In this eye-opening episode, we delve into the dynamic realm of cybersecurity, a field at the forefront of safeguarding our digital future. Join us as we explore the ins and outs of stepping into cybersecurity, from the essential skills and qualifications to the thrilling challenges and opportunities awaiting aspiring professionals.
Sonia Kumar, Global Head of Cyber Defence at Element Materials Technology shares her own personal journey, offering invaluable insights and advice on breaking into this rapidly evolving field and her experience of stepping into a leadership role. Whether you're a tech enthusiast looking to pivot into cybersecurity or a student eager to map out your career path, this episode equips you with the knowledge and inspiration you need to navigate the exciting landscape of cybersecurity and reveals why we need more women in this field.
Sonia Kumar is the Global Head of Cyber Defence for Element Materials Technology. Sonia’s mission is to build and lead a global 24/7 cyber defence capability. Before that, she was responsible for Cyber Security Incident management globally across Vodafone where she spent six years and led a global team of incident responders to provide a fast and structured response to cyber-attacks.
Before joining Vodafone, Sonia spent sixteen years in different roles within HMG Intelligence and Security departments. Her responsibilities included maintaining national security interests, and she played a pivotal role in maintaining public safety and security during the London 2012 Olympics. After some part-time study and during her time at Vodafone, Sonia gained a Postgraduate Diploma in Cyber Defence and Information Assurance from Cranfield University.
SheCanCode is a collaborative community of women in tech working together to tackle the tech gender gap.
Join our community to find a supportive network, opportunities, guidance and jobs, so you can excel in your tech career.
In this eye-opening episode, we delve into the dynamic realm of cybersecurity, a field at the forefront of safeguarding our digital future. Join us as we explore the ins and outs of stepping into cybersecurity, from the essential skills and qualifications to the thrilling challenges and opportunities awaiting aspiring professionals.
Sonia Kumar, Global Head of Cyber Defence at Element Materials Technology shares her own personal journey, offering invaluable insights and advice on breaking into this rapidly evolving field and her experience of stepping into a leadership role. Whether you're a tech enthusiast looking to pivot into cybersecurity or a student eager to map out your career path, this episode equips you with the knowledge and inspiration you need to navigate the exciting landscape of cybersecurity and reveals why we need more women in this field.
Sonia Kumar is the Global Head of Cyber Defence for Element Materials Technology. Sonia’s mission is to build and lead a global 24/7 cyber defence capability. Before that, she was responsible for Cyber Security Incident management globally across Vodafone where she spent six years and led a global team of incident responders to provide a fast and structured response to cyber-attacks.
Before joining Vodafone, Sonia spent sixteen years in different roles within HMG Intelligence and Security departments. Her responsibilities included maintaining national security interests, and she played a pivotal role in maintaining public safety and security during the London 2012 Olympics. After some part-time study and during her time at Vodafone, Sonia gained a Postgraduate Diploma in Cyber Defence and Information Assurance from Cranfield University.
SheCanCode is a collaborative community of women in tech working together to tackle the tech gender gap.
Join our community to find a supportive network, opportunities, guidance and jobs, so you can excel in your tech career.
Hello everyone, thank you for tuning in Again. I am Kaye Batesman, the content director at she Can Code, and today we're discussing careers in tech, stepping into cyber security. In this episode, we're going to dive into the dynamic realm of cyber security, a field at the forefront of safeguarding our digital future, and I've got the amazing Sonya Kumar, global head of cyber defense at Element Materials Technology, who is here to share her own personal journey, her invaluable insights and offer some advice on breaking into this rapidly evolving field and all of her experience of stepping into a leadership role. Welcome, sonya. Thank you so much for joining us.
Speaker 2:Thanks, kaye Batesman, for having me. Thank you.
Speaker 1:Thank you. Can we kick off with a little bit about yourself, please? We've got a lot to cover today, but it would be great to kick off with a little bit of background about you.
