Recently I went to the New York Metro Joint Cyber Security Conference. Overall the content was good, the speakers were of high quality, the venue itself was nice, it was a good atmosphere, etc. Overall it was informative and worthwhile.

However, there was one talk in particular by Timothy Singletary of Peraton that missed the mark completely. In my opinion, it had all the components of a talk that represents exactly the message we should not be spreading.

The Talk Itself.

Almost the entire presentation was “fear mongering” and “doom and gloom”. I’m not sure exactly what the presenter was trying to accomplish, but he was pointing out many of the common clichés: disturbing things on the Dark Web, recent hacks, finding mass security issues with Shodan, everything is broken, etc.

Without getting into details, there were some factual and technical errors throughout the presentation. The speaker was clearly against using any form of social media and at one point stated “I have better things to do with my time than use social media” as if it was below him.

The speaker went on a mini rant that he overheard some folks in a doctor’s office using a shared password of Password1. He mentioned his wife had to forcibly pull him away from intervening.

The speaker was an advocate of all user data from social media, email, and other “cloud providers” being made readily available to law enforcement with no regard for privacy. Of course he mentioned the common fallacy of “I’ve got nothing to hide”.

Towards the end of the presentation, the speaker spent a few minutes showing a news clip of a successful police raid in which his company apparently helped law enforcement with technical aspects of an investigation. I always enjoy seeing a success story among all of the issues and hacks we always see in the news, but it came off more like he was patting himself on the back.

In the last minute or so, the speaker finally had a slide on call to action. Unfortunately the advice was literally “Stop whining”.

The speaker used up his entire allotted time, so there was no time for questions or comments. I was planning on engaging the speaker with some questions like “Do you think ‘don’t use social media’ is realistic for everyday people?” or “Have you considered the implications to our privacy of law enforcement having access to personal data en masse?”

My Opinion.

In an increasingly interconnected and online world, we as security professionals and advocates need to come up with practical solutions for everyday users, not belittle or make fun of them. We are not “better” than people who don’t understand security or the implications of the technology they may be using. We are just more exposed to it because it’s our day job.

An everyday person should not be expected to understand the complexity of technology. “Don’t use Social Media” or “don’t put your data in the cloud” is not only terrible advice but it also shows a gross misunderstanding of the problems we are trying to solve today.

We need to understand how people are using technology, and work within those parameters. If you don’t know how everyday people or your employees are using technology, you probably don’t have any hope in securing them or your organization.

Many companies, including some of the conference’s sponsors (Microsoft), have worked very hard to turn the tide and keep people using their technology as safe as possible, without putting the onus and responsibility on them. I commend them for taking this approach because I believe it to be the best path forward.

As a security advocate, I found the talk to be embarrassing.

As a user of technology, I found the talk to be misguided at best.

Conclusion.

We all know there are plenty of complex technology and security problems that need to be solved. We don’t need you to spend an hour pointing them out to us (again). When you are giving a presentation to a room full of “career” Security folks, this generic “doom and gloom” is probably not news to anyone.

A talk should always have a real “call to action” for the audience. What can you start doing, or do differently to solve these problems?

Privacy is an important aspect of security that often gets lost for what some consider “the greater good”. Security Advocates should be spreading a message of increased privacy instead of spreading a message that effectively erodes it.

Instead of telling people “not to use cloud”, let’s try to hold companies that hold our data to a higher standard and hold them accountable.

If a security “solution” places additional burden on the end user, it’s probably not a very good solution.
