
There was so much covered in such a brief (well, 45 min, so not that short) talk that, while this is a bit long, there was so much more that isn't mentioned here.

The open talk hosted by the Central London Local Network at Savoy Place on 8th March had two main focuses: Cyber Essentials, a basic cyber security certification, and the training and workplace improvements that increase the diversity of people, particularly neurodivergent people, in the cyber security industry.

Dr Emma Philpott (MBE), the CEO of IASME, presented a fascinating talk followed by a great Q&A session and the subsequent, obligatory, networking drinks. IASME had developed a series of corporate cyber security certifications when it developed the Cyber Essentials certification in concert with the NCSC (National Cyber Security Centre). Originally developed to address the poor security of government suppliers, Cyber Essentials has become a baseline certification that many companies now need in order to prove that they have applied a basic level of cyber security to their operations.

Cyber Essentials covers the basics of firewalls, secure configuration, access controls, malware protection, and patching of both OS and software. Questions were raised during the Q&A about how such simple aspects of cyber security could really affect a determined actor. However, considering that most of the startups I've worked in haven't made real efforts in many of these areas, I completely understand that even having something that can meet the requirements of the Cyber Essentials certification would help.

The talk continued with a more detailed breakdown of the verified self-assessed Cyber Essentials, such as its cost (only about £300 - £500) and how it encourages honesty in the review by having a director sign off on it, and of the more detailed Audited Cyber Essentials, where a cyber security professional performs a review. There were lots of stats about the increasing interest in the certification, including how many companies had just the Cyber Essentials certification and how many had more than one (about 25%, sometimes the other being a different IASME certification). The basic take-home was that there was a significant increase in the number of SMEs using Cyber Essentials and that it was not difficult to implement, with many of the people undertaking the self-assessment not being from a cyber security or IT background.

There was a decent introduction to how IASME and Cyber Essentials had led to a massive increase in the number of trained cyber security professionals and how many who started out doing Cyber Essentials assessments had then developed their cyber security business further.

This then led on to the final part of the talk, where Emma introduced the work that IASME has been doing to develop and optimise training courses that enable neurodivergent people to get into the cyber security field. She then described how they've adapted their own workplace and culture to improve the working environment for neurodiverse people and, even further, for people with long-term illnesses who are normally removed from the workforce. Emma used many examples of how neurodiverse people can be incredibly beneficial to an organisation where detail and focus can be vital, not just from a technical perspective, and noted that sometimes that focus could be detrimental and therefore, as with any other employee, care should be taken. The first cohort of 14 people from the course were so good that IASME hired them all, and since then 90% of trainees have moved to full-time employment. Some personal stories were presented that showed that once they were hired, the real learning started, primarily for the company doing the hiring, but that the benefits far outweighed any costs and were as much about acceptance of small changes to the working environment.

The Q&A showed the level of interest, both positive and negative, though, as mentioned, the negative was purely about the simplicity of the Cyber Essentials approach compared to the complexity of approaches a threat might take. There was also discussion of the level of expertise of assessors and the changes that might be necessary to improve the workplace for neurodiverse people.

For those who wish to see the talk for themselves, a recording is available at https://tv.theiet.org/?videoid=16435.
