Data breaches and other security incidents have become a frequent, severe problem for organizations. But with incident responders in short supply, there are fewer professionals available to help organizations in their hour of need. For episode 58 of Cyber Security Sauna, we were joined by F-Secure incident response consultant Eliza Bolton, who successfully transitioned to cybersecurity from the nursing profession, and F-Secure’s head of incident response, Matt Lawrence. Matt and Eliza share their views on tackling the cyber skills shortage, why diverse teams are more adaptable, and why Eliza’s background as a nursing assistant is an asset in the world of incident response.
Janne: Eliza and Matt, welcome to the show.
Matt: Thanks, Janne.
Eliza: Thank you.
So we’ve been reading news articles about the cybersecurity talent shortage for years, and some people say that this is the result of unrealistic expectations meeting ineffective recruitment practices. What’s your take on this?
Matt: It’s interesting. When we’re talking about the skills shortage, we’re looking at forward predictions, and I always want to point out that nobody in 2019 was really predicting 2020.
But if you look at all the figures, currently there’s somewhere in the region of three million cyber security professionals globally today. Most of these estimate that there’s a skill shortage of around four million roles, and that’s in both the public and private sector, and that’s only in the eleven major world economies. So it’s reasonable to assume that it goes much further than this. And beyond the situation we’re in today, the skills shortage is expected to peak in around about five years’ time, if reports are to be believed.
So simply put, we have a big problem and it’s getting bigger. And in incident response, I think, ransomware over the past couple of years has been a wake-up call for many organizations because it’s impossible to avoid the impact of your entire network being encrypted. And more companies are waking up to the fact that they need people with these skills at their disposal when they need it most.
And yet quite broadly, the industry, as we stand today, isn’t prepared for this. And we really need to do more, now, to cope with this upswell of attacks that we’re expecting to see.
So we can’t just sit back and expect the universities to turn out quality skilled people for us. So we need to take steps ourselves.
Matt: Absolutely. We have to take an active responsibility in ensuring that we’re able to defeat this. And of course, there’s many different approaches here. It’s not just simply about hiring people. Although I would argue that that is of course the most significant issue here. We do need to diversify our sources of hiring beyond graduates and purely experienced people.
And there are a range of benefits to doing that. It’s not just about filling headcounts, particularly in incident response. That phone can go on at any time of day. And you cannot generally predict that, particularly for a service like ours that is global. You cannot predict the organization that’s going to be calling that number at any given time. And having a greater mix of skills and life experiences is fundamental to enable us to be more sustainable in how we provide services.
But that really comes from, I feel, the whole industry reviewing and updating the hiring practices to fit more with the modern world. And for me, Eliza is somebody who definitely speaks to that.
Eliza, can you tell us a little bit about yourself, your background, before you began your career in incident response?
Eliza: I come from a rural village in Norfolk, where internet is basically non-existent. Even just to get this recording, I’ve had to ferret around to try and get somewhere so I got steady internet.
I thought I wanted to follow in my mom’s footsteps into nursing. And I did get a place at uni to do general nursing. And then before that, mum was like, “Look, just to make sure that you want to do this, please, go and work as a nursing assistant.” So I got a nursing assistant job at our local hospital, and I worked around for a bit in different departments. And I found that I absolutely loved working in A&E.
That’s the emergency department, for our international listeners.
Eliza: Yeah. So it was such a lovely place, you’ve got doctors, you’ve got the consultants, you’ve got the nurses, you’ve got the HCAs, to me. And we were all such a big family and worked together, because you never knew what came through those doors, and it was just really great.
And then I did some traveling, and then I was very lucky to be introduced to Matt by my brother, because my brother actually works for F-Secure too, but in the sales side. And he said to me… “Look I think this would be really good for you. You love problem solving, you have a logical way of thinking, you love your maths, you love reasoning. I think going into something like incident response would be really good for you and you’d really enjoy it.”
So I was then lucky to meet Matt, and I had a coffee and met some of the team, and was just fascinated by what they were talking about and thought, “This sounds really cool. I would love to go into this.”
