Security Unfiltered

Inside The Global Push For Offensive Cyber And Smarter Defense

Joe South Episode 212


We trace how cyber policy tries to catch up with fast-moving threats, from decades-old laws to a new push for offensive capabilities. Along the way, we unpack what real resilience looks like for SMEs, critical infrastructure, and the talent pipeline that holds it all together.

• Verona’s route from public policy to cybersecurity
• Why slow law and fast threats collide
• Updating the Computer Misuse Act and research protections
• Offensive cyber, deterrence, and ethical guardrails
• Zero days, decision latency, and operational windows
• SMEs and supply chains as systemic risk
• Secure by design and secure by default at scale
• State cyber reserves and public–private secondments
• Talent gaps, pay gaps, and global accreditation
• EU and UK moves to standardize skills and tighten rules
• Government roles in funding, convening, and capability building

Find Verona on LinkedIn: Verona Johnstone Hulse. Read NCC Group’s Global Cyber Policy Radar on the NCC Group website or via Verona’s LinkedIn posts.



SPEAKER_01:

How's it going, Verona? It's great to get you on the podcast. I'm actually really excited for our conversation today.

SPEAKER_00:

Awesome. No, thank you so much for having me. Really, really excited to be here.

SPEAKER_01:

Yeah, yeah, absolutely. It's uh it's an interesting time of the year for me. I'm normally kind of like burnt out from everything by this point. And so, like, I like I don't know. The years past, I've scheduled a huge amount of podcasts in September and October just to like, you know, have content for November, December, January. But like this year I'm actually feeling good. I don't know if I did something different or what, but recordings are going longer this year's. But I'm really happy to have you on. I'm really excited to talk about this report that you put out on just cybersecurity globally overall.

SPEAKER_00:

Yeah, no, very happy to be here. And as I say, we've uh think it's it's a bit of a weird time for me. So I've I've I've I operate in the kind of public policy space of cyber policy, and it's always pretty intense this time of year. A lot of governments and think tanks and that sort of thing have a lot of their their conferences in the run up to Christmas, so it's always a bit of an insane run in the two months up to Christmas, and then we all collapse in a big heap on the uh 25th of December.

SPEAKER_01:

Yeah. Yeah, there was a couple that I wanted to go to. They were like related to like space and cybersecurity, and it was like so last minute. It was like one's in November, like right around the holidays, the other one's in December. You know, it's just like, do I want to go to it? Yes, but I also have like little kids and I don't want to like, you know, like bring them along. It's just a complete mess, you know, with doing it like last minute like that.

SPEAKER_00:

I think if I feel like the geography of kind of being near London makes it a little bit easier. Uh so I've just got back from Brussels, and so the kind of geography of Europe makes it a little bit easier to kind of get around to those sort of things last minute. But yeah, can I can imagine? Don't have kids. So yeah, the the I have the more flexibility and I guess more sleep to give me the energy to to go to those sort of things.

SPEAKER_01:

Yeah, it's it was interesting to me. So I went to Europe for the very first time. I think I mean it was over 10 years ago at this point. It was like 12 years ago. I did, you know, a short study abroad session in Germany just in time for beer fest. That was amazing. And I was talking to someone from Russia, and you know, he he was saying, like, you know, oh, like how much of the United States have you seen, have you seen, have you been to, and everything? And I was told, I was like, man, I've been to like maybe, I don't know, 10, 12 states. And like that was a good amount. You know, that's probably like the average amount for someone my age at that time. I mean, it's probably the average amount for someone of any age in America. And he was he was completely shocked. He was like, Oh my god, you haven't even seen like 50% of your country. I was like, You have any clue how big the country is? Like, I can drive for eight hours in my state and not be out of my state. Like, that's how big my state is, you know, like that that's insane. And he goes, Oh, I didn't even realize because if you drive for eight hours anywhere in Europe, like you're going over two, three, four countries, you know, like with ease, you know, like with traffic and everything, like with no traffic, I'm still in Illinois. It's crazy.

SPEAKER_00:

Yeah, no, absolutely. I um I often get accused as I'm I'm someone that grew up in London and so maybe have sometimes a bit of a London-centric view, even of the UK. So I mean, I really have no excuse, but there's a lot of the UK I haven't even seen.

