Saving McDonald’s from a possible data breach

This week we chat with Connor Greig of CreatorSphere about beginning a career in IT at age 17 when he joined Hewlett Packard as an applications engineer, but after just a few weeks, was promoted to project manager. He went on to work on secure projects for the British government and was a project manager for secure cloud computing and software development modernization during the WannaCry, Spectre and Meltdown vulnerabilities that were found.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Intro
  • 3:00 – Origin story
  • 4:58 – Getting into IT
  • 8:53 – Being scouted by HP at 17
  • 11:34 – What did HP see in you?
  • 15:42 – Working with the British government
  • 17:49 – Being fast on your feet
  • 19:51 – Area of specialty
  • 21:30 – Balancing work and management
  • 25:25 – Saving McDonald’s from a data breach
  • 31:58 – McDonald’s reaction
  • 38:56 – Starting your own company
  • 45:25 – Advice for starting your own company
  • 49:15 – How to learn new concepts and skills
  • 53:15 – What’s it like being a gay man in cybersecurity?
  • 55:30 – Making cybersecurity more welcoming
  • 58:15 – Cybersecurity career advice
  • 1:00:33 – Outro

  • Transcript
    • [00:00:00] CS: Today on Cyber Work, my guest is 22 year old CEO, Connor Greig. You heard that right. Connor was recruited by HP at age 17 to be an applications engineer. Worked for the British government soon after, and started CreatorSphere at the age of 22. He also recently saved McDonald’s corporation from what could have been a massive data breach. Find out how it all went down today on Cyber Work.

      [00:00:28] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

      Connor Greg’s career in it started at age 17 when he joined Hewlett-Packard as an applications engineer, but after just a few weeks was promoted to project manager. He went on to work on secure projects for the British government and was a project manager for secure cloud computing and software development modernization during the WannaCry spectre and meltdown vulnerabilities when those were found.

      Connor has already accomplished a lot in his new career. So we’re going to talk about his cyber security journey, the ups and downs of running his own startup, CreatorSphere, and as a proud member of the LGBTQ+ community, the ways in which cybersecurity industry can more actively recruit, promote and support professionals from the community.

      Also, if you’re not uh closely following Cyber Security news in England, you may have missed Connor’s moment in the media spotlight when he spotted that a contest from McDonald’s that he won inadvertently sent their database credentials out in the prize email. So we’re going to talk about his journey through this surprising news story and the ramifications as well.

      Connor, thanks very much for joining me today. Welcome to Cyber Work.

      [00:01:47] CG: Thanks, Chris. I really appreciate it.

      [00:01:49] CS: So we always like to start by getting the story of our guest’s cyber security journey in their own words. So for certain years, you must have started quite early. So what were your earliest memories of being drawn into the presence of computers and other tech and what sort of brought you to the belief that that’s something you want to do with your life?

      [00:02:11] CG: Yeah, I think. So it was a little bit weird for me because I grew up in a household that didn’t really have computers or Internet until quite later on. And when we did, it was really old age computer. So it was like Windows 95, old cathode ray tube kind of desktop, old school.

      [00:02:27] CS: So that was old. So what was new at the time? Because, I mean, old for me is Commodore 64.

      [00:02:34] CG: Yeah. I mean, so like back then, IBM Thinkpad laptops were all the rage. And you could get a laptop. I mean, it was still the size of a small house. But I mean we’re talking like I guess 2007-8, maybe 2006. So I was about seven or eight at the time. And I think the first kind of thing that drew me in about it was just I think it was the creativity side of it, because with computers, you get kind of free reign. And I think I just simply remember the first application I’ve probably ever used was something like paint, like every kid does. And you draw lines and you fill it in with colors and you make a little Picasso. At least I like think it’s Picasso. But that’s when I learned the importance of saving documents, because I know that was a thing.

      But yeah, and then as time went on with computers and the reason why I think I got semi-decent I like to think at it, was because I found myself – Because we didn’t have Internet. So the computer had maybe three or four applications. Microsoft Office was on it. There’s nothing really to do with it. So I found myself typing verbatim word for word The Line, the Witch and the Wardrobe in the right text in Word documents. And that’s how I learned how to type properly. Because at school at the time they weren’t really teaching computers, and then eventually, as time got on a little bit and I got a little bit older, maybe a year or two later after I did that, I was way ahead of everybody else when it comes to typing. And that’s when I really started to like computers.

      [00:03:57] CS: Love it. Yeah, the older I get the more I think that my typing class in high school may have been the most valuable thing that they ever taught. So you said a little bit about, what were some of the first things you started to do once you had access to computers? So you said the painting program. When did you sort of like break into sort of finding more unconventional uses for your computer apart from using as a Word processor like you say?

      [00:04:22] CG: Yeah. So my uncle, he works in IT, and he still works in IT. So I eventually got an IBM Thinkpad. It was back when IBM actually made them. It wasn’t Lenovo. And it had a little dot in the middle. And that’s when I started to do some fun stuff. It was XP. So it was still a while ago. And that’s when I got Internet access. and I found myself going out and watching all – I can’t remember what hacker movies it would have been. But it would have been some hacker movie somewhere.

      [00:04:48] CS: Sneakers?

      [00:04:49] CG: Yeah, yeah. Yeah, exactly. And I was trying to work out how to hack things in command prompts, changing the color of it, that kind of thing. But as time got on a little bit more in schools when I kind of found the first unconventional use, and it was it was merely by accident, I found myself in middle school about maybe 11 years old and saving a word document. I’d learned how to save at this point. So saving a Word document and suddenly have access to the whole domain of users. So I could see everyone’s documents including teachers. Yeah, not so nice.

      [00:05:26] CS: Fun anyway.

      [00:05:26] CG: I took it upon myself back then to leave a message on some of my fellow students’ desktop. It wasn’t anything inappropriate like that. But the school didn’t take lightly too. But I admitted to it. That’s the way I always like to look at it, is I actually told them. So I got banned for a year from touching computers. I wasn’t allowed to be in the vicinity of a computer.

      [00:05:47] CS: Even at home?

      [00:05:48] CG: Yeah, even at home. That was part of the agreement was that the school took it way too serious. But I think it’s because like there was the first incident of that ever happening for them, because really –

      [00:05:57] CS: They probably didn’t know what to do because there’s no precedent for it.

      [00:06:01] CG: Yeah. And obviously, communication between head teacher and IT staff, as one man in a cupboard somewhere was the IT stuff. So the communication breakdown was like I had done something miraculously amazing, but really it was just a permission error somewhere. So I got banned for a year. I couldn’t touch computers at home. I couldn’t touch computers in school. In fact, whenever I had like a substitute teacher, I’d have to openly kind of inform them as the lesson begins, “I’m not allowed to touch computers,” which was really a weird experience. So I spent a year – I think that’s when it got interesting, was for a whole year I couldn’t use them. So I was thinking of more and more ways to use them. So yeah, that’s like kind of my –

      [00:06:39] CS: What was your year off like then? What were you doing? Were you reading books about computers? Were you still skimming? Or did you like really just like stop thinking about them for a year and then come back to it? And if so, did that sort of deepen your obsession?

      [00:06:51] CG: Yeah, I think so. I’ve never read on computers my whole life. That’s the weird bit about my education, is that it seems quite natural for me. So I’ve never read anything.

      [00:06:59] CS: Yeah. You’re learning by doing.

