Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

5/26/2016
11:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

A Wish List For The Security Conference Stage

All the world may be a stage, but in the theater of cybersecurity, we need a more relevant dialogue of fresh ideas, novel approaches, and new ways of thinking.

William Shakespeare’s play “As You Like It” contains one of most oft-quoted phrases in the English language. One of the monologues in the play begins with the words “All the world’s a stage.” I’ve always found this phrase to be quite interesting and captivating. But what does this have to do with information security? 

There is quite a bit of buzz around information security (sometimes referred to as cybersecurity) these days. Where there is buzz, there is often hype. And where there is hype it seems, there are a nearly innumerable amount of conferences. In fact, I was once in a meeting where someone remarked: “We could attend a security conference every week if we wanted to.” That was in 2007. In 2016, I think one could probably attend five security conferences each week and still not cover them all.

Sometimes it seems that people organize conferences for the sole purpose of creating another stage upon which a select group of individuals can present. This can be frustrating, or perhaps a bit aggravating for people on the outside for a number of reasons. I’d like to discuss this concept in additional detail, but before I do so, I think it’s important to remember the famous Groucho Marx quote: “I wouldn’t want to belong to a club that would have me as a member.”

Once thing I’ve noticed over the course of my career is that many of us watch presentations, rather than listen to them. If we actually listen to a presentation, we can dig a bit deeper than what we see on the surface. When we do this, we find that many of the presentations out there are full of hot air. In other words, the delivery is good, the slides are attractive, the buzzwords are there, but no actionable information that a viewer of the presentation can take back and implement operationally.

The tragedy in what has become of some security conferences (though not all, of course) is that those on the inside are most often offered the stage, irrespective of what they may or may not bring to that very stage. Fresh ideas, novel approaches, and new ways of thinking don’t always get to see the light of day. Unfortunately, this impedes our progress as a security community.

What I wish some speakers would realize is that access to the stage comes with a tremendous amount of responsibility. Or, at least it should. How often do we hear about security celebrities, thought leaders, and rock stars who will be appearing at a given conference or in a given forum? But what happens when those on the stage:

  • May not have written anything new in 5, 10, 15, or perhaps even 20 years?
  • Harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate?
  • Intentionally, or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda?
  • Seek a sound byte or news clip at the expense of the greater good of the community?
  • Pursue self-promotion and populism at the expense of outreach, education, communication, and real change?

As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc., that exists is overwhelming.

The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals, but nonetheless have security as a top priority.

Dare I say that the point of climbing on stage is to add to the collective knowledge of the security community? In other words, if there is no new thinking, actionable knowledge, or operationalizable information in a talk, was it really a good use of the stage?

Security professionals, and particularly security leaders, want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the many other challenges they face. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges by distracting people from what’s truly important. In my view, this does not help advance the state of security. In fact, it impedes it, sadly.

If someone finds that he or she has attained access to a stage, that access should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that put that person on that stage. And as members of the security community, we should demand better from our speakers.

Anyone can create another stage upon which to present. Bringing value to the security dialogue and adding to the collective discussion is something else entirely. All the world may indeed be a stage, but that doesn’t mean I shouldn’t yearn for more than that.

Related Content:

 

 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10987
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
CVE-2020-10988
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version 15.03.05.19 allows unauthenticated remote attackers to start a telnetd service on the device.
CVE-2020-10989
PUBLISHED: 2020-07-13
An XSS issue in the /goform/WifiBasicSet endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute malicious payloads via the WifiName POST parameter.
CVE-2020-10986
PUBLISHED: 2020-07-13
A CSRF issue in the /goform/SysToolReboot endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to reboot the device and cause denial of service via a payload hosted by an attacker-controlled web page.
CVE-2019-19338
PUBLISHED: 2020-07-13
A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is ...