SPEAKER_01:

I really want to go to London. Me and my wife, we keep on talking about it, and we definitely want to go. And when we go, I think we want to go for like two weeks at least. Because, like, you know, when I go to a like I have a rule where when I go to another country, like if I don't know exactly when I'm going back, like the basically the the second trip has to already be booked. So if that doesn't happen, then like I do absolutely everything. I mean, I come back from these vacations and I'm just like completely beat up. And it's because like every minute of the day I have something planned. Like I'm eating at this restaurant that I want to go to, I'm doing this event, I'm going and seeing this museum or whatever it is, you know. It's I do vacations a little bit differently. I I had a friend with me on my last trip to Germany, and you know, I built in like one day of like doing nothing. And uh we just like, I mean, it was like from the time we got off the plane, you know, there was like so of course there's construction on the on the S-Bahn, and now we have to like get off and find a bus and you know get to our hotel and everything. And then, you know, literally from the time we get off the plane, we're doing something the entire time. And then we get to that one day and he's like, What are we doing? I was like, I don't know, sleeping. Like we were literally out until 3 a.m. last night. Like, I'm chilling.

SPEAKER_00:

Yeah, my my husband, I think, has gotten so used to me having like a really detailed spreadsheet of what we're doing hour by hour on our holidays, and often often feels like a lot of the stuff that we end up doing is quite spontaneous, but absolutely not. It's been kind of planned for several weeks in advance because to your point, I want to make the most of going there because I never know when I'm gonna go back.

SPEAKER_01:

So Right. But why don't we why don't we circle back, you know, to how you kind of got into the space, right? Because you're kind of in like a parallel space to cybersecurity, but you're close enough to know quite a bit about the space. Tell me about your journey.

SPEAKER_00:

Yeah, sure. So I I've kind of my background is very much in kind of public policy, government relations, that sort of thing. So I've been doing that for many, many years now, and spent quite a lot of time working across different organizations, across different sectors, understanding the policy issues, helping organisations navigate that. So literally everything from energy to transport to kind of broader tech and working for little companies and big companies, both in-house and as a consultant, then eventually uh sort of, you know, ended up at NCC Group and the kind of UK headquartered global cybersecurity firm, and they kind of had a specific role within within their government affairs. Some of it joined maybe four or five years ago. And I honestly feel like I have found my absolute cultural home when it comes to operating within within cybersecurity. So I think where I'd been kind of going through kind of different roles and you know, gaining experience across different sorts of sort of sort of organizations and different policy issues, kind of eventually get quite bored quite quickly because kind of once you know a sector, it's you know, you understand the issues and you know that kind of continuous learning stops after about a year. But so far it hasn't stopped at all at kind of within cybersecurity, and I really, really love it.
Um and I will never leave the sector, I'm sure, because you know, it's uh such an awesome space to be working in in terms of the decisions that that that governments are making and how much it's impacting how we can all operate in cyberspace, but also you know, some of the standards and stuff that we have to kind of comply with across the board as organizations and how quickly kind of the space is moving, and also just all of the really awesome, very clever people that I get to work with on a day-to-day basis, and the stuff that they're doing being kind of genuinely beneficial and for the for the greater good of a more secure cyberspace. So yeah, it kind of ticks all the buttons in terms of purpose and a space that's evolving so rapidly, never getting bored, continuously learning, and uh, you know, really feeling like within my kind of current role, having the opportunity to to make that link between policymakers and politicians and government and the world of cybersecurity, and often acting as a bit of a a translator, I guess, between those two worlds, because they speak very different languages a lot of the time, but bringing the the kind of insights and learnings from the the awesome work that that my colleagues do into some of the kind of decision-making processes that that governments and and policy makers are looking at when they're looking to kind of legislate or regulate or or implement kind of broader government policies is is something that I really, really enjoy every day and get a lot of purpose and and a sense of fulfillment from it.

SPEAKER_01:

