Cyber Security Summit & Expo – My Experience


Introduction

On the 16th of November, I attended the Cyber Security Summit & Expo at the Business and Design Center in Islington. I thought I may as well write a post about it and share my experience and the information I gained. I’ll break it down into the talks I visited and the companies I spoke to, just so it’s a little easier to read and find what you’re actually interested in.

The Event

Getting to the event was very easy and hassle-free. Being Staffordshire based, I got the train from London Euston; from there you just jump on the Northern Line (Underground), and the second stop (Angel) was basically outside the Business Center.

I’ll start by relaying the information I received from the expo companies. I didn’t get the chance to speak to many, as I was in a conference or talks for most of the time; plus, I got there at 12:30pm and wanted to focus on the conferences as much as I could. Anyway, I’ll talk about the most valuable information first and the least valuable last.

CompTIA & (ISC)

Probably the most valuable information regarding my studies came from CompTIA and ISC. If you are not aware, these are two certification providers that are globally recognised, and their certifications are pretty handy to get if you plan on getting any job in the security industry. I was struggling to understand the benefits of particular certs and when to do them. Lucky for me, both organisations had booths where I could ask questions. I found out, from a chap in the ISC booth who was extremely helpful, that the best way to do it would be:

Get certification in CompTIA Security+ before my placement year (this is due to how good it looks on your CV, with it also being an entry-level certification. I was already planning to do this, though I was unsure due to the cost. I also found out that you can get a substantial student discount on both learning resources and the exam by signing up with your university email). After my placement year, I should move on to getting the Associate of ISC Cert (you have to have at least one year of experience in the field before you can apply for any ISC Cert). Once I have achieved this, I finish my final year while looking for a grad job. While looking for one, I would state that I am looking to complete my ISC Cert (probably CISSP). This would let the company know that I would need at least four more years in the field before I could take the CISSP exam. Therefore, I would be more inclined to stay with them for that four-year period. Also, all of this would look great on a CV and make you stand out from a crowd.

DarkTrace & Symantec

I enquired with both of these companies regarding any possibilities of placement opportunities. Unfortunately, neither offers any. However, I got two separate answers. For DarkTrace, I was told that they were not there for employment (understandable, as everyone was trying to sell services rather than recruit) and that I should look on their jobs site. After a quick look, they offer no placements at the moment. However, I have contacted their HR department, and I’m just waiting for a response.

Symantec, on the other hand, does not offer any internships/placements in the UK at all. This is apparently due to a move around they had. All their engineer positions are now in the States, which I really wouldn’t mind doing (I have been applying for internships in the States). However, a lot of companies seem to be put off when you need visa sponsorship. Anyway, through looking around and speaking to a few other booths, I quickly realised that no one was really looking for employees; they were more just selling their products and services. By this time the next conference was ready anyway.

Talks

In this section I’ll talk about all the talks I visited, any questions I asked and pass on any handy information to you. I’ll start with the most valuable talks, heading to the least.

Developing the UK’s Cyber Skills for the Future (UK Cyber Challenge)

This was one of the most valuable talks for me, as it contained a lot of information directed towards individuals attempting to get into the field. I knew about this project previously; however, my impression was that the project was aimed at well-established security professionals more than students or just anyone who wants to apply.

The program is an 8-month-long competition that pits individuals against each other completing various security and forensic tasks. About eight thousand people take part, and the best 42 get asked to an event called the “masterclass”. Here you fight in teams of 5 to win the overall competition. There are prizes for the best teams; these include educational benefits such as free degrees and courses, and also a trip to Black Hat Vegas this year.

There were two contestants from 2015, who spoke a little of their experience. The main tasks they were completing were secure programming, finding vulnerabilities in networks and code, and database queries. By the sounds of what they were saying, everything is CTF based. They had some great advice too. They noted studying is the key, and it needs to be done as much as possible to keep up with the times. This is pretty obvious if you know about the sector: keeping up with the bad guys is one of the hardest parts of this sector.

At the end of the talk, I asked the question “What level of experience did you have when entering the competition?”. The reply was pretty interesting to me: both said they had worked on a computer science degree (software dev) and then just applied with no security knowledge, and both of these contestants made it to the masterclass. This surprised me quite a lot. Actually, I consider myself to have a decent level of knowledge in security but would be pretty nervous entering a competition such as this. With that reply, I will definitely take part next year; it should start around Feb time.

Optimising Cyber Resilience – Board Room Insights

This talk was a panel of people: the security director of Trainline, the CISO for RBS and a consultant from Practiq. These people were all high up in their respective companies and gave information on how they communicate with board members. This gave me some valuable insights into how I could approach situations in the future. For example, they all spoke about how initially the board of a company might put security on a back burner in favour of advertising etc. It was said that your job is to ensure they understand security, but in a language they understand; the best example of that was finance. If you were to talk about money, and how much would be lost, the board would react more positively than if you were to talk about core security issues.

According to the panel, companies “woke up” after the WannaCry attack on the NHS; all members said that companies started to realise the damage that could be done, and have started to take more action. This is a positive thing for me and anyone else trying to find jobs in the sector, as there will be more jobs available with higher pay. Overall this talk was a pretty decent insight into higher levels of companies and how they interact with security departments. Information such as this will be precious in my future career.

Conclusion

The day was great; I gained a lot of information and met a lot of people. It has just proven to me that this is the right industry to go into and how much I’m looking forward to it. I haven’t included all the talks I attended, so if you want any more information, feel free to email me at josh@joshuaonsecurity.com. Thanks for reading, and see you in the next post.