Shownotes
Summary
In this episode of the Web Usability podcast, Lucy Collins speaks with Aliyu Yisa a cybersecurity professional and accessibility advocate. They discuss Ali's journey from software engineering to focusing on accessible cybersecurity through his work with Pheasant and Cyblack. The conversation highlights the importance of making cybersecurity accessible to all, the challenges faced in the industry, and the legal implications of accessibility. Ali emphasizes the need for organisations to prioritize accessibility in their cybersecurity practices and offers practical advice for getting started. The episode concludes with a call to action for organizations to consider the business benefits of accessibility and to partner with initiatives like Cyblack to support diversity in the cybersecurity field.
Takeaways
- Accessibility is crucial for effective cybersecurity t111177araining.
- Cybersecurity tools must be accessible to all users.
- Disability can affect anyone at any time, making accessibility essential.
- Organizations must prioritize accessibility in their cybersecurity practices.
- The purple pound represents significant economic power for people with disabilities.
- Legal requirements for accessibility are becoming stricter.
- Awareness and education about accessibility are key first steps for organizations.
- Accessibility benefits everyone, not just those with disabilities.
- Partnerships with organizations like Cyblack can enhance diversity in cybersecurity.
- Making cybersecurity accessible can improve user experience and security compliance.
Sound Bites
- "Cybersecurity and accessibility are intertwined."
- "Accessibility is not rocket science."
- "Disability is not an us versus them thing."
- "Accessibility is a basic human right."
- "The purple pound is worth 250 billion pounds."
- "Let's make the web a better place for everyone."
Chapters
00:00 Introduction to Web Usability and Accessibility
01:34 Ali Uyasa's Journey in Cybersecurity and Accessibility
05:50 The Importance of Accessible Cybersecurity
12:50 Challenges in Cybersecurity Accessibility
18:07 Legal Aspects of Accessibility in Cybersecurity
20:01 Starting Points for Organizations on Accessibility
23:53 Cyblack: Supporting Black Talent in Cybersecurity
27:42 Conclusion and Call to Action
Want to dive deeper? Check out:
Aliyu Yisa at NCSC for Startups Showcase, December 2022 https://www.youtube.com/live/sIa-_PUn3AM?si=t6DB1L-DTXVCQCfT&t=1707
NCSC: Accessibility as a cyber security priority: https://www.ncsc.gov.uk/blog-post/accessibility-as-a-cyber-security-priority
Accessibility in Cyber at infosec.live https://www.youtube.com/watch?v=7WQVRSQBXUQ
Accessibility in cybersecurity at Axe-Con, largest digital accessibility
conference online: https://www.deque.com/axe-con/presenters/aliyu-yisa/
Accessible and inclusive cyber security, a research paper by Dr Karen Renaud https://link.springer.com/article/10.1007/s42979-022-01239-1
Fezzant Accessibility Scanner (free) - https://chromewebstore.google.com/detail/fezzant-accessibility-sca/nngholkdjmoikkjbljnljddagnllmgbh
Inaccessible Bytes: Hurdles and Hopes for Accessible Cybersecurity Education by
Connect with Aliyu Yisa:
Linkedin: https://linkedin.com/in/aligorithm
Fezzant website: https://fezzant.com
CyBlack: https://linkedin.com/company/cyblack
The Cyber Helpline: https://thecyberhelpline.com
Transcripts
Ep24. How to make cyber security accessible
Lucy Collins
Welcome to the Web Usability podcast, where we explore what it takes to make the web a more accessible and enjoyable place for everyone. Whether you're a website owner, developer, or just a curious mind, we're here to share insights, tips, and stories that can help you improve the user experience of your digital world. I'm Lucy Collins, Director of Web Usability and your guide on this journey to better usability. If you need a transcript of this podcast, just visit our website at www.webusability.co.uk.
Now, let's dive in!
Lucy Collins
So welcome back to the podcast. Today I'm delighted to be joined by Ali Uyasa, cybersecurity professional, accessibility advocate and co-founder of Pheasant. Pheasant is on a mission to create a world where everyone can be safe online by making cybersecurity and learning experiences accessible to all. Alongside this, Ali is also co-founder of Psy Black, a nonprofit organisation growing the next generation of black cybersecurity talent. This is all in addition to a day job as a cybersecurity practitioner at GIFGaff. So, I am delighted he has found time in his incredibly busy schedule to join me on the podcast today. Ali, hi, how are you?
