Call for action: Building a hub for effective cybersecurity | IGF 2023

8 Oct 2023 04:35h - 06:35h UTC

Event report

Speakers and Moderators

Speakers:
  • Maciej Groń, NASK, technical community, Eastern Europe
  • Anna Rywczyńska, NASK, technical community, Eastern Europe
  • Janice Richardson, InSight, civil society, Australia, Oceania
  • Awo Aidam Amenyah, Child Online Africa, civil society, African Group
  • Wout de Natris, De Natris Consult – private sector, Western Europe
  • Juwang Zhu, intergovernmental organization, UN DESA
  • MAEMURA Akinori, JPNIC, JPCERT/CC, DotAsia, technical community, Japan, Asia-Pacific Group
  • Mohammad A. Jauhar, YIGF, Internet Society Youth Standing Group, civil society, India, Asia-Pacific Group
Moderators:
  • Wout de Natris, De Natris Consult

Disclaimer: It should be noted that the reporting, analysis and chatbot answers are generated automatically by DiploGPT from the official UN transcripts and, in case of just-in-time reporting, the audiovisual recordings on UN Web TV. The accuracy and completeness of the resources and results can therefore not be guaranteed.

Full session report

Yuki Tadobayashi

A significant disparity exists between the content taught within universities and the fundamental needs of industries, specifically concerning cybersecurity education. It has been observed, with certain negativity, that universities are becoming entrenched in outdated teaching methodologies. These institutions often prompt students to demonstrate individual brilliance and foster innovation. However, this approach might inadvertently impede teamwork – an integral ingredient for problem-solving in cybersecurity. Moreover, they put an undue emphasis on inventing new technologies, such as AI, instead of instructing students on their secure usage.

Conversely, it is laudable how industry training programmes in Japan effectively cater to the necessities of the rapidly evolving cyber landscape. With an annual budget of $20m, these programmes concentrate on the future of technology. They focus on providing practical education on secure applications of cutting-edge technologies such as cloud security and AI implementation, among others. An outstanding aspect of these programmes is their emphatic endorsement of teamwork, acknowledging the multidimensional nature of tech issues within corporate structures.

Parallelly, attention ought to be drawn towards the untapped potential within industries possessing notable digital aspects. Notwithstanding the escalating level of digitisation within factories, individuals within these workforces frequently fail to recognise potential opportunities to shift towards a career in cybersecurity. To address this issue, a myriad of industry-sponsored training programmes has been initiated in a bid to arm individuals with essential cybersecurity skills. These comprehensive programmes stretch across a year, operating from Monday to Friday, and cover an array of topics including programming, penetration testing, and defence exercises. Intriguingly, they also conduct business-oriented drills, involving briefings to Chief Information Security Officers (CISOs), board members, accountants, and lawyers.

Conversely, the switch to a cybersecurity profession necessitates a substantial commitment of a year, considering the intricate nature of both technological adaptations and legal/regulatory developments. This has triggered a backlash from certain industrial contingents, leading to the suggestion that the demanding duration could potentially deter prospective aspirants.

Lastly, it’s worth considering the ‘security hub’ – a proposed global collaboration platform designed to bolster internet safety. Ideally, this hub should promote less strenuous participation, encouraging involvement across various scales. However, the success of such an endeavour would heavily rely on establishing a network of trust. This brings an associated risk, as malevolent entities could potentially exploit this network; hence careful strategic planning alongside stringent safeguards is indispensable to its development.

To summarise, whilst academia must endeavour to bridge the gap with industrial necessities in cybersecurity education, industry-sponsored training and innovative propositions like the ‘security hub’ offer unique opportunities to enhance cybersecurity skills and facilitate global teamwork. Nevertheless, elements such as the duration of training and trust issues in a collaborative platform require thorough analysis to ensure sustained engagement in these initiatives.

Ismalia Jawara

Ismalia Jawara, serving as the chair of the cybersecurity group named Gambia Information Security, has ardently championed the causes of diversity and women’s inclusion in the cybersecurity workforce. This testifies to her dedication to ‘SDG 5: Gender Equality’ and ‘SDG 8: Decent Work and Economic Growth’. Under her stewardship, educational initiatives such as bootcamps have enabled approximately 50 university students to graduate with vital competencies in the cybersecurity sector. The fact that fifteen out of twenty-five individuals holding IC2 cybersecurity certifications are women serves as a powerful testament to the strides taken towards women empowerment within this domain.

Moreover, Jawara advocates for increased cooperation across disparate levels, while also encouraging greater involvement from the global south. Her influential role as a senior security analyst for the Gambia government further allows her to foster partnerships and collaborations with the aim of equipping more people with cybersecurity skills. She explicitly acknowledges Cisco’s contributions in providing free cybersecurity scholarships to disadvantaged communities, a commendable step towards fulfilling ‘SDG 17: Partnership for the Goals’.

Despite these affirmative actions, there remain considerable hurdles in achieving gender equality and workforce diversity in the cybersecurity field. Societal constructs such as gendered toys can have subtle, yet profound, impacts on career choices from an early age. Furthermore, despite concerted recruitment efforts, the quantity of women entering the cybersecurity industry remains remarkably low, necessitating an exploration into underlying issues.

Businesses are now being urged to re-evaluate their practices and prioritise the induction of women in the cybersecurity terrain. Such a shift would not only adhere to ‘SDG 5: Gender Equality’, but also cultivate diversity in the corporate ecosystem. The current recruitment stratagems are often interpreted as intimidating, potentially discouraging prospective female recruits. The exceedingly high benchmarks set also compound entry barriers.

Thus, there is a clear demand for the re-examination and adaptation of recruitment strategies. Emphasising inclusivity in hiring, evidenced when a woman with a legal background performed well in the offered position, could be an enlightened approach. Lowering entry-level requisites may render positions less daunting and far more approachable, thus enticing a higher number of female applications. Such measures could significantly bolster not only workforce diversity and gender parity but also embellish the cybersecurity workforce with a broader selection of viewpoints.

Larry, CEO of Connect Safely

Larry is the dedicated CEO of Connect Safely, a non-governmental organisation (NGO) situated in the heart of innovation—Silicon Valley. This NGO is earnestly committed to issues concerning child safety, privacy, and security for all stakeholders. Larry’s roles are not limited to his leadership at Connect Safely. He is also an influential member of the Youth Standing Group, where he steadfastly focuses on advocating similar protections.

There is a deep-rooted concern about the ever-expanding gap in the cybersecurity field. Despite technological advances, the human capacity to develop solutions is not evolving at the same pace as the escalating complexity of cybersecurity threats. This imbalance emphasises a pressing requirement for further focus in this sector to certify the security of our digital environments.

A notable element is the explicit relevance of diversity, creativity, critical thinking, and holistic cognition skills in tackling cybersecurity complications. It is recognised that a diverse workforce is better positioned to cater to a varied community. Importantly, the possession of holistic and critical thinking abilities, often neglected over technical capabilities, can lead to more effective troubleshooting strategies in this sector.

The active involvement and early exposure of high-school students to the realities of the cybersecurity domain are enthusiastically endorsed. With numerous opportunities available, young individuals could potentially transition directly into cybersecurity roles post-schooling. This practical experience not only guarantees a thorough understanding of cyber infrastructure functions, but it also equips them with valuable skills that supplement their theoretical knowledge.

The significance of real-world interaction, networking, and practical experience in accelerating learning is undeniable. Insights from informal exchanges and networking at events often offer learning experiences far beyond traditional classrooms, enabling an intensified understanding of the sphere.

Despite being known for its stress-inducing nature, cybersecurity is identified as a critical sector offering significant and important jobs. Adequate measures such as satisfactory compensation and clear career advancement options are deemed imperative to maintain a motivated and committed workforce.

These findings intricately link with several Sustainable Development Goals (SDGs), namely Peace, Justice and Strong Institutions, Good Health and Well-being, Quality Education, and Decent Work and Economic Growth. These observations act as a vital reminder of the interconnectedness of various socio-economic and political aspects in our pursuit of a secure, just, and sustainable future.

Hikohiro Lin

Hikohiro Lin from PwC Japan has specialised in product security, with a special focus on manufacturers and IoT devices. His efforts align with the ‘Industry, Innovation and Infrastructure’ Sustainable Development Goal (SDG), demonstrating a positive stance towards enhancing technological infrastructure. Furthermore, Lin actively advocates for strengthening ties with Japanese manufacturers, thus creating a platform for investment in product security and IoT devices.

In addition to his work with manufacturers, Lin emphasises the importance of quality education in the cybersecurity sector. He deems the collaboration between industry and educational institutions as pivotal in implementing robust cybersecurity training modules. He also underscores the value of experiential learning initiatives such as internships, hackathons and industry conferences in augmenting understanding of the industry landscape and fostering networking among cybersecurity aspirants, thus facilitating decent work and economic growth.

Despite his optimistic outlook, Lin addresses the issue of high job turnover in cybersecurity due to the stressful nature of the work, which often requires 24-hour incident response. Instead of merely increasing salaries as a temporary solution, he advocates for improving the quality of life within the sector. He suggests this could be achieved by providing better professional development opportunities, such as conference attendance and training courses, and promoting a more comfortable work environment.

As a vocal proponent of cybersecurity as a career, Lin describes it as an enjoyable, essential, challenging, and prestigious field, offering job security and constant novelty. He aims to dispel misconceptions and portray it as an attractive profession. He also engages in constructive discussions with high school students, positioning cybersecurity as an exciting career prospect.

In keeping with his belief in continuous development and growth, Lin urges organisations within the cybersecurity hub ecosystem to consider their contributions towards achieving Sustainable Development Goals. This sentiment implies an ongoing self-reflection and conversation on the societal and environmental impacts of the industry.

In summary, Hikohiro Lin’s discourse underlines the importance and potential of cybersecurity in today’s digital landscape, putting emphasis on education, improved working conditions, and its crucial role in attaining Sustainable Development Goals.

Maciej Groń

Maciej Groń expresses robust positivity towards the initiatives of hotlines and help lines, viewed as instrumental in contributing to good health, wellbeing, and fortifying peace, justice, and robust institutions. He recognises these platforms’ crucial role in offering support and guidance to individuals, thereby enhancing societal welfare.

Groń underscores the significant role of universities in achieving quality education and crafting strategic partnerships to achieve broader goals. His belief in co-operating with educational institutions is rooted in the innovative ideas and diverse perspectives emanating from the academic space. Groń sees such collaboration as pivotal in driving progress and achieving sustainable development goals.

He places extraordinary emphasis on cybersecurity awareness and education in our digital age. Groń shows positivity towards cybersecurity training programmes spearheaded by NASK, credited with educating thousands of individuals. Further milestones encompass establishing a cyber science centre and partnering with three universities, collectively working towards bolstering cybersecurity education. These initiatives are reported to have facilitated responsible digital interactions, thereby fostering decent work and economic growth.

Groń also highlights the necessity for international cooperation in cybersecurity. He suggests that such cooperation leads to mutual learning and shared resources, improving cybersecurity measures globally. Policymakers and cybersecurity professionals, according to Groń, must strive to foster international collaborations to combat evolving threats in the digital landscape.

Mirroring sentiments of comprehensive engagement, Groń advocates for strategic cooperation between private and public sectors. He imagines this fusion as a combination of educational efforts and business interests, promoting decent work opportunities and economic growth. He highlights a partnership platform created specifically for cybersecurity, underlining its potential for fostering public-private collaborations.

Groń acknowledges NASK’s positive contributions to establishing a robust national cybersecurity system in Poland. He commends their influential role in steering related legislation, providing informed opinions and recommendations. Notably, he mentions their effective co-operation with the chamber of lawyers, indicating increasingly synchronised work among varied legal entities.

