Easy Prey Podcast

Women in Infosec with Eleanor Dallaway

“It’s not a man’s world. It’s a people’s world.” - Eleanor Dallaway

In this episode, we deviate a bit from our traditional topics to incorporate the growing diversity in the Infosec world. In the past, this has been a male-dominated field, but the culture is changing.

Our guest today is Eleanor Dallaway. Eleanor is the Editorial Director at Infosecurity Magazine, and she is at the front of the security industry. She has more than 15 years of online job experience and knows more about information security than most English Literature graduates should. She spends her working days interviewing industry professionals, keeping the website updated with news on a regular basis, editing the magazine, and attending industry events. 

“What’s interesting about infosec is it is a bit like fashion. It’s cyclical in trends and everything goes around again.” - Eleanor Dallaway

Show Notes:

“Threats are not for the stupid and the vulnerable. They are a danger to everyone.” - Eleanor Dallaway

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Eleanor:  I joined Infosecurity Magazine in 2006. I started as an assistant to the editor. I've worked my way up in 15 years to deputy editor, editor, publisher, and then eventually now, my title is editorial director.

I actually have three magazines in my portfolio. One of which is Infosecurity. I have quite a double portfolio because I also have magazines in the wine and spirits industry and retail technology.

Chris: That's quite a wide range of topics to cover.

Eleanor: I know, and some are a little bit cooler than others. When you attend a dinner party, you may want to pull out the wine and spirits magazine as your lead. When people ask you what you do, keep the cybersecurity topic.

All of my editors know Infosecurity got a special place in my heart because I've been reporting on it for the longest and I've completely fallen in love with the tech industry. I've become addicted to how fast-paced it is, the people, the connections, the network, and how just every day is unpredictable in the industry. It may not be the coolest, but it's certainly my favorite.

Chris: Well, that's great. Let's talk about some interesting interviews that you've had with people in the tech industry over this 15-year span. Is there any particular person that stands out as a very unique interview?

Eleanor: Yeah. My favorite part of my job is interviewing. It feels very strange today to be on the other side of these questions because I feel very comfortable when I'm in control of asking the questions. But when they're being asked of me, it feels really strange.

Interviewing people is my passion. Over the last 15 years, I've had the pleasure of interviewing some huge names in security. It's hard to pick a couple. 

My most recent, very enjoyable interview is with Katie Moussouris. She's just wildly famous in the industry as a hacker. She calls herself a future president and is convinced she's going to run for president in four years’ time. Having met her, I absolutely had no doubt she would. She has become very famous in the bug bounty space. She worked for Microsoft. She has taken Microsoft to court in an ongoing battle with them on gender pay disparity. We spoke a lot about that. I felt truly inspired by her as a woman, as a technologist. Hearing her experiences and what shaped her career has been really mesmerizing. She's a mesmerizing person to interview.

Another person that sticks out is Kevin Mitnick. I was absolutely petrified when I went to interview Kevin Mitnick. I'm going to be honest with you, I’ve had a few negative reviews around what he was like as an interviewee from some friends of mine, journalists in the industry. I went to meet him in San Francisco at the RSA Conference, which I've been to pretty much every year with one exception since 2006. I was petrified. This is a guy that spent time in solitary confinement, in prison. This is a guy that laws have since been made for promiscuous acts because of him. He was quite a big name and is someone that I'd always thought would be great to meet.

I went in there really petrified. He was amazing and he was incredibly open. He wanted to talk about everything, including being in solitary confinement, his strained relationship with his mother, and all sorts of things. He did little magic tricks for me which is amazing. Just sort of telling me how similar magic is to cybersecurity and being a con artist effectively. 

Actually, he's perfect for your podcast because he started his career by hacking. The first one was the bus system where he grew up and found a way to not have to buy tickets. He once hacked the drive-thru of McDonald's so that he was the voice that people heard when they would try and order their takeout in their car. He would respond as if he was a McDonald's staff and be completely rude and outrageous to these people. It was a lot of con artistry and incredible stories. 

Again, just left me thinking what an incredibly talented guy he is and how he really has reformed his life. Actually, the best interviews to do are when you see people that have been through hard times. There has been a lot of jeopardy in their life. There have been challenges to overcome like Katie with Microsoft. I came out of the interview breathing a huge sigh of relief but feeling incredibly lucky.