Speaker 2:Yeah, so stop me if I go on for too long, but so I'm currently the global head of cyber defense for Element Materials, just to let our listeners know what we do. So Element Materials we're basically 300 laboratories around the world. We're one of the biggest organisations in the testing, inspection and certification sector and we do all that for nuclear, aerospace defense, pharmaceutical industry, connected technologies pretty much any company you've heard of you can guarantee Element is in the background somewhere. So I came into that role in May as the head of cyber defense and my job is to build from scratch a 24 seven cyber defense capability. So I'm sure we'll talk about that later, but I came from seven years in Vodafone Group where I led the global cyber defense incident management team and that was basically I was accountable for our global collective response to big cyber attacks at Vodafone.
Speaker 2:And but before that I came from 16 years in government, a long time in intelligence and security for government, which was great. So I made the jump to the private sector about eight years ago and what I should say, actually, because it's relevant for our listeners, is that I moved into cybersecurity eight years ago with no cyber background, no IT background, no certifications, not technical bit of a gamble that Vodafone took on me, which is great and has paid off. But you know again, and I'm sure we'll talk about it, but good things can happen with determination. So so that was that. And actually I went to university in Edinburgh and graduated with an honors degree in biomedical sciences. So I was a scientist at heart and I went off after university. I took a bit of time out, mucked about and then went off to be a trainee expert witness, so forensic scientist, for three years, training in sexually motivated crime and DNA interpretation. So I've come on a bit of a journey, I would say, to get where I am today. Yeah, yes, but it's been a great one.
Speaker 1:I love that. I love that you've you've got a brilliant journey and you're absolutely right. Our listeners love to hear that you can come in at any point with any background and you don't have to be technical and you can just fall into the tech industry. And I mean you're from a STEM background and we have lots of ladies that have studied similar subjects to yourself and then later they think you know, I'm going to go into the tech industry and it's something on this podcast that we talk about often. More people should know that you can do that, that you can transition into the tech sector.
Speaker 1:And I mean your job. It sounds like it's it would be technical and you would have to have lots of technical skills and have come from a computer science background Also. It just sounds super cool. The way that you describe your job is so cool and I think a lot of people would think, oh no, I have to have, you know, certain qualifications to get into a job. That is that cool and that you make such an impact. I mean the way you described even working at Vodafone and you were like stopping big cyber attacks, and did you? You know, eight years ago, when you, when you, went into this area. Did you think that you would be saying those words? Like that, you stopped big cyber attacks happening at big companies.
Speaker 2:No, no, I didn't you know. And then how I got into cyber, I, like I said, I was in government and at the time I was working with the military very closely and I was working on a military base about eight, nine years ago and everyone was talking about cyber warfare and cyber this and I get FOMO. So for those of you who don't know what that is, it's like fear of missing out. I like to be in the mix and I was like what is this cyber stuff? I want to do it. And I remember somebody said oh well, you know, you can't. You need these certifications, you need to be technical. And actually that made me more determined to think right, I am going to go and do that.
Speaker 2:And I I took up a masters in cyber defense and information assurance, which actually, on reflection, I probably didn't need to be honest, but it was a bit of a joke and I sent my CV off off to Vodafone and another company for two jobs that I thought I wasn't qualified to do and actually, like I say, vodafone took a bit of a gamble. They must have seen something. I had a good background in risk and intelligence and they placed me in the threat intelligence team, in the cyber threat intelligence team as an analyst. So you know, never having done any cyber, just learned very quickly, had a real passion for it and kind of progressed from there. So so you're right, kayleigh, I, I, you know you don't have to write code, you don't have to be a technical expert. You can be, that's what you choose to go into, but it's you know, you need to have common sense, very logical approach to things and it helps if you can understand risk, I would say as well.
Speaker 1:Yes definitely. Yeah, and so today's discussion is about stepping into the cyber security industry, so can we kick off a little bit with a brief overview of the current landscape of cyber security and its significance in the tech industry.
