Podcast episode 5: Cyber 101 with Dr Justin McKeown

• Apple iTunes
• Anchor
• Breaker
• Google Podcasts
• Pocket Casts
• RadioPublic
• Spotify

In this episode, Lee introduces you to our fabulous new host, Victoria Vorobeva. Victoria is our talented content editor and is responsible for creating the audio and visual content across the website. Together, Lee and Victoria delve into the fascinating world of cyber security with this week's guest Dr Justin McKeown.

Justin is the founder of cyber security company, Arkiotec and architect to our computing courses at Ravensbourne University. He has a rich career history in which his interests in the arts, computer science and politics have converged, to lead him down some fascinating avenues.

Leave any preconceptions you might have about cyber security by the door, as Justin explores the subject in detail and looks at the modern role of a cyber expert. He also discusses the fundamental role he played in creating our exciting new computing courses.

Don't miss this exciting and revelatory episode - we hope you enjoy it! 

Follow us:

• Instagram
• Facebook
• LinkedIn
• Twitter
• YouTube

00:00:00,225 --> 00:00:04,025

Lee: Hello, and welcome to episode of the new podcast from Ravensbourne University London. I am your host Lee as always, and I'm so excited to be joined by a new co-host Victoria Vorobeva.

Hi Victoria. How are you?

Victoria: Hello. Thank you for introducing me, Lee. I'm very excited to be starting to host The Ravecast, but I'm also extremely nervous. But let's see how that goes.

Lee: Absolutely. What's been the highlight of your time so far?

Victoria: Yes, i've been in Ravensbourne for a couple of months now and my experience so far has been absolutely fantastic. I got to meet a lot of talented people, and everyone has been super helpful. I am yeah, genuinely grateful to be working in such an inspiring place.

Lee: And for everyone listening to. Let them know what your job is. What you do? What's your day-to-day kind of role here?

Victoria: Absolutely. So, I'm in the marketing team at Ravensbourne. And I am responsible for creating the visual and audio content, which our audience can see on our Instagram and our YouTube and Tik-Tok and other social media pages. My every day is very different and there is never two similar things on my agenda. I produce the interviews as well as our In conversation series and I’m working on the podcast. And it's yeah, been very busy, but I'm very excited to see what else happens in the future. And looking forward to a lot of exciting projects that are happening soon.

Lee: I think you have a really good job. And a lot of those who look at social media will probably see some of your work at some point. I saw it firsthand at our graduation that we had over the Christmas period. You produced that amazing video that was kind of like a real, eye opener into the kind of life and times of our students over the last 18 months, and the work they've produced in light of all the challenges that we've had with Covid and just kind of celebrating all their successes. So it was, it was amazing to see their work and it was amazing to see how you presented that work. And that was really cool! Do you want to tell us who we've got on today and what who we’re interviewing? - because he's pretty cool.

Victoria: We have a very exciting guest today with us - Dr. Justin McKeown who is a curriculum creator of Ravensbourne, computing courses, and the cybersecurity expert. Welcome, Justin.

Justin: Hi Victoria. Thanks for having me on.

Victoria: Shall we start with you sort of introducing yourself and telling me a bit about your experience in the industry and your area of expertise.

Justin: Yeah. Sure. So I see background wise, I'm founder and CEO of company called Arkiotech and we are a cyber security firm, based in the north of England. Prior to starting the company I had worked in higher education for 16 years. So I did my doctorate at the University of Ulster. I studied software and systems security at the University of Oxford. I’m senior fellow of higher education academy as an associate professor in another HE university’s computer science department. I was also head of computer science there. So, and I've, I think I was trying to count the other day, I think I've developed about 14 courses to date in the field of computing. And that's me doing the development and working on stuff and then I've input into so many other courses that other people have been developing and I just can't count those all in that space. So yeah, I've kind of I've got this skill set that sits at the intersection of computer science specifically cybersecurity and curriculum, which I care quite a bit about actually.