I could go on. You have to stop me because I met so many incredible people in the last 15 years. I've got a really bad habit of, when I write these interviews, calling them all my favorites. I was like, that's the best thing I've ever done. Then, the next time I'll be like, no, that's my favorite. It is definitely the highlight of my job: being able to meet these incredible minds, pick apart a story right from day one, and follow their lives.

What I always try to do is get onto the page, the side of them that isn't normally seen through tech press certainly, and B2B media so that when somebody reads the interview, they feel like they themselves have met that person. If I can achieve that, I feel like I've done my job.

Chris: That's awesome. Kevin Mitnick is definitely on my list of people that I would love to interview. Probably my most outrageous interview that I have published so far is obviously John McAfee. He's just such a character and really likes to live up to his, I'm not going to tell you where I am, I'm going to be evasive and elusive—a really interesting character. 

What would you pay for privacy?

It was neat just to hear him talk about his stance on privacy and what it costs. That he talked a little bit about how it's hard when you have to lie to friends and family about where you are because you don't want them to accidentally let slip where you actually are. I started thinking about that. I'm like, oh gosh, that's going to be a tough life to live. Whether it's true or not for him, I don't know that. But if someone truly wants to have that sense of privacy and doesn't want anybody in the world to know where they are, you really do have to not tell people stuff or lie to them about your life.

Eleanor: Right. Actually, you're telling a very similar part of Kevin Mitnick’s story which was when he was on the run from the Feds. He spent four years and relocated to Denver. It’s essentially Colorado. He said he gave himself a new name, a completely new identity, and he could not see or contact his family. 

Sadly, he didn't actually lose his mom a few years later after he had been able to reconnect with her. He is haunted by the fact that he lost those years. Like what you’re with John McAfee, he was really, truly on the run. That’s sacrificing. That really struck a chord. 

I have actually met John McAfee a few times. The first time I met him, I was in Vegas for a Black Hat Conference. I have a friend of a friend in the industry say, guys, John McAfee is going to turn up at some BSides. I’m not sure if you know the BSides event but it's a community conference that travels around the globe. It's a very clever business model and sits next to the huge conferences and exhibitions in the industry. They're very corporate and they attract crowds of 20,000, 30,000 people sometimes. 

What BSides does is it puts a smaller event right next door to it, maybe in a day or two running up to it, and also some overlap. They attract really great speakers because the community feels like it's an event that's run by them for them. It's got a great following.

John McAfee just turned up on the stage there one day at 5:00 PM and I think he accidentally on purpose leaked that he was going to be turning up. We all fell for it. I got in a cab, went straight there, and watched him up on stage for 20, 25 minutes in what can only be described as an unscripted but highly intelligent rant about not the industry, but his own story and being on the run. I remember him talking about a neighbor being shot and a dog in the yard. It stayed with me. This was years ago. He must have told it in quite a way.

I've seen him speak at an event in Infosecurity Europe, in London. I introduced him on the stage and looked up at him backstage. I've spent some time with John and as you said, he's quite a character. I continue to follow him through social media and watch what he's up to.

Chris: At a minimum, he's a very entertaining gentleman.

Eleanor: Absolutely.

Chris: Are there any big trends you've seen in infosec over your brief time in infosec?

Eleanor: Yeah, my brief 15 years so far, of course, has big trends. What's interesting about infosec is it is a bit like fashion and it's quite cyclical. There are the trends, you move through those trends, you develop for a few years, and the industry evolves. And then, you find yourself writing headlines three years later that are remarkably similar and recognizable to ones that you wrote a few years before. It is a bit like fashion. Everything comes around again.

People have high expectations of mobile technology.

There are a few trends over the last 15 years that have driven the industry mobilization. People expect technology to be mobile. We've gone from computers and being stationary in offices to just the power of our iPhones or Google devices, whatever it is we have, holding data the whole day and having the intelligence that you’ve never imagined. 