Speaker 2:Yeah, I think, I think. I think you have to think about the significance of the tech industry first, right, so why is the tech industry so important? Well, there's nothing that technology doesn't touch, right? We know that. And then we focus on the UK. I was reading something that was really interesting in terms of the global tech sector, the UK came in last year at number one in Europe and number three in the world, behind US and China, and that is amazing. So the tech sector globally and in the UK is having a massive positive impact on revenue growth, on people, society, so it's very important. It's also becoming a hub for something called impact tech, which are companies that create technological solutions to reach the United Nations sustainable development goals, which are very important, as we all know. So we want to protect that sector and if we strip things back and think about what cyber security is, that's protecting that infrastructure, the data that sits on that infrastructure, the connected technology, the systems. Right, we want to protect all that. We want to protect our people from harm and society. So what's I got to do with the cyber security threat landscape? Now you can go online and read lots of reports about the threat landscape.
Speaker 2:I'm going to maybe just pick on some things that I've seen and that I've noticed. So I've definitely, over the past year or two, seen an increase in an impact through attacks on the supply chain. So either through suppliers, partners, business customers and, to give an example, kayleigh, let's imagine I'm a big organization, you're a big organization, you're my customer and you suffer from big ransomware attack. What the attackers might be doing is attacking your systems to actually get access to my data and my organization, and we're seeing a definite, significant increase in those types of attacks. And in social engineering, you know, tricking people into doing stuff that's been there for ages, that's still there, particularly fishing attacks, and people are becoming more and more aware of those attacks. But they'll always be there and be there in the future.
Speaker 2:And then the other thing that I've picked out is something called the insider threat. So that's where you might have somebody who works in an organisation and they might accidentally do something to cause a cyber incident, or they might do something maliciously with intent. So I've seen those things in terms of the recent landscape. And then the last thing to pick out is probably attackers. These days they don't need to be sophisticated, they don't need to be big nation-state sponsored groups from China or from Russia or North Korea or whatever. If we think about something quite recent, there's a group called Lapsis. They were based predominantly in Brazil and the UK and they were teenagers, very young, a very young group of people, under 16 mostly, and they brought down global organisations through their cyber attacks. So if you take all that, that's the landscape. We talk about the significance of the tech sector. That's why they're all relevant and connected and that's why we want to protect the tech sector.
Speaker 1:Yes, definitely, and it sounds as though you're a part of such a big mission there, not just within your company but as a whole, and the way that you described and the way that you work. You said you used the word protection and all of those things as well, because I wanted to ask you a little bit about why you came into cybersecurity you mentioned before you had FOMO Because you also think as well that you make such an impact in cybersecurity that you can really see the difference that you make in the things that you do. Is that something that kind of drew you to the industry, that you can actually protect people, and protect not just systems but people? You can see what you're doing day to day makes a big difference.
Speaker 2:Yeah, I've done that since I graduated, as we talked about. So I went from forensic science as a trainee expert witness, protecting people through forensics, and then moving into government, security and intelligence, always driven by this desire to protect and defend our society, and I guess that's why cybersecurity drew me in as well. For the same reasons, I'm very passionate about protecting people generally. I always have been, since I was younger.
Speaker 1:I think in technology as well, people can really struggle to see that they'll be making such a difference as well. I think you come in, you might work for a tech company, probably work on your own, and they can't always make that a real world connection, whereas in cyber, actually, that's quite an easy connection. Most tech roles do make an impact. It's just connecting the dots sometimes and showing people what they do. But cyber is one of those industries where you can say this is what I did and the difference that I'm making. It's far, far easier. We are going to touch upon leadership a little bit today and you're moving to leadership role. How do you define effective leadership in the realm of cyber defense?
Speaker 2:I think effective leadership is not too different within cyber defense than it is anywhere else. It's the first thing I'd say. There are nuances which we can talk about, but I think, to start with specifically with cyber defense being a cyber defender that's what I like to call us it's really. It is tough. It is tough. It's a fast-paced, pressured environment. You have to work, sometimes long hours at speed. To give you an example, if you're dealing with a cyber attack, you don't know when that attack is going to end. As an example, I've had to deal with an attack that lasted over a year. It can be tough. You're protecting, you're responding, you're defending.