Victoria: Thank you Justin and let's talk a bit about the industry. So for our listeners who are not very familiar with cybersecurity. How would you best explain it to them?

Justin: I think it's a really, really good question because it can mean so much to so many different people. I was having this discussion actually, with someone the other day. I was down the pub explaining to somebody who doesn't do this type of thing for a living. I think it's fair to say that cybersecurity is about reducing the risk of being the victim of a cyberattack. I've just used the word cyber twice to explain that. This, you know, the things are doesn't really own pocket. I think one of the things I'd often refer to if people said, “what is this thing called ‘cyber’?” would be just what Fred Kaplan, who wrote a book called The Dark territory (and it's a kind of Haunted history of cyber war and I use the term war loosely). But in his book, the kind of things which I find quite useful, actually the popular use of the word cyber, as we use it for a prefix to things like security, crying threats, arises in the late 90s and the American Department of Justice. And the story goes to resist lawyer in the DOJ, the Department of Justice, called Michael Vitus, and he was part of quite an important working group looking. At threats among other things to Industrial control systems in America and and he'd been reading William Gibson's Neuromancer, which is quite a famous work of Science Fiction. And in Neuromancer, Gibson introduced this concept of cyberspace. And, you know, it's as if this kind of space arises from widespread interconnected digital technologies. So that has advocated for you, for the use of the term, cyber to describe the types of things the working group is dealing with. It got traction in the working group and other people around the working group who interacted with it. People started using it as a prefix, the word cyber to describe kind of malevolent activities that require utilised networked information technologies, hence cybercrime, cyber threats, cyber war and that’s really in the popular use in defence and security where the term seems to arise from. But as I say, it's about by reducing the risk of being a victim of cyber-attack and also, it’s maybe worth adding to that. By saying that cybersecurity isn't a goal, it’s not a tick box exercise. If you like it, it's a state. And as a state, it's something that has to be maintained. This is really helpful.

Victoria: Thank you Justin. You would probably agree with me that cybersecurity is sort of more relevant than ever these days with a lot of users on the internet and the companies being more interested in the cyber safety. How do you think it's changed in the recent times?

And what do you think is one thing that people going into cyber security or maybe more thing should know about that they're probably not aware of?

Justin: That’s a really, really interesting question. I think one of the things we can say if we look at the history of the cyber security is that it's gone from being maybe this niche thing, that people who work for the government or security firms, non-cybersecurity firms would have dealt with. And certain gifted criminals shall we say with technical skills. It's moved from that to becoming this more mainstream thing, where, you know, in 2016 GCHQ, gave birth to the National Cyber Security Centre, the end State, the NCSC, and then in 2020, the UK government introduced the National Cyber Force, which is a kind of offensive cyber body, from what I can say.

And I've recently read the 2021 integrated defence review, which makes an awful lot of mention of this concept of you know, not just cyber security but the saving of power. And so I think what's happened is some, the idea, the understanding what cybersecurity is has become more mainstream. It's a term that more people find tangible. So with this, what kind of happened is, we're seeing, you know organisations who previously wouldn't really have thought about any of this stuff, if at all, starting to now think about how they can better protect themselves and especially how they protect their businesses. It’s not even just businesses, you know, organisations such as charities equally are taking their cybersecurity seriously and I think all this stuff is a really, really good thing. But I still think we've got a way to go on that front in terms of making sure thinking about cybersecurity is embedded in organisations, but I think we’re on the right track with this stuff. So I think we've got this emergence into that space in terms of what we're likely to see in 2022. No, I think it's a really interesting question. One of the things that happens in cyber is you've got a kind of arms race between people are trying to defend organisations and networks and on the other side of that attackers and what's happening in the UK at the minute is there's a lot of work going on to develop frameworks and certification process. This is for people to be able to say “Hey, I've got the skills. And please give me a job in cyber”. But criminals don't need any of that. They just need a skill set. So I think there's a really interesting landscape developing between people who aspire to defend, and keep network secure and people who, you know, who want to use their skills for criminal activities and I'm interested to see how the frameworks develop. Whether they actually a help or a hindrance in terms of ensuring good with cyber.