Hmm. Yeah, it's fascinating that you have that experience, right? Because I have the I have the same experience from like a technical perspective, right? Where it's like never-ending learning. There's always something that you can specialize in. There's always something, you know, that that's going on that you didn't know that you know you have to learn and whatnot, which is very exciting for me. And like I I think that that's probably where like I joined and left so many other companies being on like their internal security team. Because for me, it's like as soon as I learn the environment and the and the tech behind it, it becomes uninteresting very quickly for me. And so now I'm on the other side where I'm you know doing consulting and I'm seeing new customers every single day, multiple times throughout the day, you know, learning new environments, learning new tech, you know, all this different stuff. And so it's it's like reignited that that fire in me to be to like keep going. Yeah, you know, and I always tell everyone that you know is considering getting into cybersecurity really in any capacity, is that you have to be ready to constantly be learning and feeling like you don't know enough. You know, like there's a certain level of imposter syndrome. Like I've had on, I've had on people that, you know, allegedly, I have to say allegedly because he'll be so mad at me, he'll text me if I don't, that have allegedly, you know, hacked airplanes mid-air while they're on the plane, right? And he even tells me the exact same thing, you know, where like you have to be always learning. 
And there's situations where he goes into it and he doesn't know everything, you know, and this is one of the most most well-known hackers, you know, in the entire world, where like this guy loses a job and within 24 hours, like he has seven offers in front of him, you know, of him him literally just saying, I lost my job, and you know, within 24 hours, companies are just throwing offers at him, not even him like applying or anything like that, not even him asking for a job. That's what happens, right? And so it's a space where something that I love about it too is that like you can learn these skills, you can take this knowledge and you can turn it into something so much more, right? Like I turned it into this podcast, you know. I I turned it into consulting on the side, right? Like I turned it into so many different things, and I feel like there's not that many fields where you can clock in for your nine to five, and your nine to five work directly relates to your side hustles, and your nine to five makes you better at your side hustles, and your side hustles make you better at your nine to five. Like, there's I don't know, I haven't seen any other industries or anything that kind of compare to that.

SPEAKER_00:

Yeah, no, it's so true. And I think it it could it points at a challenge that I have in my day job, which is that governments move pretty slowly. And and like legislatures and you know, and when they're looking to legislate or regulate, it's kind of a painfully so slow process. And I I think often kind of working with lots of my awesome colleagues, they get frustrated at kind of how slow things move and how long things take at a kind of government decision-making level because we are operating in this space and we're also used to the operating in a space that is is evolving so quickly and that we're having to to move quickly to keep keep up with it. I mean, there's there's a kind of long-standing campaign that we're running in the UK, for example, to to update the Computer Misuse Act, which is kind of our equivalent of the CFAA, and to provide better legal protections for security researchers. And, you know, we've made brilliant progress, but it it's taking years to do that because it takes such a long time to get government and kind of policymakers up to speed with the issue and looking to kind of prioritize it when they're looking to balance kind of other things that are that are often in the news. And you know, that piece of legislation now is 35 years old. It's the main piece of legislation which governs cybercrime in the UK. And the the fact that it hasn't necessarily been updated very much at all in those 35 years is just complete madness when we think kind of how far we've come in those three and a half decades. So yeah, it's the the kind of the challenge of uh keeping up and all of the effort that we all make to kind of keep keep up is something that I see really, really vividly in in my day job when I am engaging with governments and trying to you know get them to to move quickly. 
Obviously, moving with safeguards and moving with a level of looking to kind of legislate and regulate for the long term and with flexibility and all of that stuff, yeah, getting them to move quickly can sometimes be a frustrating process.

SPEAKER_01:

Yeah, that is a really good point. And I I feel like people don't really understand that that much because they don't work, you know, with the government in in their day-to-day job. And most people don't. When I was just getting started in IT, I've led the federal and the military contracts for a small company here in Chicago. And, you know, the government was they taught me this slogan very well is to hurry up and wait, right? And it's funny because like, yeah, you'll wait for years and then when they finally want to do something, it's well, we need it yesterday. Yeah, you know, like we need it done immediately, like right now. It's just a crazy way of doing it. And for you to for you to mention, you know, that piece of legislation has been talked about for 35 years, it's that that is absurd to me because like how quickly, just how quickly cybersecurity evolves, even within a year, you know, and like that's the problem that I have is that the legislation does not evolve as quick. And so we put these rules in place that kind of don't almost don't mean anything to to for the most part, in my opinion. And then, you know, when companies get breached, I mean, what what are we fining Meta? We're fining Meta like what 20 billion dollars. I mean, there's there's some mathematician at Meta that does the calculation of, oh, okay, we'll make that back in two days. Yeah, we could pay the 20 billion. Like it doesn't, it doesn't matter, right? It's inconsequential. And so, like, it's just uh it's a weird place where it's really difficult to hold companies accountable, right? In terms of breaches, but then the governments also need to figure out how to act faster with this sort of thing because you know, there's looming threats over the horizon, and our adversaries are a bit more bold with their attacks than than we are, right? Like, I mean, if we just think about like the last you know major attack that America allegedly led, right, might have been Stuxnet. Maybe.
Maybe I'm missing one or two, but like at least the one that you know sticks out the most is Stuxnet to me. And I mean that happened what 15 years ago at this point, 15 years ago, when we last like kind of publicly acted in that manner, and you look at the amount of attacks that Russia has done, right? Just on Ukraine. I mean, it's it's crazy. And as cybersecurity experts, you know, we we look at it, and there's some of these attacks that are like, oh, they're they're probing the network. They're the way that they're testing that is something that they're preparing for later on down the line, maybe not even with Ukraine, maybe with another country, but Ukraine is their target and they're testing this out right now, you know. Are you uh seeing the discussions around that at all in the political circles?