Speaker 2:Yes, as a leader, we have advanced technologies at our fingertips, but ultimately, we can't do anything without our people. That's what I always think of people. I expect trust and integrity from others and so, as a leader, others should expect that from me. Really important, I think, from my experience within cyber and cyber defense, is people and my teams really want to feel and know that I've got their back, no matter what. So, because we're making some tough, risk-based decisions all the time at speed, and what the teams that I lead don't want to feel like is that I'm going to blame them if they make a mistake, and that I really do have their back. You know, no matter what, and the buck stops with me, so I think that's part of really good leadership within Cyber Defence.
Speaker 1:And then throwing them under the bus. It was them. Well, I didn't tell them to do it.
Speaker 2:Yeah, and I've seen it. I've seen other leaders do that. So I very much try to be accountable so people can make. I've made mistakes right and I've had great leaders who have supported me through those mistakes. I try to do the same, and then my views have changed over the years of being a leader. I used to think and I used to say, if you'd asked me this question 10 years ago, I'd say I've been a good leader. Is treating everyone the same? Actually, I'd say different. Now, being a good leader is about treating everyone fairly differently if needed, because people are different and actually you might have to treat them differently to be a good leader.
Speaker 2:And then it would be remiss of me not to talk about building an inclusive culture, and I don't think all leaders know what that means and I just I think really simply, I'm quite passionate about this. All it is. It's it's you know people look up to you as a leader and it's just making sure you don't do anything or say anything or participate in anything that might make anyone feel uncomfortable. That's for me, that's all. An inclusive culture is those things, because if you do do that as a leader, people won't be able to be themselves, and then I guarantee they won't be able to perform to the best of their abilities if they can't be themselves. So that's really important in cyber defense and diversity of thought.
Speaker 2:And then the other thing I think is important and again very passionate about this one doing quite a bit of work on this is, as a leader, don't be a passive bystander. People are looking up to you and you know you can. It doesn't mean you have to be confrontational, but challenge things that are inappropriate, challenge behaviors that shouldn't happen or anything that shouldn't happen. Be that, be that role model. And then be authentic. I think you know I've had great teams working with me because I'm very much authentic. Everybody knows where they stand with me, whether that can be a good or bad thing at times. And I think if being authentic means showing your vulnerable side, particularly in those operational, fast paced environments and that's fine as well. And you know I cried several times in front of teams, my leaders, I think people appreciate seeing a vulnerable and sort of human side to a senior leader.
Speaker 2:And then the last thing this really other important thing is just have a bit of fun. You don't have to be serious all the time. Honestly, it doesn't mean you have to be inappropriate, but you can. You can be working in a very serious environment, but you can take the edge off by having a bit of fun as well. So for me as leaders, as a leader in cyber defense, all those things are important.
Speaker 2:I just want to say one thing, because I recently, like six months ago, joined Element and then really committed to cultivating a culture of psychological safety. We've all heard that term and today it's a coincidence Today is the start of the focus groups that they're running and hopefully I can get to that later on and what we're going to do at Element is research, what we call the colleague resource networks, and each of those networks will represent or stand for an underrepresented community. So there's going to be a lot of work within Element and I think why I'm saying that is is for people who are listening and can take away ideas and do things in their organization Right, and, yeah, I think all those things will help being a leader in cyber security and cyber defense.
Speaker 1:Definitely. I, I completely, I love everything that you just said, but I think that, as well, all of those things come together to create a culture. It's sometimes, I think, people think, oh, it's a tick box of things that I have to do. But one important thing that you said was being that role model as well, because it does trickle down from the top and if you're not pointing things out and you're not leading the way, that culture that you're looking for, it just, it just can't be created amongst your team. So you're right, it is a mixture of lots of different things that creates a really good culture at a company, not just one or two things. And normally it's how you feel coming to work every day. It's not, you know, I'll, my employer ticked a box, we have a D and I group or whatever it may be, but actually it's how you feel every day when you're working and whether or not you feel comfortable or you can approach your manager if you need to approach them about something. I mean, all of that takes a lot of hard work and commitment, as you know.
