Vendor conferences and webinars:
Yesterday many of you who might read my ravings saw my Twitter feed explode with rage over a vendor-sponsored conference I attended on the “Target Hack”. The invitation to this meeting, local to me… well, an hour away that is, promised new and interesting information on the Target case, and I decided to attend in hopes that there would be some inside info. What I got instead was a chance to listen to the meanderings on the 2nd Amendment by Asa Hutchinson and the community college version of X-Force’s state of the hack.
The finale though was the talk on the Target hack, which was prefaced with “Everything I am going to talk about today is open source and from the news”… really now, this is your inside information that you said would be given? What followed was a description of information you could get by reading the news reports and, in particular, Brian Krebs’ blog on the subject. This was nothing like that which I had been led to believe was on offer, and it made my bile rise, as you may have seen. It was a giant time suck and really should only have been on offer for those who hadn’t a clue about the hack. In fact, this may well have been useful were you an executive without a clue. Which I am not.
A proposal for a ratings system:
I left the conference after IBM had done their dog and pony show on Target with a headache and a real distaste for all things vendor. I know, this is the norm for the bulk of the people in this business but it made me start thinking on the hour drive home. Perhaps in a perfect world we could have a ratings system for these meetings. If we were to be completely efficacious we could craft a way to denote the level of information being given and those best suited to attend. I know this is likely a pipe dream but I just have to toss this out there.
While I was completely bored and enraged by the conference yesterday, it did have its merits for someone who had no clue about the Target hack. Chris Poulin did a fair job at describing the events that were in the news and in the blogs, and I believe a lay person (exec) would have learned at least something from it. So could we perhaps work with vendors to get a ratings system, as well as maybe work with them to inform our managements in an efficacious way? I know, I may be dreaming a bit here and sound like a Cavalry Unicorn, but hey, maybe an aneurysm from yesterday made me more open to the idea.
All I am really saying is that if we want to be better at getting our execs to understand some things perhaps we need to control our vendors a bit more and get them to actually be useful to us instead of just hawking bad data and wares. Perhaps the reality is we as security professionals need to look at all of these vendor offerings and choose which ones can be trusted to be at least somewhat informative and worth going to for our management. A simple rating system would be very helpful, let’s say a 1 for n00bs, 2 for intermediate people and a 3 for technical and competent people?
Please? Pretty please?
The community wants better communication? Start reining these guys in:
I guess what I am saying is that with all of the hubbub over Cavalry and “doing better” I would suggest we first start working with vendors’ offerings. Let’s cut the bullshit right out and start getting our managements to offerings that will actually help them comprehend the job they are supposed to be doing. Perhaps that only really means not letting them attend anything from a vendor at all, huh? Perhaps these are all just in reality boondoggles (which, incidentally, I feel security conferences are today anyway) that need to be avoided like the plague.
Maybe there is no winning here… I feel the rage returning, which is the prelude to the apathy again, turn, turn, turn. Look, we all complain every day about management’s lack of comprehension, so if we are going to fix that, perhaps strictly monitoring their vendor conference attendance is a good start. As for us, well, we need to continue to be jaded about these calls, webinars and meetings accordingly. If yesterday was any indication for X-Force, then I need to start pulling away from anything they put out there. I cited it in a tweet, but I have no idea how they put <1% attack traffic on Aerospace and Defense in their slide. Perhaps that datum might speak more to their lack of penetration and usefulness in the space though… hmmm…
I guess in the end the words to live by are “Caveat Emptor Stupid!”