Security Practitioner Track: Hack to the Future

 

Session Description

The popular "Hack to the Future" panelists return to discuss the changing application security landscape and how hackers can meet today's challenges.

Session Summary

  • Embrace AI early: Panelists emphasize the importance of welcoming AI as a transformative force in cybersecurity careers.
  • Career barriers rising: Entry-level roles now require more experience due to tech layoffs and an influx of seasoned professionals.
  • Networking is crucial: Building connections is more important than ever, especially for underrepresented groups.
  • Breadth over depth: Employers increasingly seek adaptable candidates with diverse cybersecurity skills rather than narrow specialization.
  • Hands-on AI learning: Engaging directly with AI tools and exploring their security implications is vital.
  • Academia-industry collaboration: Bridging the gap between education and real-world cybersecurity needs is essential for workforce readiness.
  • Governance challenges: Enterprises must develop policies to safely integrate AI technologies amid rapid advancement.

Session Transcript

Good morning, good afternoon, and good evening to everyone out there and welcome to Hack to the Future at Connect 2025. My name is Don Isabelle. I'm the vice president of research here at NowSecure. And I've brought together three esteemed members of the cyber security and hacking communities to talk a little bit about what's top of mind for them in 2025. So, I'm going to let each of our panelists do introductions. Uh, starting off with Jasmine Jackson. Jasmine.

Thank you, Don. Hello everyone. Jasmine Jackson, founder and executive director of the Accelerated Training Program, a nonprofit focused on exposing underserved youth in cyber security education, computer science, cyber hygiene, and digital literacy. That sounds like a lot, but it's so much fun. And I just recently started a doctorate program and finished my first in-person week. And I don't know how to feel.

You should feel very, very proud. That's She's like, "Oh, this is real." So, yeah, that's amazing. Thank you, Jasmine. Uh, Tanisha, hello.

Good morning. My name is Tanisha Martin. I am the executive director of the GH Foundation, Black Girls Hack. Um, we are a nonprofit set up to provide uh training and resources to people trying to get into IT and cyber security. And I'm super excited to be here again. What is this year three?

I think four actually. Yeah, the fourth year that you've been here and the fifth year uh for Jasmine, Dr. Katie Paxton Fear, who I will let introduce herself next.

Hi, my name is Dr. Katie Paxton Fear. I'm a principal security researcher at Harness. I am a cyber security YouTuber and I'm really passionate about getting people into cyber security. Oh, I also work for university part-time as well. So, I juggle many things, but they all kind of revolve around one theme, which is getting more people into cyber security.

Yeah. Amen. Yeah. I I'm 100% on board with that. So, um as we just mentioned, we've been doing this a long time.
This is the fifth year for Hack to the Future and Tanisha, you joined us in our second year. Uh so yeah, we've seen a lot happen in the last five years uh in cyber security in tech in the world. Uh so if I'm going to ask you this, if you could go back five years and talk to your past self and I don't know give some advice, uh tell your past self something. No fair with no lottery numbers or anything like that. Okay. But you know what would what would you tell your past self? Jasmine, I'm gonna start with you.

Oh, I would the main thing would be trust your intuition. Um, that would be number one and then embrace AI because I was I was seeing it and I was like h I don't know but yeah I would be like definitely embrace it and run towards the light not away from it.

Yeah. And back at our first panel I actually looked back at some of our discussion and we were just starting to talk about just machine learning at that point. I don't think we had any idea what was coming. Uh Tanisha, what would you tell your past self?

I would say the same thing. Um embrace machine learning. You know, start taking a look at AI. Um you know, I think all of those things are super important. Um especially um as we get ready to go towards so many, I think, exciting things in the future.

Yeah, absolutely. Katie, what about you?

I I got say I wouldn't tell myself to think about AI. What I would be telling myself is probably a look, I know there's a pandemic on and it's bad and you're stuck inside. However, you are going to have so many opportunities. Go for it. Like run straight ahead at every single opportunity, you know, do that conference talk, stay up all night, you know, do it anyway and just, you know, this is a bad experience, but actually there's a lot of opportunity here if you run for it.