Speaker 1:I want to talk a little bit about challenges, because we covered a few off there about challenges of being a leader in this field. Is there anything that you kind of even before you stepped into this leadership role? Were there any challenges that you now realise that perhaps you didn't see before? We have ladies on here always tell me you know what. When I got into a leadership role, I thought everybody expected me to have the answer to everything. I got in the role and realised that's what my team is for. You know they're challenges that you kind of face every day.
Speaker 2:Yeah, I think I'm trying to think what are they that stand out? So definitely what you've just said and we can come on to that, but in terms of being in a leadership role, it's we touched on it right it's attracting talent. So we know there's a skills gap in cybersecurity. It's widely acknowledged there aren't enough people to do jobs within cybersecurity and I'm at the moment I'm trying to build a global cyber defense capability, as we mentioned, and struggling to get those candidates because there are less jobs in the number of candidates. So that's one, but, moreover, it's attracting diverse talent.
Speaker 1:Retaining them is the other thing.
Speaker 2:Yeah, so I don't have a team. I do have a team but I'm building them. So we're starting from scratch, which is great. So I don't have the retention issue yet and hopefully won't have, but I would like to see more diversity on the candidate plate and I'm struggling to see that and, to be honest, it's it's nearly all men which is behind this of great talent, but I would like to see a more diverse candidate plate. So that's a real challenge at the moment. Quite timely, yes, going back to what you said, yeah, I, you know, I still have it, those moments of doubt and thinking that I had to know everything and that I've become less, less. So my thinking is less of that now actually, and you know, I think if we can attract good talent, build great teams and that's what they're there for we hire great people to do great things right. So so that's fine. I think one of the challenges at the moment is, you know, I've come into this role.
Speaker 2:Cyber is quite new for the organization, it's a new function and it's trying to continuously and positively promote a cultural shift towards a more cyber, secure mindset. So, to give you an example, in my previous role because I was coordinating our collective response to cyber attacks, people would just see me as a harbinger of doom. So if I asked to have a call with someone or message him on teams, I could literally hear them going oh, what's she want? You know, and actually I might just be wanting to just chat about anything or have a coffee, right. But yeah, and it's trying to. It's trying to get people to see actually we're not harbingers of doom in cybersecurity. You know, we're trying to be enablers. We're not there to stop you from doing what you need to do, but we just want you to do a bit more safely and securely. That's all we're asking. So that's one of the challenges at the moment. People really want to be helpful, but they see, they see you with a big stick and I want to try and change that mindset.
Speaker 1:It's funny, isn't it, with the stereotypes, especially in cybersecurity, because you are right of people. If you were to call people, they think, oh my God, have I done something wrong? Am I doing something wrong? And also in terms of the imagery we've. We've touched upon that on this podcast before. When you see images of hackers, it's always a guy with his hood up. And when you're saying I'm struggling to find diversity in terms of candidates, I think some of that is down to who we think the hackers are, and that just doesn't always attract female candidates into the industry as well. You almost think of it as a male industry, male hackers and also men that are defending against the hackers as well. So all of that just kind of it doesn't help. There are so many stereotypes around cybersecurity. Also another great one that I heard in previous years that you're all incredibly paranoid as individuals. Is that true?
Speaker 2:Probably. To be honest, I think well for me. Everyone calls me a disaster thinker, but it's because it's my job to think of the worst case scenario. I think that's not a bad thing. So maybe another way of putting it is paranoid. But yeah, I've got it, I've always got it, and most people in cyber defense do have to think of the worst, because you're thinking about risk and impact and you do have to think what is the worst outcome here and what is it we need to try and prevent or stop. So, yes, we are a little bit paranoid, I guess.
