Observations From Corncon X


I got to spend the end of last week at Corncon X in beautiful downtown Davenport, Iowa. It was my first time at this event, and it was the first time in years that I visited a conference as just an attendee. I've been a vendor at these things for the past 10+ years, and after a few hours of booth duty per day (few being a relative term), and dealing with "business as usual" at the same time, I've had little time and less desire to actually attend sessions regularly.

Obviously I've been missing out. A lot. Let me just hit you with some of the highlights of my experience as a regular (not VIP) attendee.

The Conversation Was Different

I'm used to conventions that focus on technical conversations - and there were those - but a huge percentage of the presentations were focused on people. Burnout. Stress. Culture. Sure, there were technical tracks, and there was a lock-picking space. But I was impressed with the number of talks that were outside of that focus. AI was a hot topic, with some hot takes mixed in with some thoughtful content.

It was also different as an attendee. I wasn't boring myself with the same pitch conversation over and over. I wasn't a slave to the badge scanner. I was talking to speakers. I was just talking to peers. Learning, networking, and none of it forced by a sales conversation. What a different experience.

The Venue Was Fine

No, it wasn't a Vegas mega-casino and convention center. But it also wasn't the basement of a convention center where the vendors were lucky to get tables in a hallway and the AC was a swamp cooler. It was fairly Goldilocks - just right. Sure, some things could have been a bit better, but parking wasn't miles away, the hotel was attached but separate, and the AC worked - especially for those who brought layers.

Much of this was because the organizers chose well. They didn't choose the swanky location, they chose the practical one. They didn't invite hundreds of competing vendors to cover costs, they kept costs manageable (and didn't try to make obscene profits from the event the way some VARs have been known to do of late <cough, cough>) and it worked.

I Had Valuable Takeaways From Every Session

I'm not going to pretend that every presenter should have their own TED Talk recorded, but every session I attended had valuable takeaways for me. Here are some of the most important I'd like to share.

Kate Goldman connected the dots between the federal report on Microsoft's lack of "cybersecurity culture," and deficits in our current approach. In short, we spend less than 5% of our cybersecurity spend on culture (and what we do spend it on is basically phishing training) while between 60 and 90% of cybersecurity events have a human component to them - that's a cultural problem if ever there was one.

Paige Hanson reminded us that while we're trying to get Mom and Dad to not click on the link in that SMS message, the biggest financial fraud impacting individuals is still check washing. Yes, the "low tech" stuff is still a big deal.

Rich Greenberg reminded me (during a period of unemployment) that I need to take risks and move outside of my comfort zone to keep moving forward. Chris Roberts reminded us to celebrate the small things since it makes the big things easier.

Rob Labbe pointed out that incident response plans need to include human factors, like mandatory downtime, burnout monitoring, and the expectation that multiple incidents may happen at the same time.

Steve Shelton shared practical advice on detecting burnout in ourselves and our peers, and some exercises to temporarily help while longer-term fixes are being worked through.

Professor Gene Spafford illustrated how ad-hoc our industry really is, and the need for some fundamental, unambiguous definitions and other building blocks for measurement and communication.

Shafia Zubair and Chris Johnson provided some practical advice for working through AI deployment and usage that is already happening in our environments.

Ira Winkler reminded us to use our influence for good - and to beware shyster cybersecurity influencers.

Shad Roberts made me understand why any small to medium business should be reaching out to CISA for assistance with their security programs. (Seriously, talk to them; you've already paid for their assistance via taxes.)

My Next Conference

I have no idea what my next conference will be. But I know it won't be one of the "big" ones. It will be a local conference. It will involve driving there, not flying. Who knows, maybe I'll have something interesting to present as well.

If you're interested in an experience like this, and you're not sure where to find one, check out InfoSecMap and InfoSec Conferences for ideas.