In summary, Maciej Groń emphasises the importance of comprehensive efforts, incorporating diverse sectors, educational institutions, and legal entities to bolster cybersecurity learning, devise efficacious legislation, and construct robust cybersecurity infrastructures. His comments reflect the collective efforts required to navigate complex cybersecurity terrains, accentuating the significance of effective partnerships in accomplishing these goals.

Anna Rywczyńska

Anna Rywczyńska is noted for her legal undertakings at an international research institute, concentrating on aspects of law, research and multinational privacy. She boasts wide-ranging contacts within the multinational privacy and security resource sector, crucial to SDG 16, which encourages peace, justice and robust institutions. Furthermore, since 2006, Rywczyńska has held the significant position of coordinator at the Polish Internet Centre, demonstrating her extensive experience and knowledge in the realm of technology and internet, aligning with SDG 9 which encompasses Industry, Innovation and Infrastructure.

Rywczyńska is a vocal advocate for educational reforms, particularly concerning cybersecurity. She maintains that cybersecurity education should be integrated into both primary and secondary school curricula. Her arguments are underpinned by her participation in a hub focussed on the creation of recommendations for school curricula adaptations to digital transformation. As part of her continued efforts, she retains a productive dialogue with schools to prepare educational materials, organise events, and provide consultation.

However, she also addresses concerns about Poland’s current education system. Rywczyńska highlights that 57% of teachers reportedly believe that the existing curriculum does not sufficiently adapt to the swift progress of technological advancement, with 30% conceding to a lack of awareness regarding complex internet usage among students. These figures support Rywczyńska’s sentiments about the impracticality of the school curriculum, highlighting obstacles including lack of time, unsuitability of the curriculum, and inadequate parental cooperation, obstructing the integration of media education in schools.

Educators, she points out, acknowledge the necessity to include digital competences from the early years of education. This is believed to effectively equip students with the required skills for a digital world, falling in line with SDG 4’s target of quality education for all.

Regarding career prospects in the cybersecurity field, the perception of it being akin to a ‘war zone’ incites negative sentiments. This impression may deter both males and females from entering the field. However, the diversity of competences required in the cybersecurity field is positively received, with the clarification that these skills are not exclusively related to the gaming arena.

Rywczyńska points out the prominent gender gap in IT, stating that more needs to be done to inspire young girls to consider a career in cybersecurity. Educating parents about opportunities in the field and encouraging their daughters to see cybersecurity as a viable career option are essential steps towards achieving gender equality, supporting the SDG 5 goals and ensuring robust economic growth under SDG 8. Unconscious biases often determine student interests, with boys usually opting for coding classes while girls prefer dance classes. As such, challenging these stereotypes forms part of the broader strategy in advancing gender equality in the field of cybersecurity.

Julia Piechna

The importance of involving young individuals in cybersecurity is an issue at the forefront of international discussions, given the ever-rising threats in the cyber domain. Specifically, the Internet Governance Forum (IGF) in Poland has been integral in promoting this involvement. Affiliated with the esteemed United Nations, the IGF in Poland placed a special focus on youth engagement, highlighting the importance of their active participation in this crucial issue.

Tertiary education students’ perspective on cybersecurity is noteworthy, revealing a solid interest and propensity for the subject. Meetings were organised between March and June of 2023 that brought these students into discussions on topics such as cyber policy, internet governance, and human rights in the digital realm. Importantly, 15% of student respondents in the questionnaire had attended university cybersecurity courses, whilst a staggering 71% endorsed that cybersecurity training should be a mandatory part of their tertiary studies.

It is particularly interesting to note from the questionnaire that an emerging academic interest exists among the youth in fields such as artificial intelligence (AI) and cybersecurity. This finding indicates an urgent need for high-quality education and training programmes in these sectors, especially considering that digital careers are expected to dominate the future job market.

However, such enthusiasm is somewhat cooled by a considerable sense of apprehension and concern about potential cyber attacks. Notably, 63% of questionnaire respondents expressed concern about this issue, with 99% pinpointing cybercrime and 97% data leaks as substantial cybersecurity threats.

Julia Piechna’s professional experience presents a compelling argument for incorporating cybersecurity and safety education into the earliest stages of curriculum design. She suggested moving away from traditional teaching methods in favour of more unconventional and engaging approaches. This innovative perspective aligns with the argument that educational methodologies need to adapt quickly to the rapid advancements in technology and the evolving dynamics of the industry.

In summing up, it is clear that equipping young individuals with the knowledge and tools to navigate the cyber domain is of utmost importance. Not only does it prepare them for the future job market, but it also instils a profound understanding of the seriousness of cyber threats. The shift towards more innovative educational methods, coupled with fostering youth participation in forums such as the IGF, offers a promising path for addressing the multifaceted challenges within cybersecurity.

Katarzyna Kaliszewicz

A comprehensive analysis underscores the critical importance of proactive online participant engagement in driving strategic development and policy decisions. This level of involvement was facilitated through digital platforms like menti.com, which engendered an interactive environment for individuals to articulate their opinions. Participants’ collective interaction was enabled using a QR code, and they were invited to join the platform through a shared code.

The necessity of formulating a well-defined strategic plan emerged as a primary area of concern, alongside the requirement for an enhanced online presence. Participants highlighted this through their feedback and prioritisation, demonstrating a strong need for an online platform delivering comprehensive training and workshops, syncing with adult education needs.

The feedback signalled that promoting collaboration among industry professionals, universities, and the cybersecurity workforce is the top priority. This viewpoint indicates a broad consensus on the need to foster partnerships and establish direct links between these sectors to drive innovation, catalyse skills development, and enhance industry-university engagement.

Another top priority identified across all educational levels is the enhancement of cybersecurity skills, underscoring the pivotal role of cybersecurity in contemporary life. This necessity of integrating cybersecurity training at all stages of the educational pathway, from primary school to professional development, has emerged as a core recommendation, aiming at a universally cyber-literate society.

Participants also emphasised the importance of harnessing best practice from the cybersecurity and tertiary sectors. This attention to fostering a culture of knowledge sharing and standardising effective, secure practices is essential for prioritising infrastructure and network security in the broader educational and industrial context.

Raising interest in the cybersecurity industry, both in academia and the vocational space, is another crucial recommendation from the analysis. The promotion of this field is pivotal in harnessing a diverse talent pool, given the escalating demand for cybersecurity professionals.

Significant interest was also voiced in providing online training on emerging topics via digital platforms, with leadership from industry experts. This exhibits the need to maintain a contemporary repository of knowledge and expertise and demonstrates the appeal of accessible, high-quality professional development.

These priorities are notably endorsed by Katarzyna Kaliszewicz, further reinforcing their relevance and signalling the strategic focus that these preferences propose.

The analysis also reveals a growing consensus around the need to have specialised cybersecurity roles within corporate organisations. This perspective is underpinned by the universal interaction with digital technology and data across industries. The comparison with workplace safety specialists, which are commonplace in organisations, substantiates this viewpoint. Especially in sectors like the medical industry, where the integration of digital tools is rapidly increasing, the need for cybersecurity specialisation is paramount.

Lastly, the analysis foresees an impending need for an increased number of trained cybersecurity professionals. A call to action is thereby made to augment and amplify cybersecurity training in anticipation of this demand, mitigating the risk of a significant talent deficit. Emphasising these specific priorities at the core of strategic decision making is imperative, given the ever-evolving cybersecurity landscape.

Wout de Natris

This discourse is centred around two UN Sustainable Development Goals (SDGs) – SDG 4 and SDG 9. SDG 4 seeks Quality Education, advocating lifelong learning opportunities, whilst SDG 9 promotes the development of resilient infrastructure and the nourishing of innovation. In this context, the discussion’s focus is on the practical implementation of cybersecurity and enhanced education.

The dialogue is informed by the International Society of Service Innovation Professionals, Cybersecurity, and Cybercrime Advisors (IS3C), a dynamic coalition within the Internet Governance Forum (IGF) system. This coalition has stressed the diligent efforts of its two working groups, each centring on a distinct facet of cybersecurity.

The first of these groups is set to produce a comprehensive report on the security design of the Internet of Things (IoT). As IoT devices multiply, their security has transformed into a critical focus. The second working group is targeting government procurement and supply chain management, two areas crucial for a secure digital economy. Additionally, the creation of a tool designed to assist governments in procuring ICT securely is seen as an adjunctive value addition to bolster cybersecurity.

The discussion unfailingly identified the persistent gap in cybersecurity education: a gap showing no signs of reducing, thus posing a concerning hindrance to cybersecurity progress. In response, the formation of a cybersecurity hub has been suggested, tapping into the IGF’s vast potential for creating connections and educational opportunities.

Throughout the conversation, a positive sentiment prevailed, suggesting an optimistic outlook towards these proposed strategies aimed at enhancing cybersecurity and education. This positivity underlined the general consensus on the urgent need for pragmatically implementing the knowledge produced in these reports.

Joao Falcão

The cybersecurity sphere offers a myriad of opportunities and challenges. Success in this field requires a profound understanding of a variety of systems, especially in the industrial sector, as demonstrated by Joao Falcão’s visit to a factory. The task of quickly comprehending how different machines operate within a constrained timetable was a significant challenge, emphasising the need to grasp how systems should and should not operate to pinpoint potential security weak points.

Transitioning into the cybersecurity industry, especially for young people, can often be an isolating experience. Joao’s solitary journey of self-education, spent with his computer, encapsulates the daunting task facing newcomers. His struggles on an industrial cybersecurity course, due to his unfamiliarity with machinery and ‘space’, highlight the urgent necessity of practical experience to complement theoretical knowledge. Conversely, individuals switching careers can utilise their previous experience, an advantage often out of reach for those at the start of their careers.

Interestingly, a distinct shift has been observed in the demography of the cybersecurity field. Once mainly drawing the interest of the curious, the sector now predominantly attracts mature professionals. Joao observed that cybersecurity events, previously dominated by interested individuals, are now primarily attended by professionals, spurring the field’s evolution through peer sharing and community building.

Efforts must be significantly ramped up to provide a welcoming avenue for new entrants into the cybersecurity field, particularly the younger generation. Knowledge sharing initiatives and bridging the gap between theoretical understanding and practical, hands-on experience could encourage interest and foster growth in the industry.

Furthermore, company dynamics play a pivotal role in shaping the cybersecurity landscape. Small security-focused teams often shoulder the entire responsibility for company security, which can precipitate relational difficulties due to the imposition of necessary security measures. To mitigate this, a shift in company culture towards a more encompassing acceptance of cybersecurity is needed. A more distributed responsibility for cybersecurity across the entire workforce could promote this shift.

Media depictions of cybersecurity also wield considerable influence, shaping perceptions and fostering interest in the field. Films such as ‘Hackers’ and ‘War Games’ have inspired the ’80s generation. Lastly, a distinct gender gap exists in the cybersecurity realm, underscored by Joao’s failed attempts to hire a woman for an open position. This situation, where the post remained empty until a man filled the gap, illustrates the need for proactive action to improve gender diversity within the industry.

Audience

The discussion encompassed a broad scope of subjects, relating primarily to the domains of education, policy development, and cybersecurity. The principal argument articulated the intimate connection between education and diverse sectors such as policy formulation and cybersecurity. This overlap precipitates an intersectional understanding of these sectors and their importance within our swiftly evolving landscape. The sentiment throughout this discourse remained neutral, delineating an equilibrium in the interconnectedness of these sectors.

A formidable case was made regarding cybersecurity, distinguishing between the discrete entities of cyber-safety and cybersecurity. A former police officer with Europol experience vehemently embraced the interconnectedness of these two concepts. This assertion was fundamentally optimistic, alluding to the common significance of these two facets of digital safety.