Yeah, I think that's so important to remember.
We've talked a little bit about over the years about burnout and you know how to to keep your focus and and I do think that's really important is to grab those opportunities and to find that little bit of joy that you can even when things are really chaotic and uh you're not sure what's going on whether it's it's COVID or just you know global affairs. Um, so let's talk a little bit about career from here because we've all been here for a bit, a hot minute. We don't need to name any numbers specifically, but we've seen a lot. Um, and one thing that I think seems to be changing a little bit like cyber security has always been ever expansive. Every year gets bigger, you know, more topics. It seems like there's no, uh, end to the number of things that you can learn and do. And we always hear about there's a shortage of people who have the skills, but what I've been hearing in the last maybe year anecdotally is it seems to be getting a lot harder for folks who are new to cyber security to break into the industry um and even some of those early career folks getting their second or their third job. So are you also seeing this? Is this a a new trend that we have to be concerned about? And Tanisha, I'm going to start with you on this one.

Yeah, I think I'm I'm also seeing um that trend. Um we see a lot of people who are trying to um you know get into the industry um and the real and the reality is especially as we've had a lot of layoffs you know recently in the tech industry over the past six months of the year is that there's been influx of very experienced people into the the industry um and the reality is is that with when you have experienced people in the workforce it doesn't necessarily make sense for you to spend the training budget if you can get people who are already experienced so you know I think it makes it a little bit more difficult in the the bar for what is entry level, you know, kind of shifts up a little bit.
The more experienced people, I think we get, you know, just looking at the laws of supply and demand.

Yeah, absolutely. Katie, as someone who's a principal, I imagine you are called upon to sort of mentor, you know, a lot of folks who are coming up the ladder. Is this something that you're also seeing?

It's really dependent on the organization. So, I'm very fortunate that the organization that I work for, you know, we do take in things like internships and we do work to mentor them into full-time roles. That is definitely becoming more and more rare, especially when I think about, you know, some of my students when I'm teaching at the university. It's hard to get a job at the moment. The best advice I can give, I think, is, you know, networking is more important than ever. And actually, particularly if you're in like an underrepresented group and you wouldn't necessarily have the same access to, you know, mentorship, there are so many really great organizations like Black Girls Hack that are becoming like I don't know. I don't really know like the such a massive multiplier for a lot of people to actually meeting folks in the industry, getting opportunities and actually being able to network with senior folks. So while I think there is definitely like where entry-level roles are becoming, you know, a bit more competitive, I also think there are some great organizations that are lifting people up and offering people those opportunities as well.

Yeah, I think definitely a lot more than I remember having a presence when I was starting out in the industry and I think that's such a boon for folks. Jasmine, I know you work a lot with people breaking in and people who are early career. Um, what do you have to say about this possibility that this is a trend?

Yeah, it's definitely a trend and something I want to bring up is job requirements, right?
I'm sure people have a lot of thoughts, but an entry-level person is not someone who has to have five years of experience, right? So, you're already um closing the door on those people. So, besides what Tanisha mentioned with the layoffs, that's very important. And then what Katie mentioned about the access, what I'm seeing is just job descriptions. And then with AI, it's like if you don't have keywords that are programmed in the back end and you're automatically out. So it's just a combination of things, but what I'm mostly seeing is like what they're looking for entry level, right? Because it's different from when we entered the field to what it is now.

Yeah, absolutely. And and I think too that's what a lot of folks who are interviewing or they're just going out into the job market for the first time are asking like what is it that I need to know, you know, what should I be able to demonstrate as I'm looking for a job? So, do we think the minimum bar here has changed for people who are entry level? Like, you know, disregarding the fact that technology is always moving faster and faster, are there things that we need to tell people you absolutely have to have this before you get into the job market that, you know, 5, 10 years ago we would not have recommended? Um, Katie, how about we hear from you on this one?

I think what I've really seen is that nowadays employers are looking for a breadth of experience. It's not so much about choosing a pathway and that's going to be the next 20 years of your career. Really, what folks want is somebody who is adaptable, somebody who has lots of different skill sets, has a lot to offer, um, and can kind of fit whatever role an organization needs. You know, if it's a job focusing on blue team stuff, then yeah, having act like knowledge of Active Directory is a must. But so is now knowing about offensive security. It's not so much that, you know, it's you're on this job path, you learn these skills.
It's really important to get a very large breadth of experience where you can.

Yeah, I think that's a really good point. Uh Tanisha, what about you? What do you think about this?

Um I think that they need to work on, you know, expanding their network, you know, from the time that they start going to college or, you know, it could even start in high school. You know, making connections, being intentional about building your network as you, you know, traverse through um I think throughout your career. Um I think the other thing is also is I would say machine learning and like just data science just understanding like how to look at data because I I think a lot of jobs are going to move from being you know much lower level to a little bit of a more of a higher higher level and I think that the level of knowledge is going to be increased um you know at that level in terms of what you need in order to get in and I think being able to analyze data especially as we get in these much larger scales is going to be important, is going to separate I think humans from the things that uh types of things that AI can be used for for example.