Aliyu Yisa
Hi, thank you very much. It's good to be here. And yeah, thanks for that. Very nice intro. Not at all. Makes me sound much more impressive than I am.
Lucy Collins
I think you are quite impressive, Ali. I mean, don't do yourself a disservice. You've got an awful lot going on, but I'd love to know a little bit more about yourself and your journey so far, because obviously there are lots of different strands.
your life right now. So tell me a bit about it. depends on how far back you want me to go. Yeah, maybe the short version.
Aliyu Yisa
So yeah, I actually started out my career as a software engineer, know, building applications, websites and things like that. I was always interested in cybersecurity because my older brother was into cybersecurity, and it sounded really cool. So I always like worked on researching like web security risks and making sure what I was building was secure. I was always like an advocate as well. Even if where I used to work didn't have a security team, I kind of became like security advocates where if anything security related comes up, call Ali, that kind of thing. You know, after many abandoned projects and a previous startup, which I'm not going to get into because it'll take too much time, I finally decided to do a master's in cyber security, which I did at the University of Salford.
And my background has been super, super technical right from the start. the more I learned about like how, you know, what we do affects people, humans, like the people side of things, I became much more fascinated and started doing a lot more research around like the human side of cybersecurity. And that's where I started pheasants after, right after my masters actually. Initially I was trying to build a security awareness platform. security, employee security training and things like that. But I quickly found out that the market was like super, super saturated. Everybody and their grandma was doing a security training platform. So it's kind of like, okay, what exactly can we offer here that's like unique? You know, after a while it felt like, okay, what we should be doing is cybersecurity awareness, but accessible. Right. So that was when we got onto the NCSA for Startups program and started doing lots more research. In fact, like the process of getting into the program where we had like interviews and several meetings with like the mentors there, they asked like so many questions. was like dragons then, but the questions that they asked started pushing our thinking into new directions and almost throughout the NCSE for Startups program, it was like the process of us pivoting. Right. There were like other startups that had like revenue, they raised investments and then there was us trying to figure out like, yeah, we know there's a problem here. We know accessibility is something that's a huge gap in cybersecurity. Where exactly is our solution to that problem? We didn't know at that time. And like at the end of the program, they said we should do like a pitch for the end of program showcase. Again, I was like, where exactly am I pitching? What's the play here? So I did a presentation where I was telling the story of like how we started Fezant, how we got to where we were, but also kind of
bringing that issue of cyber security, accessibility to the perspective of the audience, it went really, really well. We got really good feedback. And that's really where the journey started. I went into a very deep rabbit hole with learning about accessibility and learning about how it affects cyber security and how security affects accessibility, how intertwined the whole thing is. And yeah, I've been doing lots of advocacy since then. We built an accessibility scanner that integrates some of these security issues freely available for now. And here I am.
Lucy Collins
And here you are. Wow. What a journey. sounds like, I mean, fascinating route into accessibility. And I think this is the thing I love about this field is that there's no one way in to working in accessibility. People come at this from such different perspectives. And for you to have had that very technical background and then to kind of have gone through this company development incubator experience and come out the other end with accessibility as your focus, I think must be quite unique and special because often people don't see accessibility as a moneymaker, as a way to make profit. And I think that it's wonderful that that's kind of where you have ended up through that process. I'd love to understand a bit more about why accessible cybersecurity is so important. And it's probably an obvious question to you but I feel sometimes we need to spell out these obvious, obvious questions. So tell me, why is it so important that we make cybersecurity accessible?
Aliyu Yisa
Very good question. And don't worry, I never get tired of talking about this. If we look at cybersecurity, like what is security, what are we actually trying to achieve with security? We're trying to help businesses and people be able to work and live in a secure manner. But it's not only about like restricting access and making sure the right person has the right access or like making sure confidential information stays confidential. It's also about making sure that the right people are not blocked out from accessing something. I think that's where accessibility comes into play because there many different dimensions. Let's start from the security awareness training dimension. Why do we do security awareness training? We do it to make sure that all our staff, everyone that's working in the organisation is equipped with the right knowledge and you know, there's all sorts of new stuff going on around human risk management. But at end of the day, you're trying to make people have the right behaviours and the right knowledge to stay safe while they're working. You can't really do that if a portion or percentage of your employees or your people that you're trying to take care of cannot like to engage with that training that you've developed. Yeah.