The benefits of a well-rounded strategy addressing both aspects were emphasised, underpinned by the argument that a simultaneous addressal of cyber-safety and cybersecurity would optimise results for end users. This stance exhibited positivity, thus accentuating a forward-thinking projection for future cybersecurity strategies.

The discourse then transitioned to the issues faced by smaller island nations, suggesting indigenous cyber community groups as a solution to build and retain cyber skills. Convincing examples from the Samoa Information Technology Association and Tonga Women in ICT were presented, emphasising these groups’ crucial role in facilitating training, industry knowledge sharing, and networking. This viewpoint was positively empowering, fostering a sense of resilience within these small island nations.

The important balance between formal hubs and informal spaces for information sharing was highlighted, resonating with the consensus on the key connection between academia and industry. This endorsement of both formal and informal information sharing fosters a unified and thorough approach towards cybersecurity.

The focus then shifted to policy formulation, featuring experiential insights from the EU policy cycle, which bases its strategy on research findings and was cited as a prime example of a research-based approach. The sentiment here was positive, grounded in the EU’s demonstrably effective strategic cycle.

However, a word of caution was raised regarding the necessity for policies to reflect the current online threats accurately. A negative sentiment percolated through during this point, attributable to anecdotal instances when irrelevant policies did not adequately address the evolving cyber threat landscape. The conclusion drawn from this analytical discourse underscored the critical need for adaptable policies that are responsive to the current realities of online threats. Taken together, the discussion offered significant insights into the intersecting nature of multiple sectors and emphasised the urgency for accurate policy creation in response to present cyber threats.

Raul Echeverria

In 2022, a disturbing trend was noted where almost 70% of companies in Latin America reported experiencing some form of cybersecurity problem. This painted a picture of inadequate preparedness for significant cybersecurity threats across the corporate landscape. Notably, the governments of Costa Rica and Colombia faced significant cyber attacks, further emphasising the gravity of the situation.

Interestingly, in challenging business times, companies often resort to cutting their security provisions in an attempt to save resources. However, this approach was questioned as these companies ended up losing millions in cyber attacks, predicaments that are not only costlier but also more disruptive and could have been effectively managed or even avoided with adequate security provisions in place.

On a positive note, awareness of the necessity for widespread, scalable solutions to enhance cybersecurity is increasing. More emphasis is being placed on robust, far-reaching education and training programmes to equip more professionals with essential cybersecurity skills. The adoption of these education and training initiatives is gradually increasing, with instances of new cybersecurity measures being implemented by companies increasing by approximately 10% per year.

However, this progress is overshadowed by the fact that cyber attacks continue to grow far more menacingly, increasing by a worrying 20%, thus pointing to a vast shortfall in the necessary measures. It is evident that current measures are failing to keep pace with the rapidly evolving threat landscape, with it being estimated that at least 200,000 professionals skilled in this sector are needed in Mexico alone to prevent such cyber intrusions.

In response to these insights, a concerted effort among various stakeholders is being called for. The public sector, private enterprises, and academic institutions are all urged to collaborate to understand and subsequently tackle the cybersecurity challenge. This joint strategy advocates sector-wide implementation of educational programmes aiming to enlighten companies about latent cyber risks and how to prevent potential attacks.

Arguably, certain individuals within the industry have exhibited varying levels of commitment towards these challenges, exemplified by Raul Echeverria who appears not to prioritise cybersecurity as strongly as necessary. Nevertheless, this should not discourage the broader industry from setting appropriate and effective cyber defence strategies.

Additionally, it is suggested that existing corporate culture could also be remodelled. Companies are advised to adopt short-term hiring strategies, whilst simultaneously offering prospective employees a progressive growth plan which exposes them to various areas within the organisation. This would likely attract more professionals to the sector, effectively helping to bridge the existing skills gap.

In conclusion, collaboration involving the public sector, private enterprises, and academic institutions is crucial for the sector to remain secure and efficiently combat ongoing threats to their cyber infrastructure. While certain industry players have demonstrated lesser commitment, it is vital for all players to accord equal attention to these issues to not only thwart cyber attacks but also build a robust workforce for the future.

Denis Susar

The analysis underscores the paramount importance of areas such as e-government, digital skills, cybersecurity, digital harm, and ICTs in the journey towards accomplishing the ambitious Sustainable Development Goals (SDGs). SDGs 16 and 17, which focus on fostering peace, justice, strong institutions and partnerships for the goals, stand at the forefront of these conversations.

Firstly, a resounding call emerges to utilise a hub for capacity building in e-government, which would enhance digital competencies as well as cybersecurity consciousness amongst all 193 member nations. The success of this endeavour is believed to rely heavily on the level of digital literacy and awareness surrounding cybersecurity within the populace.

Secondly, a significant change in perception is presented, advocating the inclusion of digital harms as threats to peace and security. This shift in stance has been partly encouraged by a high-level advisory board’s recent recommendation to extend the definition of threats to include digital harms, thus acknowledging the evolving challenges of the digital age.

The need for cybersecurity within the public sector and ICTs is also given emphasis, with capacity building including engagements with local public officials, thus implying a comprehensive, grassroots approach to addressing these issues.

The report also addresses the vital importance of retaining skilled cybersecurity professionals within the industry. Citing job stress as a key factor causing specialists to leave, it articulates a clear need to establish methods to retain this invaluable talent.

At the heart of the discourse is the role of incentives in fostering a culture of cybersecurity. Large companies, such as Amazon, are highlighted as examples of stakeholders for whom cybersecurity breaches would prove catastrophic. This underlines the vital role that cybersecurity plays in maintaining the health of industries today.

Supporting this assertion are the forthcoming opportunities for global digital compact discussions, due to take place in 2024 and a review set for 2025. These discussions present significant stakes for industry players, policymakers, and cybersecurity professionals alike.

It further suggests that a well-developed cybersecurity hub would most likely be utilised by governments, implying that increasing the competency of such hubs could significantly strengthen national cybersecurity measures.

The need for engagement from the educational sector is also strongly emphasised. A call to break out of conventional silos supports cooperation beyond the IT sector, involving a myriad of sectors, including the motor, fashion, and food industries, amongst others. This integrated approach signals an inventive strategy and is backed by an expectation for more industry participants in the coming year, illustrating a desire for more diversity within cybersecurity dialogues.

Concluding on the note of Denis Susar’s exhortation for industries to “think out of the box”, it sets forth a challenge for industries to step up, collaborate more, and adopt innovative thinking in their quest for more effective cybersecurity solutions.

Janice Richardson

A notable gap exists between the skills fostered in cybersecurity education at universities and the capabilities required in the wider industry. Industry professionals point to the absence of abilities such as comprehensive holistic thinking, effective communication, and diversity among recent graduates. The education sector recognises the importance of critical thinking, although the focus currently tilts more heavily towards technical skills like coding and product-specific training.

Addressing this discord, the inception of a multifaceted ‘cybersecurity hub’ is proposed. This critical institution would stimulate synergy between industry, tertiary education, and the younger generation, extending its functions to an international level. Imagined as a nexus for fostering knowledge exchange, providing authentic educational resources, and nurturing understanding of industry-wide best practices – this hub is slated to play a key role in consolidating learning and progress within the cybersecurity arena.

Further insight suggests the essential requirement for the early induction of youngsters in comprehending the functionality of the internet and cybersecurity components. Many reports indicate that young professionals have a limited understanding of the internet’s mechanics, cloud security, and other basics. This finding highlights the necessity of a comprehensive educational base, enabling adaptability to the constantly shifting cybersecurity landscape.

A report citing as many as 67% of respondents from the business and industry sectors implied a deficiency in the transversal skills among cybersecurity graduates, further spotlighting the flaws in the existing education structure. Thus, this perceived insufficiency emphasises the need for the proposed cybersecurity hub.

In terms of diversity, a clarion call has been made for the cybersecurity field to encourage a higher female representation, fostering diversity and inclusivity in technical disciplines. Although explicit supporting facts are not provided, there’s a general positive consensus towards such measures, indicating their significance in catalysing industry growth.

Additionally, an audience speaker stressed the importance of incorporating real-world cases into the strategic planning for the hub, solidifying the requirement for practical applications within cybersecurity education. At the moment, the hub is still in its embryonic stage of development. However, key coordinators, including Janice, are actively seeking public feedback and suggestions, endorsing a collaborative and inclusive approach for this promising initiative. A shared understanding exists that open dialogue will propel the forward motion of the hub’s development, enhancing the strategic focus and operational effectiveness of this indispensable entity.

Session transcript

Anna Rywczyńska:
have general contacts of multinational privacy and security Resource and is operating under standard law under the international research institute that I am coordinated the Polish Internet Center since 2006.

Maciej Groń:
There’s also the hotline and the help line that we have. So I think it’s a good thing that we have the cooperation with the universities.

Hikohiro Lin:
Thank you. My name is Hikohiro Lin from the PwC Japan and my focus is product security, the manufacturers, IoT devices, security things, and I’m facing all the Japanese manufacturers and also hiring the students or something like that. Nice to see you guys.

Ismalia Jawara:
Thank you very much for having me. Thank you for having me. Thank you for having me. Hello, my name is Ismail, and I’m from the Gambia, you know, chair of the Gambia information security community and also work with the Gambia revenue authority.

Joao Falcão:
Hello, my name is Joao Falcão. I am Brazilian. I’m the vice chair of the youth standing group and I also work in cyber security

Janice Richardson:
and I’m also a member of the youth standing group and I’m also a member of the youth standing group. We can pass it along to the other side and introduce the rest of our speakers. We do have one speaker online. Is Emmanuel ready to introduce himself? Good afternoon, my name is Emmanuel, I’m the vice chair of the youth standing group and I’m also a member of the youth standing group. I go ahead while you wait for that.

Denis Susar:
My name is Denis Susar, I’m from the United Nations department of economic and social affairs. I mostly cover e-government and IGF in my work.

Julia Piechna:
Good afternoon, my name is Julia Piechna, I work at NASK in cyber

Larry CEO of connect safely:
security and I’m also a member of the youth standing group. Good afternoon, my name is Larry, I’m a member of the youth standing group and I’m also a member of the youth standing group. I’m a CEO of connect safely, an NGO based in Silicon Valley. We work in the areas of child safety and safety for all stakeholders as well as privacy and security. If you see me typing, I’m not checking my e-mail, I’m the rapporteur, so my job is to try to remember some of what people are saying and I’m also a member of the youth standing group and I’m also a member of the youth standing group.

Raul Echeverria:
Good afternoon, my name is Raul Echeverria, I’m the executive director of the Latin American Internet Association.

Yuki Tadobayashi:
This is Yuki Kadobayashi from science and technology, I also do cyber security education and research and I also lead some cyber security training program for industry.