But, yeah, we'll see. That's, I guess that's because I've got quite an interest in education, in this space. But, yeah, that that's, that's that, that would be some of the stuff that I'd be most interested in seeing kind of emerging at the minute in 2022. In terms of stuff. People don't know that cyber is a really big field and you don't need to be technical for all the jobs that exist within it. I think most people imagine that you, you know, you need some kind of, you know, have a dark hoodie and be really good at hacking and understand a Linux terminal, but that's not the case at all. There are of course those rules and things like ethical hacking offensive security, but there's equally rules and things like risk management, business continuity and other things. And so I think yes. If you're interested in getting into cyber, you have a look and understand the expansiveness and the different types of rules that exist and we're using individuals that might feel comfortable, might be able to make a meaningful contribution.

Victoria: Since you mentioned it yourself, I know that more and more people are getting excited about the idea of the ethical hacking, and from your experience, how ethical can it get, and what is your opinion on this in general?

Justin: Oh, that's a really interesting question. Sometimes, I think ethical hacking is an oxymoron. You know, what does that actually mean? I mean, there is the ethical hacker certification and I think you know that people understand what that is and then some organisations that can be a precursor to a job. And there's a skill set and a framework aligned to that. So that makes sense, but I'm not sure everyone who uses the term “ethical hackers” necessarily thinking about it in terms of that professional certification. And the skill set that aligns to that. I think ethical hacking for most people, they're imagining it some form of offensive cyber security. So, you know, open up a Terminal Scanner Target machine, or Scanner Network, see what services are running, see what's vulnerable and they figure out. If there's any, you know, no one common vulnerable exposures that you can exploit digitally, explode and then see if you can get a foothold in a box and then root it, that I think is what most people thinks think. But of when they think about ethical hacking and that gets people excited about cyber. That's great. But hopefully once they get excited about it and they step into the field a little bit and they see what other stuff exists, there’s other things there. They can get equally excited about that. Perhaps, or I don't want to say more valuable because I don't want to knock people who do that kind of work because I think that kind of work is really good fun. That's exciting. But there's more skills required than just being able to do that. And if you have that skill set you can be very valuable doing other things because you understand an attackers mindset.

Victoria: Thank you Justin for telling us a bit about the industry and I'm gonna let Lee take over from now.

Lee: So Justin, in terms of what the industry needs, when creating our computing curriculum, I am sure it was based on your experience of the current job market, so in your opinion what are the most essential skills needed to get work in the professional cyber world?

Justin:  Yes, absolutely. So in terms of the work we've done developing the courses for Ravensbourne - absolutely, that’s informed that one of the things I think that's been absolutely key is trying to develop a curriculum, that ensures a skill set and a mindset because those are the two fundamental elements of the puzzle. You need the skills to do, what you need to be able to do. But you need the mindset to be able, especially in a field like cyber to think, laterally and problem-solving and develop tenacity and some stamina in the face of taking on challenges and problems. And being able to say, well, you know, I tried to solve it this way, if I can't solve it this way, say - what other options are available to me? How else may I be able to think about this problem? So, I've that's definitely informed all the work I've done for Ravensbourne actually, not just cyber, but beyond cyber, because I think in a field like cyber well indeed, anything technical like this, you're only as good as your skill set and therefore, it’s really, really important that curriculums are designed to understand where people are in their journey and then really help them to develop skills that at the end of their degree, they are technically proficient and they have a mindset that enables them to use those skills. And therefore, what we've tried to do is look at those fundamentals in relation to the various spaces that the courses are within, rather than simply focus on saying, it will teach you how to use a tool. But you also know, if the tool stops doing that, what needs to be done and how you might go about it. And you can also maybe hopefully be able to well at least have the potential to notice a bit tool might be lying to you in terms of what it's telling you.