SPEAKER_00:

Yeah, definitely. I think principally a lot of this discussion is being driven at the moment out out of the US in terms of what does the what is offensive cyber look like in this current environment and and to what extent do you know democratic governments need to work more closely with the private sector on ensuring that they we do have the right offensive cyber capabilities in place and where does the kind of line get drawn between what should remain the prerogative of the state and where should industry play a role and kind of what does that look like within an ethical framework? So it's definitely something that we're seeing ramping up and then kind of trickling down across the kind of other jurisdictions around the world. And even in here in the UK, we've had our security minister really ramping up the rhetoric around, you know, offensive cyber capabilities and the government investing one billion in kind of cyber command within their kind of military capabilities and and and looking more at cyber within the kind of context of deterrence as well, and and thinking about how do we ramp up investment in deterrence. So I think we're we're still relatively early days in that ramping up of the rhetoric and announcing kind of big big spending announcements. There was a another billion in in President Trump's big beautiful bill act, which talks about investment in in offensive cyber operations as well. And I think we just kind of need to see how that kind of plays out in practice. But at the moment the rhetoric does seem to be ramping up in terms of you know, governments moving to a war footing, this kind of level of uh distrust on the geopolitical landscape and and needing to develop their their own kind of core cyber capabilities. And so, yeah, that's going to be a really, really interesting thing to kind of observe over the next 12 months or so, how that plays out. And also how it impacts us all, right?
Because, you know, what what would that mean if we do see a real kind of ramping up of activity beyond the kind of sanctions that we've seen in the last couple of years, but to ramping up of activity in terms of things like law enforcement takedowns and and working with the the private sector to develop offensive cyber capabilities? If if we are seeing an uptick of of sort of Western liberal democracies doing that, what does that mean for the the overall threat landscape? What does it mean for the the private sector if they are asked to be playing a more active role within those? And and how do we make sure that we do set the the right kind of safeguards and legal and ethical frameworks around that? So yeah, it's I I really I'm absolutely fascinated to see how how this one does does play out over the next 12 months or so.

SPEAKER_01:

Yeah, it's like it's like playing 4D chess almost, right? Like there's so much that goes into it, even just from you know, like from a capabilities perspective. When you look at the capabilities that America probably has and that Russia and China probably have, I mean, it's the equivalent of digital nukes. You know, if you could shut down the water supply of a country, that's potentially just as devastating as a nuke going off, right? I mean, it really is that significant, or shutting down the power grid. You know, like those are massive things that could happen that would not just like disrupt people's lives, it would change people's lives forever. Um, it would kill, it might kill more people than nukes. It may take longer, but it may actually kill more. And you know, I I was I was talking to a cyber warfare officer for for the NSA, and this was a couple years ago. You know, the episode actually never even went live because I was told very uh very firmly not to let it go live. And so I was very keen on not having you know the FBI come knocking on my door. It's not a very good look in my neighborhood. And you know, he he I asked him, was there ever, you know, like a target package that you were given that you couldn't find a way to, you know, complete the mission, right? Whether it's like tracking them or monitoring them or developing a a uh package, you know, a exploit package, whatever it might be. And he said, no, there's there's never been a single one. I've done over 200 of these, like there's never been a single one that I couldn't figure out how to hack in some way. It doesn't matter what the country was, doesn't matter if they were in China behind the the China's great firewall, right? 
He said the biggest problem for his side is actually getting someone to like pull the metaphorical trigger by the time you know the the exploit is actually found, discovered, weaponized, to have someone actually hit enter on their keyboard and launch it before it is patched or whatever it is. He because he he told me he's like, you know, sometimes like I'll go into the vault and find you know an iPhone zero day that isn't out yet, no one knows about it, and I'll build it into this exploit. And it's like, okay, well, it's on a timetable. Like if this gets gets taken out, you know, 90% of my attack doesn't even work, right? And you know, he he said most of the time, you know, these zero days are are being found out in time and being patched and whatnot. And uh it's it's an interesting delay because you know, in the article that I I was skimming through it, admittedly, I was skimming through it. I'm sorry, I did not read the entire thing.

