11:00 AM
Joshua Goldfarb
Joshua Goldfarb
Connect Directly
E-Mail vvv

A Wish List For The Security Conference Stage

All the world may be a stage, but in the theater of cybersecurity, we need a more relevant dialogue of fresh ideas, novel approaches, and new ways of thinking.

William Shakespeare’s play “As You Like It” contains one of most oft-quoted phrases in the English language. One of the monologues in the play begins with the words “All the world’s a stage.” I’ve always found this phrase to be quite interesting and captivating. But what does this have to do with information security? 

There is quite a bit of buzz around information security (sometimes referred to as cybersecurity) these days. Where there is buzz, there is often hype. And where there is hype it seems, there are a nearly innumerable amount of conferences. In fact, I was once in a meeting where someone remarked: “We could attend a security conference every week if we wanted to.” That was in 2007. In 2016, I think one could probably attend five security conferences each week and still not cover them all.

Sometimes it seems that people organize conferences for the sole purpose of creating another stage upon which a select group of individuals can present. This can be frustrating, or perhaps a bit aggravating for people on the outside for a number of reasons. I’d like to discuss this concept in additional detail, but before I do so, I think it’s important to remember the famous Groucho Marx quote: “I wouldn’t want to belong to a club that would have me as a member.”

Once thing I’ve noticed over the course of my career is that many of us watch presentations, rather than listen to them. If we actually listen to a presentation, we can dig a bit deeper than what we see on the surface. When we do this, we find that many of the presentations out there are full of hot air. In other words, the delivery is good, the slides are attractive, the buzzwords are there, but no actionable information that a viewer of the presentation can take back and implement operationally.

The tragedy in what has become of some security conferences (though not all, of course) is that those on the inside are most often offered the stage, irrespective of what they may or may not bring to that very stage. Fresh ideas, novel approaches, and new ways of thinking don’t always get to see the light of day. Unfortunately, this impedes our progress as a security community.

What I wish some speakers would realize is that access to the stage comes with a tremendous amount of responsibility. Or, at least it should. How often do we hear about security celebrities, thought leaders, and rock stars who will be appearing at a given conference or in a given forum? But what happens when those on the stage:

  • May not have written anything new in 5, 10, 15, or perhaps even 20 years?
  • Harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate?
  • Intentionally, or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda?
  • Seek a sound byte or news clip at the expense of the greater good of the community?
  • Pursue self-promotion and populism at the expense of outreach, education, communication, and real change?

As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc., that exists is overwhelming.

The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals, but nonetheless have security as a top priority.

Dare I say that the point of climbing on stage is to add to the collective knowledge of the security community? In other words, if there is no new thinking, actionable knowledge, or operationalizable information in a talk, was it really a good use of the stage?

Security professionals, and particularly security leaders, want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the many other challenges they face. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges by distracting people from what’s truly important. In my view, this does not help advance the state of security. In fact, it impedes it, sadly.

If someone finds that he or she has attained access to a stage, that access should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that put that person on that stage. And as members of the security community, we should demand better from our speakers.

Anyone can create another stage upon which to present. Bringing value to the security dialogue and adding to the collective discussion is something else entirely. All the world may indeed be a stage, but that doesn’t mean I shouldn’t yearn for more than that.

Related Content:



Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Voice-Operated Devices, Enterprise Security & the 'Big Truck' Attack
Menny Barzilay, Co-founder & CEO, FortyTwo Global,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.