Lee: And that's really interesting and it's something that I find interesting you know. What, I guess what? When you're building the course, and when a student is coming onto the course, What are the essential skills? That you think that they need to learn to be successful, you know, if you had to pick three three skills, I guess that someone in cyber security needs to to know fundamentally, what would they be?

Justin: That’s a really good question. I'll try and talk in terms of the Ravensbourne course because one of the things because it's such a big field, like I was trying to comment the other day and I think I came up with it by 14 different rules in cyber. I anticipate these things will expand. So with the Ravensbourne course, what I really wanted to do was focus on the notion of cyber defence and say, rather than making you a cyber journalist, if we started to focus on the skill set for defence, what would that look like? So, one an approach to systems thinking, can I look at a system and think about it as nuts-and-bolts components. Can I think about how it works as a whole? Can I analyse it and think about where the vulnerabilities exist within that system and how I might go about thinking about how I might reduce its attack surface? So then building on that, we're needing skills in network security because you need to understand how a network functions from the wire level right up to the application layer. If you want to be able to look at a system and really understand how information is being constructed and it's flowing through it. And then along with that, we also orientated towards the defence. One of the things I wanted to do was design a module in cyber incident response. So we're looking at the important frameworks that people going into the job market, would have to apply. So that modules work to really focus in around ISO 27001, which is the standard for, you know, cyber incident response. You would be modelling a response model based on that standard, making sure students understand that. And then also understand the broader aspects of cyber incidents response and then building beyond that thinking, “okay, if you've protected your network, you know, how to then respond, if there's some type of cyber incident occurs, what process is might you be engaged in in the other side of that to try and understand what has happened?”. So we wrote a module in forensics. Specifically, computer, forensics being able to say, “okay - how would I begin to analyse a computer to try and understand?”. And what's happened on it and also open source intelligence, I’ve added as well which I really like. It's not normally taught in cyber degrees as far as I can see, but if you analyse a hard disk, for example, and you find some quite interesting information on it, you may want to, as part of an investigation into that try and resolve it to something, you might want to build on it. You might want to take that information. So well I know, x, y and Z here. What else can I find either by x y and Z? What type of picture can I establish? So the open source intelligence module is really geared towards giving people the skill set to do that and also to think analytically so I can get this information. But on what basis can I assert that the things I think are true. So just because I've discovered it doesn't mean it's true. It could be a you know, several things.

This means how do I properly analyse information? You make sense of it and draw conclusions.

So the degrees wrote to talk to that specifically to defensive cyber and to give people an core understanding in that skill set because I think especially because things like ethical hacking can

sometimes be so glamorous. It's not till you get into cyber that you start to understand actually, how much fun defensive stuff really is, and those types of analytical processes. So we want it to kind of talk to the need for that skill set because I think there's more of a need for that skill set than for anything else in the UK at the minute.

Lee: No, I totally agree. And you know, those listeners that keep an eye on the news will know that the Foreign Office seemed to get hacked a couple of months ago and we only found out because there was a massive bill that was that was released that they had to pay for the services of people like you're talking about to come in and say oh right, this thing happened, you know, and I guess almost like an investigator trying to piece together. You know, how did this happen? How can we prevent it again? So, you know, it sounds like more of those people are needed in the industry. And I really like that, you mentioned the word specialist, because we’re a creative specialist as a university. So, all of our degrees in some way, shape, or form, kind of narrow themselves into a specific field. So it's really nice to hear that in the broad world of cyber. There's still that specialist notion within the degree and you think that's what our I guess our unique proposition is as a, you know, we're a creative university doing a computer course. So, you know, if you're a young person, you're probably thinking, why should you come to us? And do you think that, that specialist nature is kind of one of the reasons?