Wout de Natris:
Yes, thank you, Janice. The IS3C is a dynamic coalition within the IGF system and we announce ourselves at the virtual IGF of 2020. We made sure that we had something to announce and we did it in a way that was a little bit different than what we did in the past. I think it’s better, I think. Thank you, Raul, because I have no clue if you can hear me or not. So in Poland, we introduced our plans and last year in Addis Ababa, our first report was presented which was made by Janice Richardson and her team on education and skills. We did that in a way that we didn’t have the resources to do it in a way that we didn’t have in the past. So we are really hitting our stride, more or less. What we are going to discuss today is that it’s very nice to have a digital report on a fairly obscure website called Internet Governance Forum, but how to actually make sure that it moves into practice. So we have a lot of work to do, but we have a lot of work to do, but we have a lot of work to do. So what Janice is going to present on today and we are going to discuss together today is an idea of a cyber security hub. That’s where I will start to work and not that part of my introduction and not to take anything away from Janice. But how do we actually start moving? We have a working group on security by design of the Internet of Things that will produce this report over two days’ time in our dynamic coalition session. We have a working group on procurement, on government procurement and supply chain management. How are those ideas going to be translated into actions so that governments start procuring ICT in a secure way and not in an insecure way? We have a tool that is going to be developed to help them with that so that they have a list of the most urgent and most important Internet standards and ICT best practices that they can start using when procuring. I will stop there. There are more working groups. One that is going to start, hopefully, is on emerging technologies. 
What we’re discussing today is the report we produced last year on tertiary cyber security education. And what we found is that the curricula, most universities and higher education schools do not match what industry demands from them, let alone what society as a whole demands from them. And this is a gap that needs to close. And it needs to close in a few different ways. Obviously, it’s the content of these education curricula. But what about facilitating a mid-career change for people who may want to start working in this area? How to close a lack of experts in gender and how to make it more attractive for youth to work in cyber security? And that is something that is being discussed for probably two decades, but the gap is not closing. And we have some ideas to close that gap, and that’s what we’re doing. And we’re working on that. And that is what we will be discussing today. But how to proceed? We think that it’s important to bring the right people together, to create the context where people can start discussing this on an equal level. And what better place to do that is the IGF. It’s the place where people can discuss at the same level, at the same amount of importance and equality. So how to bring these people together and get them out of their silos? How to make something work that so far seems to have been beyond reach? And how to motivate people to join? How to find funding for this important work that determines all of our future? And how to move forward with this? So we have a group of panelists with insight, which is the company of Janice, and NASK, who presented themselves as well at this table.
We present the concept of the cybersecurity hub, a hub where cooperation starts and concepts are turned into actions, and capacity-building is developed and supported. In this session, you will be invited to share your views on the subject of cybersecurity, and what you think about cybersecurity, and what you think about the potential issues that could not be solved. So I wish you a fruitful discussion, and I certainly look forward to see your input online when I look at the session. So instead of being the moderator, I’m handing over the microphone now to Janice, who will take the rest of the

Janice Richardson:
session, and when I leave, you know why I have to excuse myself. So thank you very much, and I hope we have a very good session. So, Janice, thank you very much for being here, and I’m very pleased to be here. And after each speaker, you can, you can ask questions. We would like this to be an interactive session. I’m going to tell you a little bit about the study that we did in 2021. We managed to reach 66 countries. We began by 30 interviews from countries as far-flung as Australia, Canada, and Canada, and we got a very clear idea of what we were looking for in cybersecurity. Firstly, from people from industry and business who participated, we got a very clear idea of the profile of what they’re looking for in cybersecurity. Firstly, creativity. Of course, critical thinking. That’s top of everyone’s list. We got a very clear idea of what we were looking for in cybersecurity. We got a big complaint. Young people who leave university, who come to the workforce, are not holistic thinkers. They do have good communication skills. This is very important. They are insufficiently diverse. Women are not joining the workforce. Young people don’t seem to be very involved in the workforce. We got a clear picture from the people from education who participated. Yes, they agreed, critical thinking. They agreed in theory, but where are we in practice? They seem to place a lot of focus on coding, on learning about specific products, and I’m glad to see that many of us agree here. We got a very clear picture of what we were looking for in cybersecurity. We got a very clear picture of teaching young people how things function. Young people arrive, they do not really understand how the Internet works, what is the backbone of the Internet, how does cloud security work. All of these issues remain the gap, I would say, between what industry wants from people who join the workforce, and what industry wants from young people. Of course, we know what is happening. 
Companies are training their own young people, school leavers. This leaves us with a workforce who know today’s products, but they don’t have that very broad education base to permit them to adapt to all of the changes. We have a lot of young people who are learning, and we have a lot of young people who are learning with ChatGPT, Bard, and all the rest of the generative AI that is rearing its head everywhere. So, what is the cybersecurity hub that we are dreaming of? It will be a place where industry and tertiary education sector are present, and as an educator, I would say, it is a place where young people are present, because if we don’t learn how things function from a very early age, we are not going to jump in and learn when we reach our teens. We need authentic resources for young people to learn with, and this could be an area of exchange also. We need to understand the best practice. We need to understand the best practice for young people, and we need to understand the best practice for young people. How can we do it at an international level? As Wout said, who are the people who should be involved? How do we get them around the table? These are some of the questions that we are hoping to answer during this session, and we are hoping that you will participate now, but as we move forward, I would like to invite you to join me in asking the question, unless anyone has any immediate questions, by handing the floor to the team at NASK. NASK has been our partners way back since we actually created the InSafe, Safer Internet Network, Safer Internet Day, et cetera. Once again, they have been our partners in the report, in the study, and as we move forward. I would like to invite you to join me in asking the question, what is the experience in the field of NASK?

Maciej Groń:
Thank you very much. I think that we are one of the few stakeholders that are, who came to the global IGF straight from the local IGF. Just this Wednesday, we had our local IGF in Poland, and we had a lot of participants. We had a lot of participants in Warsaw. But I can boast that our IGF in Poland, there were almost 800 registered people, and first time, the youth IGF constituted the majority of participants, so it’s a big difference, but it was also a big part of the discussion in Poland, which we had about the importance and education, I will tell you just a few words about the NASK, because the NASK, which is a research institute connected to, who has connected Poland to the Internet over 30 years ago, and today, it is a register of Internet domains, but also, we are part of the National Cyber Security Institute, which is responsible for cyber security. We are in our national cyber security system, we are the computer security incident response team. We are responsible for cyber security in Poland. That’s why education and building awareness is for us very, very, very important. The last years, we have trained thousands of people. We have our so-called secure VIP training. We have trained more than 3,000 people, individual and multi-person training. We have trained the members of parliaments, of government, ministers, independent authorities, like financial supervision commission and others. We have also started training in the health care centers. We also have a large influence on the legislation. We work out our opinions and recommendations to the ministries, especially the Ministry of Digital Affairs. We also have a large influence on the law enforcement. We are entering into increasingly better and closer cooperation with the chamber of lawyers, especially the attorneys at law and barristers. Also, from our point of view, this has been a big challenge.
We have also established a cybersecurity center. Also, we have, two years ago, we have established a cyber science center. This is the coalition of three universities in Silesia. We also provide with them, we have also established a partnership for cybersecurity. This is the new platform when we meet people from the private sector and the public sector, and we still see that, you know, the cooperation between private and public sector, and especially, we want to combine, you know, the education sector and the business, private business. We deeply think that it’s very important for us to cooperate with the rest of the world, and that’s why we want to cooperate with the rest of the world. Thank you. and that’s why we think that the hub is something that is very important. Thank you.

Janice Richardson:
Thank you. If you could please pass the microphone to Julia. I’ll pass this one along. Julia is in charge of IGF Youth Poland and wants to look at this from the perspective of tertiary students. Julia.

Julia Piechna:
Yes, I would like to share with you with our experience with involving young people, tertiary education students. So since 2020, under the patronage of NASK, we, the Youth IGF Poland has been run as a part of international global IGF that is operated under United Nations. And the main goal of Youth IGF Poland is to create an open forum for exchange of experience and views among young people and experts from different fields and backgrounds. And one of our main objective is also to create, to establish a community of young professionals interested in new technology, in internet governance, while encouraging youth participation in national and international events. For example, IGF, global IGF, or our national Polish IGF that was initiated in 2016. And just a few days ago, like Maciek mentioned, we organized IGF Poland. And actually the IGF Youth was a very focal and very important part of the event agenda. And this is a case actually each year. Since 2016. And this year, inspired strongly by the research that Janice presented you, we decided to strengthen our force and activities addressed to reach young people even stronger. And also to involve universities, involve representatives of academia in our activities. Because these are two very important and vital target groups that should be addressed by talking about bridging cyber security skills gap. And so from March to June 2023, we organized seven meetings with tertiary education students at several Polish universities. The topics covered during these gatherings involved, for example, cyber policy, internet governance, and privacy, and human rights in digital realm. We also presented them opportunities available to join IGF Youth. And we also discussed and presented them the opportunities that are available in professions connected to new technologies. And what is also very important, we invited them for joining competition with a prize being attendance here in Kyoto. 
So today, we are delighted to have two competition winners with us, Alexandra and Jakub. And the last very important thing is the questionnaire that we prepared and invited young people to participate. And this survey is not meant to be a representative one, but it’s rather serve us as initial analysis of students’ attitudes and concerns in online security and career prospects. So I will just present you a few findings from this questionnaire. For example, the top career interest for young people is artificial intelligence and cyber security. And 15% of our respondents attended university cyber security courses while 21 participated in external cyber security trainings. Cyber security trainings, 71% believed that cyber security training during their studies should be mandatory. Also, they think that education about cyber security should be involved in all educational levels, even in pre-school. What is also important, they think that according to soft skills like teamwork, communication, were considered by 89% as crucial as technical skills. Also, they think that cyber crime, according to 99%, and data leaks, according to 97%, were identified as major cyber security threats. And 63% expressed concern about future cyber attacks. These are only selected findings, and 139 respondents went and participated in this questionnaire. Thank you.

Janice Richardson:
So if I can now turn to Anna, and some of you may be thinking, but where is this initial report? How can we see the results? Well, you can very easily go to the IS3C website, and there you can get the report in English and in Polish. Anna.

Anna Rywczyńska:
Yes, in my few minutes, I would like to relate very strongly to what Jenny said in the very beginning, that the cyber security competence as education is not actually the question only for tertiary education, but it’s also the responsibility of primary and secondary education. And I think we strongly believe that the idea of the hub, that one of the goals of the hub, would be also to create recommendations on adopting school curriculums to the digital transformation. And having at NASK Cyber Threat Prevention Department, and having Cypher Internet Center for over almost 20 years or 17 years, we are in a permanent dialogue with schools. We prepare educational materials for them. We organize events for them. We have youth panelists that we talk a lot, and consult all the situations. And I’m very interested how it is in your countries. I hope to learn a lot during this workshop, but in Poland, there is really a significant need to focus more on media education in schools. And lately, when we were recently, when we were preparing educational materials for schools, the school scenarios, we did the research with our teachers. We asked them what are their needs just to prepare those scenarios exactly, meeting their needs. And I would like to share with you a couple of results that we got from them, like asking them what they think about actual media education at schools, and especially in the fields of cybersecurity. And according to the majority of teachers, it was 57%, they said the existing curriculum is not adapted to the realities of technological development. Almost 30% believe that they don’t have sufficient knowledge, like the teachers don’t have sufficient knowledge, even to recognize if something is happening bad for children, like if there is any sign of a problematic usage of internet among students. 57% of teachers that we asked, they say that they have only like two lessons, like twice for 45 minutes a year to talk about cybersecurity and internet safety. 
And of course, they think it should be multiplied. Mostly, when they talk about the obstacles, why they don’t raise media education at schools, they say that there is a lack of time, like that the curriculum of schools is totally not adjusted to the need of coming future. They also consider a big problem, the lack of cooperation with parents and the general kids environment. So I think in Poland at the moment is happening a lot, like there are many, many very good changes, but we need a bigger focus to change the curriculum and all what they say was that we need to include digital competences since first years of education. That was what the teachers and the questionnaires were talking to us. So I think we will talk a lot also about this, primary and secondary education in fields of cybersecurity competences.

Janice Richardson:
Thank you, Anna. So we’ve looked at some of the necessities and from what age we should start integrating these into education. We’ve also looked at the local or the national level, Poland. Let’s jump now to the international level, the United Nations. And I’d like to ask Denis Susar to take the floor, please, and to tell us a little bit about how we can push for this cooperation at the international level and the multi-sector level. Thank you.