      [00:07:01] CG: Yeah. So I spent a year off, which obviously is not great when it comes to learning by doing. So yeah, what I did in that year was I would find myself often things would break in the classroom and everybody else wasn’t computer literate. So the teacher would like stood there confused on what to do. So I’d be like, “Oh yeah, you can fix it this way. But I wouldn’t be allowed to touch it myself.” So I was finding ways to kind of do kind of level one tech support age 11, 12 m in school without being able to touch it. So I was seeing kind of issues. I was paying more attention to how things break.

      But I spent probably that whole year just focusing actually on school and doing school work. But more and more kind of getting jealous and annoyed that I couldn’t use a computer. And when that year ended, I kind of made a promise to myself, which is like I’m going to understand everything about computers. I want to know everything about how they work. Why we have them? How they started? Everything possible. So yeah, it was kind of a good thing, because you get taken away from something that you love and you can’t use it for a year, it makes you really want it.

      [00:07:58] CS: Absence did make the heart grow fonder.

      [00:08:00] CG: Yeah, exactly.

      [00:08:01] CS: So it’s not that many years from that. It’s five years later. Tell me about being scouted by Hewlett-Packard to be an applications engineer at age 17. Like what were you studying at the time and what were you doing that attracted their attention?

      [00:08:15] CG: Yeah. So I was in the first year of sixth form. So in the UK, we have two years before you go to university, which technically you ended high school. And you can go to a college or you can continue that within the high school. They call that a sixth form. So I was in sixth form. So I was studying to go to Cambridge University. Not studying IT, actually to go and study law. And I’d spent a summer school there where I was doing law firm. It was about two weeks. And I was completely set. I’m going to go to university. I was doing double business and double IT, which is a bit unconventional, because schools usually make you pick one four different subjects. But I had convinced my school that these were the two things that I wanted to focus my life on. So let me do double business. So I got four qualifications, completely unique ones, but was doing double. So I was doing all that.

      And then around about the end of the first year of sixth form, as you’re preparing to do your exams, Hewlett-Packard, I can’t quite remember how it exactly happened, but there was an email that had popped up with a job opportunity for apprentices at Hewlett-Packard. And I was like, “Okay, that seems interesting.” So I was asked to apply. So I went and applied for it. They offered to interview me. So I went in an interview. It was my first ever interview. I’d never been in an interview in my life. I didn’t think I’d done interview practice at this point. So I rocked up. I was the youngest there at the interview. Everyone else was like 19, 20, 21. I went in, I sat down and I got quizzed on kind of everything you can think about. So it was a very generic interview on purpose, because they want to see what your strong points were. And they were asking what languages do you develop?

      And at that point in time, I didn’t develop in any languages at all. So my answer was none. But I’m sure if I gave it a shot I could work it out. And I think there was about maybe 30, 40 people there for that assessment day. And it went on for about six weeks, maybe eight weeks afterwards. I didn’t hear anything. I just assumed I’d absolutely bottled it. But no, I then got offered the job. So I got invited back. And they said you know can you start next week? So I was in school the Friday. And they want me to start on the Tuesday or Wednesday. So I had like five days of – If not in five days, four days of having to get used to the fact I’m a child in school to an adult earning an adult wage at 17. I joined.

      And to be honest with you, I wasn’t surprised, because obviously I had seen who interviewed, but I was the youngest there. In fact, I was the youngest in miles in the whole country and potentially the world at Hewlett-Packard for a very small period when I worked there. And I got assigned to the UK government.

      [00:10:42] CS: Now, I want to definitely go to that, but do you have a sense of what it was that they saw in you at that age or what you what you provided that none of the older kids were able to provide? Did they tell you that at all?

      [00:11:00] CG: Yeah. So I actually asked why me, because I think that’s always something people ask, “Why did you pick me out?” And one of the feedback was that my way of thinking and articulating kind of solutions to problems, because they do a lot of problem-based questioning and scenario-based was probably the best they had seen. And they couldn’t turn that down, because a lot of what Hewlett-Packard does, Hewlett-Packard enterprise does is problem solving. Organizations come to us and they say, “We have to solve this problem, but we don’t know how to do it. And we need somebody like you to do it.” So they needed people that were able to take something with absolutely no guidance and come up with a solution. And that was one of the reasons.

      The other reason was that when they looked at my age for all my qualifications, that was something they took a lot of interest in was that my kind of study route was very IT-focused. So they knew I kind of lived in and breathed IT. That was the consignment.

      [00:11:53] CS: What was your study route? What did you show them in terms of how you would learn things? Was it mostly self-directed or were you taking computer classes in like sixth form and everything?

      [00:12:02] CG: Yeah. So it was double IT and double business in sixth form. And I was showing them the modules I’d already done. And we already had at that time presumptive grades. So they were saying this is – because I’d already done my assessment. This is what we think you’re going to end up with. So I showed them that. And they were asking, “How did you find that?” And I explained, it’s great, I love it. I enjoy it a lot.” And with that I think they saw – Because the whole idea of how apprenticeships work in the UK, they’re kind of government sponsored. So the government create a framework for apprentices. And you can fit into different frameworks and you have to apply for funding, lots of other things. But part of it is continuing education. So they pay for more qualifications. That’s part of the whole deal. So you actually have to learn more. So what they want to see was somebody who was passionate about learning but also knew enough to work the job. And that was an important thing to have.

      [00:12:51] CS: Yeah. Now, what were your responsibilities initially at HP?

      [00:12:56] CG: So initially, I started out in what they call change management, so a bit of an idle function. The role was looking after cloud changes. So it was assessing them how they would impact our private cloud that we ran for the British government. What that would look like? It was more of an administrative role with a bit of technical knowledge. A lot of the team were not technical. So when there was stuff that the kind of non-technical team didn’t understand, I would often jump in and try and kind of provide some feedback. But what I noticed about that team is it’s a very rigid way of working. So it didn’t work out too great for me because the team were very focused on passing the stuff to another team when it was technical and letting them deal with it, because they were worried about liability and worried about me saying I know the answer to something when maybe I don’t, because I’m just a 17 year old kid.

      But what happened that was really good was that we had some project managers who were really quite terrible at making sure that changes were scheduled on time, different project managers. And they were really bad at kind of keeping track when stuff was supposed to be done. So instead I got assigned to them. And my job was to create their changes. Make sure they get approved. Chase them. And it was kind of like you don’t fit very well for this team. This isn’t technically too much of a technical role, but you can still advise technically. So I did that, and that’s how I got in with project managers.

      So I got in with the program manager, the project managers. And as the time went on, they basically said, “Would you like to be a project manager?” And at 17 you say, “Yeah! Sure. I have no idea what a project manager did. But yeah, I’ll do it.”

      [00:14:23] CS: Especially since you saw people doing it poorly and you’re like, “I literally know what not to do.”

      [00:14:28] CG: Yeah. No. It was I don’t necessarily know exactly what they do, but I kind of know because I’m walking around with them all day. So I was like, “Yeah, I’ll give that shot.” And really, it started out covering. So whenever a project manager would go on a holiday or if a project manager was ill, I would still take –

      [00:14:43] CS: Oh, you were the substitute teacher.

      [00:14:46] CG: Yes, exactly. Now tell me about uh working for the government from there. Because you said that HP was working with the British Governor, whatever. Was that the project management part of it? Or was that something completely different?