Justin: Yeah. Definitely. I think I think the ability to do something focused on that. You have a really concrete understanding of what the skill set is. Whenever you walk out the door on the, on the side, having completed that learning journey. I think, you know, it's a really, really tangible thing and we’ve designed it that way because we want to make sure that anyone who does that the values there in terms of the learning.

So, yes, absolutely. But I also think, you know, being a creative University, there is that relationship. Some people think that hacking can be more of sometimes that is more of an art than a science and you could equally say the same of cyber defence. But I think it's because I think people who've got an arts background, are really good at lateral thinking in a way that might surprise you when you move into other fields, and because I think it's part of your bread and butter in an arts background to be able to think laterally about problems. But I think it's an incredibly useful skill when you're dealing with cyber, especially if you're trying to look at a problem and quite often, if you know some of those big breaches like the Home Office thing that you're citing, you're looking at a problem that you don't understand. You're saying how did this happen? Because if you could predict if it wasn’t an unknown, you would be able to mitigate it but you're dealing with an unknown sort of going to Rumsfeld-isms. But so you're looking at problem with the space is ill-defined in, you're trying to solve it and lateral thinking is a really useful skill in that space when you're trying to go how could these people have done this? And then as you know, you start telling your tech the investigative process, I mean, it's not the only skill but it is a useful one. I think being not just in a I think being around creative people can help with that, simply by exposure of seeing, how your peers do things, and how they do things differently and part of how we designed the masters programs, as well, was to not just think about them in isolation. But to think about them as a culture and think about them in terms of being a community and that part of your value of studying something is in part of the network of people that you develop by being part of a community. There's a lot of things like that that I think are quite unique and hopefully the size aspect as well. In my academic career, I've taught courses where I can easily have three, four hundred All in front of me in a lecture theatre. And in those scenarios, you're just one face and many, but I think in smaller institutions where you're maybe one in 20 or something, then your lecturers get to know you as a person, the understand your aspirations, the understand why you're there studying and, and they can help you with that. Because the understand you, in a way that being in that you're not understood, when you're in a much bigger institution. I often it's a slight tangent but I think a useful one. And I've often said when people have talked to me about value of degree programs before I often use the analogy of a gym and I think you know some people, you know, if you're paying for a degree, some people can look at that and go “Well I'm paying for it and they almost imagine it as I'm paying for a certificate” and you're not.

What you're actually paying for is access to people with specialist knowledge, and specialist equipment and resources that can guide you to develop and improve yourself in the field that you want to improve yourself within so I think you get better value for money in a scenario like that whenever you’re on in 20 rather than 1 and 100, for example, because those people understand you and they can help you with your self-development to  become the person, you want to be both in terms of skill set and mindset. And I think I think Ravensbourne is got a lot of value to offer in that space because of size and scale.

Lee: Yeah, I think that's really interesting and being a face and not numbers is something I think that's increasingly more important to young people and they want to be seen. They want to be heard. They want to have contact time with their tutor.

They want their tutor to know their name. And, you know, they want to know a little bit about them, and I think there's a really nice opportunity at Ravensbourne for that to happen, because we are such a small tight-knit community. So it's good that that, you know, will continue on that on the cyber course. I just wanted to kind of pick up on what you were saying about the skill sets and stuff. And, you know, for someone who's listening to this, who maybe hasn’t dipped their toe into cyber or even coding to an extent. You know, what would your advice be to them? If you know someone is good at lateral thinking or do you know someone comes from a creative background but maybe wants to go into cyber but it's thinking I have no idea where to start. What would your advice be to them? You know, do they know how to code coming into the course or is that something that’s taught from day one?

Justin:  That's a really good question. I'm just trying to think through if there's any of the modules that have coding in.

Lee: And I probably show my own my own ignorance here by saying, you know, do they know the code when potentially you don't even need to in cyber security.