Mobilization is a big one. I get a bit bored, to be completely honest, with the Cloud when I think about it. It's a trend that comes up every single year in our trends report that we write and will continue to do so. Artificial intelligence and machine learning stories, that's certainly one that's become a lot bigger in the last couple of years and will continue to. When you talk about quantum computing, artificial intelligence, you'll get people to say, I don't know why I was talking about this as something that's going to happen. It's already happening. It's already here.  Actually, I love the things that we do. I love the things we write about. We have had elements about them for a long time. Again, a trend is continuing to drive the industry.

In really positive terms, the focus on the human side of security (and that's something I'm really interested in) has got a lot more time over the last 15 years. People have understood the importance of the human equation, whether that's inside a threat that's malicious and intentional, whether it's just, I'm not going to say stupidity. I'm not one of these people that always begs the user for things that go wrong because it absolutely is. We should be making technology that doesn't go wrong and that doesn't encourage users to make it go wrong.

There are, obviously, two sides to the human element. That's the intentional side and the accidental. I think that's something that's gained a huge deal of momentum and awareness. It’s become something that 15 years ago, I would say to my mom, I've got this job on a magazine and it's about cybersecurity. In fact, back then it would’ve been information security, it wouldn’t have been cybersecurity. Now, it is headline news. In fact, there are probably not many days that go by when the main newspapers over here aren’t reporting in headlines about a data breach, something on privacy, something on social media, or election hacking. It’s mainstream news.

That's interesting from a journalist's point of view. We've got the attention of the public and people get it now in a way that they didn't before. But it also means we're competing. We're not just competing with other B2Bs and niche publishers by writing about it. We're competing with the BBC and I'm talking British here but you know what I mean. Everyone is covering it.

Vogue, my latest issue of Vogue is covering social media scams. It's become incredibly mainstream. It’s an industry that has changed unbelievably, but it's also an industry that continues to have the same bones and the same threats. I can't go a day without reading scams and getting phishing scams. Our company puts in software to test it and I love that because whenever I saw that and it reported and it says, congratulations, this was a phishing attempt.

I know this stuff. I’ve been writing about it for 15 years, but it's so sophisticated now. Even when you write about this stuff day in, day out, there's been a few times where I've been that close to getting fooled. It's not for the stupid or the vulnerable anymore since everyone is affected by it.

Chris: I know here in the States, it ebbs and it flows. Last week I probably got, over the course of five days, 30-35 phone calls on my cell phone that were government tax scam calls. Hey, there's something going on with your tax ID. You better talk to us. 

The funny thing to me is that anytime I get a phone call and I don't know who it is, I immediately just assume it's a scam, even if it's my vet calling from a different number. I just assume it's a scam and very careful just to confirm who I am, very cautious to say the word, yes, assuming that I am being recorded. What are the consequences of the words that I'm saying when I'm talking to this scam artist? 

I'm surprised that in a lot of these tax scam calls, within less than a minute of me engaging with them, they will hang up on me and I'm trying to figure out like, what? You're not very good at your scam. It's not like I'm saying, hey, I know you're a scammer. You're horrible. It's not like I'm confronting them on it. I'm just trying to play along with the scam and they end up hanging up on me. Is there another scam going on that I'm not aware of that they're doing? Are they trying to record pieces of audio of me over and over to build some library or something like that? Are they trying to engineer more information out of me?

I've never really told them anything. I just start asking them what would seem to be very reasonable questions based on what they're saying is going on but they always hang up on me. Yes, this very clearly is a scam but is it a different scam than what they're really pretending to be. It makes me wonder sometimes.

Eleanor: We start to distrust people that are actually trustworthy. Certainly in my position, I find myself becoming unattractively cynical sometimes about things and about emails. My bank will actually call me and meet me, and I'll be like, hang on a second in there. You have to. You can just really say about the phone. A lot of these scams you’ve been getting are by phone. I definitely experience a lot more by email and text. In the UK that seems to be bigger than the phone at the moment. Do you think that's the same in the US? 

Chris: I think it ebbs and flows. I suspect that my mail filter filters out a lot of the phishing attempts. Occasionally, when I look at my spam folder, I'll see some pretty poor ones in there. Like you, occasionally, I've got a legitimate call from my bank and I'm like, well, you need to prove that you really are my bank. Or, thanks for letting me know. I'm going to hang up and call you back.

We are now suspicious of every unknown caller.