Speaker 1:Conceptions, and there are so many around the tech industry as a whole, which doesn't help get people into tech, but lots more interesting around cyber, which we need to. We try to do our best on this podcast to dispel those myths of people that work in those certain areas. There are some emerging trends and technologies in cybersecurity that professionals should be aware of. It's a fast pace, isn't it? I mean, how do you keep up with that as well?
Speaker 2:Well, it blows my head off, to be honest, if I'm gonna get it and what I should say. There's probably other people and other professionals that have much better ideas to answer this question, but I'll try. I'll try my best. I guess the obvious one is and when we're talking about emerging trends and technologies, I'm thinking because I am that harbinger of doom, disaster thinker Kayleigh I'm thinking about threats and what the risks are. So threats and vulnerabilities and risks really. So in that context, I guess the obvious thing it would you know is artificial intelligence and machine learning. Now, I'm not an expert in those technologies, right, but what I do worry about is the use of those technologies by attackers to do harm. It's only going to become more sophisticated and easier for people to do those things. So that worries me quite a bit. And I had this vision. I don't know if you've seen Terminator 3, the rise of the machines.
Speaker 2:I actually do think one day we're going to end up like that, you know all these things, just like ruling the world, and hopefully I'm wrong and that's not going to happen, but that is how I see things going. So there's that. So there's AI and machine learning. And then the other couple of things I can think of is the internet of things. So, just for people who aren't sure what that means, you know the internet or things like IoT. It's the network of connected devices equipped with sensor software or other technologies to gather, store and share data via the internet. And I'm sure we've all got IoT devices. Now, most of us should have, probably do have, and I was reading a study the other day and there's going to be. There's predicted I've run a few years 30 billion IoT connections, which equates to about four IoT devices per person on average. So the point being is there'll be attackers looking to exploit IoT. So the internet of things. So that's a worry.
Speaker 2:And then the other thing I'd call out just because I find it fascinating and again I like to cite films as a way to relate things. You know the minority report I don't know if people have seen that with Tom Cruise and it's all a bit fancy but behavioral biometrics it's called. Now we should be familiar with physiological biometrics and that's face recognition and fingerprints for logging into applications, and that relies on bodily traits to authenticate our identity, but behavioral biometrics data. That's a measurement of how we move and act. It's quite passive, it works in the background. It monitors our behavior so that when we attempt to log in, for example, we'll be recognized from the way we move.
Speaker 2:That's quite frightening. We're quite great to think about. We're quite frightening. And then other examples include our keystroke rhythm, our gate, as in the way we walk and move, voice recognition and the way we might use our mouse, for example. So you know, all great things, all great technologies and gonna do a lot of good in the world, but actually the worry is what could bad people do with those technologies to cause harm?
Speaker 1:Yes, definitely, because I wanted to ask you a bit about the changing landscape of cybersecurity and how has it changed in the recent years and what do you anticipate for the future, and you touched upon it there as well, I think. Do you think the attackers have changed as well? I mentioned, you mentioned, some of the technology that has changed in some of the worries that the earlier you mentioned that they were teenagers in Brazil that were hacking and the attackers changed.
Speaker 2:did they become more sophisticated or I don't know, it's a debatable point. I don't think so. So you know, if you were to categorize attackers or threat actors, you would have what we call loan actors. So people work on their own, do things on their own, serious organized crime groups, state-sponsored groups, we call advanced persistent threat groups as well APT groups and, yeah, lots of other sort of attacker types, as we call them. But I think they've always been around. I don't think they've changed. I just think what they're doing.
Speaker 2:So, for example, we talked about lapses. You know we had young people or hackers, or whatever you want to call them, 10 years ago, 15 years ago, but I think then they didn't really seek to bring down global organizations and probably didn't quite understand their potential, because it's potential. So I don't think it's changed too much. And in terms of the landscape you said how has it changed in recent years? Honestly, I don't think it's changed that much really. You know, we still talk about social engineering today, which we did 10 years ago. We still talk about ransomware and malware today, which we talked about 10 years ago, 15 years ago I mentioned it before the threat from insiders. We talk about it now. It's as irrelevant today as it was 10 years ago. We still talk about deception and fraud today. I just think the technologies are changing, but ultimately the landscape is essentially remaining the same and quite consistent in my. That's just my opinion, though, yeah.
