A friend of mine recently complained in Twitter that, according to his count, nearly 80% of all talks given at the security conferences he’d looked at recently were now non-technical. It might be in part because he’s @ramblinpeck on twitter, aka Daniel Peck, Research Scientist or something like that at Barracuda Networks. Which is my way of saying his idea of a technical talk might be a little more technical than many peoples’. But whether you’re at his level of technical expertise or mine, I think he’s got a valid point in saying that at most security conferences, the majority of the talks are less about the technical aspects of security and more about the philosophy or generalities of security. And that’s probably the way it should be.
Why should most talks be more about principles of security and less about the technical aspects of security? The first reason is that, with a few exceptions, the whole reason that conferences exist is to get butts in seats and to a place where vendors can get at them. Even community led events like the BSides movement are about getting people to attend and mingle, the goal is still to create an atmosphere that draws people into the event and around other like minded individuals. And many technical talks are counter to that goal, not in their content, but in who they pull in. For example, a talk about a bug in a compiler on a OS X box is great for the few individuals in the crowd of attendees who a) work on Apple b) are worried about bugs in compilers and c) have enough technical knowledge and interest to travel the distance to attend an event. But for the other 98% of the people interested in security who might be willing to travel to an event, they’ll take a look at the subject matter and decide it’s not for them. Finding the right audience for any deeply technical talk is an art form at best and in most cases is more closely akin to guesswork than anything resembling a science.
A second reason it’s hard to have technical talks at security conferences is because of the wide variety in skill levels attained by security professionals. I’m fairly smart, I’ve been in security for a long time and I understand at least the basics behind most of the technologies that make the Internet tick. There are even one or two aspects of security that I can do the deep geek dive with almost anyone. But when a talk is given that assumes a level of expertise that may not exist in more than a dozen people worldwide, I’m going to be left out and leave the talk annoyed and confused. Or worse, if a talk was advertised as being technical but I find out when I attend that it’s a primer level of technical and I already know most of what’s being presented, I’m going to be annoyed, probably vocally so, and tell people that the talk was mislabeled. It’s very hard, if not impossible, to create a presentation that captures multiple levels of technical background and it’s even harder to look at an abstract for a talk and decide what level of technical expertise it’s appropriate for. Which, again, makes it less likely that the talk will be selected for a conference.
The third, and possibly most important, reason we’re talking about the philosophy behind security more than the technology is that so many of the assumptions that have gone into building the technology are wrong! Security isn’t something that was designed into the Internet and corporate networks from the start, it was bolted on after, the cracks were spackled over and huge loads of duct tape were wrapped around the whole thing and it was called ‘secure’. Or, more often, security has simply been ignored as a cost center until a compromise happens and data is lost. Instead of building a cohesive, multilayered approach, we’ve built a collection of point solutions, few of which actually deliver on their promises and even fewer of which are properly configured to fully deliver what they’re capable of. Given some of the compromises we’ve seen over the last year, we have every reason to believe what we’re doing isn’t working.
We’re at a point where we need to re-examine the fundamental thinking that underlies how security works. It’s not an issue of flipping the evil bit off in a packet, it’s an issue of engineering a new set of solutions from the ground up. The technical aspects of these solutions will be vitally important, but unless we can understand the underlying assumptions we’ve made, we’re going to make the same mistakes again on an even larger scale.
Security professionals come in all levels of technical expertise, but all of us benefit from a better understanding the philosophy that underlies our decision making processes. I think that understanding where your decisions are coming from is even more important than the technical details of how those decisions are implemented. I’ve seen many technical decisions made that looked good in the short term, but led to dead ends both in terms of the technology and the opportunities that the decisions limited.
This is all my way of saying that I believe an 80/20 split of non-technical to technical talks is probably appropriate for most security conferences. The majority of people aren’t going to care about a specific technology because it simply doesn’t affect them directly. But so many of us want to understand the underlying foundations of our chosen field. It’s great to dig into the deeply geeky details of a protocol, but the vast majority of professionals will never need to do that for fun or for profit. But every person who works in the security field needs to understand the philosophy that goes into making security decisions at all levels.
PS. I’ll be giving a related talk, ‘Fundamental Flaws in Security Thinking’ at BSidesSF on Tuesday, February 28th at 1pm. Come tell me how I’m wrong.