SPEAKER_00:

There's still time, yeah.

SPEAKER_01:

Right. But you know, it was talking about how the policy is shifting towards taking a more offensive approach in cyber cyberspace, cyber warfare, whatever it is, right? Maybe cyber warfare is too strong of a term for the report, right? But when I when I hear that, it makes me nervous as a as someone that so I'm not a hacker, but I'm like as close to being a hacker without being a hacker as you possibly can be, where like I know how to do basically all of it, I just don't do it. And so like I can't call myself a hacker, right? But just seeing the capabilities and then knowing the people in the space that actually do it and the capabilities that they have, it's like we're going on the offensive, okay, but we're not even ready on the defense side to like defend a counter offensive, like we're not even close, you know? So it makes me nervous.

SPEAKER_00:

No, it's a really interesting point. And there's I mean, maybe there is some light in that. So they have the kind of the recent announcement around NATO spending kind of ramping up to to five percent and 1.5% of that being in kind of non-traditional defence spending. And I think that that governments are looking at how they they spend some of that money from a a cyber resilience perspective. And you know, there there has been some decent progress, a lot of it actually driven by by regulations around critical infrastructure resilience and uh resilience of financial institutions and and that sort of thing. But I think you know, we still got as you said, kind of point to we've got still got massive gaps that that need sorting, and kind of one of the areas that that that we're we're constantly seeing is and there is a that's a bit of a perennial question mark about about how we tackle it is when we're looking at small to to medium-sized businesses and enterprises, you know, they they how do we kind of uplift the resilience of those organizations when they don't have the same resources, they don't have the same skills or access to skills as as larger organizations. But ultimately, those sorts of organizations uh make up a a significant percentage of the global economy and the economy of kind of domestic economy of the US, UK, Europe and Australia, and also often form part of the supply chain into these uh kind of critical infrastructure organizations. So there is a bit of a question mark about how we tackle that at the moment and how we ensure that yes, we need to kind of kind of continue with the the efforts of recent years to to kind of uplift critical infrastructure resilience and you know, regulators and and national authorities doing, you know, good job of of working with those sorts of organizations to to address some of that. 
But but what's the kind of broader plan for the the supply chain and those smaller organizations or those organizations that might just kind of fit outside of critical infrastructure and so therefore not necessarily subject to the same standards and regulations? So, yeah, big question mark about how governments tackle that. And some of it will require government to to you know put some kind of money behind it in terms of providing some some more proactive support. Other parts of it is probably around making sure that the the technology that all of those sorts of businesses are relying on is secure by design and secure by default where where possible. But yeah, I think it's a bit of a head scratcher at the moment for a lot of a lot of policy makers. You know, hopefully I wasn't too harsh earlier when I was saying how slow governments move, but actually do have some level of sympathy for them because a lot of these challenges and stuff that they're they're dealing with, there aren't easy silver bullet solutions. And also there's you know, question marks about the extent to which how much government needs to be responsible versus businesses and yeah, and all that sort of stuff.

SPEAKER_01:

Yeah, yeah, there's there's like a hundred questions that you know still need to be answered with it, right? Something that I have found to be pretty interesting is there's a few states in America that that are spinning up like you know, the Texas Cyber Command, right? And there's a couple other states that are doing it too, where they're basically just you know enlisting cybersecurity experts into the reserves and then putting them on cyber command to help in the event that a massive cyber attack actually happens, which I actually think is a really good idea. That's probably the only way that you can do it at this point because you know you have to think about it, right? Who like what the what's the age range for someone entering you know the National Guard or military, just overall, right? It's your young, early 20s, right? Like when I was in my early 20s, I was trying to enlist as well, right? You're not gonna get people that are in their 40s enlisting or 30s, you know, because you have families by then. But by that time, if you're not in, your life is completely different from how it would be if you were in. And there's a lot of things that you would have to give up, you know, to be able to make that work, right? Like it just doesn't work any other way. And so something, something like the Texas Cyber Command or, you know, Illinois, if they ever, if they ever get one or whatever it might be, would be the best way to kind of get that talent that never enlisted, that went the professional route, that are experts in cybersecurity. You know, you enlist them, put them through a short boot camp, give me a nice sign-on bonus, right? Let me, you know, call off from work, I'll be happy to do it. Like that would be awesome. But I feel like that's almost that's almost like the only way to kind of manage it in America, at least, because America is so broad, it's so big. 
The government is literally not big enough to cover, you know, the entire country in terms of cyber infrastructure and cybersecurity. It's just not because it it can barely cover, you know, like the main utilities of the power grid and the water and everything else, right? So there's a lot, there's a lot to it. And I I wonder, is there is there anything like that spinning up in Europe right now, where countries are getting their own kind of version of a cyber command or something like that? I apologize. I just, you know, everyone over here in America are very America focused, not thinking of anything in Europe like, oh yeah, it's our cousins over there, you know?

