Conferences and the Wider Security Ecosystem Culture - Toxic or Not?
Updated: Oct 27, 2021
This could be part of another whole series on the curse of binary thinking, so please read this in that tone. In other words, I’m trying to be nuanced.
There is a constant stream of commentary across various media about the toxic culture of information security conferences, of the security community on Twitter and other social venues, and of the general lack of support for newcomers and for diversity in all its forms. This is usually directed at various "hacker" forums and some of the main "cons" and similar events. I don’t typically attend those things in person, preferring to consume the output separately, so I can’t comment personally. But I’ve no reason to disbelieve what is said to have happened at some of these events, and that is, of course, terrible and needs to be eliminated.
What I do want to say, though, is that this toxic culture is not all of InfoSec. Yes, it might seem that way to people who only circulate in that part of the community - and, to be fair, that might be the only part of the community they get to participate in, which makes it all the more deplorable that it is toxic at so many levels. But the wider community, while by no means perfect, is a lot more nurturing of newcomers and of people's career development. It is also making some progress (although nowhere near enough yet) in actively supporting diversity, equity and inclusion.
This wider community is typically found in what you might call the corporate blue-team ecosystem of private and public sector defenders. Many of these people do this work with as much passion as any other part of the field. There are also plenty of people who consider this simply a job - a job they probably excel at and deeply care about, but still a job that doesn’t define their identity.
This wider culture is full of CISOs and highly professional security leaders and their teams at major public and private sector organizations (again, nuance: this might not be universally true, but from what I’ve seen and have been told it is improving steadily). These organizations partner with each other and with a wider community to share and help each other. They do this directly, and they do this through organizations that facilitate it. In doing so they increasingly strive to nurture newcomers and share career development techniques, not just because it's the right thing to do but because it is also important to their mission. Many of the people in these teams spend time in the community and give back to the profession, and for the most part they are not presenting at the more public "cons" (like Black Hat, DEF CON, or even RSA) but rather in industry-specific groups and associations or other events.
Here are some of those gatherings (and this is absolutely not in any way exhaustive):
Professional societies like the ACM, IEEE, BCS, CIISec and many others.
Accreditation and training associations like ISACA and the International Information System Security Certification Consortium ((ISC)²).
Corporate professional / executive sharing groups like the World50 group and some of its sub-groups such as Security50, Risk50 and so on.
Large technology companies' CISO and related customer advisory boards.
Conferences and sharing fora associated with research organizations like Gartner and Forrester. One of my favorite conferences was the Burton Group event (Burton Group was subsequently acquired by Gartner).
Information-security-specific multi-sector organizations like the ISF and I-4, both of which were absolutely crucial in my development as a security leader over two decades.
The growing set of developer-driven and open source conferences, like KubeCon, which have substantial security tracks and offer many development and community opportunities.
Newer conferences that bridge academia and defensive techniques, like the truly awesome Enigma Conference, where significant corporate sponsorships fund attendance for many people from under-represented communities.
Practitioner-oriented research conferences which, while academically focused, are very inclusive and accessible to professionals of all levels. The Workshop on the Economics of Information Security (WEIS) is a great example of this.
Not-for-profit standards-setting organizations like the Cloud Security Alliance and the Center for Internet Security, which not only do great work but also offer multiple ways for people at all levels to apprentice in the wider community.
And, last but absolutely not least, the shared defense / information sharing organizations like the many ISACs and ISAOs, some of which, like FS-ISAC (the Financial Services ISAC), span decades, have thousands of member organizations and contribute to the career development, sharing and professional growth of tens of thousands of InfoSec professionals.
Bottom line: there are fundamental problems with parts of the InfoSec community which need to be dealt with. But there are also very positive elements of InfoSec culture, especially in the wider public and private sector blue-team ecosystem - in particular with respect to bringing on newcomers and supporting career development. Yes, huge strides still need to be made (and I’m sure there are pockets of terribleness in places I’m not even aware of), especially on diversity and inclusion. We shouldn't ever diminish what still needs to be done, but it's also worth acknowledging what has been done, so that we can use those things, and those elements of good progress, as examples to amplify so that they increasingly crowd out and quash the bad.