And I was then very lucky to be offered an internship in IR, being their first guinea pig. And yeah, from there I’ve just loved every minute. And it’s been very challenging, but a fantastic step that I took.
But no background in computer science or computers in general?
Eliza: No, no background at all. I actually didn’t have a computer before I started working for F-Secure. So I had…
That’s super interesting.
Eliza: I had a laptop when I was younger, but it had died.
Matt: The kids today, they’ve all got iPhones.
Eliza: Yep. I didn’t need a laptop.
So even in the industry, IR is considered very technical. So to me, it’s super interesting that somebody who has no prior technical background can just jump in and sort of get cracking. Were you apprehensive about that all? Did you understand what you were getting into?
Eliza: No, I had no idea. When I got into it, I thought, “Oh my God, what is going on? I don’t know any of this. There’s so much to learn. What are these guys talking about?” And it’s just been a lot of hard work and shadowing people, and I seem to find everything breaks that I try to use. So I’m always trying to fix things. So having to read up so much more about it and then going away. So I think that’s a really good way to learn.
I was just going to say, sounds like learning opportunities. What was the transition like for you? What went as expected, and what were the surprises?
Eliza: It was a huge transition, considering I came from working in A&E doing something very different, to then coming into the technical side. So it was a huge transition.
Surprises, I think it’s…there’s just so much to learn. There’s new things coming all the time, and just understanding something completely is very…I found it quite tricky. So having to go over it all the time, and then finding something new, and then seeing how it all links together. But yeah, it’s been a huge transition.
Do you think that the fact that you came from an emergency department helped in that? Because I would say that an emergency department sounds like real life IR, to me. So if you had come from a different field of nursing, for example, would that have been different?
Eliza: I suppose it would, because I suppose when you think about it, if you’ve got a client that’s being hacked or compromised, it’s like having somebody come through A&E who’s bleeding or got burns or fighting for their life, and you’re trying to figure out what you can do, and what’s going on if they can’t talk or something.
So I suppose it’s very similar because you’re still trying to think of it as like, “Right. We need to diagnose this. What do we do?” So yeah, I can see how they’re very much linked, and you get transferable skills, definitely.
And also for yourself, mentally. In incident response situations, when you first come across them, they’re very traumatic and stressful, as I would imagine first aid situations are as well. So there’s that mindset that there’s horrible things happening around you, but you have to be cool. You have to be calm and collected and the one in control. So do you think you you’re better off when you have that experience?
Eliza: Yeah, I think you definitely are. I suppose with working in A&E and having…I’ve seen some horrendous things in my time there. And I think I can be quite calm in those situations, and I’ve had to learn to be calm, because obviously you’ve got families around, and you’ve got to stay calm for them and put on a brave face and things, and try and calm them down.
So I think I’m kind of used to that whole stressful situation, and I do actually really like it. I enjoy having to just keep everyone around you happy and relaxed, and try and get through them. So I can see how that can really help, especially when an incident comes in, because you’ve got clients that are very agitated and nervous about things that are happening. So I think it, yeah, definitely helps coming from knowing things like that.
So Matt, were these the kinds of things you were thinking about when you were considering Eliza as a candidate? You’re going so far outside the usual field where we look for candidates.
Matt: I’m a big believer in sometimes just giving something a go and seeing what happens. And particularly with this situation, it was a perfect opportunity that emerged at the right time.
So we’ve been thinking a lot about things that we could do more in incident response, to enable people just getting a start in the industry. And we were working on, I guess perhaps incorrectly at first, the more formal aspects of that, trying to map out a career plan almost, a development plan.
But all the people who were doing that, including myself, are former graduates, and some of us have spent quite an extended amount of time within the industry. So this situation arrived and it was like, “Oh, well this is great.” We could now throw all of this stuff that we’re doing incorrectly in the bin and actually figure it out properly.
And it really also enabled me, I guess, to put my money where my mouth is. Because for years I’ve stated, and I firmly believe this, that the technical skills can be learned. It’s behaviors and we look for.
And some of the things Eliza’s just mentioned there, in terms of her experience with A&E, is very apt. Incident response is always about borrowing and stealing the best bits from other industries. And we stole the triage process within incident response from medical parlance.
