There’s a good reason why people often talk about the existence of an “information security echo chamber”. As a community, we’re really good at (over) communicating with those who already share our perspective on why a certain technology is doomed or exciting, or who already know to scoff quietly whenever a SQL injection vulnerability turns up in a tier-one vendor’s software. The common lexicon we share, the inside jokes, and the events where we see the same peers every couple of months further promote the idea that we should share, and share often, but only with each other and not with “outsiders”.
I don’t intend this to sound like security professionals are exclusionary, more that we don’t often stray outside of the comfort zone we’ve established. That’s a shame because the amount of knowledge we have to offer is immense, and the audiences that likely would gain the most from hearing that knowledge are probably never even at a security conference.
Take software developer conferences, for example. I’ve attended and spoken at quite a few over the past couple of years and noted that mine may be one of perhaps two presentations focused on security topics that benefit developers. Occasionally there will be an entire track dedicated to security, but I’ve also noted that the CFP submissions don’t fill the allotted slots. This is crazy, because at an “infosec” conference you could find a line out the door of talented engineers who are ready and able to explain exactly why that string you just passed to an exec method is in trouble.
Similarly, when’s the last time you as an information security professional attended a product design conference? For me, it’s never. That’s a huge problem, and something I plan to change, because the newest devices coming onto the market, especially under the banner of the “Internet of Things”, are easier to build than ever. There’s a great opportunity waiting for us to help educate the brilliant minds creating the products we are all going to want, and to shape the conversation so that security becomes a central focus rather than an afterthought.
It’s quite common to hear the disdain with which the information security community speaks of the people coding and building the products we all use, blaming them for failing to meet “obvious” security needs. However, when much of our community is only speaking to itself, it’s pretty easy to see where things are falling apart: between the knowledge we hold and the transfer of that knowledge to the people who actually need it.
The challenge, then, is to replace one of your usual speaking gigs this year with an event that doesn’t feature all of your friends on stage. Maybe that’s a local developer conference, a product design expo, or even a group like InfraGard. Plenty of intelligent people who are eager to learn more about security will be at these events and need to hear what you have to say about security. If a conference doesn’t offer a “security track”, discuss with them why that is and how you can help fill it with other speakers from the information security community.
By taking security education directly to the people who know the least about it and probably have the most to gain from hearing it, perhaps we can stop being so reactive and start building better, safer hardware and software the first time around.
Mark Stanislav | Duo Security | @markstanislav
Bio: Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, start-up, and corporate environments, primarily focused on Linux architecture, information security, and web application development.
Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.