SPEAKER_00:

No, I mean, yeah, I I, you know, I obviously you know keep a very close eye on what's going on over the Atlantic, but I would say I my bias too is probably skewed European, so you're off given the Yeah, that so there are some some efforts, so there's slightly different, but the the European Union is saying something called the cyber reserve, and what that essentially is is a pool of trusted, accredited incident response providers that in a kind of Ukraine level type situation they can immediately call upon those providers in order to provide the the kind of incident response capacity that you need in that that level of crisis. And I think part of that comes back to some of the the lessons learned with with the war in Ukraine, where um there was a need to access that sort of capability quite quickly, but kind of procurement processes were slow and they kind of didn't get stood up as quickly as as it necessarily could have. So you see efforts like that. There in the UK there are discussions, and I I'm not sure we've seen it kind of come to full fruition yet, but there are definitely discussions about how you bring in to kind of similar kind of army reservist type model where you bring in those sorts of individuals into the armed forces to support from a kind of cybersecurity point of view, and not least because I think the other the other aspect of it, right, is that the public sector can only pay so much and the the salaries that people can get in equivalent roles outside of the armed forces or outside of the the public sector or outside the government are kind of considerably higher, and so it's obviously quite attractive for those individuals to you know kind of move ship. Um so we are seeing things like that the the kind of reservist model, but we're also seeing a lot of um kind of secondment type schemes setting up.
So um the the UK National Cybersecurity Centre who runs a that we've we've been we've participated in for I think since its inception a few several years ago. I'm called Industry 100, which is a which is a kind of public private sector succumbent scheme and brings in individuals from the private sector to do kind of succumbent type things across the kind of entire range of what the the National Cybersecurity Centre do. And it can kind of split between kind of really sort of intense succumbments around specific projects to actually kind of play more of an advisory role. And they've they've set up a really, really interesting and very flexible model that I know that other countries around the world are trying to learn from and look if they can set something similar up. But yeah, it's definitely I think it's always going to be a challenge in in our space, especially when we continuously have a skill shortage that we need to find creative ways of of sharing those brains and that talent across the kind of different needs of of the nation whether that's on the private sector or the public sector side.

SPEAKER_01:

Yeah, you bring up a really good point, and, like, I have direct experience with what you were mentioning with the pay disparity between going public and private. And, you know, when I was in my 20s I was trying to go into the agencies, the military, and for one reason or another they just wouldn't select me, right? And the agencies basically all came back and said, oh, I have to wait until I'm 30, more life experience or something like that. Right. And my response was, okay guys, you do understand that, like, if I'm like mediocre in IT, by the time I'm 30 I'm going to be making double what you would bring me in at, like, you understand that, right? And they were like, yeah, you still have to wait till you're 30. And, you know, for me it's like, well, that doesn't make any sense, because when I'm 30 I have a whole different set of priorities. Like, I may have a family, I may be married, I may not even live in this part of the country. I may live in another country, you know? And if I'm making double, why would I ever give that up to then go and be nothing in some agency, you know, be like the lowest person on the totem pole, have to wait 10 years to be able to, like, you know, have like the same amount of tenure, basically, as I would in where I just left? You know, like, it really doesn't make sense. So that's why I see, like, the reservist part of it as being like the only realistic option, right? And with, like you said, the skills shortage, the talent shortage in cybersecurity, you know, we hear about it constantly, right? Like, it's like five million, you know, unfilled roles or whatever it is, right? I probably overstated it quite a bit there, but you get the point, right? There's millions of unfilled roles, you know, globally, and they're not going to be filled because there's literally not enough professionals. And, you know, the market is weird right now.
The job market is very weird in America right now, because, you know, I'll give you an example. So I've been in cybersecurity for like 10 or 12 years at this point. Basically every year up until maybe 2023 or 2024, you know, like, my inbox would just be flooded with people trying to interview me and hire me, just nonstop. It's a nonstop thing. People just straight up willing to offer you more money just to get you in the door and everything else like that, you know? And now there's like nothing, you know? And so I'm not trying to say that, like, I'm the most experienced person in the world or the most skilled or anything like that. But that's a very normal occurrence for people in this field, where they were getting offers daily, literally daily, and now we're all getting nothing, you know? And you look at the jobs and there's over a hundred, you know, applying to these jobs within eight hours. It's like, okay, well, how does anyone actually stick out in these piles of resumes to get into these jobs? Like, it's just a weird situation right now. Did you touch on any of that in the report, by chance?

