Once a year, Las Vegas becomes the home of some of the most technically proficient security practitioners on the planet. Adjacent to these attendees are a smattering of would-be “black-hats” and “Feds” (albeit fewer with sequestration).
Caesar’s Palace becomes the hosting site for this annual pilgrimage for five days, starting with hands-on training sessions and later transitioning to formal briefings.
From its initial days of inception, it has evolved into the who’s who of cyber security, warranting keynote speakers like former Deputy Secretary Jane Lute and, most recently, General Keith Alexander, head of CYBERCOM.
Many pieces have been and will continue to be written on this conference but I would like to present a perspective, which “hopefully” also adds value to you as the reader. When I transitioned from local law enforcement to the private sector, I did so because I had an interest in computer crime and the notion of targeting a one-to-many crime versus a one-to-one crime appealed to me.
While I am a man with flaws like any of us, ingratitude is not one of them. I was very fortunate to cut my teeth in cyber with the X-Force guys back in the days of the original Internet Security Systems (ISS) in Atlanta. By having exposure to some of the very best and brightest, it explicitly added value to my professional development and career achievements.
Additionally, what I was able to take away from my first BlackHat and subsequently Defcon experiences back in 2002 added high value as well. If it were not for ISS sending me, I probably would have never gone on my own. Granted, if you are a “conventional” person groomed by law enforcement, these events are anything but conventional.
They are, however, highly dynamic and thought-provoking. While I admit I was probably pegged from day one during “Spot the Fed”, I greatly appreciated the fact that in many instances, a general interest and demonstrated academic knowledge or proficiency opened many discussions with those who are technologically superior to my level of knowledge.
Over the years, I have traveled to Sin City in July, subjected to 100+-degree weather, several times. Before last week, my last attendance was in 2009, and not by choice, but rather by job description. Over the years, my career progressed from an analyst providing daily reports to an array of cyber stakeholders to now being a Director of a professional services program within an employee-owned company.
While some articles I have read on BlackHat and Defcon this year ranged from General Alexander’s keynote address to highlights from specific track sessions, one thing that is overlooked is, well, “the participants”. While I pride myself on understanding this industry very well, I can state without hesitation that being away four years has an impact, and not a positive one.
As with any profession, usually career progression means more money, more authority and greater responsibility. However, once a certain threshold is obtained, individuals seem to lose touch, reality, perspective (you choose) with what is really going on in the cyber risk landscape as well as the cyber market space.
This was made evident to me this year when I had no clue who probably 98% of the attendees were, and vice versa. For an industry as large as ours is, the transitory, ever-evolving landscape of practitioners changes faster than potentially any other industry out there.
I am the first to admit I am not a programmer. Never claimed to be and this fact was branded into my brain while attempting to learn VB6 and integrating it with an Oracle 8i OODBC connection. Yes, I realize I am showing my age and at that time in my life, people shooting at me when I was a cop was preferable, but my point is to demonstrate that you do not have to be a technical guru to extract value from BlackHat and Defcon.
This year, many track sessions were of great interest to me that enabled growth in my knowledge on vectors of attack with newer techniques contradicting legacy models of defense, legal issues associated with cyber security test and evaluations, or if I want to learn how to turn my boss’s phone into a remote listening device (providing he plays Angry Birds).
So to my industry colleagues who are Director or higher, I submit to each of you that whatever you think you bring to the table, it will be greatly improved upon by retaining grass-roots exposure to the hacking/security communities. A hacker does not care what Gartner analysts define as the Magic Quadrant, nor do they care about budgetary statistics for commercial and government verticals.
Conversely, unless you clearly understand what is in fact happening in the world that directly influences the risk landscape for cyber, your lack of, or inability to obtain, actionable data handicaps your position in this industry.
At this stage of my life, I sometimes struggle to understand how I went from Mirandizing a crack dealer to asking a potential customer, “Are we looking at best value or LPTA?” Where I will never struggle is seeing the value in BlackHat and Defcon. It continues to raise awareness and facilitate meaningful dialogues in track sessions as well as evening parties hosted by the usual cadres of sponsors.
If you think you have reached a point in your career where attending such events is passé, evaluate how much more value you can add to your company or your customer if you have cutting-edge knowledge from first-hand exposure that others have to read about and will still only get half the story.
Just as General Alexander spoke about his desire to have the audience help the NSA devise ways to improve what the government does, I am highly appreciative and grateful to those attendees who make it a point to share their individual or collective knowledge to further advance this field of expertise, enhance our security postures and lower our risk.
About the Author: Carter Schoenberg has more than 19 years of combined law enforcement, cyber intelligence and cyber security experience. Starting his professional career in law enforcement as a homicide detective, Carter moved into the private sector working with the ISS X-Force on daily threat and reconnaissance reports for the ISAC community and DHS. After leaving ISS, Carter worked with the Motorola Security Services Division, spearheading a new method of assessing risk by evaluating the actual costs of security events. In 2010, Carter acted as the lead Information Systems Security Officer for the US Immigration and Customs Enforcement (ICE) Cyber Crimes Center before taking on his current role as the Technical Director for CALIBRE Systems’ Cyber Security Services, in addition to teaching cybercrime, terrorism and white collar crime at the undergraduate level. He has authored several white papers on cyber risk and litigation and is an accomplished speaker at events like SecureWorld Expo, ISSA and InfoSEC World; in September, he will be speaking at the ISC2 Security Congress.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.