Justin: I mean, it's like the assumption of art, isn't it? Everyone who does art paints? Right? And it's like, once you get into that field, you discover. There's a whole bunch of disciplines. Like, you know, textiles fashion can be an art form, sculpture, multimedia stuff and none of it's got anything to do with being handy with a brush and some paints. And I think, it's a similar misconceptions around the cyber skillset. Anything you learn improves what you understand. So for example, if I was testing web applications and I can write JavaScript. I understand better what I'm trying to hack because I can read the code I'm looking at. If it’s obfuscated - I can de-obfuscate it and I can understand different things about it in a way that I couldn’t if I didn’t have the skillset.

Frequently I find people are scared because of programming sounds too technical. For example, and you know, or maths sounds too technical. They tend to be the two things that put people off, cyber. I can't program. You don't need to program necessarily. Not all jobs are technical and not all the jobs are technical, require you to be able to program. Forensics for example, I love forensics. Um, you don't need to be able to program to do forensics. If you can program and you do forensics you can do what I do and build tools to do things for you. So as you can do the much quicker, but you don't have to be able to do that to perform forensic examinations. The best advice is one, don't be scared. Treat things like maths and programming as languages and it's much easier because programming is a language and math is the language and the ways of describing things and programming is a language you used to talk to machines, you say, excuse me, computer who normally speaks assembly and machine code. If I type this stuff in here, which is half English, half maths you can understand it enough to perform these functions for me, so that works correctly and it's just a language. There's many different ways of programming things and some are more efficient than others. But if you can do it in a way the computer understands, well, you’re already halfway there. Efficiency is just an improvement. But if you're starting out, you know, that willingness to have a go to expose yourself to learn, to not give up. When I started in this field. It is a hard field and people can give up because they find the initial steps difficult. But the thing I always told myself is you only have to learn this stuff once, like it's a field where once you figure out, and you understand a concept that underpins something you're trying to do, then you've won that knowledge. And as you win that knowledge and you build up that knowledge base, then actually you start to become really quite useful within the space and learning is a journey that lasts a lifetime. So your whole career, you will spend exposing yourself to new things and dealing with them quite often challenges to you, and learning them gaining various levels of degrees of mastery, and expanding, and to some extent becoming unique. Because in the stuff that you're interested in, you will develop skills that are unique and therefore can make you quite valuable in some aspects of the cyberspace or other spaces.

Lee: That’s great. And hopefully reassuring to people that, you know, haven't dipped a toe in this kind of field before. And to hear that you don't necessarily need to be an expert coming in because that's what my three years at university is here for, to help me become an expert in a sense. So great to hear that. I think that kind of wraps it up. So, you know, thank you so much for your time today Justin. It's been amazing talking to you and picking your brains. And you're such an asset for us to have, you know, and to be able to talk to. So yeah, thank you for coming in. Any sort of final words?

Justin: Thanks for having me. I really appreciate it. I think the thing is just have a go like, really have a go, you’re going to be scared. You know, courage is grace under pressure and all that.

Have a go. Be brave - If it's going to feel difficult will come a point when it doesn't, and you'll be really happy that you're the tenacity to stick with it and get what you wanted to be. That's, that's the whole thing, I think. Yeah, good luck to anyone applying. I hope they get in and I hope they do really well.

Lee: Thanks. Justin, always. Great to talk to you. And for anyone listening who wants to know more about our cybersecurity or any of our Computing courses, you can find all the information on the Ravensbourne website. Victoria -  Do you want to let everyone know what's coming up on next times, episode.

Victoria: Absolutely with pleasure. There is. In fact a lot of exciting content coming soon dedicated to the international women's day. So please make sure you follow us on Instagram to stay up to date with all the new stuff we're working on. And I'm really thrilled to announce that we will be interviewing a very exciting guest soon. So don't miss the next episode of Rave cast because I promise you it’s going to be very interesting.

Lee: Sounds great. We look forward to it and we'll see you all next time. Say bye

Victoria: Bye, and I hope you enjoyed this episode of Ravecast.

See you next time.