      [00:15:02] CG: So what happened was HP had a contract to deliver quite a few services to the Department for Work and Pensions. It’s an unemployment agency in the UK. And what happened towards the end of that contract is the British government decided they were no longer going to outsource it. So a decision happened where Hewlett-Packard were to transfer some staff into the British government and work directly for them. And the idea behind that was that you would take all the knowledge from Hewlett-Packard and run it in-house inside the government. So I transferred to the British government around about I think it was about 2019 maybe, maybe earlier than that, 2018.

      And my job there when I got there was very similar to the old change management stuff I was doing. And that lasted maybe six weeks, because I hated it. And towards the end the six weeks of that there was like – I remember this guy, Andy his name is, and he was basically trying to fight about 600 different fires on his own and trying to solve so many problems on his own with hardly any funding. And what those problems were were we’ve left Hewlett-Packard but we still heavily depend on them for a lot of the functions that these teams do. And we somehow have to get those functions into the British government and do it in a way where we don’t have any downtime, we don’t affect any customers, and we do it very quickly with no budget.

      And doing that sounds fantastic. It’s like, “Oh, yeah. That sounds like a great challenge,” until you understand the scale of the fact that the British government, the department I worked in had 80,000 employees that use the systems every day. And 63.6 million citizens that were depending on us.

      So that’s how I got into project management again in the government was I am – I said to Andy, “I used to be a project manager. I mean, I’m not anymore into change management.” And he said, “Why did you never tell me this?” And it was that day that I was elected project manager for modernizing software development life cycle was the kind of the end of it. But the very beginning it was in-housing and transforming our secure development life cycle in cloud.

      [00:16:59] CS: I like all these stories specifically because we get so many comments from people who are just starting their cyber security journey and not really knowing how to sort of get a foothold in. And it seems like your story is such a combo of something opened up and I went for it even though I don’t necessarily have all the qualifications. And also just being sort of fast on your feet and saying like, “All right, I can learn this quickly. I’m willing to pivot to a new thing,” things like that. And I think those are like really good lessons to learn in terms of like making a mark for yourself. It’s not saying like, “Well, I’d love to do project management, but I’m the change management guy. There’s nothing I can do,” and stuff like that. So I hope people are listening closely to this story.

      [00:17:43] CG: I think one of the really important things that I learned very quickly at HP was that if you didn’t shout and you didn’t make a bit of a bother about something, it was never going to change. And that applies to your role, which is I had somebody that I worked with. I won’t say her name. But she wanted to become a project manager. She worked in change management for about five or six years at this point and had never got anywhere. And I turned up eight weeks or whatever it was later become a project manager from the team that she leads. And I can see her how infuriated she was by that, because that’s not a nice thing to be part of. At the same time, if you don’t kick up a fuss, because she hadn’t said anything to anyone, she may have mentioned it in performance reviews. But you all know how they go. They get forgotten. So she was never kind of trying to kick up a fuss or network. And my thing was really about being nice to people and saying, “Hi, I’m Connor,” when I’m being introduced, and taking note of what they do in the organization.

      People get big job titles sometimes, but little responsibility. You want to look for the people that you see doing stuff. They’re the ones, ones that are walking around kind of with their shirt rolled up. And they’re walking around, and they’re not necessarily shouting at people, but they’re trying to work out what went wrong. They’re the ones to get in with, because they’re the ones that the organization depends on. You become friends with them, you’ll find your way very easily.

      [00:18:54] CS: Yeah, you’re going to sort of – You can get into their tailwind of their current things like that that they’re doing. So what exactly is your area of specialty in cyber security? I know your degree is in ICT systems. Is that an area of cyber security still working regularly? And I know now that you’re a CEO, you run your own company and stuff. Like what do you like doing? You’ve done project management. You’ve done change management. You’ve done other things. Do you find yourself good at? What do you like doing? And what types of work would you still like to be doing as much as possible?

      [00:19:26] CG: Yeah. So my specialty is quite weird. So social engineering is something I take a lot of pride in being quite good at. But it’s kind of prevention is really what I specialize in. And what I mean by that is people develop things all day, and they do really great things. But sometimes they don’t see the risks that’s associated with that.

      So I’m really good at spotting out factors that could potentially result in a breach or something else. So it’s assessing problems that haven’t actually occurred yet. And you get a lot of kind of cyber risk and compliance people in organizations. And they’re great again, but they don’t often have a technical background.

      I was one of very few project managers that actually had a full technical background. I could do a lot of things when it comes to computers. I wasn’t a business guy. So I’m really good at spotting when somebody says, “Oh, I’m doing this thing with this database and doing it this way.” I’m able to quite quickly go, “Yeah, that’s not going to go well. And here’s why.”

      So my area especially is prevention of breaches, or attacks, or all that kind of thing, and spotting risks very easily. But I do enjoy on the side social engineering, a little bit of red team. And I dabble in everything, but certainly prevention is my specialty. It’s that blue team kind of stuff.

      [00:20:39] CS: Gotcha. Now, as someone who runs their own company and has probably some degree of managerial responsibilities, do you ever have a hard time balancing getting to do the stuff you want to do versus doing the stuff you have to do, and the, “Oh, I’d love to be doing that, but I got to deal with payroll right now, or I got to hire seven new people,” or things like that. Do you ever sort of wish that you can sort of like step backwards and sort of get your hands dirty more often? Or have you found a balance in that?

      [00:21:09] CG: So in CreatorSphere, we’re really lucky. We’re not too huge of a team. We’re quite new. So we’ve only been around since March, April of this year. Officially, mid-April is when we started actually working on the project. In that time we’ve done huge things and we’ve worked with some great people. And we have some great people inside of our organization.

      With that, I still get day-to-day the opportunity to sit. We have a virtual office. I get the opportunity to sit down for the people that are doing the stuff that I want to do that maybe day to day that I don’t get to do, which is the security stuff, or maybe getting a little bit involved in the development stuff.

      And I think one of the things is that you are right when you get into a managerial role and you progress through an organization, you’ll find yourself doing less and less and more kind of talking and more meetings. What’s important is you don’t forget the stuff that you used to do hands-on. As soon as you forget that stuff, then you actually make yourself vulnerable. And I don’t just mean from a security perspective. I just mean from a development perspective.

      If I forgot how long it took to develop something and somebody said to me it’s going to take six years. If I don’t know that that’s a ridiculous overestimation, I might say yes and allow it to happen. So part of it is, yes, you don’t get necessarily do the stuff day to day. But what you really get to do is mentor people inside the organization. I’ve had many a conversation with people that work with us about random stuff, about the threats that printers produce from working from home and stuff like that, and just random conversations that went on for two or three hours after work is finished. And what you see is coming out is the next day you see in your cyber briefing the printers have on the organization and the ways to prevent it.

      So you don’t necessarily get to do the stuff every single day. You don’t get hands-on, but you actually get impacted, and it’s really important. If you become a manager or go and manage your role and you’re not impacting, you’re not seeing the stuff that you’re talking about in your reports or in the stuff that people are producing, then you’re not doing it right. So you have to keep some hands-on.

      Often, I do side projects and personal projects that I get play around, like cloud environments and security groups. Because if I did it inside the organization, I get shouted at. So I don’t do it inside the organization. I get told off. So I do my little side game servers or whatever. And I learn kind of the different things. And I go, “Could we maybe try and do this for the organization?” Then I go and let the actual, the real people go and do it and I just sit and watch and all in the background.