The real bank, they're never upset about that because they’re like, that's the right thing to do. Thank you. I don't have a problem with that. I think it ebbs and flows. There was a period where I was getting several text messages a day saying we’re this particular package delivery service. We tried to deliver a package and no one was there to sign for it. Click on this link to reschedule delivery. It's XYZF52.info and I’m like, no. I know the carrier. The package number is not 12345. It's way longer than that. 

I think those are the ones that I'm currently seeing. The email phishing attacks, at least for me, have been very fairly low recently. In the past, it used to be several a day that would get through the mail filters.

Eleanor: The clever ones, when they look at the landscape of what's happening in the world, they adapt their messaging to that. It's interesting you mentioned about the parcel delivery. I've seen a huge amount of that since lockdown because they realize that everybody's shopping online, and everybody is getting a criminal amount of shopping delivery on most days. They recognize that. They know that if they send you an email pretending to be DHL, the old site, you’re going to have a DHL parcel due the next week or so. I think that's funny. It’s worrying when they target either based on the person or based on just what's going on in the general landscape. 

COVID-19 has brought a whole new raft of phishing scams and general scams. We saw earlier in the year an email campaign in the UK where they targeted people saying you might be infected. It was like results pending based on your doctor's surgery. It was targeted and it was really effective. That's when I get really cautious about it because they are preying on people's vulnerabilities and they are taking what's already an awful situation. We're in a pandemic. Life is pretty bad for a lot of people right now. They're taking that and using it to hurt people. That's when I get emotional about the industry I write about because it's real lives and it's real people that are being affected. It's painful. It hurts.

Chris: That's the thing that always frustrated me as well. At least in the US, very frequently, the elderly are the victims of scams. It's just like, how can you live with yourself? How can you sleep at night knowing that you've taken money from some elderly person who needs that money to buy their groceries and their food to feed themselves? Which is part of the reason why I'm doing the podcast. It's just ridiculous.

Eleanor: Yeah, totally. When somebody targets me, it’s okay. When they target my mom or dad, I don't like it. But I can still get my head around it. Then, when I talk to my nan and she has a targeted attack, then I get really mad. I'm like, you don’t mess with my nan. Honestly, it infuriates me. You’re probably the same as me. You’ve become the go-to person for all of your friends and family. My dad’s always sending me constant screenshots. Is this a scam? What about this?

Just like people who work in the tech industry, you become a helpdesk for everyone in the street and everybody that they've ever met like their cousin and the postman. It’s the same with recognizing scams. I get people coming to me all the time. You have these steps. You say, well, have you checked where it comes from? Have you done this? Have you done that? Ninety-nine percent of the time, if they think it's a scam, it is a scam and maybe even more than that.

Chris: You talked about having been to infosec conferences pretty consistently for a period of time. What are the security steps that you take going to infosec conferences? 

I know someone who’s like you've got to go there. I'm not too far from Las Vegas. You've got to go to one of the Black Hat Conferences. I'm like, yeah, but I like my tech. I don't want to leave all my tech at home. I just think of it like, man, I'd have to bring cash because I don't want to use a credit card. All the things that I think through about even being in the same city when an infosec conference is just happening, I'm like, I don't know if it's worth it.

As someone who's in the industry and reporting on the industry, are there steps that you take when you go to the conferences, or do you just live and let be?

Eleanor: Yeah, that's a really good question. It completely depends on what event you're going to. There are sorts of techy conferences and then there are more business-focused, corporate-y conferences. Like I described, the one in San Francisco is one of the more business-driven corporate conferences. Then, Black Hat in Las Vegas is certainly one of the techy conferences. 

When I go to RSA or Infosecurity Europe, or any of the big events like that, I don't typically worry about it too much. I take all the normal steps. I don't use the WiFi there. I make sure my Bluetooth is off. Just basic things like that. I don't worry about it too much. 

When I go to Vegas, either Black Hat or DEF CON, it’s a completely different ball game. The first year I went there, it would’ve been about in 2007, they had the press room. The conference attendees hacked the press room. That was a real eye-opener. I was like, okay, this is serious stuff now.

I learned quite quickly to leave whatever I could behind. But it's just basic things. When I was in the press room, I’m on airplane mode, using VPNs—all the basic things you do anywhere else. You have to be really mindful and really careful.

