Operations

5/26/2016
11:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Wish List For The Security Conference Stage

All the world may be a stage, but in the theater of cybersecurity, we need a more relevant dialogue of fresh ideas, novel approaches, and new ways of thinking.

William Shakespeare’s play “As You Like It” contains one of most oft-quoted phrases in the English language. One of the monologues in the play begins with the words “All the world’s a stage.” I’ve always found this phrase to be quite interesting and captivating. But what does this have to do with information security? 

There is quite a bit of buzz around information security (sometimes referred to as cybersecurity) these days. Where there is buzz, there is often hype. And where there is hype it seems, there are a nearly innumerable amount of conferences. In fact, I was once in a meeting where someone remarked: “We could attend a security conference every week if we wanted to.” That was in 2007. In 2016, I think one could probably attend five security conferences each week and still not cover them all.

Sometimes it seems that people organize conferences for the sole purpose of creating another stage upon which a select group of individuals can present. This can be frustrating, or perhaps a bit aggravating for people on the outside for a number of reasons. I’d like to discuss this concept in additional detail, but before I do so, I think it’s important to remember the famous Groucho Marx quote: “I wouldn’t want to belong to a club that would have me as a member.”

Once thing I’ve noticed over the course of my career is that many of us watch presentations, rather than listen to them. If we actually listen to a presentation, we can dig a bit deeper than what we see on the surface. When we do this, we find that many of the presentations out there are full of hot air. In other words, the delivery is good, the slides are attractive, the buzzwords are there, but no actionable information that a viewer of the presentation can take back and implement operationally.

The tragedy in what has become of some security conferences (though not all, of course) is that those on the inside are most often offered the stage, irrespective of what they may or may not bring to that very stage. Fresh ideas, novel approaches, and new ways of thinking don’t always get to see the light of day. Unfortunately, this impedes our progress as a security community.

What I wish some speakers would realize is that access to the stage comes with a tremendous amount of responsibility. Or, at least it should. How often do we hear about security celebrities, thought leaders, and rock stars who will be appearing at a given conference or in a given forum? But what happens when those on the stage:

  • May not have written anything new in 5, 10, 15, or perhaps even 20 years?
  • Harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate?
  • Intentionally, or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda?
  • Seek a sound byte or news clip at the expense of the greater good of the community?
  • Pursue self-promotion and populism at the expense of outreach, education, communication, and real change?

As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc., that exists is overwhelming.

The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals, but nonetheless have security as a top priority.

Dare I say that the point of climbing on stage is to add to the collective knowledge of the security community? In other words, if there is no new thinking, actionable knowledge, or operationalizable information in a talk, was it really a good use of the stage?

Security professionals, and particularly security leaders, want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the many other challenges they face. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges by distracting people from what’s truly important. In my view, this does not help advance the state of security. In fact, it impedes it, sadly.

If someone finds that he or she has attained access to a stage, that access should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that put that person on that stage. And as members of the security community, we should demand better from our speakers.

Anyone can create another stage upon which to present. Bringing value to the security dialogue and adding to the collective discussion is something else entirely. All the world may indeed be a stage, but that doesn’t mean I shouldn’t yearn for more than that.

Related Content:

 

 

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20201
PUBLISHED: 2018-12-18
There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file.
CVE-2018-20194
PUBLISHED: 2018-12-18
There is a stack-based buffer underflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy l...
CVE-2018-20195
PUBLISHED: 2018-12-18
A NULL pointer dereference was discovered in ic_predict of libfaad/ic_predict.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. The vulnerability causes a segmentation fault and application crash, which leads to denial of service.
CVE-2018-20196
PUBLISHED: 2018-12-18
There is a stack-based buffer overflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because the S_M array is mishandled.
CVE-2018-20197
PUBLISHED: 2018-12-18
There is a stack-based buffer underflow in the third instance of the calculate_gain function in libfaad/sbr_hfadj.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. A crafted input will lead to a denial of service or possibly unspecified other impact because limiting the additional noise energy l...