Dark Reading is part of the Informa Tech Division of Informa PLC


5/26/2016
11:00 AM
Joshua Goldfarb
Commentary

A Wish List For The Security Conference Stage

All the world may be a stage, but in the theater of cybersecurity, we need a more relevant dialogue of fresh ideas, novel approaches, and new ways of thinking.

William Shakespeare’s play “As You Like It” contains one of the most oft-quoted phrases in the English language. One of the monologues in the play begins with the words “All the world’s a stage.” I’ve always found this phrase to be quite interesting and captivating. But what does this have to do with information security?

There is quite a bit of buzz around information security (sometimes referred to as cybersecurity) these days. Where there is buzz, there is often hype. And where there is hype, it seems, there is a nearly innumerable number of conferences. In fact, I was once in a meeting where someone remarked: “We could attend a security conference every week if we wanted to.” That was in 2007. In 2016, I think one could probably attend five security conferences each week and still not cover them all.

Sometimes it seems that people organize conferences for the sole purpose of creating another stage upon which a select group of individuals can present. This can be frustrating, or perhaps a bit aggravating for people on the outside for a number of reasons. I’d like to discuss this concept in additional detail, but before I do so, I think it’s important to remember the famous Groucho Marx quote: “I wouldn’t want to belong to a club that would have me as a member.”

One thing I’ve noticed over the course of my career is that many of us watch presentations, rather than listen to them. If we actually listen to a presentation, we can dig a bit deeper than what we see on the surface. When we do this, we find that many of the presentations out there are full of hot air. In other words, the delivery is good, the slides are attractive, the buzzwords are there, but there is no actionable information that a viewer of the presentation can take back and implement operationally.

The tragedy in what has become of some security conferences (though not all, of course) is that those on the inside are most often offered the stage, irrespective of what they may or may not bring to that very stage. Fresh ideas, novel approaches, and new ways of thinking don’t always get to see the light of day. Unfortunately, this impedes our progress as a security community.

What I wish some speakers would realize is that access to the stage comes with a tremendous amount of responsibility. Or, at least it should. How often do we hear about security celebrities, thought leaders, and rock stars who will be appearing at a given conference or in a given forum? But what happens when those on the stage:

  • May not have written anything new in 5, 10, 15, or perhaps even 20 years?
  • Harp on the news items and buzzwords of the day rather than provoking deep intellectual thought and debate?
  • Intentionally, or unintentionally, distract the community from the long-term, strategic issues we need to remain focused on in favor of issues that suit their agenda?
  • Seek a sound bite or news clip at the expense of the greater good of the community?
  • Pursue self-promotion and populism at the expense of outreach, education, communication, and real change?

As someone who travels quite a bit and is fortunate enough to meet with so many security professionals on a continual basis, I have many opportunities to discuss the issues of the day. I have noticed many common patterns and themes during the course of my discussions, but one subject in particular stands out. The amount of bad information, misinformation, biased information, hype, FUD, etc., that exists is overwhelming.

The message I hear day after day is that it is hard to sift through the noise, difficult to navigate the hype, and nearly impossible to reconcile the misinformation. Bear in mind that this is coming from security professionals. Imagine what this landscape looks like to business leaders who are likely not security professionals, but nonetheless have security as a top priority.

Dare I say that the point of climbing on stage is to add to the collective knowledge of the security community? In other words, if there is no new thinking, actionable knowledge, or operationalizable information in a talk, was it really a good use of the stage?

Security professionals, and particularly security leaders, want to and need to focus on vision, strategy, risk mitigation, security operations, incident response, staffing, and any of the many other challenges they face. When rock stars use their platforms to harp on populist issues or bring attention to themselves or their agendas, it comes at the expense of all of these challenges by distracting people from what’s truly important. In my view, this does not help advance the state of security. In fact, it impedes it, sadly.

If someone finds that he or she has attained access to a stage, that access should bring with it a tremendous amount of humility and responsibility. That responsibility should be to the very security community that put that person on that stage. And as members of the security community, we should demand better from our speakers.

Anyone can create another stage upon which to present. Bringing value to the security dialogue and adding to the collective discussion is something else entirely. All the world may indeed be a stage, but that doesn’t mean I shouldn’t yearn for more than that.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ...
 
