The cover image for this post is the Leeds Cyber Security Conference logo.
Yesterday (September 21st, 2023) was Leeds Cyber Security Conference at The Tetley, an important building in the modern history of Leeds. I wanted to write about some of my key takeaways from this event, and why I think it's important to attend industry events like this.
What Is Leeds Cyber Security Conference?
The organisers of the event (YorCyberSec) described the conference as:
Free one-day event looking at all things cyber security, information security, and digital. ISO 27001 to Email Security, Microsoft Tools to Threat Intelligence.
Unlike most conferences, the talks were not salesy. This meant that each of the eight talks was straight to the point and filled with practical advice and information for the audience. This was a very refreshing take on conference talks, which can sometimes become 40-50 minutes of "here's why our product is amazing, see me after the talk for licensing information."
Whilst there's nothing wrong with a sales-based conference talk (companies have to justify giving their employees the time to attend these events), they can sometimes become a little laborious. The talks at Leeds Cyber Security Conference were completely different. I walked away from every single talk with knowledge and thoughts that challenged my views on cyber security, software development, and the IT industry as a whole.
Which Talks Were The Best?
It’s a bit of a nothing answer, but all of the talks were amazing. I actually walked away from every single one with something new - and that doesn’t happen at many conferences that I’ve attended. Here is the list of talks which were given during the conference:
- Security and M365, a Perfect Match? by Scott Riley
- GDPR an Update on How to Prepare by Phil Parkinson and Pete Konieczko-Hansom
- Real World Insights From Cyber Incident Responders - Arctic Wolf
- The Emerging Threat of AI in Cyber Security by Jeff Watkins
- Compromising Positions: An anthro-centric look at organisational security culture by Lianne Potter
- Penetration Testing and Why Context is Important by Jordan Carter
- The Security Behaviour Data - What? by Ben Donaldson
- Big Data Wins World Records by James MacDonald
Whilst the target audience for this conference was primarily cyber security experts, I found the talks incredibly interesting and useful. Over the past few years I’ve been thinking a lot about where cyber security fits in the standard software development life cycle. This is something you can hear in a few episodes of The Modern .NET Show, namely:
- 77 - Application Security with Tanya Janca
- 105 - More App Security with Tanya Janca
- 115 - How We Got Into Security with Ashley Burke, Karla Reffold, and Divya Mudgal
- 116 - Pivoting into Cybersecurity with John Westgarth
I often use the points in the above episodes and those found in The Phoenix Project to advocate for shifting security left: the earlier in the development of a system that security is discussed, the cheaper and easier it is to implement. It was very refreshing to hear (from both the speakers and the other attendees) that this is definitely the case. As such, I'll be using the points that were raised at the conference to back up my ideas.
Speaking of attendees, some of them were cyber security experts, some were non-technical employees of software companies, some were students, and there was at least one person who had become interested in cyber security after being personally hacked. The speakers respected the different backgrounds that the audience had, which is another thing that a lot of other conferences seem not to do brilliantly, but something that Leeds Cyber Security Conference did fantastically.
Where Are The Talk Recordings?
None of the talks were recorded, which was another interesting decision.
It means that if you weren't there, you are unlikely to learn the lessons from the talks, giving the event a "you had to be there" feeling. But it also meant that the conference could have a slightly more relaxed feel: without cameras running, the speakers knew that they could take their time to make their points. Because of that, there were a lot of people taking notes (including me), and lots of questions were asked. I'm convinced that more than a few of those questions wouldn't have been asked if there were cameras rolling.
Due to the fact that I knew the talks were not going to be recorded, I made a point of trying to take in as much information as possible. I also asked more questions than I would normally do during a conference - either during a talk or afterwards, in person with the speaker. I was also in a fantastic position of being able to share my own knowledge and experience with some of the other attendees - including people who were looking to pivot into cyber security, and with a few new connections who work in the industry.
Key Takeaways
Whilst I'm not going to share all the notes that I took during the conference, I wanted to share two of my key takeaways.
- Multi-Factor Authentication (MFA) is a must
This is very important, and something that came up in almost every talk. MFA has become the standard across a lot of companies, bolstering their authentication processes. Sadly, not enough companies, though. Scott Riley shared a statistic from Microsoft during his talk:
Microsoft reckon that 99.9% of all brute-force credential attacks can be mitigated by enabling MFA
In fact, he told the story of a company who had been hacked more than ten times in three years due to not having MFA set up at all.
If almost all brute-force login attacks can be mitigated by it, why don't a lot of companies enable it? The short answer, from my conversations with attendees and with Scott, is that it's not an easy user experience. Supplying a username and password, dropping out to a second device to get a code or to authorise the login, and then returning to the first device isn't a wonderful experience. But it's far more secure than a username and password alone.
If you don't have MFA set up, please do consider enabling it wherever you can. Where you have the choice, prefer an authenticator app or a hardware key (FIDO2/passkeys) over codes sent by SMS, which can be intercepted or phished more easily.
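To make the "second device" step concrete, here is the mechanism behind the code most authenticator apps show: a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226), checked after the password. This is an added example, not code from the post or from any of the speakers. The user store, salt and password in it are constructed for the demo; the TOTP secret is the shared RFC 4226/6238 test-vector secret, so the codes it produces can be checked against the RFCs. Two details a practitioner would want are included: a small drift window for clock skew, and a record of the last accepted time step so a captured code cannot be replayed.

```python
"""TOTP second factor on top of a password check (added example, not from the post).

Implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only,
then wires the code check into a small login routine. The user store, salt and
password below are constructed for the demo; the TOTP secret is the RFC 6238
test-vector secret so the generated codes can be checked against the RFC.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time // step."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter that matched `code`, or None.

    Accepts +/- `window` steps to tolerate clock drift between the
    authenticator and the server, and compares in constant time.
    """
    t = int(time.time()) if at is None else at
    base = t // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), code.encode()):
            return counter
    return None


# Constructed user store for the demo. `last_counter` records the most recent
# TOTP step accepted for the user so a captured code cannot be replayed.
USERS = {
    "alice": {
        "salt": b"constructed-demo-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse battery staple", b"constructed-demo-salt", 100_000
        ),
        "totp_secret": RFC_SECRET,
        "last_counter": -1,
    }
}


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Password first, then the TOTP code; both must pass."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    counter = verify_totp(user["totp_secret"], code, at)
    if counter is None or counter <= user["last_counter"]:
        return False  # wrong code, or a code from a time step already used
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    # RFC 6238 vector: at T=1234567890 the 8-digit SHA-1 code is 89005924,
    # so the 6-digit code is its last six digits.
    print(totp(RFC_SECRET, 1234567890))  # 005924
    print(login("alice", "correct horse battery staple", "005924", 1234567890))  # True
    print(login("alice", "correct horse battery staple", "005924", 1234567890))  # False (replay)
```

The drift window is what lets a code generated a few seconds before the step boundary still work, which is exactly the "drop out to a second device and come back" delay described above; the `last_counter` check is what stops an attacker who shoulder-surfs or phishes a code from reusing it inside the same window. A real deployment would also rate-limit attempts, since six digits with a three-step window is a small space against an online guesser.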
- Empathy, Collaboration, and Respect
In her talk (Compromising Positions: An anthro-centric look at organisational security culture) Lianne Potter focussed on the human side of IT and cyber security. She has done a lot of research for her upcoming podcast (Compromising Positions), which contains conversations about cyber security topics with people who are not cyber security experts.
Her thesis was that the IT industry tends to treat people badly when cyber security incidents happen. Incidents are often reported (internally or externally) using name calling and language designed to inflict pain or embarrassment ("idiot", "stupid", and "foolish" are often used). This resonated with me, as it fits with the research I had done for my talk and podcast episode called "Empathy, Sympathy, and Compassion For Our Users", which is also related to some of the work that Dr. Jessica Barker has written about (with her collaborators) in "Cybersecurity ABCs"; I would definitely recommend this book, by the way.
Lianne also said that the IT industry uses very militaristic language, and that we should walk away from that where we can. "Breach", "attack", "vulnerability", and so on are all words which are both militaristic and carry a forceful connotation. If we change these words, we can bring a more relaxed atmosphere to discussions about security.
It’s not just about what we say; it’s about how we say it, and to whom we say it
Those are just two of my takeaways from the talks. There are many others, but I don't have the space here to go into them all.
Leeds Cyber Security Conference was an amazing event, and I would recommend that people in and around the area keep an eye open for next year's event. The speakers were amazing, and the attendees were fantastic.
I would definitely recommend attending next year, and any similar events that happen in your area.