SPEAKER_00:

No, we don't, but I think the report kind of touches more on the kind of broader capabilities rather than the kind of individual job market. So it's more around kind of where, kind of how nation states are developing their capabilities, and something I didn't touch on in the report, but I'm just thinking as you were talking there, that is interesting at the moment, is the extent to which what the kind of nations and kind of like-minded countries and allied nations are trying or can even work together to kind of develop some of these capabilities, and the kind of cross-pollination of talent as well. So making sure that, you know, we do have that level of cooperation and collaboration on a global scale, particularly when a lot of us are facing very similar threats, threat environments, very similar kind of changes. So it's, but again, I think that's something really tricky to achieve from a global talent perspective. And I think there have been some efforts, though I don't know how successful they've been, to try and create kind of talent frameworks and skills frameworks that go across different countries. So the UK and Singapore, for example, had kind of agreed to develop professional standards that can be applied both in the UK and Singapore. So if you're buying somebody with a level of kind of accreditation in the UK, that is kind of applicable in Singapore and vice versa, just to try and enable some of that global movement of talent where nations do have shortages and they need to kind of bring in talent from abroad. So yeah, I think it's a pretty complicated picture. And I think different countries seem to be going through different phases in their kind of talent pools and kind of where they are seeing shortages. But yeah, that doesn't sound great in the US at the moment, I'm sorry.

SPEAKER_01:

Yeah, it's weird right now. Thankfully I'm employed, but I know a lot of people that have been off of work for 10 plus months, and it's like, man, like, what are you talking about? Like, I've worked with you, you know, you have all the right certifications, it just doesn't make any sense. But that's really interesting that they're forming like a global, you know, kind of body of certification or regulation that people can, you know, immediately go into like an international capacity. I, you know, I always wondered how, like, the certifications I have would translate to, like, me moving to Europe. Would, if I move to Europe, am I immediately, you know, not going to get a job, or are people still looking for the certifications that I have, or, you know, how does that work? Like, that's definitely been something that's been on my mind for sure. Which I guess it's still like that American-centric mentality where I kind of just assumed the industry-wide certs that I have are kind of like respected everywhere, you know, but I don't know.

SPEAKER_00:

Yeah, I'm sure you find AR... I think where a lot of these talent frameworks seem to be coming in is particularly any work that's kind of related to government work or national infrastructure. So there are big efforts at the moment to kind of, as government puts it, professionalize the industry and create levels of kind of harmonized talent frameworks that governments kind of can more easily tap into and require either the people that they're hiring directly or the organizations that they're kind of asking to kind of supply services into their market. They are asking them to meet a certain kind of government-backed accreditations that have been harmonised. So in the UK it's the kind of UK Cyber Security Council, and this is kind of a new initiative to have kind of chartered professionals in the same way that you would have chartered professionals in accountancy or in medicine or those sorts of sectors. And so government really does want to create more of a kind of harmonised talent framework that it can go, yes, those people are sufficiently signed up to a level of ethics and accreditation that we as the government are happy with, that they can kind of work for us. I think the flip side of it is, particularly in the UK at the moment, the cybersecurity industry has been recognised as a big potential growth sector, not least because if you want to grow the other parts of the economy you need good cybersecurity, you need good digital security, and so kind of I think is an underpinning element to that, but also seen as a sector that's going to grow and deliver the economic growth that we're all after at the moment in its own right.
And so as part of that we are seeing a lot of investment from governments in those sort of skills initiatives, skills frameworks, because they not only see it as a way of creating a clearer route for them to purchase trusted services and trusted people, but also see it as a way of making it easier for individuals and graduates to find their way into the industry, because sometimes it can be pretty complex. And as we know, you know, a lot of people have had really interesting and really diverse kind of career routes, very non-traditional. A lot of people don't even necessarily hold accreditations and are now doing absolutely awesome things at the top of the industry. But I think the kind of flip side of that from the government's perspective is that it creates a bit of confusion about, if you want to kind of enter the industry, kind of what's the route so you can go. And so there's kind of these two elements to it. But yeah, on the positive side, we are really seeing, at least in the UK, the government ramping up its kind of backing of the industry and trying to invest more in the industry and create opportunities. So I'm feeling relatively optimistic about that at the moment, but we'll see how it plays out over the next few months. So we're gonna have a new national cyber strategy shortly, which should set out in more detail how the government's kind of backing its rhetoric with proper policies and investment.