      [00:23:22] CS: So your job is cyber security and your hobbyist cyber security. That helps too.

      [00:23:26] CG: Yeah. Yeah, I like to play around with stuff. But the really great thing that we have is that, as an organization, because we’re basically a tech company, we don’t really provide anything other than tech. We are very heavily tech people. Everyone that works for us loves tech is involved in tech. So we all have our little passions. And really, our organization is quite different, because instead of us saying this is your job and this is what you’ll do every day, what we do is say , “Here’s a task who wants it,” right? And we let people kind of step up.

      Now obviously there’s some times where you can’t let somebody do something because somebody else has to do it. But in most cases we’re able to say, “Yes, your job tells this. But if you want to do this, go ahead.” So sometimes I find myself writing stuff for cyber security. Sometimes I find myself decommissioning users. Sometimes I find myself responding – Last night we had an outage, and I got called in to help fix it. And that happened the other week. So I do find myself getting involved sometimes. But most of the time I get told off and told not to touch it.

      [00:24:25] CS: I was going to say, I think people like the idea of the CEO having to get the mop out and actually clean the halls, but not always. So before we continue to talk about careers and your company and such, I want to hear more about the McDonald’s story. So I’ve read several accounts of the story. But for our listeners who are just hearing about it now, walk us through what happened. What you saw and what happened when you reported it?

      [00:24:50] CG: So I don’t eat McDonald’s a lot. I know my figure may say otherwise, but I don’t. I promise. The other day me and my partner, we decided we were going to get McDonald’s delivered to home. And we thought there’s the monopoly promotion on. So we’ll order a load of food and we’ll collect all the tokens. And it was just a bit of a laugh. It was just a bit distressing.

      And we had some of the food. To be honest with you, I didn’t eat most of it. I just had the token. So I was going through and going through the laborious process of typing the codes in to the claims form. And I typed them in and won things. And one of the things that I won was a comedy subscription, which is great, because I love comedy, one of my little things that I watch. And I went and go and look at the email. And because I’m so heavily connected to having an apple watch and having my iPhone, my emails are instantaneous. I can’t live without them. And I spotted the top bit of the email just past the subject. And it started with data. And I was like, “That’s a bit peculiar.” I thought, “Oh, it might be just some HTML classes.”

      So I clicked on it and then immediately at the top of the body of the email, just above the claim information, was the staging and production credentials to McDonald’s monopoly’s databases in the UK with the connection strings intact. So sending the username and password is bad enough but, also the location of the databases and the database name made it almost to the point where it was like this is ridiculous. So I was like, “Oh, crap!”

      [00:26:12] CS: It’s just like they just threw the doors wide open. Yeah.

      [00:26:15] CG: I was like, “Oh, crap.” McDonald’s is relentless for being quite heavy-handed when it comes to lawyers. So the first thing I did, I think it was within three minutes of receiving that I’d email their support email. I tried to call them, but I think it was a Saturday or a Sunday. And I couldn’t get through to anybody because they finished work an hour before something that I’d claimed the ticket. And I was like, “Really? Okay.” So I thought I’d give corporate a call, because usually there’s already somebody in. And I rang the US corporate office and got hit with not even a voicemail, just an answering machine that just said, “We’re all working from home.” Don’t call us basically, and hung up.

      And at that point kind of social engineering kicked in and like somebody must have leaked their phone number somewhere. So I managed to find a list of phone numbers for senior vice presidents inside of the organization. I rang every single one of them including their cellphone and got no answer, about 18 people. So at that point I thought, “Okay, this is getting a bit ridiculous now, because now it looks like I’m either not trying to contact them or like try to hold them ransom.”

      [00:27:18] CS: Exactly. Yeah, yeah.

      [00:27:20] CG: At that point, I turned to social media. So we have a TikTok account, which sometimes does really well in terms of content. So I posted on our CreatorSphere TikTok tock account and said, “McDonald’s have given me the keys to the kingdom,” and I really missed out on a pun, because I should’ve said the keys to the golden arches, but it doesn’t matter. The keys to the kingdom, and I screenshot the email. Yeah, I screenshot the email and I censored out the important stuff in the email and said, “Does anybody have an email address that I can email this to?” I tried LinkedIn, because I thought that’s where everyone is. They all had their profiles on private. So I couldn’t get through with them on LinkedIn.”

      And I thought for a company that has just sent me um the login details for the databases, they have privacy of their employees really –

      [00:27:59] CS: Astonishingly secure in other ways.

      [00:28:02] CG: Exactly. And some anonymous user messaged our account and give us an email address for the UK cyber security response team. So I emailed them. And that was that. And the next day I worked mostly US time. So I was asleep when I got the confirmation email that they had acknowledged it. But in the email they had sent two. So they’d sent me one email saying, “Can you give us some more information?” But they’d also sent an email to their suppliers saying we’ve received a suspicious email. We think we’re under attack.” And then try to recall the same email, because they weren’t supposed to send it to me. They copied me in the email that is sent.

      So I already knew at that point I was dealing with maybe a team that doesn’t necessarily deal with breaches a lot, and it’s mostly outsourced, because I looked at the company. So I reached out to the cyber security manager. I gave him a call because he said he couldn’t get in touch with me. So I called him. And I explained to him on the phone kind of what had happened and the steps. And the first thing he asked me was, “Were you doing SQL injection testing?” I said, “No. I was the end user usage of your site.” That’s the worrying path. That is the worrying part. I didn’t try to make this happen.

      And I said to him, “If you had a big bounty program, I would report it to the right methods.” He said, “Yeah. No. Global won’t let us have one.” And I said, “Oh, okay, right. So how do you want me to send you this email?” And he said, “Could you forward it to me?” I said, “I can’t send you live credentials over email, because I don’t know if you sent them to me and you’re the insider.” I didn’t quite know what to do. So I said, “Can you give me a PGP key and I’ll encrypt it at least?” He said, “No. I’ll send you a Sharepoint link.” So I uploaded it Sharepoint and I never heard back. I gave him a call an hour or two later and said, “Did you get it?” And he said, “Yes. It’s just we’re dealing with another thing right now. It’s also really bad.” And I was like, “Oh, okay. I’ll let you go.” And then that was it. That was it. Nothing happened. It was okay.

      And then I did notice when I reported to them that somebody else on Twitter around about the same time as me also received an email. They had posted on Twitter. Said, “You should contact them and see if their experience is any different.” And then about a day or two later the register reached out and said, “Troy Hunts posted about this. You seem to be the original reporter. Can we can we speak to you about it?” I said, “Well, yeah. I don’t mind.” And I told them kind of similar what I told you. But I kept getting asked by the reporters and everybody involved, “Did you try and log in?” I said, “No. Of course, I didn’t try and logged in.”

      [00:30:22] CS: Oh my God! Yeah.

      [00:30:24] CG: He said to me, he went, “Good. Because if you’d said yes, I would have to delete this recording.” I went, “No. I did not try and log in. I am not that stupid.” But what I did see though is that McDonald’s in their statement, and you might have to fact check me on this because I might get it wrong, but McDonald’s in their statement acknowledge that the staging database credentials were shared. But when they were reached back out by the register when they said, “Well, it was also production,” they refused to comment on that.

