Although they are, in relative numbers, a small subsection of the IT industry in Calgary, cybersecurity experts have become increasingly important in the face of ever more sophisticated hacks and attacks.
Tackling the skills gap in cybersecurity was the goal of the annual BSides cybersecurity conference, which was held at Bow Valley College on Nov. 16 and 17.
The goal, said lead organizer for the conference James Cairns, was to connect students, early career graduates, mid-level professionals, and long-term experts together to build skills, network—and even hack a few networks.
“We’re trying to make sure that we get those skills, those students that are skilled, into these roles in an efficient manner, because that’s probably one of the most crucial things we’re seeing in the industry,” said Cairns.
“Cybersecurity is not just one thing, it’s not just hackers. It is people that are on the defensive side of things, so security operations centre analysts doing work in secure operations centres and doing digital forensics and responses, to those that are on the offensive side. They’re learning and finding where these holes and vulnerabilities are.”
The growth in the number of attendees at BSides, both in person and virtually, has mirrored the importance that has been placed by industry on being cyber secure. This year 680 people attended in person, and 120 virtually—up by more than 25 per cent from the previous year.
According to data from Statistics Canada, the number of cybercrimes reported to police has risen dramatically: in Calgary, from 1,706 in 2017 to 3,179 in 2022. Across Canada, the total has risen from 27,829 to 74,073 in the same period.
Conference a melting pot of ideas, challenges
Cairns said that this year was a real melting pot of different perspectives and skills, reflecting on how cybersecurity has a role in government, the private sector, and non-profits—anywhere where people are connected to networks or the internet.
"We even have the person that is on the Tesla Hall of Fame for hacking Tesla, and actually working alongside them to get this vulnerability spec," he said.
Part of the weekend involved what organizers called "capture the flag" challenges, which were a series of hacking challenges that mirror what exists in the real world.
"The capture the flag concept that we've adopted here for BSides is to get as close as we can to a real-life organization while keeping things safe," said Doug Leece, a cybersecurity professional and creator of many of the challenges.
Among the challenges that Leece created for the conference was a Lego train set that was running on real-world ICS protocols that are similar to what could be found managing rail infrastructure or even oil pipelines.
He said that part of teaching ethical hacking skills in a controlled environment like the conference was to help professionals have a better understanding of the vulnerabilities they will have to defend against.
"The adversary already knows this. It would be foolish for us not to train the defenders," Leece said.
"It's the same thing where you get on a real computer and you try stuff. You read about a tool online, try it, see what it does, but do it in a safe place and now measure what can you do around that to detect it sooner."
The obvious has already been addressed, but cybersecurity is about going outside the box
What is often needed to address the needs of industry, said Adam McMath, Director of Cybersecurity for CGI, is a combination of the exchange of ideas and practical hands-on experience.
"Over my career, I've seen the shift in the ratio of technology devices to people shift from four-to-one in the form of people to technology devices. Now, we're often at 10-to-one of technology devices to people," McMath said.
"We have introduced technology into all aspects of our lives, sometimes not necessarily understanding the implications of doing that. That's where as cybersecurity professionals, we want to become educators, want to become leaders in the world so that we can help people understand how they're exposing their information, their business processes, and their valued assets to people who might want to do bad things to them."
He said that the solution, beyond hiring trained professionals in the field, was to reduce exposure to threats.
"The students that are coming out of our schools right now are exceptionally well-skilled. I am very impressed with the skills that I'm seeing, in the performance they can achieve... they're here for that interaction with the greater cybersecurity community to help them with that image and that exposure, it's a thing of beauty," McMath said.
Leece offered some advice to the industry: trust that diversity is a strength, even when a cybersecurity expert might not look like the people they expect to show up.
"I'm not just talking about they'd prefer not to wear a suit and tie every day, but also some of them may have different hair colours and piercings and stuff, but we want people that are thinking outside the box," he said.
"We used to call them fringe people—like they think differently—but we need people to think differently. All of the conventional ways to do stuff have already been addressed, but people are still experiencing data breaches. Often it's because of some unconventional path that nobody thought of before."
For more information on BSides, see www.bsidescalgary.org.