Denis Susar:
Thank you, Janice. First of all, I would like to start thanking the National Research Institute, NASK, IS3C, and also Janice to you for inviting us here. I think it’s a very good learning opportunity for us as well, like turning this theory into practice and what can actually do in action with governments, with other stakeholders in the field. I think this is a very good example and it has great potential. So while listening to the participants, I was thinking like where we can use this actually, in which area. And I prepared some like major cybersecurity related activities from the ground, but I think this group here is very familiar with what I’m going to say. So instead of that, one thing that comes to mind is in our division, we look at e-government, how 193 member states are using ICTs to deliver services as well as the most populous city in each country. We look at them and we do a lot of capacity building in the area of e-government, including with the local public officials. And cybersecurity, both from the supply side, from the government, but also from digital skill side, from the demand, like how people are aware of the issues, the threats. I think this hub could be a great resource for both sides. So I just want to put that on the table. Other than that, please stop me when I run out because I think I just want to highlight the main things from my notes. This group is familiar with the UN GGE, an open-ended working group, et cetera. But one of the things that may not be familiar is the Secretary General recently, in 2022, established a high-level advisory board on effective multilateralism. One of the significant recommendations from the board is expanding the definition of threats to peace and security to include digital harms. And then in their recommendation, they also call for greater capacity building. So this is, again, it fits there.
But other than that, the Global Digital Compact, et cetera, these are all security part of it, but I will not go to those principles. I see that this group is more action-oriented. So I’ll stop here, and if I have any other ideas, I’ll come back.

Janice Richardson:
Thank you very much, Denis. And I think it’s important that we do look at e-government also, because that’s where the necessity is, and governments are also doing their own capacity building, as we hear. We are now going to turn to industry, and we’re going to call on Professor Yuki Tadobayashi. Is it right? Here is the microphone, please. Let’s hear about it from your point of view. Thank you.

Yuki Tadobayashi:
So this is Yuki, and I work for a graduate school, and I have many PhD students here. Also, I have many trainees from industry. I run cyber security education program in university, as well as cyber security training program for industry. So I would like to very much resonate what Janice said in the beginning. There is a huge gap between what university is doing and what industry wants. But there is a valid reason for that. For instance, university needs to innovate. University wants to, for instance, invent AI, whereas industry needs to use AI. So there is huge gap, because if we, for instance, try to develop industry training program, we teach them how to use AI securely, versus in the university, we teach them how to invent AI, right? So there is black box versus white box thinking. So there is a huge contrast, and this is with valid reason, and there is a huge gap. But I know, because I know, I do both, I mean white box teaching as well as black box teaching. And the industry training program, for instance, in Japan, which is huge program, which is funded by MITI, and $20 million every year, it’s huge program, and we actually teach them how to use devices, how to use cloud security, for instance, how to implement zero trust, how to implement DX with security. And this is kind of multidisciplinary, like you need to, how to use cloud, how to use zero trust, how to use AI securely, how to implement IoT securely, versus in the university, you have to implement IoT security, for instance, secure coding, et cetera. So this is like two phase sets of different, same problem, right? And in the industry training program also, we invite them to do a good teamwork, work in a team, to solve the huge problem, because the problem is multifaceted, IoT, AI, robotics, cloud, in a huge corporate system. So you need to intrinsically teamwork for problem solving. But in the university, you must be first author of some paper, you must insist, I did something, right? 
So you must prove that I’m innovator, I’m excellent. So because of that, I cannot invite every student to do teamwork and graduate all alone, because of the credit requirements and the graduation requirements, et cetera. So I think the university system is a bit old from the cybersecurity perspective. So I stop here, and for further question, thank you.

Janice Richardson:
So it seems that really we have a dilemma here. How do we put together the black box and the white box without getting a gray area? I’m wondering, is Emmanuel online now? Right, well, you’re going to do the work now. If you can take out your mobile phones, can we let you lead us on this, Katrina? Yes, do you have a microphone? Yes. So you’re going to have a question. You’re going to have to think about the various options that we give you, which will come up on the board. But first, we need to tell you where you go with your mobile phone.

Katarzyna Kaliszewicz:
Okay, give me a second. I need to, I need help. You need help, okay. Yeah, I need help because I need to share my screen. Where should I click? Oh, probably somewhere here. Oh, it’s here. If you tell them where to go, they will. Oh, I’m good, I’m good. You’re good, okay, great. Okay, so yeah. So we are going to have two questions for you. Let’s start with the first one. Can you enlarge the QR code a little bit, maybe? Yeah, let’s do it full screen. Yeah, I’m going to. So you can join us by using the QR code or just going to menti.com and putting in the code 67413964. So let’s go more slowly, menti.com. That’s right, and the code is 67413964. It’s also here at the bottom. It’s there, very large now, they can see it. Yeah. Are you online, do you have the question? Yes. Yeah, we have 13 people online. Super. So what we would like you to do is to prioritize. Very good, good job. Yeah, so you have to drag the answers from the most important for you to the least important. And our question is, what should be the key functions of the hub in order of priority? And of course, we are relying on your input here so that we can really see what you think should be the priorities. Okay, we are still waiting for answers. Don’t be shy, we have 19 people and eight answers only. How many now? 13. We want to give you time because we do want you to think about it. Exactly. It’s a very complex question. If you have finished doing it, I’m wondering, is there anyone who has a question that they would like to ask at this point? We’ve been throwing information at you, but we haven’t heard very much from you yet. Okay, I think we are ready. Okay, we’ll move on then to the next question immediately. There is a second question, and I will give you the microphone, Joao. Okay, let’s go to the second question. Which practical steps should be prioritized to launch and build the hub? And please vote on the most important.
I know that here on the screen it looks small, but if you look at it on your phone, it’s probably more visible, but we have defined a strategic plan like goals and objectives, secure funding and resources to establish and maintain the hub, create an online platform to deliver training, workshops, and so on, seek accreditation or recognition from relevant industry bodies or government agencies, and develop marketing and outreach strategies to raise awareness and attract partnerships. You can pick only one here, yes. We are picking the one which is, in your opinion, the most important. Joao, you want to get it? Thank you. Well, I would like just to comment on our last question because about the necessity of bringing the cybersecurity, well, the companies closer to the students because, well, I have the experience of learning and the problems I had because most of the systems that we try to test the security are very expensive, very specific, very difficult to put your hands on. So connecting the people that want to learn with these kinds of resources definitely eases the learning process. Well, it makes it possible. Thank you, and I think that’s an extremely pertinent comment and it’s one thing we hope that we’ll manage to do with the hub. I think we have our answer. Please tell us, what is the priority according to the people here? The priority is to define the strategic plan. So first we are going with goals, objectives, of course, long-term vision of the hub. This is the most important for 12 people. And then I think a good one is also create an online platform to deliver training workshops and networking opportunities.

Janice Richardson:
Great, and that’s really something that came up with the students, the PhD students that we were working with on the interviews and the survey. Samoa, for example, Nepal, both said there is no opportunity in our country to actually do this type of training. We are now going to move on to our speakers. As Dr. Emmanuelle is not online, I’m going to ask now, Raul Echeverria, if we could please hear from you.

Raul Echeverria:
Thank you very much. I was asked to speak about how prepared are the companies, private companies in Latin America. But let me provide some context. I think that’s everything that has been said here is applied to the whole world, I think. It’s not a regional issue. But in 2022, according to a study that was disseminated broadly in the region, almost 70% of the companies, different kind of companies, declared to have had some kind of security problems in the region. It was, unfortunately, we don’t have monthly studies, but to see how those issues are evolving. But everybody could see this year, just in the press, very big events, big security incidents in the regions, both the public and private sector. And two governments face a very big security problem. Two governments face serious attacks, Costa Rica and Colombia. In the case of Costa Rica, the government was really, it’s in difficult conditions to continue working in several areas. And the case of Colombia was very recent. But also, private companies have been in the press, even in dedicated areas, like law firms, very famous law firms that have been attacked and all the information of their customers have been compromised. And we don’t want to know what kind of information they had. So the point is that companies are becoming more concerned about this, what is good. They say in every survey, the companies seem to be more conscious about the risks and to consider the security risks as important issues. But the point is that it is not reflected at the time of allocating resources. And when in difficult times, as we faced the last couple of years, it was demonstrated by some studies that security is one of the areas where the resources were cut first. So there is a, at the end of the day, it seems that it means that they don’t understand really the risk that they are facing until they have a problem. 
Like usually the problems are in the form of RAT attacks and the access to information block and the criminals ask for randoms to ransom, sorry, to free the access to information. And in those cases, companies in average are losing a few millions, three, four millions in the for attack that is that they could have spent less money in trying to prevent those situations. I think that there is a need of massive programs. And I think that it is very interesting what we are discussing here about the skills and human resources because this is a problem. I have read in the news and in Mexico, the study says that only in Mexico, there is a need of 200,000 people to work in this area. Well, this really is an impressive number. But so we need to implement some scalable solutions and massive programs. It’s not enough that some with public resources, we support the companies to implement or try to educate, we need to do something massive. It is very interesting that the number of companies that say that they are adopting new measures is increasing approximately 10% per year, but the attacks are increasing in 20%. So we will not win this battle in this. One of my hats is that I belong to the Uruguayan chapter of Internet Society. And we started to work with the Global Civil Alliance to disseminate some measures for SMEs. I think that this is something that could be done, one of the things, but we should try to find for solutions that are scalable, as I say before, and try to reach much more bigger audiences than we are doing now. Thank you.

Janice Richardson:
Thank you, sir. Here, I think a few important points came up that who are we talking about when we talk about the cybersecurity industry? Well, in fact, we all have to be cybersecure. The farmers, the trades, everyone needs this cybersecurity. The second thing I think of specific interest, attacks increasing by 20%, but resource allocation increasing by 10. So we are not going to get along very far if this situation continues. Our next speaker, I think, is going to tell us more about the expectations of the private sector, if I’m correct. And I’m going to pass the floor to Hiko, who works here in Japan. Over to you, Hiko.

Hikohiro Lin:
All right, thank you. I’m Hiko. I’d like to share something that graduates have to finish the school and join the companies. And currently, I’m working in the PWC, do the consulting for the cybersecurity for all the industries. So we are also hiring those people. And before that, before PWC, I was working for the Panasonic 18 years. So I was the interviewer for those grads, more than hundreds people. And what I think about, what I’d like to share is, well, those graduates, they have very plenty basic good knowledge for the cybersecurity, which means that it’s all pass, very good, very good. And why? Because I think maybe in Japan, we collaborate with those university, like Professor Katowice, and we go to all the university school to meet the professors and introduce those students. What we are doing, for example, what we are doing for the cybersecurity for the Panasonic or the PWC, we explain those people and let them understand what we are doing so that maybe make them interesting. And so we communicate, not the student, to communicate with the university, the academia, industry. It’s the very important things for the kids, I mean, not the kids, graduates. So I think this is the one good idea. And also, we are very encouraged the internship as well, for the not payment, not pay on we pay, but still, if those people are very interesting about to do something internship, we always open to let them work, to feel like what they are doing so that maybe they have some imagine for the cybersecurity job. So this is also important. So it’s make more opportunities, chance to give them. And also, what we can done to have more specialists that meet the business needs. I think this is a very interesting story. Three months ago, in Japan, there is one high school, major in technical high school, with the cybersecurity companies together, trying to do the workshop for the hacking the ship. The maritime, yes. 
With the real operation one for the ship, with the student and cybersecurity companies together, trying to attack and defense exercise for them. And I think it’s so very exciting. You can use the ship and trying to attack and feel like what they are doing. And so those high school students, very exciting, maybe we can do some maritime cybersecurity job in the future. So we need to give them some experience, real experience, which is very important. And also, usually the corporation doing some cybersecurity conference sponsor. So we also invite those students for free. You know, sometimes the cybersecurity conference is very expensive, right? 1,000 USD or 500 USD, I’m not sure, but I think it’s very expensive. But we get them for free to join. And of course, maybe let them do some brand here to do some small job, but let them also introduce those cybersecurity people, introduce them so that they can make the connection and maybe you can help support their future. I think I’m gonna stop right now, okay? Thank you so much. But I have a question for you because the cybersecurity industry or what we learned from the research is that they’re really looking for a very diverse workforce. They need the younger, the older, the males, the females. It seems to me that you’re talking about students. Do you have any great ideas to help along these mid-career shifts? How can we get a more diverse population involved? Do you have any ideas on that? You mean the mid-career shift? I mean, does that mean that once they work for different job, I’m trying to jump into the cybersecurity? Yes. Oh, okay. Well, I think this is a very important thing. Yes, actually, some people are not very good as software engineer or don’t know about the cybersecurity, but they’re trying to jump in to the cybersecurity job to carry a change. We also accept those people because I think the cybersecurity, they have very different point of view. 
I mean, they have the engineering technical and also the governance or regulation. And I think cybersecurity have many job involved. So I think I’m very encouraging those people to jump in. And if you need some training, we’re willing to support them and to let them make some different career for the cybersecurity. Yes, we do that.