      So I know that somebody else has confirmed this trading credentials were correct and it was the same username and password for production. The only difference was the database name and the location. So my assumption is potentially that may have also been exposed. And that is an assumption. I can’t confirm or deny it. So yeah, that was my experience, McDonald’s monopoly for you.

      [00:31:06] CS: Yeah. I feel like I’ve already got the answer to this question, but do you think they took swift enough or appropriate action after it was made apparent to them? Do you know what sort of happened apart from, “Okay, thank you. Goodbye.” What they did if they plug whatever leak that was, or whatever mistake it was, or whatever problem? And I guess it’s worth asking, what could have happened if someone less honest than you had seen the credentials first inside that comment?

      [00:31:39] CG: Yeah. So I think the first thing is that in terms of response, it was a bit peculiar, because originally what it looked like was that it was some sort of debug output that had happened. Later on, the reporter that I spoke to from the register and actually some other screenshots have been provided by other people, it actually looks like we all received the exact same string, but it was at different times on different days, which would suggest it was actually embedded in the email manually by somebody accidentally pasting it there or some script at some point failing when it was generating the template. So this whole time it wasn’t actually a real-time output. It was an output from a different day with different claim codes in it that somehow managed to find itself in every single template email that was coming out for that redemption.

      So I think saying swift enough response would be very untrue. Because really, I mean, from what I’ve seen is actually it was actually probably said to customers that weren’t as tech savvy from maybe the Friday onward and they didn’t acknowledge it publicly until the end of Monday, I think, or maybe Tuesday. I spoke to them privately about midday or Monday, but at that point what I’d really realized was that they were quite unprepared, which is a bit worrying, because early in the year, McDonald’s had a data breach. I think it was the US or another franchise area. But they had a breach. So you would think something somewhere there was some preparation that could have been done. And it seemed that really what they were depending on was their MSP, their provider, to do it all for them.

      Don’t get me wrong. The gentleman I spoke on the phone sounded very qualified, but he also sounded like this was maybe the first or second time this has ever happened for him, which is obviously very difficult. Because we have major incidents that aren’t security instance when a server goes down because it happens regularly when something gets misconfigured, we’re so used to it that when your phone goes off it’s like, “Yeah, it’s bad, but you don’t feel kind of nervous or scared.” It sounded like he was maybe nervous and scared because it was good it was the first or second time it had happened, but also bad because the practice wasn’t there. So this question of response, probably not.

      [00:33:37] CS: Yeah, opening a door in your house and finding a large portion of your house is on fire is a little cause for concern.

      [00:33:43] CG: Yeah. And then the other side of it, which was if somebody was a bad actor, and that’s what I was really worried about, was obviously there’s the McMillions documentary that was on I think it was HBO in the US. The documentary goes into how for five or six or whatever years there was fraudulent claims on the winnings. My brain initially kicked in which was, “If somebody’s tech savvy enough to know what this is but it’s also malicious enough to sell it, I can’t confirm whether production credentials work or the staging once because I hadn’t used them.” What I do know is that the connection, the database URL does definitely work, because it’s an Azure database. So I knew that straight away. So if that was misconfigured and was Internet-facing, somebody could log in. And because of what was in the email content, it would suggest that all the unclaimed and claimed codes existed in there, their status. So whether they are wins or not, and what they win. So I’m malicious enough with two seconds on [inaudible 00:34:35] SQL or whatever could change the outcome of the game, which made me incredibly worried, because I didn’t want to be blamed for that. That’s why I was so eager to tell them that I had it and it wasn’t me, because that’s not the conversation I wanted with McDonald’s lawyers was that. So that’s the worrying thing.

      [00:34:53] CS: That’s a very weird place to be and where you’re trying to sort of like help them but know that if you don’t do it exactly right, like you become sort of public enemy number one.

      [00:35:03] CG: Yeah. And McDonald’s in their defense and also against them are very, very good with lawyers. It’s kind of firsthand they are burger chain, second hand they are a law firm basically. And I really did not want the cost of that lawsuit on my hands. And that was the really worrying thing, which was like it may have only been sent to 10 people, it could have been sent to thousands of people. But maybe one or two techies have seen it. It’s a huge promotion. They have millions of prizes. And considering that everybody often wins at least one small not so great prize, it would suggest that tens of millions play this or spending money on the promotion.

      What does anger me slightly is that the statement that they’ve made to the computer kind of journals and websites and gazettes, they haven’t actually publicly stated anything on their public channels to consumers. So as IT techies, we know what’s happened. But they’ve not actually said, “By the way, we did accidentally send credentials.” They maybe were or were not publicly-facing or whatever. And we’re sorry about that.”

      Really, what they said in their statement was they would contact all the people affected. But what I can say is although when I’ve contacted them, I’ve not been called back to say, “By the way, it was or wasn’t real, or it was a test.” I mean, if it was a test, it was a very poorly performed test. But whatever it was, it was, “Okay, so we’ve patched it now. We’re so sorry.” Not even really as much as a thank you, which is –

      [00:36:32] CS: Yeah, or a free pie.

      [00:36:34] CG: Yeah. And McDonald’s black card is something I take up. I don’t eat there a lot, but it’d be nice to have something to say thank you.

      [00:36:41] CS: I feel like that was the most poorly recorded part of the article that I read where it said that you were a regular consumer of McDonald’s.

      [00:36:50] CG: Meaty produce, yeah.

      [00:36:52] CS: I know. And then now I’m here, “Wait a minute. That doesn’t add up.”

      [00:36:56] CG: I know. I am not. I don’t eat there regularly. It’s one of those things that was like – He’s playing fun at me, because I said that and he wrote that in there to get me back for saying that. But yeah, it’s one of those things which is a bit upsetting, because it’s really important for organizations. We have a big bounty in CreatorSphere. I saw one of the comments on the article was like CreatorSphere doesn’t have a security txt. So they can’t say anything about McDonald’s not having one, which frustrated me slightly, because our security txt, we don’t have one, but it redirects to our bug bounty.

      In fact, if you go to CratorSphere and type /security, it redirects to the bug bounty page. The reason why we do that is because sending us stuff via email is fantastic, but we want to do it in a way that we can acknowledge it properly, triage it properly and treat it as an actual incident. Now if we’re doing that as a startup that isn’t funded we’re bootstrapping and working with an accelerator. If we’re doing that, why can’t a multinational huge organization do it? And in their defense, the US counterparts do have a security txt. The problem is it’s only for the US site. So if you’re in the UK, you get redirected to the UK site, and there is no way to get that security txt unless you push for it. And even then it’s going to go to the wrong people.

      [00:38:06] CS: Wow! Interesting. So let’s talk about your company, CreatorSphere is it?

      [00:38:12] CG: Yeah.

      [00:38:13] CS: CreatorSphere. What made you decide to start your own company? And like what need did you see that needed satisfying? Because I know you mentioned similar creator Patreon support portals like Patreon and Onlyfans. How does how CreatorSphere differ from those?

      [00:38:25] CG: Yeah, great question. So CreatorSphere started. I was conversing. So like I said, I’m on TikTok. Maybe a little bit too much than I should be. And back when CreatorSphere started, I found myself in this limbo of I didn’t know what to do career-wise. I had done a little bit of consulting after I left government. I was now in the position where we’re still in the pandemic, but we’re coming out of it. Slightly, cases are dropping. Testing is increasing. And I was like, “I don’t know quite what to do.”

