Interview: The Security Queens

It’s always promising when people in this industry collaborate, especially when they are still in education and have promising futures ahead. Infosecurity recently learned of the Security Queens, three friends studying and working in cybersecurity who have come together to promote growth and inclusion in the sector via a weekly technical blog and social media profiles, and virtually sat down with them to find out more about the group.

What are you currently studying/working on?

Morgan: I’m an information security consultant in the finance sector, also studying part-time on the MSc Information Security program at Royal Holloway. I have a BA in English literature, so coming from a non-technical background, my current focus is on continuously developing my technical skills to become as well-rounded as possible.

My main interests at the moment are cloud infrastructure, vulnerability management and cryptography. I’ve recently been accepted to give my first conference talk on the rookie track at BSides London later this year, so I’ll be working on that too.

Sarah: I am in my final year of university studying BSc (Hons) Forensic Computing and Security. Currently I am in the thick of completing my dissertation; if you need someone to talk mobile browser security with, I’m your gal. The next project will be beefing up my notes on penetration testing, ready to start my new graduate role at NCC with Sophia!

Sophia: I am in my final year of my undergraduate degree in BSc (Hons) Cyber Security Management. For my final year of study, I was the president for the Bournemouth University Computing and Security Society (BUCSS) and I was also involved with the ECHO project as part of the BU-CERT team. After my graduation, I am due to start a technical junior security consultant role (primarily penetration testing) in September with NCC.

How was the Security Queens group formed?
We all met at BSides London last year (2019). Sarah was speaking on the rookie track (and won the award for best rookie talk!), Morgan was an attendee at the conference, and Sophia tagged along to the after party. We all met at the after party, and since then have been close friends.

Security Queens was an organic progression; we’re all really passionate about our personal development and want to support and contribute to the community as much as we’re able to. As we are all still fairly new to the industry, we wanted to create a brand that would help promote inclusion in security and create a space where we could document our own personal career journeys, but also help others break into the industry too.

Originally, we planned to focus on the conference circuit, delivering talks as a group; however at the start of the COVID-19 lockdown we realized conferences wouldn’t be possible for a while, and decided to launch a blog to be able to engage with people outside the conference arena.

Is there a long-term intention for this group?
It’s only been a matter of weeks since we launched Security Queens, but we have already seen a real uptake in interest in our posts. At the moment we are still establishing our brand, and working on producing exciting and interesting content, with the hopes that even just one person will learn something.

Ideally, it would be amazing to encourage more diversity in the security industry, and engage new and wider audiences through the Security Queens. As it stands we plan to continue developing and publishing content regularly on our blog, and as initially planned we are still yet to collectively talk at a conference! Ideas on how to give back more to the community are a constant topic of discussion for us, and we’d like to keep this going for the foreseeable future.

What do you feel you all bring to the Security Queens?
Morgan: I think a huge strength of ours is that we try to be really supportive, approachable people. We have quite different interests and individual goals, but we’re always championing and trying to build up not just each other but other fascinating, hard-working people we come across.

I have quite a different academic background to Sarah and Sophia, so I’m always learning from them, but having a grounding for the last few years in the financial sector I also have an awareness of broader issues related to information and cybersecurity like fraud, which I’m keen to use our platform to educate people on.

Sarah: We all have different backgrounds and interests within the group, so we can each cater to different audiences for the blog. Sophia and Morgan are both enthusiastic about security and together we have fun in learning and sharing our interests. Personally, I have found myself recently enjoying the development side of building security tools.

Thanks to my dissertation on building a web filtering proxy (and facing countless errors), I have a new love for Docker. I plan to write more about this in the blog, however, what lit my fire for security was the difference in security for mobile devices. With my rookie track talk touching on topics such as malicious APK files, there is so much I am yet to delve into, learn about and eventually share.

Sophia: My academic background is in security management, which I hope I can write about in the future alongside my technical blogs. However, in addition to this, I also have technical experience in pen testing from my placement last year and through the competitions that I have taken part in (such as the European Cyber Security Challenge).

I also aim to get more clued up on automotive hacking, and hope to make that a specialty in the future. I feel that automotive hacking is a slightly niche area, which I would love to write about in the future. It’s great that, as a collective, we all have different backgrounds and interests, and hopefully you’ll see this reflected in the variety and strength of our blog posts and future conference talks.

Are there enough collaborative efforts like this, and how would you recommend others replicate what you’ve done?
We initially bonded over our passion for security and wanting to encourage people aiming to move into the industry. We’re based in different parts of the UK but still speak daily and make the effort to learn about each other’s areas of interest. With that approach, we think anyone can do what we’ve done.

Starting the conversation with someone you enjoyed a talk from or even appreciating someone's work could be the start of a really fruitful relationship. If you have an aim or idea and you’re committed to it, keep the conversation going and you’ll find like-minded people. It would be great to see others collaborate on projects and knowledge sharing in general.

Are you open to other members joining the Security Queens?
With our blog being so new, and this being a totally organic situation, it’s not something we’d really considered! We do have a couple of WhatsApp groups and Discord servers for women/people in security that we try to use to keep in touch with people and support their work in this space, and we’re always open to friendly, curious new faces in that respect.

In the longer term, once we’re a bit more established, if we met some like-minded people who were really keen to get involved, that could be a possibility. Our foundation is one of strong friendship and support for other people, so if we met someone who fit well with that, it certainly wouldn’t be off the table. Either way, we’re open to collaborating with people. Sarah recently worked with TheCyberViking on an OSINT (Open Source Intelligence) themed post, which turned out really well, so we’d love to do more of that.

The blogs you’ve done so far have been rather technical. Is this a deliberate effort to prove that younger people do have the technical skills?
We wouldn’t say it was deliberate as such, but a lot of people had been requesting technical content/walkthroughs. We want to write content based on what people will engage with; however, we also want to make our blog as varied and accessible as possible, and therefore plan to post on non-technical concepts as well in the future.

We’ve consciously included an “estimated difficulty” rating at the beginning of each post so people can more easily find content at a level they’re able to understand and take value from. Something else we’re also doing is trying to create posts on the fundamentals of subjects people usually find difficult to understand (like cryptography), so that we can de-mystify intimidating topics. One of Morgan’s key drivers is to breathe a bit of life into topics such as security and risk management and fraud awareness, so there will definitely be some less technical content coming soon.