For example, if the platform doesn't support screen readers, the way it's structured, or the content doesn't have accurate captions, or the language itself that we use. So, for instance, we might say things like, you should use your mouse to hover over a button to see where the link actually goes to. Like heavily relying on visuals, and using visual means of passing information across, well If I'm like visually impaired or blind, how am I supposed to know like, you know, what to do here? So, it's about the learning platform itself, but the content has to be created in a way that, you know, everyone is able to engage with and understand what's going on. So that's already a risk if it doesn't cover everyone, but it's also a compliance problem as well, because if you're doing it for compliance and you're not covering everyone, then you're not compliant. There's also the other aspect of things like your authentication. So, let's say you're trying to log into a website or you're trying to fill in like sensitive personal information, like your card details. And if those pages are not accessible in the sense that they don't have the right structure or they're not following the right accessibility standards, then it means that people with disabilities are going to have a hard time or even find it impossible to be able to interact with your website or your application. And what that means is you're losing business because people just bounce and just go find something else to do. Or they might be forced to use that particular platform if it's for work or something critical like healthcare or banking. It could just be shopping as well, just to be able to live, right? They might be forced to have someone else help them with that process of logging in, which exposes their login details. Now that is a threat to their security, their privacy.
their independence to begin with, that is not a good experience to give your customers or people that work for your organization. that's another dimension of how security and accessibility are linked. There's another thing, which is security tools. the security tools that our cybersecurity professionals use to either assess a system's security posture or to respond to security incidents or to analyse some data need to be accessible because again, cybersecurity, we like to talk about how inclusive and diverse we are. And I believe that we actually have the right intentions and we're doing our best, right? But I wouldn't even say we're doing our best really, because we're not. I mean, we're even doing the bare minimum from not, certainly not everybody. You can't really have that if the tools of the trade are not accessible because that creates a barrier for people with disabilities being able to work in cyber security. I know, you know, someone, actually several people, but someone in particular who really couldn't complete her degree because like the tools, like digital forensics tools were just not accessible. And she ended up doing research, like a paper talking about just how not accessible they are, like the gaps. And she had to like to change it to something else. So, she couldn't, literally couldn't complete the degree because the university couldn't provide the right tools or maybe the right tools didn't even exist when it comes to accessibility. Really, you're working in cybersecurity, I want you to ask yourself this question. If your top security analyst or security engineer were to become disabled, like let's say they become blind, would you be able to confidently say that they would be able to use the tools that you currently have? If you can't confidently say that, then you need to start talking to your vendors because guess what?
All people with disabilities are not born with disabilities, like some are born with disabilities, but huge number of people become disabled. It's not a static thing. It's also something that changes like there's temporary needs, there's like long term, there's some of them are permanent. So, it's really something that we all should be doing our best to make a reality.
Lucy Collins
It's one of the things I find, I guess, maybe odd's not the right word, but interesting about this accessibility space is that often accessibility gets talked about as this sort of standalone thing. It's like them and us, know, the people with disabilities and people that don't have disabilities. But as you say, I think the stat is something like 84 % of people develop their disability during their working life. So, it's a community that you could become part of at any point. And that might be a permanent change, or it might be, as you say, a temporary incapacitation, a broken arm surgery or some description that might just temporarily mean that you're not able or you have additional access requirements. And so, for us to not think in an accessible first way always strikes me as a bit wild because it benefits everybody. And also, it's something, as you say, at any moment, one of your senior staff could develop an accessibility requirement. And if you haven't thought about that, or you haven't managed it, or if you recruit someone who has an additional accessibility requirement, then you are disadvantaging them. So, I think it's fascinating to think about cybersecurity and those kinds of different channels. So you've got the training side of things and making sure people can access the information because obviously so much of cybersecurity is that behavioural change and making sure that we're all being vigilant and aware of what the threats are. You've then, as you say, got the actual kind of technical accessibility of, can you have multifactor authentication?