And that point about being calm in the cyber chaos is absolutely key. And I think sometimes your ability to cope with these situations is relative. If the worst situations you’ve ever experienced are organizations being cyber attacked, it’s going to be, for most people, an incredibly difficult situation to cope with mentally. But if you come from a different field with perhaps a different perspective, straight away, you’re at a distinct advantage there mentally, to be able to cope with the, sometimes, the stresses of this job.
But with Eliza, and to be honest, anybody who’s looking to enter the industry, it’s about personal dedication, and it’s much more about the individual’s willingness to commit to the opportunity that is put in front of them.
But with things like the UK Associate Scheme, which is another first step in this situation, which we released recently, is another example of progress that is being made here. But we need to and are going to be doing more over the next few years because otherwise this industry is not sustainable.
Yeah. So when somebody with Eliza’s background joins the team, what are some of the things that you guys have picked up from her?
Matt: It’s a really interesting question because learning is not a one-way street. In many ways the things that we assumed would take a long time to learn have perhaps been some of the quickest elements to learn. I guess the more challenging areas come with application of knowledge.
And we’ve learned a lot about that with Eliza. I think in the early days, we were almost just chucking information over the fence and it was approaching information overload. We took a step back and realized it’s actually a lot more to do with the application of the knowledge, and ensuring that it’s retrievable. Because when you’re facing a cyber crisis, sometimes you have to make some really quick decisions in that process. And retrievability, the actionability of the information that you hold in your head is paramount.
So it’s caused us to tweak hundreds of things in terms of how we train people and also how we operate the service operationally. It’s really kind of enabled us to take a step back and think, Well, instead of just thinking everybody’s going to join in and be an incident response unicorn and jump in and do everything to a high standard, we’ve got to accept that people learn at different speeds, and different levels of experience, meaning that they can contribute in different ways. And we took a step back and realized, well, our operation wasn’t facilitating and enabling people to contribute as quickly as they perhaps could have done.
So it has had a transformative impact on our service. Super rewarding. Not just brilliant working with Eliza, of course, but I think just the benefits that we’ve extracted as a team have been incredible. And I guess I encourage all incident response providers in the industry to think along similar lines, because the benefits are substantial.
Eliza, can you recall moment or a specific thing where you felt that you brought something to the table because of your background and who you are?
Eliza: Last year, so 2020, I did a talk about women in tech. And I did that with my manager, Joani, and I was so nervous to do it. We did a talk about our journeys, and how it is a little bit different, especially for women, and how it’s a very male-dominated field and basically how it felt and stuff, and our journeys and how we got there.
But I think, I don’t know if it’s just me, but I think…I went to a school where I was the only girl in my year, that was a local primary school. And then my mom and dad then sent me to an all-girls school, which I didn’t really like at all. I liked growing up with my brother, so all of his friends and stuff. So I don’t find that big bridge that some women do find in the field and I feel totally at home in, and happy to be in a group of guys. It doesn’t make any difference to me because obviously it’s what I’ve known, growing up with my brother and stuff. So I haven’t seen that bridge, but I know women have talked about that there is a huge bridge and that they’ve been treated differently, especially by clients and things, which I’ve never experienced that. But that was a significant part.
I did a boot camp as well with my manager, Joani. We did a Cyber Security 101 boot camp. And we went through the basics of cybersecurity to get people rolling and to see what was out there.
What were some of the biggest challenges in getting started in incident response, specifically?
Eliza: I think it was applying it. So I did a lot of shadowing on cases, and I had all this knowledge that had kind of been offloaded on me, and I’d been learning from people. And then it was actually applying it that I was struggling at.
So what I found really useful is one of my team members, they actually did a fake case for me on a VM. So a virtual machine, they basically put some ransomware on it and did a few other bits and pieces so that I could go through it and be the lead investigator on that fake case, and go through it and figure out what was going on basically. And it really helped me because I didn’t have that pressure from the client. I had to act like my colleague was the client. I had to go through it on my own. I didn’t have much help.
