 From Miami Beach, Florida, it's theCUBE, covering Acronis Global Cyber Summit 2019. Brought to you by Acronis. Okay, welcome back everyone. This is theCUBE's coverage here at Acronis's Global Cyber Summit 2019. It's their inaugural event of round cyber protection. I'm John Furrier, host of theCUBE. We're talking to all the thought leaders, experts, talking about the platforms. We've got a great guest here, security analyst, author and TED speaker, Karen Elzari, who runs the B-Sides Tel Aviv. She gave a keynote here. Welcome to theCUBE. Thanks for coming on. Oh, thanks for having me. It's a pleasure. Love to have you on security. Obviously, it's hot. You've been on that wave. You've been talking a lot about it. You gave a talk here at Acronis and Conference. Yes, right this morning. But Fours, before we get into that, I want to get in and explore what you've been doing at B-Sides Tel Aviv. This is a global community. Tel Aviv runs Cyber Week. You've got a big thing there. So that's something that's really important to me. So 10 years ago, hackers and security researchers started something called Security B-Sides, which was an alternative community event for hackers that couldn't find their voice in their space in the more mainstream events like RSA Conference or Black Hat, for example. That's when Security B-Sides was born, 10 years ago. Now it's a global movement and there's been more than 100 B-Sides events just this year alone, just in 2019. Anywhere from Sao Paulo to Cairo, Mexico City, Athens, Colorado, Zurich, London, and in my hometown of Tel Aviv, I was very proud to bring the B-Sides idea and the concept to Tel Aviv five years ago. This year, 2020 will be our fifth year and will be, I hope, our biggest year yet. Last summer we had more than 1200 participants. We take place during something called Tel Aviv Cyber Week, which, if you've never visited Tel Aviv, that's your opportunity next year. Tel Aviv Cyber Week brings 9,000 people to Israel. It's hosted by Tel Aviv University, where I'm also a researcher. And all of these events are free. They're in English. They're welcoming to people from all sorts of places and all walks of life. We bring people from more than 70 countries. And I think it's great that we can have that platform in Israel, in Tel Aviv, to share not just our knowledge, but also our points of view, our different opinions about the future of cybersecurity. And it's run by the Tel Aviv University. Yes, so Tel Aviv University hosts Tel Aviv Cyber Week and they're also the gracious hosts for B-Sides Tel Aviv, which runs as a nonprofit separate from the university. You know, I love these movements where you have organic, just organic growth and we saw that with the unconference wave a couple years ago where, you know, the fancy conferences got too stuffy, too sponsor-oriented, more marketing pitches. People weren't comfortable just going up there so they want to have more face-to-face income. More community-oriented conversations. Is that how B-Sides' work is more organic? Yeah, so B-Sides, actually, the first one was absolutely an unconference and to this day, we maintain some of that vibe, that important community aspect of providing a stage for people that really may not have the opportunity to speak at Black Hat or here or there. They may not feel comfortable in a huge stage with all those lights on them, so we really need to have that community aspect with them. And believe it or not, an unconference is how I got on the TED stage because a producer from TED actually came all the way to Israel to an unconference in the northern city of Nazareth in Israel and she was sitting in the room while I was giving a talk to 15 people in the lobby of a hotel. And it wasn't that, I didn't have a big projector, it wasn't a fancy production on any scale, but that's where that TED producer found me and my perspective and decided that this sort of point of view deserves to have a bigger stage. You know, now with digital technology is the lobby conference, we call it the lobby con. Lobby con. All the actions in the hallways, it's always kind of, because you have a program, it's not about learning anymore at these events because all you can learn online, it's a face-to-face communal activity. I think it's a difference between people talking at you to people talking with you. And that's why I'm very happy to give talks and I'm here focused on sharing my point of view, but I also want to focus on having conversations with people and that's what I've been doing this morning, sharing my point of view, teaching people about how I think the security world could look like, learning from them, listening to them, and it's really about creating that sort of an atmosphere. There's a lot of tension right now in the security space. I want to get your thoughts on this because my personal passion is I really believe that communities is where the action is and a lot of problems can be solved if tapped properly, if they're not used, or if the collective intelligence of a community can be harnessed. I think the security community right now has an imperative mandate which is there's a lot of good that could be happening. The adversaries are at scale, you're seeing zero day out there, you've got digital warfare going on, you've got all kinds of things on a national global scale happening and people are worried. You know, a malware injection. There's a lot of fear, there's a lot of panic going on these days. If you're an average individual, you hear about cybersecurity, you're about hackers, you're thinking, oh my God, I should turn all of my devices off, go live in the woods with some sheep and that's going to be my future, otherwise I'm at risk. And I agree with you, it's the responsibility of the security industry and the security community to come together and also harness the power and the potential of the many friendly hackers out there, friendly hackers such as myself, security researchers, and not all security researchers are working in a lab at a university or in a big company and they might want to be wherever they are in the world but still contribute. This is why I talk about the hackers' immune system, how hackers can actually contribute to an immune system, helping us identify vulnerabilities and fix