Janice Richardson:
Okay, because it seems to me that a lot of people in their career aren’t aware that in fact they could do this switch. I think that you have something to say here. Yes, please do.

Yuki Tadobayashi:
Yeah, for such kind of a career change, actually, industry needs it, not the employee needs it. Because maybe they are, you know, have been working for factory for 10 years, but they’re not aware about the company needs cybersecurity people in factory because factory is becoming more digitized. And because of that, we have industry sponsored training program where a company chooses those nominees, not the individuals. And they send us the trainees to the one-year program. So it’s huge one-year program, right? Full-time one year from nine to five every day from Monday to Friday. They come to our facility and study and do cyber exercise, programming, penetration testing, defense exercises, everything from like July to August. July to June, it’s whole one year. And they do a lot of teamwork, and they do a lot of presentations. They do a lot of simulated exercises like briefing to CISOs, briefing to the boards, briefing to accountants, reporting to the lawyers. And lots of those business oriented exercises. So it’s one year program, it’s huge. But we have a lot of alumni by now, like more than 350 alumni. And everyone say, I was new to IT, but after finishing this program, I’m actually a cyber security specialist, and being able to defend the company. I’m very proud of it. But this requires one year. And there is huge industry backlash against management saying, do you actually require one year? But from our experience, this kind of cyber security training needs one year because of those huge technology stack and lots of regulatory and legal developments like standards and regulatory developments and lawsuit and case laws. And every complexity has to be taken into account in business context. So this requires a huge amount of time. But with this one year investment, one person can change from some person like lawyer or salesperson to cyber security professional. We have many, many living examples in Japan. Thank you.

Janice Richardson:
So that does seem a very interesting, good practice that other countries could benefit from. I’m going to pass the floor now to our youth. Joe, I’m sorry, I have a lot of trouble with your name. Can you please remind us where you come from and tell us your point of view on this?

Joao Falcão:
Hello, thank you, Janice. I think the best way to start talking right now is actually telling a story that happened to me last month. I was visiting a factory and as a cyber security specialist, I need to understand, to really understand what these factories work, how they work. And I sat with them and spent a couple of hours asking everything, how each one of the machines worked. And I said to the person, okay, well, we have two weeks for me to understand everything and point your errors. So the person looked to me and said, okay, so you are a generalist specialist. Yes, so to me, this shows the most difficult part of cyber security, which is that you need to have a transversal knowledge. You need to deeply understand how these machines work to know what they shouldn’t do. And this makes a huge barrier. So when we have people like pivoting their careers, you can take advantage of the knowing the sites, the factories. But when you are bringing young participants, you don’t have this advantage. So the person needs to learn all of it. And this is incredibly difficult. Like, I had the opportunity to sign up for a course on industrial security. And the first task was, okay, tell me more about the space you work for, because we are going to work on it. And I said, what? Space? Machines, I don’t have any experience with these machines. And the person said, oh, okay. And this became a major issue to me. So being a young person entering on this subject in the beginning was actually a very lonely task, because it was just only you and your computer learning how to work with these systems and how to exploit their vulnerabilities. And at least I am seeing a strong shift now. Like, when I used to go to security events, most of the people were just curious. And now they work in the field. And these experience shares really evolves the field, really evolves the community around it. 
But we really need to make closer the persons coming to this new field that have almost none prior knowledge, because, well, we know the basics of how to program, how to operate some machines. But this deep knowledge that you get from the experience of running it, we will not have. And this is a great barrier for us. Thank you.

Janice Richardson:
So you’re really underlining the importance of transversal knowledge. And yet in our report, 67% of people who responded from the business and industry sector consider that the cyber security graduates have insufficient capacity of transversal skills. So it’s really something that they picked up on. Ismalia is from Gambia. Where is Ismalia? Oh, sorry. Over to you. And I think that you’re going to tell us a little bit about how you think we can diversify the cyber security workforce and encourage more women into it.

Ismalia Jawara:
Of course. My name is Ismalia Jawara. And I am from the Gambia, West Africa. Small country, but a little over 2 million people, population. And I am the chair of a cyber security community called Gambia Information Security. And I also work as a security analyst, senior security analyst for the Gambia government. And I will share the same similar story as my brother here. I am from a developing country and a country where cyber security education is not offered in any university or college. And it’s literally impossible for someone to be encouraged to pursue a career in cyber security. And I stumbled upon it through one of my mentors, a Peace Corps, a US citizen, who was in the Gambia, actually on a boot camp. And being a curious guy, I always was with computers. And for some reason, which I regret, I had the computer network. And it was very, very serious, a little bit. And then she brought me in, mentored me. This was back in 2014, 2015. And this is where I kickstarted my cyber security career first, gave me some online courses. Now fast forward to 2019, when I started working for the Gambia government as a security analyst, first cyber security officer in that revenue authority, I realized over the years that women and youth are really interested in the industry, especially Africa in general. And this, obviously, looking at the skill gap and also the resources that are needed at the global level, cyber security expertise needed at the global level could be an opportunity for African governments to get youth into these industries, which is actually going to address youth unemployment at some point. So I started the community, Gambia Information Security Community, to see how best we can involve the academia and also the government and the youth leading that discourse and the initiative, organizing boot camps and cyber security education programs. And through our process, we were able to graduate about 50 university students.
And this, obviously, there is this notion, as she mentioned, that many people think cyber security is an IT business or technical job. And that cross-cutting from moving from legal to cyber security, HR to cyber security, you will be surprised. When we first went to the Gambia University, University of the Gambia, we conducted a research to ask participants from cross-cutting departments, not just computer science, but also development studies students. You have the sciences, the legal department. And you will see almost 80% of the participants that actually show huge interest in cyber security are not more from the computer science department. Many of them want to become developers from the computer science department. They want to develop AI and some other programs. Then you see the legal department, GRC in place. They want to get into the industry. So what we did was the Tango to Cisco. And we have to give kudos to Cisco and the ISC2 certification. I see it’s quite recently. They have actually done a great job recently by providing free cyber security scholarship for underprivileged communities and those that want to get into the industry. And we use that opportunity to train over 100 youth in getting this program. And I am really happy that we have 25 people that have done the ISC2 certification. And obviously, out of these 25, 15 of them are, of course, female, women, and 10 male. And then they all get their cyber security certification that is ISC2 initial certification. So literally, this is what I have to say. And then I also encourage collaboration and participating from a different level. When it comes to internationally, to involve the global south in these processes as well.

Janice Richardson:
So interesting, because the young people that we talked with during the research told us there was simply not enough online courses, not enough ways to access the cyber security sector. I’m wondering, how many people here, in all, raise your hand if you’re looking at cyber security from the point of view of industry, if your background or your workplace is industry. Please raise your hand so we can see who we are talking to. Industry? One hand. A big one. Yes, please, go ahead. Yes.

Raul Echeverria:
But people like, in my situation, for example, I’m not dedicated 100% to this topic. So it’s one of the things that I, so it’s less, this is why I don’t raise my hand.

Janice Richardson:
Well, does that mean that everyone in the room is more or less working in the education sector? Raise your hand if you consider that you are working in the education sector. There are some hands that weren’t raised, and I’m just wondering, which sector do you represent? Yes. Actually, I have a bit of a difficulty. Microphone.

Audience:
Thank you. Actually, I had a bit of difficulty to raise my hand because I’m half and half between education, because it’s hard to define, whereas either you provide some guidance or knowledge or you inspire policy or you educate as such. So I think there is an overlap between these two areas directly. Can you please tell us a little about yourself? What is your profile? My profile is, actually, I’m a former police officer. I used to work at Europol. And obviously, we are looking at cybersecurity from a bit different angle. But to this discussion, I think that this profile is especially of interest, because for us, police officers, there is no barrier between cybersecurity and cyber safety. And I think this is a dilemma here, that we should never look at either of each, but at both at the same time. Because whenever you take a perspective of a victim, it doesn’t matter, really. So I would appeal here that whatever is planned as far as the strategy is concerned, let’s address both. Because in the end, it will not matter to the end user or to the end victim. That’s the perspective of law enforcement, at least. Thank you.

Janice Richardson:
Thank you. And that is really interesting, because I think almost everyone here is involved in safety almost as much as the security. And you’ll remember that here we are, internet standards, safety, and security. But thank you for reminding us. I’m wondering, from those people that we haven’t heard from yet, do you have any really great examples, some good practice from your country that you think that we could all learn from and that it would help us as we go forward in building the cyber hub? Is there anyone who’d like to take the microphone and tell us about good practice in their country to add to what we’ve learned here so far? No? Would you like to take the microphone and tell us your point of view, anyone? Yes, take it around. No one? I’m sorry. I didn’t know there were people behind us.

Audience:
Thanks so much. I’m Clay from FIRST, the Forum of Incident Response and Security Teams. My previous job was working with the Pacific. And I think you mentioned Samoa earlier. So I can use an example from Samoa. But it’s an example that you can see in Tonga, Solomons, PNG, and across the Pacific. Obviously, being small island countries, they have a lot of challenges with retaining and building cyber skills, just like the rest of us, but almost more amplified just due to the size of the countries. And one of the most effective ways that we’ve seen to build a more sustainable cyber skill community is through organic cyber community groups, potentially like what you’ve been working on. So in Samoa, a few years ago, a bunch of folks came together just over breakfast and created something called Samoa Information Technology Association. This creates a space for training to occur, not just from external donors coming in and delivering training, but training between professionals within Samoa. It creates an informal space for industry knowledge to be shared, so similar to what happens in network operator groups, so very much an informal place to talk shop. For what we’ve seen, this space creates kind of that missing gap that folks were mentioning between the academic side and the industry side, because it’s where newcomers to the field can talk, and meet, and network, and learn lessons directly from current active operational experts. So yeah, Samoa Information Technology Association, you have Tonga Women in ICT. Again, that was just started over coffee at a coffee shop. So while hubs are really, really great, I think it’s really important to leave that space for informal information sharing as well, not just formal trainings and things like that.

Janice Richardson:
And that really is, I think, a very interesting idea, training each other, and this idea of community, which you mentioned. Is there anyone else who would like to tell us a little bit about good practice, something that they’ve been involved in, they think really made a difference, and we could take it on board? As we move off with this hub. Yes, please, take the floor again.