And it was just applying all that knowledge that I’ve accumulated, and putting it into practice. And it’s really helped to actually get my brain to link right. This is how you do it. And I think that’s a huge thing that we found that has really helped. I’d love to do another one just to get it quicker, because it took me time, because I had to use the tools on my own, and it’s inevitable that tool is going to break. So you need a backup tool.
Matt, does that sound typical? What do you find are the biggest challenges for new people in the business?
Matt: It is application. I call it the investigator’s mindset. On an IT service desk, they call it the troubleshooting mindset. It’s that thing that, I guess, sometimes experienced people can do, where they can look at a problem from almost a hundred miles away and have a sense of what needs to be done. But to my mind, a lot of that is down to confidence and the ability, when you’re faced with an incredibly stressful situation, to be able to take a step back and utilize your training.
Now, obviously if you’re just taking your first steps in the industry, you don’t have a whole lot of training to fall back on, but this is part of the reason, with people coming and changing careers, it’s about reminding people that application of knowledge is not just about learning new stuff about computers and incident response, and being able to apply that in the field. It’s sometimes remembering the skills and knowledge that have already been picked up and learned over the years and recognizing that, oh, the vast majority of the things that we’re doing here are common sense. It really is. It’s dealing with people.
It’s guiding people through sometimes extinction-level events for an organization, which obviously can be fairly traumatic, and the more people of more diverse backgrounds and experiences that we have in our team, the easier it is for us to adapt when substances are hitting fans and stuff needs to move quickly. It just makes us far more adaptable and more sustainable and gives us a greater platform with which to cope.
It certainly sounds like a very complex and wide-ranging topic. That would seem to be a lot to take on when you’re first starting in this. Eliza, was it easier or more difficult than you anticipated to sort of get started in IR?
Eliza: I think it was a lot harder than I thought it was going to be. I think because I hadn’t got that tech background knowledge or anything like that. I had to learn that first to basically understand what was going on, really. And still now I’m thinking, I don’t know what’s going on yet. But you’ve got to learn that Google is…it turns out to be your best friend, because if you don’t know, just Google it. And it’s inevitable that somebody has been in the same situation that you have, and they don’t understand something, and there’ll be a blog post, or there’ll be more blog posts, and there’ll be people talking about it. And there’ll be multiple ways that you can get around it, or something like that.
So it’s very important for people to think, right, if I don’t know it, Google will know it, or somebody else would have gone through it, to go and to find the answer. But yeah, I think it’s been a lot harder than I thought. And there’s a lot of effort that has to go into it, so much effort, more hours, everything, just to get that basic background knowledge, to then fully understand the rest of things going on.
Okay. What would you say are the sort of the best parts or the worst parts in your job, Eliza?
Eliza: I wouldn’t say there are any worst parts. I think there’s frustrating parts, I find. It’s more frustrating when things don’t work, because obviously, things break all the time, it’s computers. But I can find it really frustrating when you’re on track and you’re like, I need to use this tool, and then the tool doesn’t work, or the computer stops working, or you run out of space or something.
But I wouldn’t say there are any worst parts of this job, and I absolutely love it. I have a fantastic team that has been so supportive, and they’ve just been amazing. Whenever I’m stuck, they always help, even if it’s just being sent through a link to read through and just to develop my knowledge more. But I don’t think there’s any worst part of the job that I found so far. But it’s probably years to come. Isn’t it, Matt?
So Matt, now that you’ve been in this business for a minute, what do you think are the best and the most frustrating parts of your work?
Matt: The best part, it’s always the people. In my experience, the best teams are built in adversity, and that’s true the world over. Within incident response, obviously, you’re experiencing a great deal of adversity as a team on sometimes a daily basis. So it’s a fun team to be around…In this situation, humor plays a big part in how the team copes with life.
And it is a global team as well. We’re not just based in any one physical location. There are members of the team that have joined in the last year that have never even met each other yet. Eliza is a great example of this, her whole training’s been a a hundred percent remote. So that’s in my view, training on hard mode. It’s far more difficult than being together in person. So again, part of this experiment, which wasn’t intended, but it turned out to be well, okay, if we can also do this remotely, we know that we’re really onto something here.
