Every year, the security community gathers in Las Vegas for the BSidesLV, Black Hat and DEF CON conferences – aka Hacker Summer Camp. For the most part, the media continues to depict our community with stereotypical representations straight out of hacker stock photos. Each year these portrayals become further from reality due to the expansion and growth of the security community. From the Black Hat keynote to BSides Hire Ground to the Hewlett policy suite during DEF CON, a significant and exciting expansion is occurring. Below are three overarching themes that will hopefully continue to shape the community into the future.
The Lost Policymaker’s Guide to Hacker Summer Camp set the stage early by reaching out to policymakers to offer useful insights and tips for optimizing the week in Vegas. This outreach is essential and remains fundamental to bridging the gap between the policy community and the security community. It includes numerous tips that are useful to more than just policymakers. As the week went on, I found myself recommending it to more people new to the community.
BSidesLV has a phenomenal Hire Ground track aimed at professional development, and again reflected the growing diversity and expansion of the community. During this time, I was fortunate to volunteer for career coaching. I discussed the community and all of its opportunities with a range of professionals, including operators leaving or having just recently left the military, a woman transitioning mid-career into security, and a graduate who had won a scholarship to attend the week. Each of these distinct perspectives, and the excitement they bring, reflects the growing breadth of opportunities in our field.
Similarly, in my third year at the Diana Initiative—a conference for women, inclusion and diversity in information security—I’ve seen it grow from a hotel room to large conference rooms that sell out at capacity. On our panel alone, we represented a range of career opportunities from threat intel, to policy and plans, to detection and incident response. In addition to this great event, other villages and tracks, ranging from Queercon to VETCON, highlight the diversity and expansion of opportunities in the industry. With a workforce gap estimated in the millions, and the need for distinct perspectives required for securing our private and public sectors, the better we communicate the opportunities and impact individuals can make, and expand this outreach, the stronger we will be as a community and the better equipped we will be to promote security and privacy for everyone.
Dino Dai Zovi’s keynote – “Every Security Team is a Software Team Now” – kicked off Black Hat with an overarching emphasis on security as an enabler. He encouraged security professionals to focus on saying “Yes” more often by providing the necessary technical support and security tools to help organizations reap value from security. In some cases, this included introspective discussions of whether the shared security model is failing in light of recent cloud-based compromises. A prominent solution is the integration of security into the development process instead of acting as a negative bystander hindering business and innovation. This integration of security within development, and especially moving it left in the development process, was reiterated in several talks throughout the week. Whether you prefer the latest buzzword—DevSecOps—or security engineering, the growing importance of security as a crucial component within development is a growing and welcome trend.
Kelly Shortridge and Nicole Forsgren’s presentation further drove home this point but added a warning to the community: either get involved in development and be an enabler, or get left behind. These themes are not anomalies but reflect an essential evolution and imperative as organizations become more reliant on creating innovative ways to leverage software to provide value, which requires security as a core component. By looking beyond the buzzwords, this is a welcome and exciting movement away from the FUD rhetoric and toward real defensive solutions that provide both security and business value.
Finally, as an industry often defined by the dark arts and security by obscurity, there is a noticeably increasing openness and push for collaboration. These are core features of the hacker culture that are beginning to permeate both the private and public sectors. For example, the Hewlett Foundation’s policy track during DEF CON offered a unique opportunity and safe space for discussion for anyone interested in shaping policy. Dr. Nina Kollars of the Naval War College and I had the opportunity to address the growing market for hacking services and its implications at the Hewlett Foundation’s policy suite. These kinds of open discussions that bring people from all facets of the community are essential to ensuring policies support privacy and security without hindering innovation or stifling defenders.
In addition to open discussions, open applications also dominated the week. We had our own launch of the open Virtru Developer Hub, which includes software development kits and policy and key management to help developers easily integrate data protection into their applications. We hosted an event to hear how early adopters are already leveraging these tools across a variety of use cases, including secure development, detection and response, drones and streaming data, and compliance support for data protection regulations. Our privacy engineering challenge similarly reflects the collaboration and expansion of the community to innovate together and provide solutions to a range of security and privacy issues.
While these are all welcome trends, we are hopefully in the early stages of some significant changes that will produce impactful innovation in security and privacy. We are at an important inflection point in the evolution of the internet and data security and privacy. As a wide range of backgrounds continues to grow the community, and as security becomes integrated into the development process, the growing openness for collaboration and applications is certainly going to produce some exciting innovations that will shape the future of security and privacy online and off.
Clearly there is much more to be done, and certainly room for improvement; this will require persistent engagement from each of us to help ensure the evolution continues and to support these positive trends. I am encouraged by the outreach and growth of the community, which continues to grow while retaining the foundational characteristics that make it such a dynamic, open and impactful community.