them. And in many cases, I've found that it's not just the friendly hackers, even the unfriendly ones, even the criminals, have a lot to teach us and we can actually not afford not to pay attention, not to be really more immersed, more closely connected with what is happening in the hackers' world, whether it's the criminal hackers' underground or the friendly hackers who get together community events, who share their work, who participate on bug bounty platforms, which is a big part of my personal research work and my passion, bug bounty programs for the viewers who are not familiar with it, are frameworks that allow companies that you might rely on, like Google or Facebook, United Airlines or Starbucks or any company that you can imagine, so many big companies now have bug bounty programs in place, allowing them to actively reward individual hackers that are identifying vulnerabilities. Yeah, and they pay a lot of money too, up to millions of dollars. Yes, they do, but it's not just about the money, you know John, it's not just about the money. There's all kinds of other rewards in place as well, whether it's a fancy, you know, a t-shirt or a sticker, or in the case of Tesla, for example, they give out challenge coins, the challenge coins that only go out to the top hackers that work with them. Now you can't buy anything with these challenge coins, you can trade them in in the store for money, but what you can do is that you get a lot of reputational and, you know, unmonetary value out of that as well. Additionally, you know, another organization that's called the Pentagon has a similar program, so the Pentagon is giving out not just monetary rewards, but challenge coins for hackers that are working with them. This reputation kind of system is really cutting edge, and I think that's a great point. I personally believe that that will be a big movement in all community behavior, because when you start getting into having people arbitrate between who's reputable, that's an incentive beyond money. Well, what I've found- It's great, I guess, but like reputation also is important too. I can tell you this because I've really dissected and researched this in my academic work, and I've looked at the data from several bug bounty programs and the data that was available. There's all kinds of value on the table. Some of the value is money and you get paid. And, you know, last month I heard about the first bug bounty millionaire, and he's a guy from Argentina. But the value is not just in the money, it's also reputational value, it's also work value. So some hackers, some security researchers just want to build up their resume and then they get job offers and they start working for companies that may have never looked at them before because they're not graduates of this and that school, they didn't have this or that upbringing. We have to remember that from the global perspective, not everybody has access to, you know, the American school system or the Israeli school system. They can't just sign up for a college degree in cybersecurity or engineering if they live in parts of the world where that's not accessible to them. But through being a researcher on the bug bounty platform, they gain up their experience, they gain up their know-how and then companies want to work with them and want to hire them. So that's contributing to the- You've seen that in the research. You've seen this, you've seen this research. Yeah, we've seen this and the reports are showing this, the data is showing this, all of the bug bounty programs have reports that come out that show this information as well. You see that the hackers on bug bounty platforms are usually under 30, a lot of them under 30, they're young people, they're making their way into this industry. Now let me tell you something, when I was growing up in Israel, I was a young hacker. I didn't know any bug bounty programs, none of that stuff was around. Granted, we also didn't have a cyber crime law. So anything I did wasn't officially illegal because we didn't necessarily have- That's good, experimentation's good. It certainly was and I was very driven by curiosity. But the point I'm trying to make is that I didn't actually have a legal legitimate alternative to the type of hacking that I was doing. There wasn't any other option for me until it was time for me to serve in the Israeli military which is where I really got my chops. But for people living in parts of the world where they don't have any legitimate legal way to work in cybersecurity, previously they would have turned to criminal activities, to using their know-how to make money as a cyber criminal. Now that alternative of being part of a global immune system is available to them on a legitimate legal pathway and that's really important for our workforce as well. A lot of people will tell you that cybersecurity workforce needs all the help it can get. There's a shortage, there's a talent gap. A lot of people talk about the talent gap. I believe a big part of the solution is going to come from all of these hackers all over the world that are now accessing the legitimate legal world of cybersecurity. I think you're really onto something. I want to amplify that. Certainly after this interview, I'd love to follow up with you. Certainly we will come to Tel Aviv, it's on our list, where the Cube stock will be there. Fabulous, we'd love to host from Tel Aviv. I think reputation, what you're talking about is an unforeseen democratization, positive impact of the world. I want you to just take a minute to explain how this all came together with your view on this reputational thing and talk about the impact. Where does it go beyond just reputational for jobs? How does a community flex and organically grow from this impact? So one thing that I'm very happy to see, I think in the past couple of years, the reputations generally of hackers have become important and that the concept of a hacker is not what we used to think about in the past where we would automatically go to somebody who's a criminal or a bad guy. Did you know that the Girl Scouts Organization, the U.S. Girl Scouts, are now teaching Girl Scouts to be hackers. They're teaching them cybersecurity skills. Arguably, I would claim this is a more important skill than