Audience:
I hope it will be useful. My experience originates from the EU policy cycle. So it very much helps as far as the strategy is concerned. We used to base, when I was working at the EU agency, we used to base our strategy on findings of the research. So first, as you’ve mentioned, the report is obviously very useful. But it’s necessary also to look at what is current experience and what are the threats of online threats. As you said, there is a nice bridge between practitioners and the learners. So it’s also. It’s always very important to look at the real cases and investigate them, research them, and then plan accordingly the research cycle or the policy cycle. Because I have also witnessed facts and instances when policy was not relevant to what’s happening online, for example, when there was a big gap and strategy was prepared in silos. This is the worst case scenario. So as far as EU policy cycle came into force, maybe this will be a useful good practice for this forum as well. Thank you.

Janice Richardson:
Yeah, I do think that’s extremely interesting. Because one of the first things that we were thinking of doing with the hub was going into universities, perhaps with a survey or beginning by interviews, to understand how cybersecurity is being taught. But what you’re telling us is that we should also be looking at the cases. And so our hub should have an easy mode of recording cases so that we can really link the two. Are there any other ideas? Because we’re really starting out now. We’re, over the next days, pushing forward to see how we’re going to develop this hub, what it will really look like. We really thank you for your input and your input. Are there any other ideas? We’d really love to hear from you. You’ve come to the session. I’m sure you’ve got ideas at the back of your mind. So please ask for the microphone or speakers. What have you got to add? Yes, please.

:
Thank you.

Denis Susar:
I can add a quick idea. Maybe what the hub can consider doing is like retaining the talent. As we know, maybe colleagues from the private sector can comment more, but the job is very stressful. And I think most of the cybersecurity experts leave their jobs. So what do we do to keep them at their posts? So this is something, a question for the table.

Hikohiro Lin:
Yes, the cybersecurity job is very stressful. Because there are many incident responses. You need to take care. You need to do to the clients to be safe, to differentiate between the job and the client. Those attacks or something. So it’s very stressful and sometimes 24 hours. But sometimes some people are leaving that they don’t want to do this job anymore and go back to the software engineering, coding, or do some other job. And what we have to do is, of course, you can raise the salary is a good idea, but it’s just temporary. Yes, I think we need to think about their quality of life. Not to know pressures. You need to take care of the quality of life, more something different ways to make them to be comfortable to work for the cybersecurity job. So I think that’s why we do like, if they want to attend this conference, let them go. Or if they want to do the training, I just let them do it. Or we always think of something, what they want, and maybe if we can accept, then we just give them that kind of offer. Yeah.

Joao Falcão:
I think we could have also a mind shift because usually the cybersecurity team is responsible for this cybersecurity. And if you put the whole responsibility into like this team, which are usually very small, you bring a lot of stress to them because it’s kind of difficult to work when you are in this cybersecurity team because everybody, even inside the company, see you as an enemy because you are trying to impose, you are trying to push things and make things harder, more difficult to them. And so you have this kind of difficult relation because you are responsible for the security and you also have very difficulty to implement the security changes. Right. I’m going to, and it’s really interesting.

Janice Richardson:
We haven’t talked about that stress, about that quality of life. So we see more and more things that the hub should take into account. Katarina, can you please remind us of the priorities? What were the answers of the first question, please? Yes, I think it’s- It’s the best idea. And then we’re going to have a brief summary of what we’ve looked at. Larry’s going to raise some of the points so that we can do some final discussion about these issues. So, yes.

Katarzyna Kaliszewicz:
Okay, so let’s, I think, the first one. Yeah, because we haven’t talked about the first one. So the key functions of the hub and the first priority for most of our audiences to promote collaboration between industry, universities, and the cybersecurity workforce. And I think that we all know that this is, this is something very popular here, that we are working between different stakeholders. Then the second one is enhance cybersecurity skills at all levels of education. The third one is gather and scale up good practice from cybersecurity and tertiary sectors. The fourth one, raise interest in careers in the cybersecurity industry. And the fifth one is provide online training from top experts on emerging topics, which I find is quite interesting because in our second question, creating an online platform for trainings and workshops is the second best, right? And here it’s the last one. And that is interesting.

Janice Richardson:
Yeah, it is. If we can get you to reflect on that, if we can figure out why that might be, I’m gonna ask you, Larry, to give us a brief rundown of what you’ve picked up. Larry is also from the United States and a CBIT. Well, come on, you should tell us a little bit of your background, a little more than what you’ve told us so that we can see the angle that you’re coming from.

Larry CEO of connect safely:
Well, I’m a recovering academic. It’s been many years since I’ve been at a university, but I came to technology from an academic perspective and then became a technical writer, wrote a newspaper column in the United States, actually still write it. It’s been running for almost 40 years, written for the Los Angeles Times, New York Times, now the Mercury News, been on national radio and television with CBS News. I’ve worked with the BBC and other news. So I’ve come in from a variety of angles. I guess I can’t keep a job, so I keep switching careers. I’m a mid-career person, changed myself. Really thinking about how you can take the kinds of things that we’re talking about here or the kinds of things we talk about at universities, the types of things that engineers talk about, the types of things that policy people talk about, and translate them to average people, to people who read at an eighth grade level, parents, kids, teachers, folks, the kind of people who listen to me on radio, which are just any everyday people, most of whom have never been to an Internet Governance Forum, most of whom have never taught at the university, most of whom have never worked in the tech industry, but they probably have a smartphone, they probably have a computer, they probably have kids that are using the technology, and so they have a very strong vested interest. So that’s where I come from this. But I have been listening carefully to your conversation today, and clearly my notes only reflect a small portion of what was said. And so if you said something brilliant and I didn’t get it down, accept my apologies, but this is sort of what I took away. One is making, well, first of all, I wanna put another context. About 20 years ago, I attended a conference at Carnegie Mellon University in Pittsburgh where this very problem was being articulated. So this is not a new conversation, as everybody in this room knows. It’s been an ongoing issue for many, many years. 
So I just wanted to kind of throw that in to the hopper, which is to why we need to make it more attractive to youth to work in cybersecurity. A couple people pointed out that the gap is not closing. I think it was that the problem grows by 20% a year. The human power to solve the problem grows by 10% a year. You don’t have to be an MIT graduate to figure out that that math is not working. So that was a really clear statement that was said. Also bringing the right people together to create the content. And that gets into something I’m gonna talk about in a few minutes, which is the interdisciplinary approach. What I heard over and over today is this is not something that simply comes out of the engineering side of the equation. You need to bring in youth social scientists, humanities, people from all walks of life and all disciplines need to be approaching this problem. You can’t solve it simply by code. Code’s important, but there’s so many other factors including social issues and norms, et cetera. Janice, I think, made a really good opening statement that I think it should be part of the overall discussion, sort of the foundation, which is what companies looking for critical thinking, creativity, holistic thinking, and diversity. And that’s so important. And those things tend to get overlooked when you’re looking for people who you think just have the right technical skills, but don’t necessarily have the creative skills, critical thinking skills, the holistic look at the world. And of course, as many people have talked about, don’t necessarily reflect the workforce and the communities that we should be serving. And that’s where diversity comes in. I love this comment someone made. I apologize, I don’t know who it was. Educators tend to focus on coding, but not teaching young people about how things function. What’s the backbone of the internet? How does cloud computing work? 
Understanding the gestalt, what it is you’re trying to fix is really important if you’re trying to fix it. It’d be like if you were a refrigerator repairman who’s never used a refrigerator. You might know where the parts go, but would you know what they do and why they’re there? I love the comment about cybersecurity. It’s important for primary and secondary education. Some think it should be mandatory, but clearly it needs to be something we start talking about very early and getting people excited about. I mean, we have, yeah, it’s true, we’ve got right now, at least in the United States, we have close to full employment, but that’s a temporary thing. There are many, many periods where we have far more applicants than we have jobs. And there are, I don’t know, thousands, hundreds of thousands of cybersecurity jobs that are open in the world, and certainly even in the country I come from. Also, I think another person, or several people made the comments, talked about factories, farms, that this is not just a tech sector problem, that no matter what it is you do, whatever industry you’re in, you need cybersecurity specialists. I mean, it’s almost like every company needs a chief financial officer or someone to do the books. Every company needs somebody to clean the floor, whatever it is. Well, every company needs somebody to watch cybersecurity. I don’t care if you’re a small organization or a multinational corporation, someone there needs to be thinking about cybersecurity. Even in my little NGO, we don’t have a dedicated person for it, but we sure have to pay attention to it, because like everybody, there are attacks against our infrastructure as well. Let me just find, okay, someone, a couple people mentioned creating opportunities in developing countries. Gosh, that’s important. 
First of all, there are problems in developing countries that need to be addressed, and second of all, there’s a huge talent pool in the world that is not being used, not being exploited. I don’t mean exploited in the negative term, but taking, you know, all the terms are negative, taking advantage of, but you know what I’m saying, not being utilized, that’s the word I’m looking for. And we really need to utilize people from around the world. You know, we tend to think about that. I pick up the phone, I call a company, and I get somebody with an accent somewhere in the world, usually doing a relatively entry-level position. Well, there are very smart people in other parts of the world besides the developed world who could be doing high-level work, and we just can’t afford not to take advantage of that talent. I really like the comment about giving high school students real experience, really getting them involved. There’s such talent among high school kids, and I shouldn’t even call them kids. Many of them are capable of actually doing serious work, and while I would never advocate child labor, I do advocate taking advantage of young people’s ability to be part of the solution, and young people, and also to see cybersecurity as a place where they can go into college, or maybe not even go to college, maybe find jobs in cybersecurity directly out of high school. There’s certainly plenty of work, and probably talented people who could work with or without a college education. Someone made the comment, and it gets back to the comment I made about the sort of joke I made about the refrigerator. Visiting a factory, the cybersecurity specialist needing to understand how the factory works, and how each machine, I believe it was you that made that point. And again, you can’t fix something in a vacuum. You really have to understand the context in which it works, and I think that should be generally very important to any kind of a hub based on what I heard today. 
Lots of graduates have insufficient knowledge about real world applications. Again, the same notion. You need to have a gestalt, a real understanding. Someone made the comment about networking, and I’m gonna combine that with the suggestion someone made that more young people should be coming to conferences like these. And I have to tell you something. 90% of what I learn at conferences like the IGF doesn’t happen in meetings like this. And with all due respect to the brilliant people who just spoke, and all of you were very good, it’s the conversations you have in the hallway. It’s the connections you make. That networking. Same thing you get at the university. Why do Harvard students tend to do better than people at other schools? Because they meet people who can open doors for them. In the last 12 hours, not even that, I guess I’ve been here probably eight hours, I’ve already opened so many doors and so many things that I can do with my little NGO based on people I’ve talked to since I got here this morning. It’s amazing to me what I’ve accomplished in the last few hours just walking around talking to people. And so getting young people as part of those conversations are so important. You know, connecting them with mentors, connecting them with each other. It’s just essential. The other, I guess the last one, which I thought was very interesting, is this comment about how cybersecurity is stressful. And I could see that. It’s probably one of those jobs, it’s like the joke they talk about airline pilots, a flight is six hours of pure boredom and three seconds of sheer terror. When the system goes down, and maybe it doesn’t go down that often, but when it does, it’s hard for you to imagine what the cybersecurity staff have to go through. I mean, I kind of imagine, because our systems have gone down and we had connectsafely.org go down literally an hour before Safer Internet Day event. And we had to panic. 
And luckily we found somebody who could bring our system back up in time for our event when we were going on national television, promoting what we were doing. And that was the worst possible time for our system to go down. Well, those moments are very, very stressful. And finding ways to encourage people, to retain them, to promote them, to compensate them properly, to provide them with career advancement, all the things you need to keep a workforce happy and productive is very important. I would say that, you know, for a hub, and again, I came into this knowing very little, just taking notes, what I think I learned today from listening to all of you is that this hub that you build has to be something that goes from the highest level conceptualization about what it is you’re trying to do, and we also learned this from your little survey, what it is you’re trying to accomplish, what are the goals, what are the frameworks, all the way down to the nitty gritty of how it operates. And I would even argue, maybe even some kind of a job bank where you help people, link people who are looking for work to the jobs that are out there. So, you know, it’s a big effort that you’re taking on, but it seems to me, despite what I said about going to sessions, this session was extremely productive because you came away with a very kind of rich blueprint of what you need to do, what we need to do, what the world needs to do to have a more secure cyber infrastructure, and to provide good paying, meaningful, and important jobs to probably millions of people around the world.