Yeah. So that's a really interesting point. And so I think when we start talking about AI in terms of careers, there's obviously a lot of fear of AI taking over jobs and putting people out of work. And how much of an influence do you think that sort of the rise of AI to do so-called tedious tasks is going to impact you know the things like the internships or getting people who are very early career and maybe have a degree but not a lot of hands-on experience. Is that going to impact uh the number of openings that we see for those types of roles? And if so then how do we grow the pipeline so that we eventually have senior folks again? Let's see. Jasmine, let's try you.

Okay. Um, I'll preface my I'm really not into the AI. So, yeah.
So, but I believe how I look at it as if AI with the more um tedious tasks, if those are eliminated, there's going to be new tasks that's going to come up that AI would not be able to solve. So, I see this as a never-ending cycle. So, but I do from my experience from my opinion I think it will play a part in like internships because if I can automate that as a company then it's just like okay great like I can get this done this saves money. So it would have to be a way of um universities, community colleges, academia actually working with industry and figuring out what are you doing and best preparing their students of okay this is what we're seeing in industry. So the jobs maybe these jobs that we were doing two to three years ago are obsolete. So now we need to move over here. So I see it more as a um a relationship between academia and industry that's ever evolving.

Yeah, that's really interesting because I I do think that one of the big criticisms of academia, especially with respect to cyber security, is um they haven't always done the best job of preparing people for the actual conditions in the market that they're going to face once they they graduate. Um Tanisha, what about you? Do you do you feel like the rise of AI is a threat to these entry-level positions in cyber security?

Um, in a way, um, I I believe that a lot of the the low-level repeatable tasks that, you know, things that can be automated, I think a lot of those tasks will be taken over by automations, you know, or AI and things of that nature, right? Um, I think what that's going to do is it's going to, you know, I think as I mentioned before, raise the level of the demarcation point, if you will, of you know, what is considered to be entry level.
So you'll be we'll be actually expecting at that point maybe some of the three to five years that we you know scoff at today we'll maybe be seeing that is what you know entry level looks like they we expect somebody to have you know years of experience through internships or whatever that that looks like before you know we accept them. Um so you know maybe that's like hey those mid-level people before now like are low-level you know demarcation point in the future.

Yeah. So Katie, uh, you mentioned that you teach at a university. I know you've interacted with a lot of students. What are your thoughts on this?

I would love for the answer to be that AI is not taking anyone's job. Believe you me, I would love to tell people that. Um, I think it's inevitable. I think the layoffs we're seeing now are a direct result of the fact that, you know, AI is generating more code than a human could ever possibly generate. Um but I think that it's an important time for especially folks who are more junior I think but people in who are in school to really grapple with AI and figure out what their value add is to it. Right? If the only if all you can do is get AI to generate some code for you. Yes, your job will be replaced by AI because the AI costs $20 a month not 2,000 in your salary. But if you can show you know it's not just that I can write this code I can do like whatever architecture I have like I can get a big perspective I can do design that will be such a value add that AI on its own could never I just really hope that organizations recognize that before we see situations like the customer service reps that all got laid off said we're replacing all them with AI and now they're rehiring for basically everybody but in more insecure jobs. Um, when like not full-time roles, but like Uber style roles, right, where you got the gig economy. I just really hope that employers and the industry realize it before that happens because that's going to affect an awful lot of people.
Yeah, absolutely. So for folks who are either security practitioners now or they're looking to get into security, what do we recommend to them in terms of learning about um large language models and and the existing set of you know AI tools, AI being kind of an umbrella term obviously because that encompasses a lot of things. Um but that's kind of the point. There's so much out there like how how do you point out okay you absolutely have to know this and how much of that is using it just as a productivity tool and how much of it is offensive like you need to actually know how to attack these systems and dissect them uh and figure out how to take them apart in real time? Um, Tanisha, I'll start with you.

Um, so for me like you know I I think that the the what the bar for entry is going to be is going to be interesting. And I think it's going to require that people become more niche in terms of their specialization. Like you know what is it that you are interested in? What approaches to problem solving can you actually bring? Um I I'm feeling very squirrelly this morning. So like I may be like a little bit off topic, but um so please feel free to redirect if that's not uh answering.

No, absolutely. I think this is all very on topic for where we're at today. Um Jasmine, what about you?

Don, can you repeat the question? I'm sorry.

Yeah, absolutely. As as we're advising, you know, people getting into cyber security or the people like us who are already here, what what what is the bare minimum like absolute requirement that they need to learn about AI, AI technologies and is it just using them uh in their daily work or um how much of their time should they spend learning how to actually attack those systems as well?

