These last few months have been crazy for me, especially as we wrap up with Blackhat, Defcon and BSides Las Vegas. Since April, I've been to and spoken at the following events:
- CyberSecureGov - Washington, DC
- RVASec - Richmond, VA
- OSEHRA - Washington, DC
- ChefConf - Austin, TX
- MORS Summit - West Point the United States Military Academy
- SECon - New York, NY
- BSidesLV - Las Vegas, NV
- DefCon - Las Vegas, NV
With all of those events now in the past, I wanted to offer some reflections on this bit of madness that I've recently experienced in a few themes.
Multi-Disciplinary Research is a Net Positive
Anybody who knows me understands that I am an avid study of many fields, including, but by no means limited to everything from economics and politics to Epidemiology and network theory to engineering, data science and information security of course. I have to put a disclaimer here that I'm a massive military and defense nerd, so there's certainly some bias here. But, I thought that the MORS Summit was far and away one of the best conferences I've ever attended. The briefings that I attended leveraged a data-driven approach to solving a variety of strategic and tactical problems, of course through a military lens. The amount of crossover to my day-to-day life, however, was amazing.
All of this left me asking the question, why do we frequently re-invent the wheel trying to figure out how to do things like portfolio management, procurement of the right long-term solutions, resiliency and contingency planning, etc.? There are far too many times when we're trying to solve the same problems as our peers in different sectors, yet we seem to think and believe that cyber security is a special snowflake, it's really not.
Security Talks are too Damned Tactical
I attended a lot of different presentations as part of my participation in all of these conferences, and I've fallen into this trap myself. However, I left a lot of talks thinking that there was too much work being done to both investigate and report back to the industry on extremely tactical issues where the lasting benefit was so short-lived. I can't help but believe that there is a better way to address this kind of information distillation where we can then focus on and debate the bigger issues that let us think past the "flavor of the month" style topics.
Favorite Talks and Topics
Some of the things that really jumped out at and excited me regarding presentations over the last few months are wrapped up into the following bullets:
- Something Wicked: Defensible Social Architecture in the context of Big Data, Behavioral Econ, Bot Hives, and Bad Actors
- Data visualization in security: Still home of the WOPR?
- Almost all the talks on war gaming and defense procurement that I attended at MORS
- IATC Cyber Crisis Simulation
- SE vs Predator
I wanted to give a special call out for the last linked talk here from Chris Hadnagy (@humanhacker). He put in a super human effort to get The Innocent Lives Foundation officially launched. Huge and well-deserved kudos!
Now that things have settled down a little bit for me, I look forward to getting back into a regular cadence of posts. If I could leave a single piece of advice, it's that you challenge yourself to consider whether your field's preferred approach is the right one for the job. Consider whether any abstract pieces could already have an answer from another place; stand on the shoulders of giants and stop re-inventing the wheel. Perhaps some examples applying this thinking to various roles in infosec might make for a useful future post!
Interested in following along? Follow this blog here.