>>From Miami beach, Florida. It's the queue covering a Chronis global cyber summit 2019. Brought to you by Acronis. >>Okay. Welcome back. Everyone's cubes coverage here and the Kronos is global cyber summit 2019 and Sarah inaugural event around cyber protection. I'm John Forrey hosted the cube. We're talking to all the thought leaders, experts talking about the platforms. We've got a great guest here, security analyst, author and Ted speaker. Karen Ellis, Zari who runs the besides Tel Aviv. Um, she gave a keynote here. Welcome to the queue. Thanks for coming on. >>Oh, thanks for having me. It's a pleasure. >>Love to have you on. Security obviously is hot. You've been on that wave. Even talking a lot about it. You had talked here and opposed the conference. But for us, before we get into that, I want to get in and explore what you've been doing that besides Tel Aviv, this is the global community that would be runs a cyber week. He wrote a big thing there. >>So that's something that's really important to me. So 10 years ago, hackers and security researchers thing start that somebody called security besides which was an alternative community event for hackers that couldn't find their voice in their space. In the more mainstream events like RSA conference or black hat for example. That's when security besides was born 10 years ago. Now it's a global movement and there's been more than a hundred besides events. Just this year alone, just in 2019 anywhere from Sao Paolo to Cairo, Mexico city, Athens, Colorado, Zurich, London, and in my hometown of Tel Aviv. I was very proud to bring the besides idea and the concept to Tel Aviv five years ago. This year, 2020 will be our fifth year and we'll be, I hope our biggest year yet last summer we had more than 1200 participants. We take place during something called Telaviv cyber week, which if you've never visited Tel Aviv, that's your opportunity next year of Bellevue cyber Wade brings 9,000 people to Israel. >>It's hosted by Tel Aviv university where I'm also a researcher and all of these events are free. They're in English, they are welcoming to people from all sorts of places in all walks of life. We bring people from more than 70 countries and I think it's great that we can have that platform in Israel, in Tel Aviv to share not just our knowledge but also our points of view, our different opinions about the future of cyber security. Tel Aviv university. Yeah. So Tel Aviv university hosts me cyber week and they're also the gracious hosts for the sites televi which runs as a nonprofit separate from the university. >>You know, I love these movements where you have organic, just organic growth. And then we saw that with the unconference wave couple years ago where you know, the fancy conferences got too stuffy to sponsor oriented, right? That's >>right. Yeah. Up there too. They want to have more face to face, more community oriented conversations, more or, yeah. So besides actually the first one was absolutely an unconference and to this day we maintain some of that vibe, that important community aspect of providing a stage for people that really may not have the opportunity to speak at Blackhat or here or there. They may not feel comfortable on a huge with all those lights on them. So we really need to have that community aspect of them and believe it or not. And unconference is how I got on the Ted stage because a producer from Ted actually came all the way to Israel to an unconference in the Northern city of Nazareth in Israel, and she was sitting in the room while I was giving a talk to 15 people in the lobby of a hotel. And it wasn't that, it wasn't, you know, I didn't have a big projector. >>It wasn't a fancy production on any scale, but that's where that took for loser found me and my perspective and decided that this was this sort of point of view deserves to have a bigger stage. Now with digital technologies, the lobby conference, we call it the lobby copy, cons, actions in the hallway, just always kind of cause do you have a programs? It's not about learning anymore at these events because if all you can learn online, it's a face to face communal activity. I think it's a difference between people talking at you. Two people talking with you and that's why I'm very happy to give talks and I'm here focused on sharing my point of view. But I also want to focus on having conversations with people and that's what I've been doing this morning, sharing my points of view, teaching people about how I think the security worlds could look like, learning from them, listening to them. >>And it's really about creating that sort of an atmosphere and there's a lot of tension right now in the security space. I want to get your thoughts on this because you know, I have my personal passion is I really believe that communities is where the action is in a lot of problems can be solved if tapped properly, if they want, if they're not used or if they're, if the collective intelligence of a community can be harnessed. Yes, absolutely. Purity community right now has a imperative mandate, which is there's a lot of to do better. I think good that could be happening. The adversaries are at scale. You seeing, um, you know, zero day out there yet digital warfare going on, you got all kinds of things on a national global scale happening and people are worried. Absolutely. So there's directions, there's a lot of fear, there's a lot of panic going on these days. >>If you're an average individual, you hear about cybersecurity, you're of all hackers, you're thinking, Oh my God, they should turn all of my devices off, go live in the woods with some sheep and that's going to be my future. Otherwise I'm a twist and I agree with you. It's the responsibility, all the security industry and the security community to come together and also harness the power and the potential of the many friendly hackers out there. Friendly hackers such as myself, security researchers and not all security researchers are working in a lab at the university or in the big company and they might want to, you know, be wherever they are in the world, but still contributing. This is why I talk about the hackers immune system, how hackers can