No, I think the past year has taught a lot of people that careers we never thought could be done remotely actually can.
Matt: Yeah, absolutely. I put myself firmly into that bracket. You asked a question, what are the most difficult things? So obviously, we can never predict when attacks are going to happen, but some of the difficult things come when that call comes in at 2:00 AM, and it’s a Saturday. And within a few minutes, you realize, “Oh, the next three months of my life are going to be wrapped up in this situation. I didn’t know that 30 seconds ago, until that phone rang.”
That can sometimes have an immense impact on the individual, and that’s why topics like mental health are incredibly important to us as a company, of course, but incident response teams in particular. But yeah, I think that the most challenging impact is sometimes that the personal impact that this job has, but I think that’s then outweighed by the experience and the knowledge that you need to gain.
On the topic of advice, are there any specific words of wisdom for people looking to start a career in incident response? Things you wish you would have known when you were getting started, or things that surprised you, or anything like that.
Matt: With new people entering the industry, I always point out that, the thing with learning knowledge is, the more you know, it’s not as if you’re ever going to complete the domain knowledge. It’s impossible. This is why we need a team. The more steps you take, the more you realize the actual scope of things that you don’t know, and it increases exponentially – for practically every item that you learn, you realize the ten things that you don’t know beyond that item. But that’s really interesting and exciting to me.
And IR is all about using your knowledge in the field. It’s not about using it theoretically. It’s about actually using your knowledge to have an impact and an effect. And sometimes that impact can be tremendous. When we’re working with organizations that have been attacked, of course we’re thinking about the organization, but also we’re thinking about the people involved. And we’re thinking about the families and quite frankly, children attached to those people that who rely on this income and that career, and by extension, the health of the organization.
And we have that ability as incident responders to apply our knowledge at the worst possible moment for people in an organization, and use it to have an impact that turns out around and enables that company to go back and continue, and hopefully use the experience to then shore up the defenses a little bit more, so history doesn’t repeat itself. But it’s a tremendously rewarding career path, because you get to use your knowledge in anger and see the real world impacts of that. And it’s often in anger.
Yeah. What about you Eliza, any words of wisdom?
Eliza: I think, words of wisdom would be just take the leap and just go for it. My brother had been talking about it for at least a year. Then when I finally took that leap, I thought it is fantastic. It’s a great career. I have such a fantastic team, as Matt was talking about.
And it’s great that we all have such interesting backgrounds as well, because very few did university and did cyber or anything similar to a technical degree. So I think it’s great that we’ve got people that did English, an English degree, or an economics degree or history, and we’ve all come from different backgrounds.
And I think it’s great because I think you need that different view on things. And especially shadowing people, I’ve noticed that everybody does the analysis differently. Nobody does it exactly the same. They’ve all got their different takes on it. So especially when you’ve got a couple of our team members working together, it’s better to have that coming from different backgrounds and having the diversity and stuff, because you’re unlikely to miss certain things.
And also don’t get scared, because I was very nervous taking that huge leap. Things get challenging, but you’ve just got to keep going through and just trying to learn as much as you can. It’s one of those industries where things are changing all the time. So you never get bored because you’re learning something new all the time.
Working in A&E I thrived being challenged because you never knew what was going to walk through the door. And it’s exactly the same in cyber. You don’t know what’s going to come. You don’t know what attackers are going to find a way. You don’t know the next route that they’re going to find. So it’s so interesting to think, right, you don’t actually know what’s coming around the corner, but whatever we’ve got, whatever comes, you’ve got to be prepared and be learning continuously.
That’s amazing. You’ve almost convinced me to try my hand at incident response. So with that I want to thank you guys for being with us today. It’s been insightful to hear about your experiences and thoughts. Thanks.
Eliza: Thank you for having us. It’s been great.
Matt: Thank you so much.
That was the show for today. I hope you enjoyed it. Please get in touch with us through Twitter, with the hashtag #CyberSauna, with your feedback, comments and ideas. Thanks for listening. Be sure to subscribe.