Even when you take your devices, make sure that you're not doing things, or looking at things, or having things out that you wouldn't want to be exposed.  I've been in sessions where they have projected what people were looking at on their phone, just painful stuff. One year they hacked the hotel room cards to break into a room, I just thought, this is getting a bit scary now. 

Black Hat actually is heading in the same direction as the other RSA and it's becoming a lot more business-focused. But DEF CON, you have to be a techie to go to DEF CON. I went once and since then, I've found much more technical reporters being sent there in my place, and I stick to the more business-y style events. 

I remember turning up in stiletto heels and a pencil skirt. For sure, I just got laughed at the building because no one there was wearing anything other than ripped jeans and a T-shirt. I’m thinking, oh god, I'm so embarrassed. 

It's got such a great community. The people that go there, I've met so many people. I’ve got so many friends in the industry that love DEF CON. If you have that technical brain, and you're inquisitive, and you want to know about this stuff, this is the place to be. It’s great. 

In terms of conferences, basic stuff. Don't do anything you don’t want people to see. Bluetooth off, don't connect to the WiFi, just basic stuff.

Chris: I know there was a person I was talking to that I had interviewed for another episode. I don't remember what we discussed in the episode, so I won't attach his name to it. When he would travel to certain countries, he would bring a laptop and a phone that he had just purchased, and basically, on the way out of the country, he would just throw them in the trash. When he was in the country, he would just assume that the laptop had been compromised and that the phone had been compromised. 

It was part of him. He’s just evaluating these trips including the cost of an inexpensive laptop and an inexpensive burner phone. He would only program his wife's phone number on the phone, nothing else. It would just be thrown in the trash on the way out of the country, assuming that he would be infected. 

He said that a couple of times he had gone, he had left his stuff in the hotel room and come back. Very clearly, the laptop had been opened, closed, and moved. A couple of other times he'd been there, he actually set up a camera, and people would come into the room, start messing around with the laptop. 

It wasn't housekeeping. I won't say what industry he was in. They were doing industrial espionage on him when he was in the country. He’s like, that's the point where when I try to visit certain countries, all my tech goes in the trash. I'm like, that's an expensive travel.

Eleanor: This guy, obviously, has some really good theories. Honestly, nothing on my phone or my laptop is that interesting.

Chris: I'm generally of the same philosophy. There's nothing going on in my life that's that interesting. My life is really uninteresting. You're not going to get any leverage on me because there's nothing going on.

Having been in the infosec industry and being at the conferences, I know at least for me, I've always kind of viewed infosec, and maybe this is back to Kevin Mitnick’s days, as really like a boys club. Has that changed a lot over the years or in some diversity now?

Eleanor: If you look at the numbers, it hasn't actually changed that much. It is moving in the right direction. When I first started, it was 8% women in the industry. I believe and this does change but they sit typically now between 10% and 20%. They’re baby steps, but the steps aren't great enough.

I would say that, personally, I've had a really positive experience in the industry. I have had the opportunity of meeting loads of incredible women, I've also had the opportunity of interviewing. Most of my contacts, most of my little black book for interviews are men. I've never received anything but great treatment from people in the industry. My reference point is growing.

However, I consider myself incredibly lucky. I've spent a lot of time with women that haven't had the same experience. It actually inspired me. I've done a lot of work outside of my day job. I’ve worked for The Guardian, The Times, the top broadsheets in the UK. I've also done reports, white papers, to the government on getting more girls into IT at high school age. Then later, encouraging more women to transfer from different industries and come into cybersecurity. 

We have a huge skill shortage in our industry and it doesn't help that we're getting less than 1 in 5 women. The pool that we're fishing for is so much smaller than it could be. It doesn't make sense. We need women in the industry because we need more people. We need more diversity because everybody knows more diverse teams make for better work and better output. 

Over the years, all the work I did, all the interviews, inspired me to set up a networking group called Women in Cybersecurity which I launched at Infosecurity Europe. Infosecurity Magazine and Infosecurity Europe are owned by the same company. We sit as a group.

I had that platform and was able to launch at a networking event in London which we ran for this year. It was the fifth, but it was virtual which was sad, but it was better than nothing. This year, actually, for the first time, we went global. I ran an event in San Francisco for the RSA conference. 

