have a chance to see how the management team has performed and whether the investment is worth it or no. It’s all about risk and reward. The earlier the stage the higher the risk the higher the potential reward.

Q5. job descriptions and reflectiveness of the role ?

Answered within the event.

Q6. Are fees the reason that orgs seem to have now moved to internal recruiters ? 

Answered within the event.

Q7. advice on sifts ?

Answered within the event.

Q8. Where does the sale happen? 

Answered within the event.


Cyber Security across Manufacturing, Industry and Supply Chains (Sep 22)

Q1. How do you see the adaptation of OT Security for manufacturing.  Do manufacturers see the difference between IT and OT? 

Answered within the event.


Cyber Security Skills and Employment Opportunities (Sep 23)

Q1. What do you think the skills demand is for?

Answered wihin the event.

Q2. What is Zero-hour contracts? 

Contracts with no commitment to any guaranteed work or pay

Q3. Teching methods must improve in distance learning. In some cases people with no teaching abilities but good technical knowledge try to give clases. Content and method needs coherency. How do you assure that contract? 

Sunderland College – All lecturers are put through teacher training programmes and therefore have good pedological theory to education and in addition to this the technical knowledge required to deliver the lessons. All remote lessons will have an element of research/study within them which can then be placed into practice once a learner is in a physical classroom. If for any reasons e.g. In Covid-19 lockdown when a learner cannot attend then we have systems in place to do practical work from a distance.

Northumbria University – The University used current academic staff to deliver online material (through the pandemic). Recruitment and interview processes are rigorous and a key element of that is the ability to teach and demonstrating teaching experience. There needs to be a mix of academic (teaching and research) skills but also current industry knowledge and that is often a hard combination to find in one individual.

Cyber Security – It’s a Rural Issue as well (Sep 28)

Q1 – Organisational hiring attitudes need to change about commute to large cities / head offices? they still believe staff need to be in the office

Answered within the event.

Q2 – Will certification exam fees come within the courses to enable people to leave the courses certified?

Answered within the event.

Q3 – What microsoft qual would they be able to get?

Answered within the event.


Cyber Security for children and young people (Sep 29)


Kids want to use the services of tiktok and snapchat filters on pictures, insta.

Strong passwords are not going to be the answer for kids

Risk assessment is going to be part of the training for  kids

Interesting to think about teaching children about the persuasion techniques that are being used – knowing how they are potentially being manipulated

I work for a cluster of FE colleges in the South East. We have lots of digital students who take part in projects and are interested in cyber security. Would be great to roll out a reverse mentoring project where the students can help educate adults and younger learners about the risks, the legal elements etc.

What about “innocent” data collection eg. Fun Facebook surveys, seemingly educational tools?

We’ve done some work that looks at using technical demonstrations of the actual attacks (showing them how passwords are guessed, how phishing websites are cloned in seconds, etc.) and how they can help children be more aware of how these things happen and understand protective advice

The bystander effect is particularly prominent – not knowing who has witnessed a cyberbullying event, leads to an assumption that it is everyone

I have done some research in this space and found that children will not share with their parents that they are being bullied as response is to take the device away – perceived as punishing them as the victim.

This works both ways, as older adults are also perceived as vulnerable.

Elderly is a hard problem to deal with, especially vulnerable to letters, phone calls

Our example of educating older people so they can share and help other older adults:

Just this morning my grandparents were entering their details into a form from a link on an email as they thought they’d won a £500 gift card 😱 with things like this i feel confident on what to look for and how to intervene, but when it comes to what children are using i have no idea! Tiktok, fortnite, in-app purchases, roblox etc etc. Some practical tips for an average parent would be hugely appreciated!

What are the plans for budgets in funding the appetite gap within boards for IT expenditure, budgets and staffing ?

How can you modify the terms and conditions of use of the website? it’s not going to happen.

Most cookie notifications on websites are unhelpful and people just click through without reading. DCMS is currently consulting on reforming the law that requires this:

Thoughts on fitness tracker watches for kids and what is an appropriate level of sharing – or not of kids location or ipad ?

If orgs have users from EU using website will you also have to register with and EU country/organisation on your behalf? – i.e. representative in Ireland ?

Is there expectation that will be different/similar models coming out from other countries?

Ooh sharenting!

We may not incentivise but we do help manage risk – we restrict their behaviours to what we see as age appropriate – i wouldn’t leave a two year old to cross the road alone, but people do leave a two year old with an ipad on the internet

People do manage the content that is watched on youtube though.

Do kids want protecting from online content – no. They want to use the websites they want to use.

Children and young people need to influence the design of the message, they are the experts now!  

“Leave a 2 year with an ipad on the internet” – yes you do. with youtube, with videos they select.

Our risk assessment is that I & my wife don’t think there is a significant issue with access to apps and use of those apps – at age 6. video content is fine, taking pictures on snapchat with silly filters is fine. talking to their friends via facetime is fine. #

The increasing sophistication of cyber criminals is that everyone is at risk. We need a combination of education, regulation, better tech & design, law enforcement and incident recovery. No silver bullets here.

There are videos with subliminal messages in them for “child safety messages” and recycling & environmental messages – the hand that rocks the cradle rules the world.

The hardest thing for a parent is to be able to listen without judging or stepping in to protect your child. You want your child to feel confident to come and discuss anything they have seen on the internet (or otherwise) with you. That they would seek your support

What proportion of activity are you seeing as being bad ? what proportion is good – i’d say you’re talking about 99.9% brill and 0.1% bad – perhaps it’s important / need to get a wider perspective on things ?

People communicate in a good and bad way with each other all the time, in physical, telephone, video, and messaging . physical / cyber is similar about how to communicate and who to hang around with.

DCMS consultation – what of the principles are unsatisfactory ?

Need to build digital literacy and resilience in children – conversations with children are key, age appropriate understanding of the risks but also need to identify ways of coping that children agree to

New post: Northumbria students launch green awareness campaign for Metro operator…

Join our
mailing list