So far this year I think I’ve attended 20+ security conferences around the world – speaking at many of them. Along the way I got to chat with hundreds of attendees and gather their thoughts on what they hoped to achieve or learn at each of these conferences.
In way too many cases I think the conference organizers have missed the mark.
I’d like to offer the following thoughts and feedback to the people organizing and facilitating these conferences (especially those catering to local security professionals):
- Attendees have had enough of stunt hacking presentations. By all means, throw in one or two qualified speakers on some great stunt hack – but use them as sparingly as keynotes.
- Highly specialized, borderline stunt-hacking topics disenfranchise many of the attendees. Sure, it’s fun to have a deep-dive hacking session on voting machines, smart cars, etc., but when every session is focused on (what is essentially an) “edge” security device that most attendees will never be charged with attacking or defending… it’s no longer overwhelming; it becomes noise that can’t be applied in “real life” for the majority of attendees.
- As an industry we’re desperately trying to engage those entering the job market and “sell” them on our security profession. Trinket displays of security (e.g. CTF, lock-picking) sound more interesting to people already in security… and much less so to those just entering the job market. Let’s face it, no matter how much they enjoy picking locks, it’s unlikely to be a qualification for first-line SOC analysts. Even for those who have been in the industry for a few years, these cliché trinket displays of security “skill” have become tired… and look like wannabe DEF CONs.
- Most attendees really want to LEARN something that they can APPLY to their job. They’re looking for nuggets of smartness that can be used tomorrow in the execution of their job.
Here are a few thoughts for security (/hacker) conference organizers:
- Have a track (or two) specifically focused on attack techniques (or defense techniques) where each presented session can clearly say what new skill or technique the attendee will have acquired as they leave the hallowed chamber of security knowledge goodness. This may be as simple as escalating existing skills, e.g. “if you’re a 5 on XSS today, by the end of the session you’ll have reached a 7 in XSS against SAP installations”, or “you’ll learn how to use Jupyter Notebooks for managing threat hunt collaboration”. The objective is simple: an attendee should be able to apply new skills and expertise tomorrow… at their day job.
- Get more people presenting, and presenting for less time. Encourage a broader range of speakers to present on practical security topics. I think many attendees would love to see an “open mic” speaker track where security professionals (new and upcoming) can deep-dive present on interesting security topics and raise questions to attendees for help/guidance/answers. For example, the speaker has deep-dived into blocking spear-phishing emails using XYZ product but identified that certain types of email vectors evade it… they present proposals for improvement… and the attendees add their collective knowledge. It encourages interaction and (ideally) helps to solve real-world problems.
- An iteration of the idea above, but focused on students, those job hunting for security roles, or those on the first rung of the security ladder… a track where they can present on a vetted security topic and a panel of security veterans evaluates the presentation – the content and the delivery – and provides rewards. In particular, I’d love to see (and ensure) that the presentation is recorded and the presentation material is available for download (perhaps including a backup whitepaper). Why? Because I’d encourage these speakers to reference and link to these resources (and conference awards) in their résumés/CVs so they can differentiate themselves in the hiring market.
- Finally, I’d encourage (and offer myself up for participation in) a track for practicing and refining interview techniques. It’s daunting for all new starters in our industry to successfully navigate an interview with experienced and battle-weary security professionals. It takes practice, guidance, and encouragement. In reality, starter interviewees have less than 15 minutes to establish their technical depth, learning capability, and group compatibility. On the flip side, I’d also encourage learning and practice sessions for technical security hiring managers on overcoming biases and encouraging diversity. We’re an industry full of introverts and know-it-alls who genuinely want to help… but we all need a little help and coaching in this critical area.
— Gunter Ollmann
*** This is a Security Bloggers Network syndicated blog from Technicalinfo.net Blog authored by Gunter Ollmann. Read the original post at: http://technicalinfodotnet.blogspot.com/2018/09/the-missing-piece-of-security.html