Yeah. So, I'm going to answer this kind of backwards.
So, I definitely agree with Katie that using it just as a productivity tool, let's say I'm a software engineer and I and I use it to generate code, that's really not going to help me because then I could be, you know, they'll just get the AI. I would say and I'm a kinesthetic learner, so I learn by doing, right? So, and that's how I would tell someone to learn AI is hey see if there are any tutorials look at YouTube videos like immerse yourself into the subject whichever flavor of AI you want to do because like being standoffish and fearful of it isn't going to help you. So, you have to find that comfortability level of like okay I like this and this is not it's not giving me any anxiety. I'm learning skills. I could be able to put this on a resume. I could be able to talk to it. So that's another thing is being able to talk because I think a lot of times people focus on the technical which is important don't get me wrong but then this the being able to communicate to different levels isn't there. So besides having the technical also being able to communicate to okay if this person is new what is your elevator spill that you would give on what you do that's going to be very important.

Yeah, absolutely. Um Katie, as someone who, you know, is working with students, but also working with researchers, um how have you been approaching AI? Have you taken a more offensive um tack on it? Are you showing students like there are ways to subvert these systems?

So, I will start by saying I've always been a bit of an AI skeptic, which is weird as someone who's got a PhD in AI. Um, I love AI, but uh I, you know, where a lot of people were picking it up, especially in the past year or so with ChatGPT, if you'd asked me Casey G, I would've said no, I'm not interested in AI. Like, it's cool. Like, I'm sure it's good, but no. Um, and this was wrong. This was like the wrong perspective to have. So, I have been vibe coding.
Um because I think we as security practitioners, we're kind of like gatekeepers, right, to essentially stopping people's work from being done. If people want to use AI, we can't be in the situation saying like no AI ever, we need to keep our minds open and instead of being the people that close the door, instead of being the people who say no, you can't do that, turning security into the department of yes. So for me, one of the best pieces of advice I can give folks is to like jump into it like exactly what Jasmine said is go into it and get your hands-on experience because I have learned so much about vibe coding from actually vibe coding myself about the security concerns with vibe coding because I know about security AI was generating that code. I didn't even think twice. I just let it do it. Copy, paste, Cursor's doing it, great, you know, implement this feature, that's it, and that gave me a lot of insight into some of the security issues around AI because I understood how it was created, I understand the mindset that went into it. So I think really jumping into how folks are using AI, having a go at it yourself and then essentially applying your security brain to it like the critical thinking of what could go wrong security-wise, and you don't need to be an expert to do that, you don't need to be an expert at anything, right, it's so much about that kind of questioning the assumptions and like research. You'd have to be a researcher to do research, right? And understanding, you know, how this could go wrong, which I think is going to be really key. So, for me, my advice is to whatever's whatever's trending on, like, AI Twitter, try it out for yourself and then you'll learn a lot about the security concerns about using it.

Yeah. And I think what you said about assumptions is key because that's kind of what underpins all of hacking, right? Is, you know, identifying the assumptions that people hold and then figuring out ways to subvert them or or challenge them.
And and that's so true about AI because I think um no matter what aspect of it you're looking at or what tool, people do hold a lot of assumptions sometimes without even realizing that they're making those assumptions uh about what they're doing and what the output is is telling them. So yeah, I think that's really interesting. So as practitioners now that kind of leads us into governance, right? Because what I'm seeing in the enterprise now is as these have be these tools have become more mainstream and they've um they've kind of infiltrated organizations uh now we're seeing more of a need for policy around it you know and guidance and um regulation and stuff like that. So once you're in there and you've actually used the tools and you understand them, what's that next step of starting to guide uh customers, our employers as to how to safely deploy this across the enterprise? Um Tanisha, I'll start with you.

So our our last question was talking about looking at defensive case capabilities and the reality is once that you understand I think what um attackers are able to do within these systems then I think that from a defensive perspective and from a training perspective that lets you know like how to kind of how to structure things to let people know what to look for and what it is that they should have as far as expectations um as far as like some of the the common exploits. Um, you know, because once we started teaching people, for example, like, hey, you know, it doesn't matter what the link looks like it says, you know, that may be not may not may not be where it's actually going. So therefore, you know, don't click on anything. You know, we've done really good about training people, things like that. You know, we need to figure out what that, you know, minimum subset of of good advice looks like in the AI space and then, you know, how do we disseminate that to to the end users?

