I learned a lot from IST's Winnipeg Expo 2005
Written by Gordon Fecyk, 10/1/2005
Gord Wong of Information Security Technology, Incorporated, along with his senior conference organizers, challenged attendees to "not learn anything" during his conference. He offered refunds to those attendees who could meet that challenge.
No, I didn't try to hold him to his promise. But I did share what I learned with him. What follows is a letter I wrote to him two days after the conference. This copy contains corrections to his original letter.
Dear Mister Wong:
Thank-you for allowing me to represent my company at the IST Security Expo in Winnipeg. Thanks also for challenging me to try to "not learn anything" and offer a refund if this were the case -- admittedly, I forget exactly if that was you, Keith Olsen, or another who made that offer. I'm happy to say I won't have to take you up on that.
I would, however, like to share with you what I learned on that day.
Overall, I learned that while the methodologies have changed, the overall thinking has not. McAfee wants to look for known vulnerabilities after the fact instead of known viruses after the fact. Your own firm's staff wants to blame Microsoft and Delphi for providing the programming tools that malware writers use. Ironport wants us to believe e-mail is "broken," when in fact it's doing exactly what it was designed to do -- anyone who attended the IETF-marid conference in 2004 would have learned that. Blue Coat claims Java is a threat, yet after ten years we haven't seen a single Java-based threat. Finally, computer security firms continue to use anecdotes and "what-ifs" to justify their jobs and products without any hard quotable data. They like to cite the Michelle Delios and Russ Coopers of the IT industry, even after their own firms call them on their lack of quotable sources. By the way, Computer Economics, Incorporated doesn't count as a quotable source.
That's not to say I wasted my eighty bucks. I expect to benefit from products provided by Air Magnet and LURHQ, whom I wouldn't have known about without attending your conference. I don't blame IST as a company for this shallow thinking. However, you risk losing your audience by continuing to let your sponsors do this.
As computer security professionals, we're exposed to this hysteria daily. We already know what Symantec's Threat Report says -- it's our job to know this -- so we don't need to have it quoted during half of a Keynote speech. We want to know about your sponsors' products and services so we can reduce or eliminate the damage. Personally, I'm more interested in prevention, not so much detection, and I'm interested in metrics so I can determine trends and plan for upgrades. You can sell security products and services to security professionals without resorting to fearmongering, anecdotes and "what-ifs."
You can sell to computer security critics too. For example, Mr Cooke was grateful for my "heckling" during his first speech, as, "it keeps [him] honest." I made an effort to speak with every speaker after each session, first to clarify vague points and to verify sources of data, and second to point out questionable parts of the speech. While I might have offended one or two non-speaking attendees, each speaker expressed gratitude for my comments and a desire to be more accurate. I believe they were effectively "put on notice" to expect criticism in the future and I believe that will result in better presentations. We need more criticism in this industry because clients are asking us questions that we can't answer, and because certain "unethical" speakers are making us look bad.
I hope IST hosts more conferences in the area, and invites more security firms, security professionals, and security critics to those conferences. I look forward to attending the next conference to see what awaits us.
By the way, I forgot who won the Sony Playstation 2 you gave away, but I hope he didn't come away from the conference worrying about Playstation 2 viruses. Those boxes can connect to the Internet, you know!
Thanks again for an entertaining and informative show.
Recently Edited Categories:
All trademarks are property of their respective owners.