(ISC)2 Congress

So I spent the last week at (ISC)2 second annual congress conference held in the city of brotherly love that is Philadelphia. Luckily or unluckily, I didn’t get to experience any brotherly love whilst there, which may be a good or bad thing – I’ll never know.

The conference is co-hosted with ASIS. By which I really mean that ASIS is very much the dominant conference, I heard it is in something like its 50^th year or so and has one of the biggest vendor halls I’ve ever been to. It really is humongous with a wide selection of physical security vendors ranging from CCTV cameras, gates, man-traps, trained dogs and drone tanks that seek out and defuse bombs. You can’t help but thinking a SIEM or firewall vendor would just pale in comparison if they tried to set up a stall. Although what was rather fun was watching some of “our” guys i.e. IT Security guys talking to some drone manufacturers about how secure their remote transmission protocols were and whether or not they could take control of their devices and to turn them against them. But that was the exhibition hall and a very interesting place to visit. It just goes to show, if you have a nice product with blinky lights that makes whizzing sounds, you don’t need no booth babes.

Onto the actual conference itself, and (ISC)2 has done a good job. Having been involved in BSides London when it started up a couple of years ago, I have an appreciation of how much work goes into this behind the scenes and how difficult it is to prepare and plan a conference especially in the early years whilst it’s establishing itself. This is where the partnership with ASIS has paid off, as a lot of the logistics were taken care of, allowing (ISC)2 to focus on the conference itself.

There were a number of tracks and I attended a fair few sessions which, by comparison were on par with any other conferences presentations. Sure, the talks were geared more towards the business and didn’t dive into the technical nitty gritty that you would find at a DefCon, but there were some very interesting perspectives shared. Of the sessions I did attend, the standout talk for me was “Solving the Cyber Security Hiring Crisis” by Winn Schwartau. The talk was based around ‘hiring the unhirable’ and provoked some great discussion and thought. The point can be distilled down to this; “we don’t have a security skills shortage, corporate bureaucracy that requires people to have degrees and certifications and no piercings or colored hair etc. are what keep some of the best talent away”.

But all of this got me thinking, what makes a good conference? I’ve been to a few over the last year, and I’ve formed the following thesis. A conference can be split into 3 core parts:

1. The attendees
2. The talks
3. The organizers and sponsors

I’ve put attendees top of the list because that’s the first thing I try to determine when I am going to a conference. Who are the people attending and what are they like – will I have anyone to have lunch with? Yes, nothing worries me more than having to grab a plate and sit on my own in the corner during the lunch break. But the social element is what makes conferences fun and helps you ignore a boring speaker as you simply turn it into a hallway con. I must say, the attendees at (ISC)2 congress came with zero ego. They were a slightly different crowd from your typical hacker con by which I mean there wasn’t much measuring of genitalia going on. Of course, one could say it lacked the passion that comes with heated debates, opposing viewpoints and all those kinds of fun and games that go along at a more fun conference. But that largely depends on personal preference and every style of conference will eventually develop their own charm.

Second comes the talks. Finding the right speakers who can talk at the right level for the audience is always a challenge for conference organizers in the infant years. It’s a bit of an organic process as attendees form their own view as to what the conference provides and what they can get out of it, whilst speakers also adapt to this. I’d give it another year or two and (ISC)2 congress will carve out its own identity and appeal.

Finally come the organizers and sponsors whom I’ve bundled together because collectively they create a lot of the personality of the conference. Without sponsors, DefCon would probably have no fun after party’s and cons like Bsides would never take place at all. But parties aside, there are a number of of interactions one gets at conferences where the organizers set the tone. Conferences like RSA or even Blackhat are kept quite corporate and the overall layout helps us form an opinion of who the organizers are and what they are wanting to achieve. At the local Bsides, we all know who the organizers are personally. We know they are security people themselves who are passionate about the community and want to contribute. So we generally bond with them, are grateful for the time and effort they put in for no monetary gain. On the other hand you have a conference like Infosec Europe, which is run by a marketing company; they can have the best talks lined up but we will walk away with generally no feeling of gratitude or sympathy towards the big faceless organization that is just doing its job.

Before attending (ISC)2 congress, I viewed (ISC)2 much the same way. A faceless organization that acted as a certification body, took AMF’s and not much else. I could only name one board member (Wim Remes) only because I was a strong advocate and voted for him to become elected last year. This year seemed to have seen a rise in (ISC)2 opposition, with Brian Martin of Attrition.org giving a presentation at DefCon (it was based on a talk by someone else whose name escapes me) entitled “Why you shouldn’t get a CISSP” and cumulated in Dave Lewis, Chris Nickerson, Boris Sverdlik and Scot Terban throwing their names in the hat to be elected as (ISC)2 board members. I affectionately dubbed them as the 4 Horsemen of the Infosec Apocalypse. Each of them have published their agenda as to what they want changed and how they want to change it and on a personal basis I have a lot of respect for all of these guys and any one (or all) of them being elected onto the board will be a positive change. If for nothing else, to bring a different perspective. However, even if they are unsuccessful, there are other ways in which the organization can be influenced. I’m a believer in the fact that one doesn’t need positional power in order to make a change – or maybe that’s just something people with no positional power say to make themselves feel better.

At (ISC)2 congress, I attended a town hall and a member reception through which I learnt a great deal more about the organization – which made me reflect upon what I knew and what I thought I knew. The biggest thing that dawned on me was that I had never really made much of an effort myself to find out more about the organization, what it does and what it doesn’t. I found out how the Common Body of Knowledge (CBK) is evolving and being updated and not so stuck in 2001 as I thought it was. I met with several of the board members, I became aware of how the organization is growing to be much more than a certification body, by reaching out to the community via local chapters or helping young professionals get on the career ladder and most important of all, I was very impressed by the (ISC)2 foundation that reaches out to the population at large. Providing security training and education to school children and providing education scholarships to those who need it most. At the member reception we got to hear first-hand from two recipients of (ISC)2 scholarships. Hearing their stories of overcoming hardships and how the scholarship really helped turn their life around even warmed my otherwise sub-zero heart.

Does this mean (ISC)2 is the perfect organization. Not by far. Do we still need fresh and dynamic personalities voted into the boardroom, absolutely. Are they an organization that is growing and on the right track, I believe so. Are there alternatives – absolutely, and I encourage people to actively research and look into all options. If you really aren’t getting any value from (ISC)2 and their certifications, I will be the first one to agree with you and advice walking away. It’s like a relationship that’s deteriorated over the years, you may remember how you once used to love your partner, but just don’t have those feelings any more – it makes more sense to walk away than subject yourself to the drama that comes with hobbling along like a tricycle with two flats.

I will say that I have walked away more willing to engage with (ISC)2 than before I went. I hope some of the 4 horsemen make it onto the board and improvements are made, there are far more bad guys out there than good guys and if we can work together to improve collectively. I’m not just referring to (ISC)2, but every organization at this point. Finger pointing is generally a futile activity, unless the finger is being pointed at someone with the surname of Evans… in which case, not only is it actively encouraged, but it is mandatory.

So am I an (ISC)2 fanboy now? Anyone who knows me will know that I  never have and never will make such a claim. Call me a cynic, but I don’t trust any organization on this planet. However, I have grown close to a lot of people who work there and have grown to respect them whilst considering many to be friends. Maybe I’m just getting emotional in my old age – but you can never have enough friends. I mean real friends, not Facebook friends.