      And I was in a conversation with my friend who’s a TikTok creator and we were talking. He’s got a decently sized audience, and we were talking about kind of why this platform’s not very good, and the over-moderation here, and the wave approaching creators here. It’s like talking to a brick wall. And I’ve experienced that myself on TikTok are really bad for over-moderation. But I guess it’s probably better to over moderate than under-moderate.

      But he was telling me about Patreon’s fees were quite high for what they provided. They provide a great service. Only fans, it’s very adult-driven. There’s nothing wrong with that. We have an adult platform that’s similar to CreatorSphere. So we were like all these problems, I was like, “Oh, I could solve that.” And famous last words. I should never said that. But I can solve that. And originally we were going to create this small tech-based platform that was going to just allow people to subscribe to tech creators. And that was it. It was going to be a little side project. I was going to go out and go and do my other jobs or go do something else.

      But I got to speaking to more creators, not just tech creators, and they were telling me about, “Well, yes. I want to work with brands. I have to go and screenshot all my analytics. And it takes weeks to hear from them. Sometimes they never get back to me. I get really bad brand deals that are like, “We’ll pay six thousand dollars to say that this new energy drink is great, but it might also cause cancer.” All this stuff. And you’re like, “Wow! This is pretty brutal.” And I got another person telling me, “Yeah, my videos do great on TikTok, but I just can’t survive, because I might have a million subscribers or followers on TikTok and my videos might get tens of millions of views, but I get $100 payout from it.” It’s like that’s crazy.

      On YouTube, you get, I think it’s a 60/40 split. So 40 goes to YouTube. And sometimes you can get a decent income, but it’s not often sustainable. So we’re like, “Wow, this is a plethora of problems.” And actually we’re speaking with an investment partner today. They said, “Why are you trying to solve all these problems in one go?” And the simplicity is is because nobody else is doing it.

      So what we do is we provide a platform that links together four key components. The first component is analytics. So we help creators get all the analytics from Twitter, Facebook, Instagram, YouTube, Twitch, TikTok and we put it all in one place and we help them understand it. So we say, “Your audience on Twitter is mostly female, 16 to 24. On YouTube, it’s male. Their interests are these.” And what we’re doing is we’re helping creators understand who they should be directing their content to.

      And it’s often like you’re shooting out into the wild. And some people watch some videos and some people won’t watch the others. What we’re really trying to do is help them and say, “Here’s what your audience looks like, and here’s what they like. Here’s what they don’t like. Here’s when they’re online. So here’s when they like your stuff. Here’s when they’re not online. Don’t post them.”

      And we’re doing that by, one, analyzing their data, but also all the other creators’ data. And we’re using AI machine learning to give actionable suggestions to them on how to improve. And it’s about one of the things we often see creators doing is they’ll create content and then they’ll create different content, which is completely different to that to try and get into a new segment. But they often lose their original subscribers.

      What we’re trying to do is let them do both. Keep their original content viewers whilst also growing at the same time. That’s a hard thing to do as a creator. So that’s the first thing we do. The second thing we do is membership management. Very similar to Patreon and very similar to OnlyFans and very similar to those kind of platforms where you pay X amount each month and in return the credit gives you this.

      That’s because creators are – The barrier of entry we create today is mobile phone. So there’re thousands, hundreds of millions of creators that are currently unable to do their passion, which is being a content creator and producing good content, documentarians for example, because the money from it isn’t enough. When you’re posting one video every two months because it’s a high quality in-depth documentary exploring X, Y, Z, the advertising revenue from that one video doesn’t sustain you for that two or three months of researching and producing that content. So you need to find a way that the people who enjoy it can still have the stuff you produce whilst also sustaining an income. And that’s where the membership tiers come in. It’s not a case of just getting more money from your followers. It’s often for people that produce really, really good content that need to find a way to stay in that and make it a living. That’s the second thing we provide.

      The third the third thing that we do, which is a little bit different is Ecobus. So we give creators a way to create an ecommerce store in roughly about 10 minutes. And then from that we produce their products for them and we get it shipped to wherever their fans are. But we do it in a way where they don’t need a manager and they don’t need a graphic designer. So we work with partners like Fiverr for example. And we put them through to Fiverr. They’ll find a designer on there. That’s helping a small business on Fiverr. They’ll design the stuff. They’ll upload it to CreatorSphere. And when somebody buys it, we will print it, package it and deliver it to the customer on their behalf. We’ll deal with the returns. We’ll deal for the finances.

      And the last thing which really gets everybody going is the brand deals bit. So CreatorSphere is fantastic in two ways. The first way is brands love us because what we do is let them get directly in touch with creators and do their pitches through our platform. And they love that because it’s a lot cheaper than using a management agency and it’s a lot quicker. And then for creators, they love it because they’re getting a better deal often, because the amount that you give to a social media management company is huge. Often that gets tacked on with the amount that the creator gets. So they get a lot more money through us.

      The second thing of why they love it is because it gives them opportunity to quickly reject and accept offers, which we can take the time that usually takes six to eight, sometimes 12 weeks, and bringing that down to two weeks from idea pitch all the way to production and getting it delivered. And creators love that, because what we’re really doing is removing those huge barriers of entry.

      In the end of the day one of the things we always say is we’re just helping creators tap into revenue that is sat right in front of them and we’re doing it in a way that we’re not gobbling all the money up like a manager or a management company. We’re doing in a way that we make a decent – We’re not on charity. We make profit from it. But we do it in a way that’s sustainable so the creator enjoys it and it also provides a decent beneficial service to everybody involved.

      [00:44:35] CG: Okay. Now do you have any sort of advice for people who might be wanting to start their own companies? Any pitfalls that you had in in doing this? How old is CreatorSphere as a company? Is it a year old? Two years old?

      [00:44:49] CG: No. CreatorSphere has been around for six months.

      [00:44:51] CS: Six months? Okay.

      [00:44:53] CG: Six months.

      [00:44:54] CS: Yeah. Yeah, yeah.

      [00:44:54] CG: It’s wild.

      [00:44:55] CS: And you’re 22, 23 you say?

      [00:44:58] CG: I’m 22. Yeah.

      [00:44:58] CS: Yeah, yeah. So you started early. You got it going. Anything that you could advise people that don’t do what I did or do what I did or anything like that?

      [00:45:09] CG: Yeah. We’re actually making a small documentary. And one of the things we’ve said is that in the event that we fail or we succeed, no matter what, we’re making a documentary on what happened. That goes through kind of how it all started and stuff. But my top advice is, one, find people that you love working with. So the guys that I work with, the guys and girls I work with, they’re fantastic. They are passionate about what we’re doing. And because we’re a startup and we’re self-funded and as much as we’re working with accelerator, we’re not backed by any VCs at the moment. We’re doing this all out of our own pocket.

      A lot of our staff work, what we call equity. So they’re getting shares in the company. And they’re not substantial. They’re substantial that they’re worth something, but they’re not substantial to the point where they own 50 of the company. It’s a very small number. A lot of them are doing this on their spare time and producing work for us because they’re truly passionate about what we’re doing. So find people you love working with, because otherwise it’ll be awful.

      When we first started, we probably hired some people that probably wasn’t the best decision for us longer term. And those people are no longer with us. Now where we are at with our staff team, we’re able to have candid conversations a bit like what me and you are having right now. And we’re able to talk about when we think something’s been done right or when we think things aren’t progressing quick enough. We can actually sit down and just converse normally like friends.