Speaker 1:Yeah, there's still the same risk. You're never going to be out of a job. That's a good thing, right?
Speaker 2:Hopefully not. No, unless the machines rise up and take over. Okay, Lee, then maybe.
Speaker 1:Of course, yeah, I think we should do a whole podcast just on that. All of our organisations how can they ensure cyber resiliency and prepare for incidents and mitigate risk?
Speaker 2:This is a difficult one, I think. For me it depends on where an organisation is on their cyber security journey. So you can have small, medium, large enterprises we call them, you know. So they're all going to be different in terms of trying to ensure their resiliency and preparing for risks. But I think you know there's some good guidance I would say for to answer that question as a whole focus on the risk and the potential impact of the risk. The organisation needs to focus on what they want to protect.
Speaker 2:We often hear the term I don't use it very much, but we often hear the term. You know the crown jewels, but essentially what that means is what's most precious to that company. You know whether it be data, whatever systems, etc. So focus on that. And then I think, in terms of preparation and mitigating risk, you know, for those of us who work in cyber and tech, we take for granted what people might know. So we, I would say we, should be encouraging people in organisations to do what we call the cyber security basics. But how do people know what those basics are? So have policies and plans and guidance in place. You know we expect our colleagues and our workforce to implement cyber security basics, but where do they go if there isn't anything to guide them? I think cyber awareness. So I've come into element. We've just, you know, in line with Cyber Awareness Month in October this month, just launched elements very first cyber awareness campaign and the feedback from that across the globe is incredible, right. So we talked about the laboratories earlier on. They don't get that exposure to cyber security awareness and they're getting that now. That's really helping. What else, yeah, have?
Speaker 2:The other thing is, from my experience I would suggest nearly all organisations, whether they know it or not, will experience a cyber attack or an incident or security incident of some kind and definitely have a policy, an incident response policy or an incident management policy in place and a plan in place. It might not always go to plan, but have something in place so that people can refer to. That's really, really important and some excellent guidance out there on how to do that. And then the other thing I would definitely recommend are cyber attack simulations or tabletop exercises. There are different things and a great example of that I was lucky enough to come into element in May and in June I took our board, our operating board, through a destructive simulated obviously destructive ransomware attack and the learnings that came out from that was incredible, right, and I think it was really. It was invaluable to the business. So lots and lots of things that people can do, but there's just some of the things that I picked out that stand out to me. Yeah, yeah.
Speaker 1:I mean incredibly important to simulate disaster. Is that how you got the disaster thinker name? By simulating what could happen, which obviously invaluable, but perhaps that's where it came from.
Speaker 2:No, it's been. That label's been around for a good 10 plus years, kayleigh. Yeah, no so. But actually it does help when you're designing simulations and tabletop exercises, because, again, you do have to think of the worst case scenario, right, that can happen and make it easily understandable, sort of to executive board level as well. So you know, and you can do those at any level, not just with the board, you can do them with your those simulations with your technical teams or whoever, whichever stakeholder group you choose, just practicing those scenarios really will help. Now, it's not a golden or silver bullet, as I call it in the industry, but it definitely will help. So, yeah, yeah.
Speaker 1:I mean, that's another thing as well. You mentioned communication. A lot of people that work in tech think you know they're not people that work in tech, that people that are outside of tech and looking in seem to think that you just you have to be highly technical and you don't really work with other people. And actually in your job you describe there communicating to the board or to other teams about you know things that could happen. It's not just you sitting on your own, you know, fending off attackers, that you have a whole host of soft skills that come into the mix as well.