SPEAKER_01:

I mean, that's probably really the only way that you can do it, you know, is if you're gonna take a more offensive approach towards cybersecurity overall at the nation state level, then you have to invest in, you know, the private sector to get the skills that you need to pull off, you know, the operations and to actually provide the defense on the back end of your operations, you know? Because I just, I still feel like a country is too big for a government, you know, even in Europe, to go and say, okay, we're gonna protect the water supply. Well, how many companies are in between you and the actual water that gets to my house, you know? Like, there's probably a lot, there's probably a lot of IoT controllers and, you know, all this other stuff, right? And so for any government to say, oh yeah, we're gonna secure it all, it's not very realistic. If you're gonna secure it all, that means that you have to, like, you know, really bolster up these companies with talent that can actually do it and really drive it home to them that, like, hey, you have to secure this no matter what, you know?

SPEAKER_00:

Yeah, no, totally, and I think we are seeing this kind of, because we are around the world in a period of austerity in public sector and government funding, funding cuts coming, and obviously seeing it in the US, but we are also seeing it across Europe and elsewhere in the world. And what that is kind of forcing governments to do is basically say, these are the things that we're responsible for and these are the things that we're going to do to invest in and help with the resilience. So things like kind of investment in the ecosystem, the skills, the capabilities, the talent, and focusing on those areas that they might have kind of direct responsibility over, like defence or healthcare, but also at the same time we are continuing to see the regulations that a lot of organizations are subject to tighten and strengthen. And then, so, in order to meet that bar, you do need the kind of two sides of the coin, because organizations need to kind of meet this resilience bar, both because it's the right thing to do and is necessary, but also because increasingly regulations are dictating to them that they need to do that, and dictating to more organisations as well that they need to do that. I think in Europe at the moment there's a couple of pieces of legislation that are going through or have gone through, and that will basically mean that literally thousands and thousands more organisations that have never had to apply these rules before now have to apply them. But when you've got that, like you said, you also need the people and the capabilities to help deliver that level of resilience and meet the expectations that governments are expecting.
And so, you know, I think it's a good thing that, you know, we are seeing some recognition from governments that they do need to play that role from an ecosystem development perspective and make sure that they're acting as that kind of skills developer but also the kind of convener as well, and bringing together the respective parts to collaborate and develop the things that those organizations will need to be able to access in order to deliver on their ever strengthening expectations of businesses and organizations.

SPEAKER_01:

Unfortunately, we're at the top of our time here, but it's been a fantastic conversation. I really appreciate you taking the time to come on. I know it's later in your day, so I really appreciate you taking the time, you know, especially now, to come on and, you know, talk about this and everything. You know, it's fantastic.

SPEAKER_00:

No worries, really enjoyed it.

SPEAKER_01:

Yeah, definitely. Well, before I let you go, how about you tell my audience where they could find you if they wanted to connect with you, and where they could find your report if they wanted to, you know, find it and read it and learn from it.

SPEAKER_00:

Yeah, awesome. So you can find me on LinkedIn. Verona Johnstone Hulse is a pretty unique name, so I'm sure you'll find me if you have a search. And equally, yes, so NCC Group's published our Global Cyber Policy Radar. So that explores some of the things that we've obviously chatted about in terms of the offensive cyber capabilities, but also what's next for kind of cyber regulations, governments looking at things like banning ransomware payments and putting in kind of efforts to try and harmonize some regulations whilst, as I said, also strengthening the rules that underpin those regulations. So if you're interested in learning more about where cyber regulations, government cyber policy etc. is going, you can access that on NCC Group's website, or if you have me on LinkedIn, I've probably put three posts up about it already. So feel free to kind of go in through that route.

SPEAKER_01:

Awesome. Well, thanks everyone, I hope you enjoyed this episode. Cool.