How does the authenticator app on your phone work, presumably? If you're doing SMS, two-step verification, does that work for you? And all these things that, I mean, they can be frustrating enough when you don't have a disability. And then if you're asking people to jump through these extra login hoops and then they're not accessible, God, I would be chucking my phone out the window with frustration. it's, can imagine how challenging that must be. And then as you say, the kind of the third strain of that being the vendors and making sure that the tools and the systems that we use to actually manage and report and remediate cybersecurity issues are also accessible. And it feels to me that it all goes back down to, well, we need to be considering accessibility right at the very beginning of these conversations, as is the case with everything, quite frankly. Is that something that's happening? It doesn't sound like it's the case from what you're saying.
Aliyu Yisa
Unfortunately, not. There's a lot of gaps in terms of like the security tools. It's not something that is typically prioritised as like, you know, a design requirement, like accessible by design. I mean, yeah, you have a few companies here and there that do accessibility, but it's not something that is industry-wide, something that's seen as a major priority. That's what we're trying to change with our advocacy, the services that we're offering in the security industry, and the talks that we do. Being here talking to you or having this conversation, it's all part of changing that narrative and bringing it to the attention of people not just talking about the problems, we're offering solutions. This thing is actually possible. It's not rocket science to do accessibility, right? If you have the right people and the right intentions and the right mindset, it's something that's possible. And I think earlier I talked about the business implications where, you know, you're not reaching your entire audience, well, your entire possible audience if you're not accessible. But also, if we look at the actual, like the human effects of this, let's look at authentication, for instance. If someone's say like in a vulnerable situation where they're being abused or like they're in like an abusive environment, if you're not able to be independent in your online life, which is, you know, more and more becoming just our life, like, it puts you at more risk of being abused because whoever you're forced to go to access your basic needs can weaponise that against you.
Yeah, absolutely. That's another dimension as well. But also, if you look at inclusion and diversity and like equality, trying to get into the cyber security industry, there's so many barriers to someone who has a disability rights. Like, let's say you're trying to learn cyber security. Well, if you go to the university, is the curriculum accessible? And the tools that are being used to teach cyber security accessible? Is learning materials accessible? Let's say you're able to
across that bridge somehow, and you're trying to get into the field. And our recruitment methods are accessible and without bias. Let's assume you've passed through all that and you've gotten employment. Well, the tools that you're going to be using to work, are they accessible or are you going to be disadvantaged? I think we talked earlier about the fact that disability is not an us versus them thing. It's like everyone really, because we all need accessibility. We're all going to go hopefully grow old at some points and the older you get, the more accessibility needs you're going to have. But also, it could be something sudden just happens and your life changes. But designing for accessibility means that everyone gets a better experience at the end of the day. Accessibility at the end of day is just all about user experience. You're not really doing user experience if you're not doing accessibility even physical things like ramps. think originally ramps were developed as accessibility. Well, they are accessibility tools for physical space, which allows people on wheels or like mobility vehicles to access buildings and areas in like the physical space. But, you know, if think about the last time you travelled or went to a train station on the airport, you use that to carry your luggage easily, like instead of like climbing, climbing through and lifting it through the stairs.
Lucy Collins
Yeah, because I've got two young kids and I spend my life pushing prams around and things like that. And I found that so much of what is typically coined an accessibility feature is brilliant in my situation. And also, you experience some of the challenges when people do leave bins out on the pavement and I have to swerve around with a pram or, you know, I'm often doing things one-handed because I've got a baby in one arm. I'm making use of a speech recognition software on my phone and all those sorts of things. Oh, so I think, yeah, it's such an important point to stress that if you make things accessible, you make them better for everyone. So, it's not a nice to have, it's a basic human right, but also it has the added benefit of improving those experiences. So yeah, do it.
Aliyu Yisa
Yeah. Also, it's the law, right? If you look at- that is true. is also the law. The equality act in the UK. The UK isn't as like-rife with lawsuits as the US, but it's there, right? You can't put people at a disadvantage on the basis of their disability. But also, if you look at the European Accessibility Act that's coming into effect in June of this year, if Brexit and all that were not in the EU, but if you're selling your products or your services in the EU, that law kind of applies to you as well. Not kind of, it does definitely apply to you as well. That's also something that...