      The other thing is don’t be scared to be remote. I know that sounds like something most organizations wouldn’t care about. But in a startup, one of the things we always get asked by anybody that we talk to in terms of investment, they would say, “And you’re all remote?” And they kind of look at you a bit funny. And they say, “Is that because of the pandemic or do you plan to keep it that way?” And we say, “We plan to keep it that way.” And what I mean is my two co-founders, Scott and Cody, they’re in the US. So they weren’t there day one. I found it on my own. They came in roughly about day 10 and worked their way up to co-founder and have helped enormously since then. They’re in the US and I’m in the UK. So don’t be scared to be remote. Find the best people you can. And actually being remote can often mean that you can find better people. So that’s my second piece of advice.

      The third thing is don’t rush into getting an investor. You don’t need hundreds of thousands of dollars to get your idea off the ground. You just need to know the right people to talk to. And that can often mean searching for emails. We’ve worked with AWS and Google Cloud and lots of other cloud providers and they’ve helped us out and obviously giving us credits, huge amounts of credits, not just the normal public amount, to help us sustain this vision without us paying for hosting. So find people like that. Find vendors that are happy to help you. Don’t go for the small mom and pops, because their margins are a lot slimmer. Go for the big organizations. They are likely going to throw you 20 to 30 thousand dollars your way in credit. Keep that. Use it. Build your platform on that. You don’t need cash to do it. CreatorSphere tries and finds any open source solution to any paid product. So we use mostly open source solutions inside of our organization. And then customer-facing, we try and use as much open source tools as possible. One, it has great security benefits, because it’s able to be audited a lot easier. And the other side of it is that because it’s open source, we’re getting continuous improvement and development from the community and we can also contribute back our part of that into that open source development and let other people use it. So that’s my three top tips. Keep it cheap, find great people and don’t be scared to be remote. You don’t need an investor straight away. Investment comes naturally.

      [00:48:24] CS: Good. Good stuff. Good concrete stuff here. So turning from that, you’ve talked about your love of cyber security and how when you’re not doing cyber security you’re doing cyber security and with the side of cyber security and so forth. What are your preferred methods of learning new concepts or skills? For someone who might be homebound or for a bit longer right now, what tips do you have for kick-starting your cyber security knowledge?

      [00:48:45] CG: Yeah, great question. I think there’s a YouTube channel, I think it’s called Fire Ship, and they do a explainer videos in 100 seconds. And it’s not actually 100 seconds. So they’ll explain what the concept is in 100 seconds. And then afterwards they’ll do an interview with an industry expert on it and they’ll go into it. So you can watch the first 100 seconds then jump off it.

      Find channels like that, which will explain concepts very quickly, because then you can go, “Oh, yeah, I do have an interest on that, or I don’t.” The worst thing you can do is go down a rabbit hole of learning something, at the end of it go, “Yeah. No, I really hate that.” Like when it comes to mine, like cisco, switching and routing comes to mind, like going down the rabbit hole of that, getting into it and going, “Wow! I really hate this.” But now I’m so far stuck in it and I’m studying it for the CCNA or whatever. I’m studying. I’ve paid for the books.” So find explainer videos for free on YouTube that explain the concept of what you’re trying to do. They might not educate you on it. You might not know it or learn from it, but you’ll know if it’s something you’re interested in. That’s really, really important.

      The second thing is that once you’ve got those videos and you know you’re interested, don’t immediately go out and buy all the books. Don’t do that. Don’t immediately go and schedule an exam and then work up to it. And certifications, I’ve hired people of the year. Certifications look good, but they’re not the be all and end end-all. And what we often find people doing is if you just study for the certification and continuously learn from that, that’s often more powerful than the certification itself. If I can see how you’re applying it, that’s important. So you don’t always have to go and pay for a certification. But if you do, make sure that when you’re paying for it that you’re paying for it so far out in advance that you’re able to actually learn. And if you get stuck on something that you haven’t got two weeks until you’re going to do the exam, it gives you enough time to learn it, because the worst thing you can do is just skim over something, because you’re stuck on it. Don’t do that. If you don’t understand that one word or that one sentence or that one chapter, you need to go and eat, live, breathe it, please. Because if you don’t do that, it’s going to be the one thing probably in your career somebody asked you about and then you’re going to go, “Oh, yeah. I don’t know that bit.” Or the exam will probably ask you it. I’ve had that before where I’ve got stuck on something. I’ve got to go do my certification. And then the exam – Literally, mostly examines on that one chapter and you’re like –

      [00:50:51] CS: Yeah, question one. Yeah.

      [00:50:53] CG: Yeah. So if you don’t understand something, you’re not stupid. That’s not what it is. There isn’t any stupid questions. But use the Internet. Stack Overflow is great, Server Fault is really great, Reddit is good, Hacker News from Y Combinator is really good. Go out and find the information. Get yourself in Discord servers. There’re lots of Discord communities out there for cyber security. And [inaudible 00:51:13] it comes to mind. There’re loads of other ones as well like Tech Talk. It’s about six thousand community members. I used to be an admin there. It’s great. You can literally ask any technology question from security, all the way to hardware, to electrical engineering. They will have an answer for you or some people try and help you. Find communities like that so that you can understand. That’s one of the best learning techniques I’ve seen.

      The amount of people that have come through a Discord server that I’ve spoken to that have found a new passion and then went and got qualified in it is ridiculous. So that’s one of my best learning methods. And then get yourself – Look for startups. I know that’s not necessarily the most glamorous of things. And some startups have ridiculous requirements where they’re going to ask you to work weekends and every single day of your life the next 16 years and pay you nothing. Don’t go for those ones. But find ones where you can work on the weekend and you can provide a little bit of knowledge. What you’re going to find is other people that are really passionate about what you want to do in there. And yes, you might not be getting paid. You might be getting equity. Or it could even be a volunteer role. But if you get involved in that, you can do it from home. You can do it on a laptop. You can often do it on a phone a lot of this stuff. And it gets you at least involved in talking to people. It’s all about knowing people. I think that’s important.

      [00:52:18] CS: Right, and you’re doing real work too.

      [00:52:20] CG: Yeah.

      [00:52:20] CS: Yeah, real concrete stuff. So to pivot a little a little further here, because I think it’s important that LGBTQ+ awareness in cyber security should go beyond one month of the year. Obviously, pride has come and gone now. But I wanted to talk to you about your experience as a gay man in the cyber security space. Have you met resistance or had setbacks as a result? And do you see friction in the hiring or promoting process where LGBTQ+ people are involved?

      [00:52:46] CG: Yeah. I think diversity as a whole is important. That goes with age, gender, sexuality. I know that if we just talk about age when, I joined HP, as great as HP as an organization, there were still people that have been doing it for 50 years that thought I was completely no use to them because I was so young. And that’s pretty brutal.

      I can’t say that I’ve had the same because of being a gay man. That’s not something. But what I have noticed is that sometimes people can be a bit too shy when it comes to the subject. So I remember talking to some of the team when I was in government. I can’t remember what it was, but eventually I was like, “Oh yeah, my partner or whatever,” and obviously he’s a man. And I said that. And they completely like shut down, because they didn’t know if they should engage with it or not. And my point is if you would do it for somebody that is in a relationship with a woman and they’re a man, then you should do it for everybody else, right? That’s the way it should be.

