As I sit down to write this I do so just a few days after stepping off the plane from RSA Conference in San Francisco, and mere weeks away from Infosecurity Europe in London, 05-07 June.
These are, of course, two of the biggest events in the information security conference arena – two of the three shows (I’m throwing Black Hat USA into the mix too) that, for me, form the backbone of the annual cybersecurity calendar, with what seems like an endless litany of other great events sprinkled on top.
Tens of thousands of us attend these events all over the world, and we all come away with different things. They’re an opportunity to learn, share, network, grab swag, make money, etc. As a reporting journalist, my main objective is to attend as many of the various talks and sessions on offer as my time allows, deciphering them and quickly turning around pieces of content for our readers to enjoy. That’s something I love doing, and I’m passionate about the process. That said, the experience can sometimes feel like a mixed bag for me personally.
Before I divulge why, it’s worth explaining that I tend to categorize the conference sessions into two types. The first are the information security-focused sessions that chiefly explore a wide range of industry topics and talking points. These are mainly given by infosec experts and professionals, who live and breathe the industry.
Then there’s the slightly different but less frequent non-technical keynote sessions; the ones featuring ‘big-name’ speakers that often open or close an event or day and who, whilst often successful, experienced and learned individuals, are very often not cybersecurity experts and do not come from that background. They tend therefore to reflect more on personal experiences or give honest opinions.
I regularly find myself leaving the first type feeling satisfied that I’ve got enough for a decent infosec story, that I’ve been reasonably informed about something or that I found whatever I had just listened to interesting enough to have made sitting through it worthwhile. Rarely do I leave particularly inspired, stirred or even slightly emotional.
However, I have felt like that several times when I’ve walked out of the lecture theatre after a talk by a non-technical, often non-industry personality. There was an example of this at RSA 2018 when I listened to social activist and writer Monica Lewinsky address thousands of conference visitors in her keynote session, The Price of Shame.
"Never disregard a session just because the speaker doesn’t come from an information security background"
Lewinsky spoke candidly about her own personal experiences of online public shaming and assessed the current online culture of humiliation. She presented the audience with a hard-hitting video demonstrating how, as a society online, we either turn a blind eye to, or participate, in the type of depredation and bullying that would shock us in the physical world. Many of the problems we have, she continued, stem from a compassion deficit and empathy crisis on the internet that can only be put right by changing our own behaviors and beliefs. She only spoke for 25 minutes, but there were members of the audience in tears and visibly moved – I’d never seen that at a security conference before. Lewinsky is certainly no security expert, but it was probably one of the most impactful talks I have ever seen: it had relevance, it had purpose and it had an effect, and I walked away with her message reverberating in my mind.
Lewinsky is just one example. I’ve also been lucky enough to see Professor Brian Cox discuss how quantum theories can be applied to the storage of information and computing, and at Infosecurity Europe, I witnessed Lord Hague of Richmond give a political perspective on citizens’ right to privacy and explorer Levison Wood reflect on embracing risk.
My point is, sometimes eyebrows can be raised at cybersecurity conferences when we take a look at a speaking lineup and see that some of the keynote sessions feature individuals who may be well-known or even household names, but in reality, know very little about our industry. I’ve been in the queue for keynote sessions and heard people say things like “why are they speaking here?,” or “what do they know?” and “security keynotes should be for security experts only.”
I couldn’t disagree more. I actually believe these types of keynote sessions and speakers are crucially important to infosec conferences. They can offer a brief respite from what can be a quite full-on schedule of purely industry-focused chat, but most importantly they can provide an outsider’s honest, refreshing perception of our industry, and ultimately remind us that there are always things we can learn from other sectors and other people’s experiences.
I’d also argue there’s definitely a lot that some of our industry talkers can learn from speakers who may not be particularly versed in our sector or knowledgeable about all of its ins and outs, but have real valuable stories to share and know how to connect with an audience on a more personal level – after all, that’s how you really get a message across and get it to resonate outside the lecture theatre.
In a few weeks’ time, thousands of us will come together once again under London Olympia’s famous glass roof for Infosecurity Europe 2018, and many will be able to benefit from three days of fantastic content. My message for attendees is this; enjoy the security and industry-focused sessions, they are full of information and are terrific learning opportunities, but never disregard a session just because the speaker doesn’t come from an information security background, or assume that because they’re not a pro in the field, they have nothing to offer an audience that is full of them.