I think a lot of security vendors are not really aware of, or even if they've come across it, they might not think it applies to them. So that's also part of like the things that we're trying to raise awareness of like, hey, this is law that's coming in in just a few months. Are you aware? Like what are you doing about it? It's kind of like accessibility is finally having its GDPR moment. But if you think about what happened to GDPR, it wasn't something that a lot of companies took very seriously until it, like, they usually give a few years before the law actually takes effect. But it's like, yeah, yeah, we still have time. But then when it comes into effect and then companies start getting fined, it's like, wow, we have to do this now. Which is kind of slowing things down in terms of uptake. But I think once you start seeing the EU like wielding its big stick, finding companies. you'll see a lot more companies trying to be accessible. It's just sad that it has to get to that point.
Lucy Collins
Yeah, I agree. So, for organizations starting down this path, when you begin working with someone, where do you suggest people start to ensure cybersecurity and the associated learning experiences are accessible?
Aliyu Yisa
It depends on what kind of organization you are and where you currently are. Cause some organisations have like, you know, they might be following, trying to follow WCAG and they're like, fixing automated issues, but they might not have like the right strategy for making accessible by design. But some organisations just don't know anything about accessibility. So it depends on where you're starting from. But I think one of the biggest things is awareness, like actually educating yourself about what is accessibility, how does it affect what we are doing as an organization, and what are the benefits to the organisation, because you might need to sell that to someone who's going to be spending like company resources or making a decision. So looking at the importance, looking at the benefits, how is this going to help your business to grow? After the awareness piece, I would say having like an accessibility audit. One of the first things I tell people to do is something I found out about a few months ago. It's called the no mouse challenge or the keyboard challenge. I can't remember where you try to navigate your website or your products without using a mouse, just using your keyboard, like tabs, spaces, arrow keys, enter, things like that. And if you can't navigate it using a keyboard, that's not a good sign. know, screen reader users navigate using keyboard, but also there's sighted people that only use keyboard to navigate the websites as well. It just shows that you have like good structure to the websites. That's like one of the easy things you can do. You can also use like a free accessibility scanner to get some perspective on like just how bad it is. Yeah, we actually offer one, Fresanto accessibility scanner, shameless plug.
Lucy Collins
Go for it. No, I mean, what's the point of doing a podcast if you don't shamelessly plug something? So yeah, we will, and of course include a link to it in the show notes, but do you want to tell us a bit about the scanner, what it does?
Aliyu Yisa
So we're still developing the more like advanced stuff, but currently what it does is it just checks your website, you just download it as a Chrome extension and it checks the web page that you're currently on for accessibility issues like WCAG, WCAG standards, web content accessibility guidelines. On top of that, it tells you, you have like inaccessible authentication. It tells you like if you have a login page or if you have some sensitive fields that have accessibility issues, it will tell you that as well. But
Yeah, we're still developing like some of the more advanced features. This just gives you a basic perspective on like some major issues that you might, obvious issues that you might have. But of course, this is not a replacement for like a full accessibility audit. You have to have people who know about accessibility to look at the application and try to use it from different like personas and find those issues. Like, you know, you have to mix both manual and automated methods, which would give you a much more accurate picture. And that would be a good starting point because you can then look at how do we prioritize this? are the low hanging fruits? What are the biggest things we can do to make impacts on the accessibility of our products? So those are the things that can start doing early on. Some of them even like low cost or no cost at all.
Lucy Collins
Yeah. Brilliant. thank you. That's really helpful advice. I'd like to finish up by talking a little bit about one of the other hats that you wear, which is as a co-founder of Cyblack. So can you tell me a bit more about Cyblack, what it is and what you do?
Aliyu Yisa
Yeah. Cyblack is a non-profit organization that supports black and African descent people who are trying to get into the cybersecurity industry. So we do like mentorship, free training sessions. And we have a few programs like our Cyblack internship and some other training programs just to equip people with the right skills and knowledge to be able to thrive in cybersecurity industry. So we also have some communities where people interact and share knowledge and support each other. And we have events as well. think the CyberLac conference is coming up in August of this year. I think we're going to announce the location very soon. So stay tuned if you're interested I think one of the biggest things with CYBLACK is that we're not just supporting people. We are growing leaders. We're equipping them with leadership skills and we're giving them the opportunity to make an impact on the next generation as well. when CYBLACK started, was the co-founders, like we were basically doing everything. And then we started getting like people volunteering. And usually when someone goes through one of our programs or when they get a job first thing they start, they ask is like, okay, how can I help? What can I do? How do I pay this forward? And we've seen people go create their own like communities and mentorship networks. There's cyber lawyers’ community that came out from people who've gone through CYBLAK. There's like so many other things that I'm not even aware of going on within the space of like people that we've mentored. And right now CYBLAK has so many things going on.