      In terms of hiring people, I think the first and best thing that we are certainly trying to adopt in CreatorSphere, for example, is get rid of names on CVs, or resumes. Get rid of anything that indicates to age on CVs and resumes and try and get rid of any personal information on a resume so that when you are assessing that person you are purely assessing them on their skills and ability. If you can do that as an organization, what you’ll often see is you’ll get so much more of a diverse culture. You’ll get better talent, because you’re not being prejudiced and you’re not looking at someone’s name and trying to assess where they’re from or if they’re male or female. And what you’ll also get from it is naturally an organization you’ll mature and develop.

      I’ve seen it in different organizations, and it has such a positive effect. So I would say for hiring managers out there and people like that, it’s really important to just get rid of the stuff you don’t need. When you’re assessing a candidate, you’re assessing them for their suitability of the role. Their sexuality, their gender, their national origin their age does not play into that. You’re assessing purely on ability.

      [00:54:39] CS: Okay. So to go from the other side of that, from a hiring standpoint to a culture standpoint can you come up with any suggestions for – Because as you said, you have a situation where you said my partner and your fellow people, employees, shut down or what have you. Do you have any suggestions for making cyber security or tech culture more welcoming to people of diverse backgrounds? Because obviously that’s one of those things that’s going to change over time, but maybe it’s not okay to just let it happen. It needs to happen a little faster here. Do you have any suggestions in that regard?

      [00:55:16] CG: Yeah. I think don’t be scared to show that you’re diverse, but also be cautious. We have green washing when it comes to eco stuff. Be cautious of diversity washing. And we get organizations that will plaster diversity everywhere, whether it’s sexuality, or national origin, or whatever. They’ll plaster everywhere. And then when you get the organization, you can take a look around and see that’s not maybe. They just grouped people together in a room for it. So be cautious of how you go about it.

      But I think what’s really important is there’s like networks like um in the UK government, the Department for Work And Pensions thing called DWP Pride. It’s an organization inside the organization that looks out for LGBTQ+ employees. And it’s not just for LGBTQ+ employees. It’s for all employees to be part of. And the idea behind it is that it’s an ally organization. Think about stuff like that. If you join one of those, you don’t have to be a gay man. You have to be trans. You can be anybody. That’s the part of it. And you’re showing your support.

      I think another thing which is really important, and I’m going to get a bit personal with this one, which is organizations should try and have a presence at all different types of events. Pride’s one of them, women in tech, for example. They should try and have a presence on all these. Make an effort. Even if you’re not going to pay for a banner, you’re not going to pay for a stand, just buy a ticket and send one of your colleagues there to talk about your enterprise, because it’s just a small act like that that can really make a difference.

      One of the things I’ve noticed, which was in the UK this year of coronavirus, there’s a decently large festival called Manchester Pride. And they canceled the pride parade and they only did the music event. And that infuriated a lot of people including me. That kind of stuff is where we start the kind of diversity watch and we pretend to be something that we’re not. So try and get in with pride parades. Try and get in women in tech. Try and look at as an organization ways that you can be better and kind of reach out. It doesn’t have to be about whether someone’s black or white, whether they’re gay, lesbian. It doesn’t matter about any other stuff. Just try and be a better organization. And internally if you feel like you’re not making an effort personally as a human being and your organization doesn’t have a pride or whatever inside of it, be the first person to start it. You don’t have to be gay to do it.

      [00:57:24] CS: Yeah, absolutely. So as we wrap up today, thank you very much for your time. I know we’re running a little long here, but I appreciate you taking so much time with me here. But as we wrap up, can you give any advice for our listeners who might be considering cyber security as a career and who are just getting started but feeling a little intimidated by the possibilities?

      [00:57:41] CG: It’s never too late. That’s the first piece of advice. I’ve seen many, many people come in organizations at all ages. It’s never too late. The second thing is that if you are in IT right now and you want to switch to cyber security, great, you’ve already got your foot in the door. Try and work out a way to compile with them. You can offer suggestions. You can offer feedback. You can even be involved in some of the pen testing, some of the kind of social engineering stuff. Kind of be cautious of risks in your organization. Report them. That is the best way to get in, which is you’re kind of being very aware of the subsequent stance.

      If you’re outside of an organization and you’re trying to get into cyber security either learning it or trying to get a rule, in terms of learning, the Internet is your best friend, social media is your best friend, Discord your best friend. There’re loads of tools out there. Infosec Institute has them as well where you can learn skills from them. And then if you’ve done all that and now you’re trying to get a role, find a startup. I know I keep talking about startups, but I love the startup culture. Find a startup. They will take not everybody, but they will find anybody that has an interesting area and they need help with it. Find one of those.

      [00:58:39] CS: They’ll find something for you to do. There’s work for your hands to do.

      [00:58:42] CG: Yeah. And then the other thing as well is that if you’re looking at organizations like Accenture or HP and you want to get in there look, for educational outreach programs that they have. They often always do job fairs. Get your CV or your resume printed. Get it over to them at that job fair. Follow up with them, network, get business cards. Reach out to cyber security events. A lot of them, if you email them and say, “Hey, I’m a student. I don’t really have the money to pay for the 600 pound ticket.” They’ll often waive the fee and give you the ticket for free. So look for things like that. Just be kind of a hustler. Hustle as much as you can. There is no other way to do it. But if you want kind of an easy route in, find a startup, volunteer with them. Or even if they’re paying, take the really low pay, because often we don’t pay very well as startups. So take the really low pay not, until they’ve got investors anyway. So take the really low pay. Get in there. Make the organization as secure as possible from your expertise and then use that on your CV. If you want to use that as a leapfrog, then go to the big boys. Or stick around, you’d actually be really surprised at the kind of stuff that you get to do and start that you don’t get to do elsewhere.

      [00:59:38] CS: Yeah, yeah. Being there on the ground floor has worked out for a lot of people. So one last questions, for all the beans, if our listeners want to learn more about Connor Greig or CreatorSphere, where should they go online? Promote whatever you want.

      [00:59:51] CG: Yeah. So this is my time to plug more. So createsphere.com is our website. We’re at Creatorsphere.co on all social media other than Facebook, where it’s CreatorSphere. If you’re interested in working with us, get in touch with us through LinkedIn or our website. We have a live chat on there. You can also email us. We’re often always advertising roles, internships and university placements is something we do a lot. We are very, very key on how we do that in terms of time. We’re aware that you’re a student and we’re very flexible to the point where we don’t set the amount of hours you have to do. So you can just come in whenever you want and pop your head in and kind of learn.

      The other thing as well in terms of what we’re doing is keep an eye out for us on social media because we’re often giving things away on there, sometimes gift vouchers, that kind of thing. And yeah, there’ll be a documentary sooner or later with my face on it that you guys will be able to watch.

      [01:00:37] CS: We’ll have you back on after the documentary has been done if you’re interested.

      [01:00:41] CG: Yeah, absolutely. I’d love to come back.

      [01:00:42] CS: Okay. Well, Connor, thank you so much for joining me today and best of luck on your bountiful security career. It’s been so much fun.

      [01:00:48] CG: Thank you so much.

      [01:00:49] CS: And as always, thank you to everyone listening at home, or at work, or at work from home today. New episodes of the Cyber Work podcast are available every Monday at 1pm central both on video at our YouTube page and on audio wherever find podcasts are downloaded.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.