making cookies or selling cookies. Certainly a more important- You don't want to survive in the wilderness, why not the digital wilderness? Making a fire, counting out. More than that, it's about service. So the Girl Scouts Organization's always been very dedicated to values of service. Imagine these girls, they are now becoming very knowledgeable about cybersecurity. They can teach their peers, their families, so they can actually help spread a more, you know, build a more secure world. Certainly they could probably start a fire or track a rabbit in the forest or whatever it is that Girl Scouts used to do. Well, they can do that digitally too. That's called, you know, tracing. Yes, they could. So you're really a motivating person. I think that's aspiring to many young women. Thank you, that's very kind of you. I'm really passionate to have more voices out there. What can we do differently? What can I do as a guy in the industry? I have two daughters. Everyone has, as I get older, I have daughters because they care now, but most men want to help. What can we do as a group? So I think you're absolutely right that diversity and inclusivity within the technology workforce is not a problem that just the underrepresented groups need to solve, right? It's actually an issue for the entire group to solve, whether it's men or women or any underrepresented minority and overrepresented groups as well. Because diversity of the workforce will actually help build a more resilient, sustainable workforce that will help with that talent gap, that shortage of people, of skilled employees that we mentioned. There's a few things that you can do. I personally decided to do what I can, so I contributed to a book called Women in Tech, A Practical Guide. In that book, there's also a chapter for allies. So if you're a person that wants to help a woman or women in tech in your community, you're very welcome to check out the book. It's on Amazon, Women in Tech, A Practical Guide. I'm a contributor to that myself. I also started a group called Leading Cyber Ladies, which is a global meetup for women in cybersecurity. And we have chapters and events in Israel, in New York City, in Canada, and soon I believe in United Kingdom and Silicon Valley. And perhaps in your company or in your community, you could help start a similar group or maybe encourage some of the ladies that you know to start a group, help them by finding a space, creating a safe environment for them to create meetups like that, by providing resources, by sponsoring events, by mentoring, there's a few, a lot of things that- Just get started, do something. There's a lot of things that you can do and it's certainly most important to consider that diversity in the workforce is everybody's issue. It's not something just one gender or one group needs to take care of. And starting a group doesn't have to be a big bang theory. You can start with three people, two people. Absolutely. And just have an organic growth that could be small. Yes, certainly. And as men, if you don't want to start an event for women, because that may seem disingenuous, what you can do is certainly encourage the women that you find around you in your workforce to see if they want to maybe have a meetup and if they do what kind of help you can offer. Can you run the AV for them? Can you sponsor the cross-ons? Whatever kind of help that you can offer to create that sort of a space. The reason we started Cyber Ladies is because I didn't see enough women speaking at security events. So I wanted to create a meetup where the women in cybersecurity could share their work, network with one another and really build up also their speaking portfolio, their speaking powers so that they can really feel more comfortable speaking and sharing their work on other events as well. Good camaraderie there too, it's good community. It's very important. Awesome work that you're doing. What's exciting you now? What is on your professional and personal interest these days? What's getting you excited? What are some of the cool things you're looking at? That's a fantastic question. So one thing I'm super excited about is that I'm actually collaborating with my sister. So my sister, believe it or not, is a lawyer and she's a lawyer who's specializing in cyber law and intellectual property, privacy, security policy work, and I'm collaborating with her to create a new book which would be a guide to the future of cybersecurity from the hacker's perspective and the lawyer's perspective because we are seeing a lot of regulators, a lot of companies that are now really having to follow laws and guidelines and regulations around cybersecurity and we really want to bring these two points of view together. We've already collaborated in the past and in fact my sister has worked on the legal terms of many of the bug bounty programs that I mentioned earlier, including the Tesla program. So it's very exciting and very proud to be able to work with my younger sister who followed me into the cyber world. I'm the hacker, she's the lawyer and we're creating something together. Wow, what a dynamic duo that's going to be. I'm excited to interview her. Yeah, so in my family we call her the Torbo version. Can you imagine that? Together it's really unstoppable. We didn't have a chance to speak together at the RSA conference earlier this year and that was really unique and we're going to follow up on that with the book. Well our platform is your platform. Anything we can do to help you get the word out. Super exciting work that you're doing. We think cyber community will be one of the big answers to some of the challenges out there. I absolutely agree. And we need more education, lawmakers and global politicians have to get more tech savvy. Yes, absolutely, everybody, it's everybody's issue. Like I said in this morning's speech, everybody's on the front lines. It's not the cyber generals or the hackers in the basements that are fighting. We are on that digital battle front and we all have to be safer together. Karen, thanks for your great insights here and energy, bug bounties are hot, the community is growing. This is the cyber conference here that Acronis Global Cyber Summit 2019. I'm John Furrier. Be back with more coverage after this short break.