Fostering the next generation of InfoSec experts

Robert “Bull” Winkel, from UXC Saltbush, has found some of his best team members outside of traditional recruitment channels.



When I moved to Brisbane three years ago, one of the first things I did was consider my options for meeting local InfoSec types to share knowledge. I subsequently got involved in, and started, several local groups which I found to be a valuable way to foster security talent in the community.

Reading a recent article by my colleagues Dave Jarvis and Clem Colman on the Federal Government’s new Cyber Security Strategy – especially their evaluation of plans to raise InfoSec skills within Australia – got me thinking.

What can each of us in the InfoSec community do to foster the next generation of experts?

Traditional ways into InfoSec

We’re all well aware of the serious deficiency in InfoSec skills –it’s a global issue and acute here in Australia. A small number of universities offer advanced courses but, as Clem and Dave argue, there’s an urgent need for TAFE-level training to help fill this gaping hole.

Apart from formal tertiary-level training, today’s InfoSec professionals typically broke into the industry in one of four ways:

1. Military background

Like me, some security professionals started in Defence, gravitated into Intelligence and – having demonstrated technical skills – found their niche and passion. Private companies and other government departments now employ ex-military InfoSec specialists as employees or consultants.

2. ICT background

People with several years of sysadmin or developer experience may eventually migrate into security. If they have a passion for security, they can be given the opportunity to move into a security-focussed role.

3. Job boards

Yes, Seek and the like display ads for security professionals, but few roles are offered to those with no previous experience. For the would-be security professional, it’s a tough way to break into the industry.

4. Hacker past

We’ve all heard of infamous hackers who reformed and became White Hats. Less infamous hackers also mature with time, and many decide to get a ‘real’ job, legitimising their skills. They make for excellent penetration testers – because they understand the mindset and tools of the actors they are now working against.

But there is another way…

Security meet-ups foster new talent

I’m an active believer in getting together with my peers to immerse in everything InfoSec. We’re not precious as a group, and new faces are always welcome – and it’s an excellent way to foster new talent. People that have a passion and aptitude for security, but no experience, can hone their skills, build up their network, and get their foot into the InfoSec community by attending security conferences and meet-ups.

Here are some of the InfoSec related community events that I am involved in, where like folk gather to network with, learn from, and mentor each other:

SecTalks is a monthly meet-up group I organise in Brisbane. There are chapters in Melbourne, Sydney, Perth and Canberra – with London starting soon. We typically have a talk on a security topic followed by a hands-on hacking challenge, all over a few drinks and pizza. It’s fun and a great opportunity for people wanting to break into our industry. Up to 75% of the audience is made up of people new to the security industry.

CrikeyCon is a grass-roots, not-for-profit, community-led conference targeting security folk in Queensland and beyond. It’s informal, to encourage flow of information between attendees and speakers. As an organiser, one of my roles is as a ‘diversity officer’ – looking at ways to expand the demographics of our attendees, with a current focus on women in the security industry.

Security meet-ups also attract new talent from outside the industry. Some of those I’ve organised include:

  • Black Bag, a Ruxcon competition involving espionage, spy tradecraft, lock picking, hacking and social engineering
  • Operation Dropbear, a CrikeyCon spy-themed competition consisting of a scavenger hunt, trivia questions, puzzle solving, social engineering and OPSEC
  • Brisbane Locksport, a meet-up I created to satisfy my personal passion for physical security, as a related adjunct to my InfoSec career

Sometimes, more encouragement is needed

Being an ICT security professional requires intense focus and concentration. The fact is, many people with these capabilities feel awkward in social situations. They might be intense, shy, unassuming, considered ‘nerds’, or just generally lousy at small talk.

While InfoSec community meet-ups give them the opportunity to mingle with their own kind, many are reluctant, even amongst their peers, to ‘put themselves forward’ and contribute their opinion, knowledge, or skills. They might turn up, but they won’t interact unless prompted.

Attending conferences, we hear smart, articulate people talking confidently about specialist security topics – leaving many feeling inadequate and unable to value their own authority. ‘Imposter Syndrome’ is a recognised condition, and fairly prevalent among InfoSec people. It involves strong doubt of your abilities: “If I get up and talk about my project, other people will know more or think that I’m a fraud”. Imposter Syndrome can add to a person’s reluctance to talk to others in the community.

A ‘movement’ I am passionate about is Awkward Hugs – which is all about being inclusionary and making new connections with people in the security community. Once you submit to an awkward hug, you’re given a rubber bracelet. If you wear it, you agree to be an active participant. This gives permission for anyone to go up and give you an awkward hug – you’re essentially saying: “Let’s just admit and celebrate that we are awkward folk, and break the ice while having a bit of fun – by giving each other an awkward hug” The bracelet is not mandatory to be involved in the awkward hugs movement, and a lot of folk hug it out at conferences regardless.

An ‘awkward hug’ can involve a hug from behind, a one-armed hug, one person being lifted off the ground, etc – it doesn’t matter because it breaks down barriers and has a viral effect. Quite a lot of the security community are awkward in social situations, so why not acknowledge this and embrace it (pun intended)?

Awkward hugs were already a thing in the US, but it was informal and wasn’t designed to break down barriers (even if that’s what it did). I loved the concept, so reworked it and introduced Australian Awkward Hugs at CrikeyCon 2015. This Brisbane conference is dedicated to bringing hackers and security folk together, regardless of their notoriety in the security industry or their social abilities.

Finding new talent

My active involvement in InfoSec community groups has reaped rewards: I’ve met and hired several excellent team members through these groups.

One was a motor mechanic fascinated by security, who studied on his own but had no formal tech experience. I recognised his passion and aptitude and he now works in my team. Another is an ex-copper with the same passion. At the time, I was interviewing people already in the security industry – while they had the qualifications, they lacked this ‘passion’ which is so essential to excellence in InfoSec.

My conclusion: Those that attend hacker and security related conferences and meet-ups tend to show that inquisitive thirst to be challenged, which makes for excellent InfoSec professionals. It is here that the next generation of InfoSec experts will be produced.


Editor’s Note: Robert Winkel was a finalist for the AusCERT 2016 Individual Excellence in Information Security Award on the basis of his “contribution to growing and fostering information security events to benefit the InfoSec community and beyond”. The nomination cites SecTalks as “an extremely valuable event for the local InfoSec community”, as well as his leadership of CrikeyCon which “brings many benefits to the community”.

Further Reading

About the Author

Robert “Bull” Winkel is Queensland Regional Manager and Principal Security Consultant at UXC Saltbush. He has worked in the security and intelligence fields for 22 years. Technical security assurance is his particular interest, underpinned by his extensive experience in Digital Forensics, Reverse Engineering, Penetration Testing and Social Engineering. Based in Brisbane, he actively contributes to knowledge sharing and skills development within the local and Australian InfoSec community.