Speaker 2:Yeah, that's a really good point. So one of the things I say in cyber defense, no matter what role you do, whether it's a technical or less technical role, two things I say from my experience that will make somebody successful in role is communication. So being able to not just communicate in a good way, but being able to spin up technical language into easily understandable language. And if you're in my team and someone's trying to explain something and it's a bit too technical, why always say to them and it's probably not too difficult for them to imagine I say, imagine I'm your granny, imagine I'm your mom, how would you tell your granny? And that seems to really work and for the listeners, I you know it's a bit of a tip actually. So that's the first thing, so communication, and the second thing I would say is stakeholder or colleague management. If you can do those two things well, the rest of your job will come easily. I have found and yes, they are soft skills. So, yeah, absolutely right.
Speaker 1:I've got one more question I wanted to ask you. We're almost out of time. The tech industry space challenges obviously related to diversity and inclusion. You mentioned yourself as well that you would like more diversity in the candidates that come forward. How is the cyber security field addressing these issues and what can be done to promote a more diverse workforce? Do you think?
Speaker 2:I think cyber security domain recognises the issue, which is always good, so it's widely recognised. I think that we need to do more because the cyber security is not diverse and it's not inclusive. That's the bottom line. So we need to do more. I think for me personally, it starts with what we talked about right create and you talked about it as well create that workplace culture where people from all walks of life want to come and be part of and want to wake up in the morning and do their job. That's the first thing. If you think like that, then you can't go wrong. And then again, if I use element as an example, last month we launched something called the accelerator programme for women and that's part of a commitment to getting 30% of women into leadership positions by 2025. So you don't necessarily have to do those initiatives related to women it could be any underrepresented group but really create those initiatives, drive them as much as you can, and you don't necessarily need to be in a leadership role to do that.
Speaker 2:And then there's other things I'm trying to think about, what I'm involved in. So I'm part of something called the empowering women to lead cybersecurity in Scotland programme. It's a unique leadership programme for women in cybersecurity and it's delivered in association with the Scottish Digital Academy and Scottish Government. So that's a local government-led initiative and there are many more for different groups of people. So get involved in those, impart your knowledge, take what you learn back to the workplace, to other organisations and actually to graduate in that programme.
Speaker 2:My group and I some of the other women in the group have to do a big presentation in Edinburgh in December to lots of senior leaders across other organisations and we've picked diversity and inclusion as our topic because it's so important to us and it's not just about gender or ethnicities. You know neurodiversity, sexuality is everything. So there's that. And then things like you know there are initiatives sponsored by the UK National Cyber Security Centre and UK Government. There's something called Cyber 912, that's a national competition that looks for potential across universities in the UK, not just for technical roles in cyber but for strategy-based roles as well, because UK Government recognises a skills shortage. So lots of different things to get involved in and do at lots of different levels, not just by leaders. I would say Get involved, be all. If you don't want to get too involved, be an ally or be that active bystander or be that supportive person to someone who's going through a rough time, whatever. Lots of things that you can get involved in and do.
Speaker 1:Yeah, you're absolutely right. So it's a whole host of things as well that goes on all year, not just one national day and that's it. And as a company, it sounds like you're working towards, you know, filling your year with lots of things. That is moving you in the right direction, and I love the fact that you said ally as well, because that is not always just females, and there are lots of male allies that come into that conversation and are really helping to try and move the needle there as well. So, yeah, I couldn't agree more with there is definitely more to do, but lots is being done.
Speaker 2:Yes, there is always more to do. Yes.
Speaker 1:And that is a lovely note to end it on, because we're already out of time. Thank you so much. I could talk to you for another couple of hours on this topic. It is such an interesting topic and it sounds like you have one of the coolest jobs that I've had on this podcast for some time. So thank you very much for taking the time out of your day to come and have a chat with us. I think that many of our listeners are going to love this and find it so, so useful if they're thinking about making that move into cybersecurity. I think it's just hearing that you're not from a technical background. Is it going to be so useful to so many of our listeners. So thank you very much for joining us.
Speaker 2:No, you're very welcome, kayleigh. Thank you, it's been a pleasure.
Speaker 1:Thank you and to everybody listening, as always, thank you so much for joining us and we hope to see you again next time.