Janice Richardson:
Thanks very much, Larry. And I’m gonna start with Raul, and I would like each of our speakers to just have a few words. some last thoughts to wrap up this session, but of course, if there are people in the audience who also want to have a few words, you are most welcome. Yes, thank you. Oh, I found every comment

Raul Echeverria:
very interesting, but especially what Hiko said about that we have to understand that this is probably, this is very interesting because maybe the companies should start to hire people already with the idea that these are people that will work in this position just for a short term, and so maybe just to offer a plan, a growing plan to move to other area inside of the technology aid of the company. I think that’s all the, what really concerns me is that the idea of scalability is, because we speak about providing training on a platform, yes, but how many people we can train on a platform, is what we can do really to achieve things that are in a different dimension, quantitatively different. So I think we say that there is a demand of talents that is not satisfied, but at the same time, I don’t know how it’s being calculated, because if we calculate how many people we need to face those challenges, so yes, we need more people, but on the other hand, how many people, at least in Latin America, how many companies are really hiding, especially? So I think that’s probably if they look for more people, if the demand is increasing, so more people we want to work in this area, and so this is a complicated equation, because probably that’s we need public support for private sector to understand what the challenge is, what to do, but we have also the same problems at the public sector, because public sector don’t understand that’s the problem. I mentioned two cases in Latin America that were very serious in the last year, so maybe we should work with intergovernmental organizations more, trying to convince them about the dimension of the problem, and how we can involve them as to be part of the solution, instead of being part of the problem, say how we can work together to work with a private sector, but an education system, so really to understand that this is a problem for the country, for the region, for the world, and to elevate the level of the priority. Thank you. 
Yes, Katarina, also has

Janice Richardson:
anyone come online? Do you see anyone who has raised a question? Unfortunately not, but we have some listeners. Okay, great, and do you have anything you’d like to add to this discussion? I can have a question, okay. I think my opinion might be either controversial or very boring,

Katarzyna Kaliszewicz:
it depends how you look at it, but I think that we are at a point where each company should have a cyber security specialist, like we have a work safety specialist, yes, so we learn that when you see water on the floor, you should avoid it, because you will slip on it and fall over. I think it should be the same for cyber security now, because we all use computers at some points, and even if we think about industries that normally we would say, oh, they do not use computers, we have now a situation in our country, in Poland, that many, many more people in medical industry are starting to use computers, the system for doctors is in the computers, so nurses also should have access there, and we are going to continue to spread this thing, so I think it’s just necessary to have this awareness that there will be more and more specialists needed in the field, and we should start training those people, because it might shock us soon. Thanks, Katarina. Denis, do you, sorry,

Denis Susar:
there’s one here. Thank you. I think very quickly, at the end of today, it all comes to incentives, either to people or to companies, like a major company will not be able to afford their online, like Amazon, to be off because of cyber security, there are incentives there. From the UN perspective, if we want to reach out to stakeholders, global digital compact discussions coming up in 2024, this is plus 20 overall review, which is also coming up in 2025, I’m just putting those on the table, those are the areas that you can, we can hear your voices, and we can, you can lobby, and this cyber security hub, whatever you are developing, if it’s good, it will be used by governments, so it’s again back to incentives, if you put a good product out there, then it will be used, but it’s all, I think, all for all of us to improve it. Super, and that is an incentive.

Julia Piechna:
Yes, many important things were mentioned here, so maybe I will just focus on the thing that comes from my professional experience, so I think that what is really important, among, of course, other things is education from the beginning, and integrating cyber security, safety education into curricula, into education, and maybe resigning from traditional methods for the sake of unconventional and involving methods, to really, well, that was mentioned many times here, that really make these young people to understand the tools they are using, and like, understand the mechanism. Thank you. Thanks, Julia. I think, I don’t know if you want to, no? And I really love that

Janice Richardson:
fun idea. We have a project running in the Scandinavian countries, it’s been running for about four years, where we write a scenario about internet safety for 11 to 14 year olds, but then we find a local magician, and the magician and I work together to figure out what are the best tricks, and of course the tricks in Iceland are quite different from the ones we do in Finland or Norway, but this fun element seems to be so important. I’m really glad that, I think it was

Yuki Tadobayashi:
you who mentioned it. Yeah, so I think security hub is a very interesting concept, because in our training centre also, we were discussing internally, we should be collaborating with other global entities. We have some friends in the UK and France, etc, that we can have more possible diverse collaborations. But one thing about security hub is that we are all busy, so if security hub is going to be super complex stuff, then nobody will be involved. So I want to have it less demanding, or less workload. In terms of workload, it should be less binding, so that everybody from all scales, like non-profits and government agencies, etc, like IGF, everybody on all sides can join on a non-binding basis. But this should also be a network of trust, because this can be abused by criminals. So network of trust is very important for this project to be successful. Thank you.

Maciej Groń:
I have a message for industry, business and sector, and this is also the goal for us,

Denis Susar:
because I want to say that the education sector is open for cooperation. And I mean, not only the IT business, but also the motor company, fashion industry, food industry, and so on. And I deeply believe that next year, we will find more people from the industry, and think once again that you are with us. So let’s think out of the box.

Anna Rywczyńska:
Yes, and I would continue with this stress from Denis that came with diversity. Some time ago, I took part in a panel about women in IT, and women participating in this panel, they also said that this kind of a stress and war field that is somehow related with work in cyber security discourages men and women to take part in this business, to go into these careers. So maybe extremely important is to repeat that not only you have to work really in this war field to be involved in the cyber security, that there’s so many different competences involved, like Janice started in the beginning, that you don’t really have to be in this gaming area that some people perceive the cyber security is. And second thing, I think it’s extremely important also talking about diversity, to open eyes of parents, to really be able to motivate their girls, their daughters, to see their future in this field. Because right now, you always see boys in the coding extra classes, and the girls go to dancing classes. So it needs parental awareness.

Hikohiro Lin:
All right, thank you for everything. Actually, I learned from you guys a lot about your insight, comment, and new information from me. And actually, next week, I have my daughter is high school, and high school principal asked me to talk about cyber security job. So actually, I have to do this, since we’ve discussed in this kind of session. So I want to tell them, I will tell them the cyber security is a very fun job, and it’s a very important job, and also it’s a very proud job, and it’s also a challenging job. It’s going to be a very interesting job forever. So I just want them to be more interested in the cyber security job. And also, I want to think about something, maybe we need something in the cyber security hub ecosystem, so that we can do more to the sustainable SDGs. We need to keep thinking, to keep maintaining this kind of conversation in the near future.

Joao Falcão:
Well, I will spend my last words talking about the importance of the culture on being this facilitator, how they help to create the imaginary, how they mold people to like cyber security. And for that, I would like to remember about two films, Hackers and War Games, which were very important for the 80s generation to see hackers as these very cool people that were hacking things, and how this created the cyber security imaginary. And also, when we talk about it, we need to think of the gender perspective, because, well, I opened a position in my crew to recruit a woman, and I couldn’t. Like, it stayed for one month open. When I gave up, I hired a man in the next day. So this is really a cultural thing, and we really need to work on it.

Ismalia Jawara:
next week. So, yes, so my last input will solely, you know, relate with what he said, but more importantly, having more women, you know, participating in this industry. And I think obviously this we are unaware of, but, you know, it’s some form of a cultural life. For example, when I take my niece and nephew to the shop, you know, to get toys for them, you know, for Christmas, you go to the boy’s shop, you get amazing stuff, you know, so many amazing cool toys. You go to the, you know, the guy, the girl’s shop, you get some unicorn. I’m not saying unicorns are not nice or whatsoever, but my point is, you know, culturally we need to also, it’s as if we are actually grooming, you know, them not to be innovative and also involved in these creative industries. And that being the case, you know, I think industries like companies or businesses should also be giving priorities to women, you know, to participate in, you know, in cybersecurity. And my advice for my brother, I also experienced similar in my office, but then what I did was rather than giving them, because it’s a stage level, you know, step by step, rather than looking for, you know, an expert in reverse engineering or someone who has, you know, years of experience, I, you know, went for GRC, you know, personnel. So when I was not able to get someone, you know, I just got a lady who studied law and then gave her, you know, opportunity and then she did tremendously well. So I think, you know, the bar also or how we get them on board, you know, need to be looked at. If you want to take them from a perspective where you’re looking for expert, we are going to chase them out. Thank you.

Janice Richardson:
And thank you. I’m wondering if the audience has any last word that they’d like to add. It’s really important that everyone feels that they’ve had their say. Anyone over that side want to take the microphone for a last thought about this hub? Because we’re going to be calling on all of you. Yes, someone behind me. We’re going to be calling on all of you to really support us in this, seems so important. Would you like? You would? There’s a microphone somewhere. No? No? No one further? Well, I hope that you’re going to join us in this enterprise. We are determined after what we learned with the report that we really have to move forward. We have to move forward together. And we talked about safety and security, but in French, security is the same word. And possibly in other languages also. No one can be safe if we don’t have this security. I hope we’re going to continue working together. If you have any ideas, please come up and tell us, because we’re chasing ideas now when we’re working on this strategic plan. Thank you very much for joining the session. Thank you, speakers. Thank you, Larry. And I, well, we’ll be meeting in the corridors and talking further about this. So thanks for a very interactive session. Thank you. We’ll be in touch. Should we go and join them somewhere? Yeah, we have 10 minutes.

Speech statistics per speaker:
  • (speaker not named): speech speed 122 words per minute; speech length 3 words; speech time 1 secs
  • Denis Susar: speech speed 152 words per minute; speech length 773 words; speech time 305 secs
  • Anna Rywczyńska: speech speed 171 words per minute; speech length 783 words; speech time 274 secs
  • Audience: speech speed 167 words per minute; speech length 778 words; speech time 280 secs
  • Hikohiro Lin: speech speed 163 words per minute; speech length 1301 words; speech time 478 secs
  • Ismalia Jawara: speech speed 156 words per minute; speech length 1080 words; speech time 414 secs
  • Janice Richardson: speech speed 168 words per minute; speech length 2944 words; speech time 1054 secs
  • Joao Falcão: speech speed 119 words per minute; speech length 774 words; speech time 389 secs
  • Julia Piechna: speech speed 121 words per minute; speech length 736 words; speech time 366 secs
  • Katarzyna Kaliszewicz: speech speed 151 words per minute; speech length 1122 words; speech time 445 secs
  • Larry CEO of connect safely: speech speed 220 words per minute; speech length 2394 words; speech time 652 secs
  • Maciej Groń: speech speed 214 words per minute; speech length 596 words; speech time 167 secs
  • Raul Echeverria: speech speed 145 words per minute; speech length 1145 words; speech time 475 secs
  • Wout de Natris: speech speed 275 words per minute; speech length 940 words; speech time 205 secs
  • Yuki Tadobayashi: speech speed 175 words per minute; speech length 1035 words; speech time 356 secs