actually contribute to an immune system helping us identify vulnerabilities and fix them. And in many cases I found that it's not just a friendly hackers, even the unfriendly ones, even the criminals have a lot to teach us and we can actually not afford not to pay attention, not to be really more immersed, more closely connected with what is happening in the hacker's world, whether it's criminal hackers underground or the friendly hackers who get together at community events, who share their work, who participate on bug bounty platforms, which is a big part of my personal work and my passion bug bounty programs for the viewers who are not familiar with it are frameworks that will help companies that you might rely on like Google or Facebook, United airlines or Starbucks or any company that you can imagine. >>So many big companies now have bug bounty programs in place, allowing them to actively reward individual hackers that are identifying vulnerabilities. Yeah. And they pay him a lot of money to up to millions of dollars. Yes, they do, but it's not just about the money, you know, don't, it's not just amount of money. There's all kinds of other rewards that place as well. Whether it's a fancy, you know, a tee shirt or a sticker, or in the case of Tesla for example, they give out challenge coins, the challenge coins that only go out to the top hackers. I've worked with them now you can't find anything with these challenge coins. You keep the tray, you can trade them in in the store for money. But what you can do is that you get a lot of reputational and you know, unmonitored value out of that as well. Additionally, you know another organization that's called them, the Pentagon has a similar program, so depending on his giving out, not just monetary rewards but challenge coins for hackers that are working with them. >>This reputation kind of system is really cutting edge and I think that's a great point. I personally believe that that will be a big movement in all community behavior because when you start getting into having people arbitrator who's reputable, that's an incentive beyond money. Well, what I've found great I guess, but like reputation also is important. I can tell you this because I've, I've this, I've really dissected and researched this in my academic work and the look at the data from several bug bounty programs and the data that was available. There's all kinds of value on the table. Some of the value is money and you get paid. And you know, last month I heard about the first bug bounty millionaire and he's a guy from Argentina. But the value is not just in the money, it's also reputational value. It's also work value. So some hackers, some security researchers just want to build up their resume and then they get job offers and they start working for companies that may have never looked at them before because they're not graduates of this and that school didn't have this or that upbringing. >>We have to remember that from, from the global perspective, not everybody has access to, you know, the American school system or the Israeli school system. They can't just sign up for a college degree in cybersecurity or engineering if they live in parts of the world where that's not accessible to them. But through being a researcher on the bug bounty platform, they gain up their experience, they gain up their knowhow, and then companies want to work with them and want to hire them. So that's contributing to the, you've seen this really? Yeah. We've seen this and the reports are showing this. The data is showing this, all of the bug bounty programs that ha have reports that come out that show this information as well. Do you see that the hackers on bug bounty pack platforms that usually under 30 a lot of them are. They're 30 they're young people. >>They're making their way into this industry. Now, let me tell you something. When I was growing up in Israel, that was a young hacker. I didn't know any bug bounty programs. None of that stuff was around. Granted, we also didn't have a cyber crime law, so anything I did wasn't officially illegal because we didn't have, yeah, it wouldn't necessarily. Fermentation is good. It certainly was and I was very driven by curiosity, but the point I'm trying to make is that I didn't actually have a legal, legitimate alternative to, you know, the type of hacking that I was doing. There wasn't any other option for me until it was time for me to serve in the Israeli military, which is where I really got my chops. But for people living in parts of the world where they don't have any legitimate legal way to work in cybersecurity, previously, they would have turned to criminal activities to using their knowhow to make money as a cybercriminal. >>Now that alternative of being part of a global immune system is available to them on a legitimate legal pathway, and that's really important for our workforce as well. A lot of people will tell you that cybersecurity workforce needs all the help it can get. There's a shortage of talent gap. A lot of people talk about the talent gap. I believe a big part of the solution is going to come from all of these hackers all over the world that are now accessing the legitimate legal world of cybersecurity or something. I want to amplify that. Certainly after this interview, I'd love to follow up with you. Really, we will come to Tel Aviv. It's on our list for the cube stuff. We'll be there. We'd love to launch loving mutation. What you're talking about is an unforeseen democratization, the positive impact of the world. I want you to just take a minute to explain how this all came together for this. >>With your view on this reputational thing. I talk about the impact. Where does it go beyond just reputational for jobs? What? How does a community flex and organically grow from this and so one thing that I'm very happy to see, I think in the past couple of years, the reputations generally of hackers have become important and that the concept of a hacker is not what we used to think about in the past where we would automatically go to somebody who was a criminal or a bad guy. Did you know that the girl Scouts organization, the U S girl Scouts are now teaching girls