I'm only involved, like directly involved in a few of them. So we have like so many people supporting the growth of CyBlock and it's really good to see. Yeah, it's huge now. You've got like tens of thousands of members and people involved, haven't you? We do have tens and thousands of followers that engage directly or indirectly with the content that we put out there and things. And I would say tens of thousands, but definitely thousands of people have gone through at least one of our programs.
Lucy Collins
fantastic. I mean, what a brilliant organisation. And I'd love to know, because obviously you're very much focusing on the development of the individuals themselves, but what could organizations be doing more of to support young black talent thrive in this field as well?
Aliyu Yisa
I think one major thing is partnering with organizations like CYBLACK because we already have these communities, we already have access to these people. know, let's say you have an organization that has an opportunity or wants to do some good, you could easily just reach out to us and we could partner, do something together. And I think that's one thing I've noticed. There might be an opportunity. It could be government funded. It could be like a nonprofit that's sponsoring it. And they say, you know, we welcome applications from, you know, all communities, but how discoverable is this opportunity to people from those communities, right? It could be as simple as just reaching out and us like spreading it across within our community and then getting people applying, which we've done with, you know, many different organisations and had people starting to participate in those programs. But also it could be, you know, recently we had a partnership with let's defend it's a cybersecurity training platform and they give us like some licenses for their products. So we had like a program where people from our community or even people who just apply from outside our community were able to use the let's defend platform. But also in a structured program where side black mentors were guiding them through, you know, the tasks and helping them get experience. So, it could be anything like it just reach out. I'm sure we can work something else.
Lucy Collins
Um, well, I think on that note, I just a massive thank you. What a fascinating chat. mean, to go back to the meat of what we were discussing there, you know, accessibility and cyber security. It's clearly both crucial, both for the organization, but also for the users. mean, you get it wrong. I guess you open yourself up to cyber-attack and risk. You also risk disadvantages such a huge proportion of the population. This is 25 % of the UK population have a registered disability. So this is not a small number of people that you are disadvantaging if you're not considering accessibility in your cybersecurity. And this space definitely, definitely by the sounds of things needs to start thinking in an accessible first way. So thank goodness we have people like you out there having these conversations and leading this field. me, well, we're doing our bit, aren't we? Banging the drum. Ali, to finish us off, tell me where people can find out more about you.
Aliyu Yisa
So I'm on LinkedIn. can just search Aliyo G Yisa. You can connect with me, or you can go to pheasant.com to learn more about pheasant and what we're offering. To learn more about Psy Black, you can just search Psy Black on LinkedIn. That's the first thing you'll see. Or go to PsyBlack.org to learn about Psy Black. There's one thing I wanted to say, but I forgot to mention. I think more than a billion people in the world have a disability. Like if you think about it in those numbers, that's a huge markets. And in the UK, there's this thing called the purple pound, which kind of measures the spending power of people with disabilities. And it's I think it's worth like 250 billion pounds. So, let's assume which I I don't want to assume I want to assume people have good intentions and you want to do good and you want to do it because it's the right thing to do. But in addition to that, putting your business hat on, think about the potential to your business. If you're doing the right thing and you're making your platform or your product accessible, think about the potential for your business as well.
Lucy Collins
Well, what a brilliant note to end on there. Ali, thank you so much for joining me. This has been such a fantastic chat and we will share all of that in the show notes so people can find you and hopefully connect and continue the conversation. Ali, thank you so much. Thank you very much. It's been a really good discussion.
Thank you for tuning in to the Web Usability podcast. We really hope you enjoyed this episode. If you have any questions, comments or topics you'd like us to cover, reach out to me on lucy at webusability.co.uk or connect with us on LinkedIn. Please don't forget to like and subscribe so you never miss an episode. Until next time, keep making the web a better place one user at a time.