I definitely have aspirations to take this around the globe. The whole purpose of it is to create a community. For women, it's about finding like-minded people just to be heard and share those experiences. It sounds quite American using the word sisterhood, but it genuinely feels a bit like that. What I find every year is that everybody opens up and talks about their experiences. The people that have had negative experiences get cheered on by the people that haven’t. There's advice. It’s amazing. 

It's a great industry for women to be a part of. We need more women. It's about changing, it's about marketing, and the perception of our industry. I don't think we're very good at marketing cybersecurity. We still use all the wrong images and the wrong language. We use masculine language. We use masculine images. We use men in hoodies. Generally, men in hoodies on conference promos, and news sites.

It's time that we took ownership of that, and shouted about all the good things about the industry, and made it more of an attractive proposition. I don't think it's just that women don't feel welcomed. Sometimes they look at the industry and they don't really want to be a part of it. We have a responsibility to own that and to try and shout about how incredible our industry is. It's not a man's world. It's a people's world. 

People talk about it so much more. You read articles about it all the time. There are lots of women’s events. There is an event in the US called the EWF which is the Executive Women's Forum that meets in Arizona once a year. I was lucky enough to be thrown out there a couple of years. You just meet incredible women. There's a lot going on in the space and it is making a difference. You just need to make a difference a little bit quicker.

Chris: Based on all the news stories that we're seeing over and over about breaches and compromises, there's definitely a lot more work that needs to be done in infosec. There's a lot of opportunities there. What I'm seeing is a lot of companies are starting to incorporate security into their designs now in terms of we need to budget for security as we do things as opposed to it being, well, we had an incident. Now, we have to just do enough to keep the investors happy. But the world is changing. We need to really get out in front of this. 

I definitely see that need for more people in the industry, more people doing security, more people trying to keep us all safe on the internet.

Eleanor: Yeah, definitely. The current statistic is 1.8 million. There's a current skills gap of 1.8 million. We're at a time where unemployment is very high. I'm sure it's the same in the States as it is in the UK. It is at its peak because of COVID and because of the loss of industries. 

Infosecurity is resilient. It's in a really great position and it’s an industry that hasn't been hit that hard because it is needed more than ever. As people move to home working, and remote, and becomes more important, all of these trends have meant that we are going to surf this wave really well as an industry. 

We're 1.8 million short as it stands. That number is projected to get even higher. We've got a workforce. In the UK at the moment, it is 400,000 already who have been made unemployed because of COVID. 

Well, let's get these people into the jobs. It's a great industry. Tech is going to be home to a lot of people's careers. It's a perfect time, really, to start shouting about why people should be jumping ship and joining this crazy old industry.

Chris: I have been in tech for 30 years now. I love tech. It's just so interesting. It’s always constantly evolving and changing. If you're bored about things, get into tech because it's never the same thing from day-to-day.

Eleanor: Yeah, you're right. There is a lot of cynicism about it being quite a he/he industry. Everybody knows everybody and the people are really tight-knit. I found the people in the industry to be so open and so welcoming. Whenever you have a question or whenever you kind of go, I'm really sorry, I'm going to sound stupid, but I don't get it. There's no other industry like it. They want to help. They want to extend. They're so passionate about what they do. They’re so passionate about making a difference and actually making people safer. It’s just wonderful.

Showing that side of it, it feels really social. It's like a herd industry, a cool herd industry. It's a social place. I really hope this is an opportunity for us to show the people of this industry and encourage more people to join them.

Chris: I'm sure it is. If people want to learn more about what you do at Infosecurity Magazine, how can they find you and the magazine?

Eleanor: Thank you very much. We are infosecurity-magazine.com. We are a daily news site. We have a print magazine. We are one of the very long-standing print magazines in this space. We do features. We do webinars. We do virtual summits. We do the whole lot. It’s @infosecuritymag on Twitter and I’m @infoseceditor on Twitter as well.

Chris: Great. Thank you so much for coming on the Easy Prey Podcast today.

Eleanor: Thank you so much, Chris.

Chris: Thank you for listening to this episode of the Easy Prey Podcast. If you found this episode beneficial, please take a moment and leave a review by visiting easyprey.com/review. Notes and a transcript of this episode with Eleanor Dallaway can be found at easyprey.com/46.