Scouts to be hackers. They're teaching them cybersecurity skills. Arguably, I would claim this is a more important skill than making cookies or you know, selling cookies. Certainly a more money to survive in the wilderness. Why not in the digital wilderness? Yes, in a fire counter than that. >>More than that, it's about service. So the girl Scouts organization's always been very dedicated to values of service. Imagine these girls, they're now becoming very knowledgeable about cybersecurity. They can teach their peers, their families, so they can actually help spread. The more you build a more secure world, certainly they could probably start the fire or track a rapid in the forest or whatever it is that girl Scouts used to do that digitally too. That's called tracing. Really motivating that person. I think that's aspiring to many young women. That's very kind of, you actually have to have more voices out there. What can we do differently? What help? What can I do as a guy, as in the industry, I have two daughters. Everyone has, as I get older, I have daughters because they care now, but most men want to help. What can we do as a group? >>So I think you're absolutely right that diversity and inclusivity within the technology workforce is not a problem there. Just the underrepresented groups need to solve by. It's actually an issue for the entire group to solve. It's men or women or any underrepresented minority and overrepresented groups as well because diversity of the workforce will actually help build a more resilient, sustainable workforce and will help with that talent gap, that shortage of people of skilled employees that we mentioned. Others, a few things that you can do. I personally decided to do what I can, so I contributed to a book called women in tech at practical guide and in that book there's also a chapter for allies. So if you're a person that wants to help a woman or women in tech in your community, you are very welcome to check out the book. It's on Amazon, women in tech, a practical guide. >>I'm a contributor to that and myself. I also started a group called leading cyber ladies, which is a global meetup for women in cyber security and we have chapters on events in Israel, in New York city, in Canada, and soon I believe in United Kingdom and Silicon Valley and perhaps in your company or in your community, you could help start a similar group or maybe encourage some of the ladies that you know to start a group, help them by finding a space, creating a safe environment for them to create meetups like that by providing resources, by sponsoring events, by mentoring does a few, a lot of things. Yeah, there's a lot of things that you can do and it's certainly most important to consider that diversity in the workforce is everybody's issue with Cod. Something just one gender or one group needs to figure out how to be a big bang theory. >>You can share with three people, two people, absolutely organic growth or conditional. Yes, certainly. And as men, if you don't want to, you know, start them an event for women because that may seem disingenuous, but you can do certainly encourage the women that you find around you. In your workforce to see if they want to maybe have a meetup and if they do, what kind of help you can offer? Can you run the AB for them? Can you as sponsored lacrosse songs, whatever kind of help that you can offer to create that sort of a space. The reason we we started cyber ladies is because I didn't see enough women speaking at security events, so I wanted to fray the meet up where the women in cybersecurity could share their work network with one another and really build up also their speaking port portfolio, their speaking powers so that they can really feel more comfortable speaking and sharing their work on other events as well. >>Camaraderie there too. Yes, it very important. Thank you so much to you now, what is your, your professional and personal interests these days? What's getting you excited? So there's some of the cool things. That's a fantastic question. So one thing I'm super excited about is that I'm actually collaborating with my sister. So my sister, believe it or not is a lawyer and she's a lawyer who specializing in cyber line, intellectual property privacy, security policy work, and I'm collaborating with her to create a new book which would be a guide to the future of cybersecurity from the hacker's perspective and the lawyers perspective because we are seeing a lot of regulators, a lot of companies that are now really having to follow laws and guidelines and regulations around cybersecurity and we really want to bring these two points of view together. We've already collaborated in the past and in fact my sister has worked on the legal terms of many of the bug bounty programs that I mentioned earlier, including the Tesla program. >>So it's very exciting. I'm very proud to be able to work with my younger sister who followed me into the cyber world. I'm the hacker, she's the lawyer and we are creating something together. Dynamic duo that's going to be, I'm excited to interview her. Yeah, so in my family we call her the tour Vogue version. Can you imagine that together? It's really unstoppable. We didn't have a chance to speak together at the RSA conference earlier this year and that was really unique. Am I going to fall off on that with the book? Well, our platform is your platform. Anything we can do to help you get the word out, super exciting work that you're doing. We think cyber community will be one of the big answers to some of the challenges out there. And we need more education. Law makers and global politicians have to get more tech savvy. Yes, this is a big, everybody, it's everybody's issue. Like I said in this morning speech, everybody's on the front lines. It's not the cyber generals or you know, the hackers in the basements that are fighting. We are on that digital Battlefront and we all have to be safer together. Karen, thanks for your great insights here in energy. Bug bounties are hot. The community is growing. This is the cyber conference here that, uh, Acronis global cyber summit 2019. I'm John Barry here to be back with more coverage after this short break.