Yeah. And I feel like we definitely aren't there yet.
It's probably going to take some time and hopefully the state-of-the-art doesn't advance so fast that we never catch up with it. That's my hope at least. Um so we're coming to the end of our time. Um usually we close this out with some predictions and I I ask what do you think is going to happen next year in security or this year in security. Um but I I want to do something a little different this time given that this is our fifth year which is absolutely mind-blowing. So if you could hop forward in time this time uh 5 years and talk to your future self just considering how much has changed in the last 5 years. Okay. What would you ask your future self about technology and cyber security? Uh Jasmine I'll start with you.

Okay. I would um ask like how far has the AI gone? Number one. And then number two, I will ask, did I finish this degree? Let me know. Did I make it out alive?

All right, Katie, how about you?

Oh, it's so hard. I would I would come up with like my three main technologies I'm interested, right? Model Context Protocol, which is this new way of AI interacting with tools. Does that take off? Does it end up like kind of fizzling out? Um AI agents, do they end up taking off? Like are they now a thing? And um the third one is like do we ever see a backlash on AI art like from the wider community or is the AI slop on Facebook just getting worse? I need to know just for my own curiosity.

Yeah. No, I I that's a whole that could be its own panel right there about art and uh copyright and all of those intersections with AI. So, yeah, that's a really good question. Tanisha, I'm going to let you have the last word on this one.

Um I want to know like where we're at as far as uh quantum computing. Um I want to know if we've actually gotten to, you know, uh super intelligence um at that point, you know, five years from the down the line. Um and I want to know like what is the next technology that I need to be um learning about? I need myself to give me a heads up.
Yeah, absolutely. Yeah. And and it doesn't sound like a lot of time, five years, but I I think when you consider all that has happened in the last 5 years from then to today, I I think we see that technology sometimes moves even faster now than it used to. And it can really change things uh in major ways especially with how connected I think we are today. It just it moves at the speed of light. So um I want to thank all of you for joining me today Jasmine, Tanisha, Katie. Um thank you for your time and your insights and wisdom. And uh thank you to all of you out there for taking the time uh to join us today as well. Just a reminder, if you have any questions, there will be a Q&A box for you to enter those into, and we will uh try to answer them as quickly as we can. If we don't have an answer, we will try and get back to you after the fact. So, thank you for joining us once again. We hope to see you next year when we have our sixth year of Hack to the Future. And in the meantime, happy hacking.

[Music]

Hello and welcome to your MARM minute. I'm Alan Snyder and today we're going to talk about the first step in the MARM program. We're going to talk about how you classify apps and put them into business impact tiers. The business impact tier is super simple. It's basically saying how important is this app to my business and what is the impact to my business if there is a cyber security incident, be that a data breach, be that a vulnerability, privacy issue, operational disruption, all sorts of things that can cause harm to the business. So, let's dive right in and let's take a look at some of the characteristics that we recommend. Now, what's important to understand about what we're going through here is that each company is going to come up with what is appropriate for them.
We've created a best practice document to help you define these and serve as a template, but based on your threat model and based on your operations organization, it's probably going to vary a little bit, but you need to look at things like sensitive information. Does it have PII, health information, financial transactions? Does it have your brand on it? Is it the primary path to business? Does it collect geolocation data? Maybe have access to contacts and microphone and camera. So, it's collecting information that you have an obligation to protect. How many uh connections and endpoints does it have? In essence, where could that data that it's collecting be distributed to with or maybe without your knowledge? All of these things go into that factor in terms of how much of an impact, therefore, how much of a risk is it to your business. So, this has been the MARM minute. Super quick, but hopefully it helps you put together a better program.

[Music]

Hi, I'm Michael Krueger and here to talk to you about traditional pentesting versus pentesting as a service. Standalone pentesting is our traditional application of pentesting for mobile apps. Experts uh conduct rigorous security testing against the application, provide a final report and then ultimately remediation consultation. However, there is a problem with that. Uh in this example, there may be an application that has uh three major releases throughout the year as well as a number of minor releases. Uh and we're conducting an annual pen test as well. The annual pen test in March, as you can see, may catch one of four bugs throughout the year. However, those other three bugs may introduce vulnerabilities that may not be caught until the following annual pentest if it's not uncovered during other rigorous testing. How do we fix this sort of application? Well, that's where we bring in pentesting as a service.
Pentesting as a service modernizes the pentesting approach by utilizing SDLC integrations to allow and reduce developer friction by uploading binaries directly into uh a software as a service platform. Allow you to dynamically request pentest on demand from experts. Go through that typical expert-led pentest.

 
