Spurred on by a conversation with Just Bressers (http://sobersecurity.blogspot.com/ and @joshbressers on twitter), when I mentioned the usefulness of grass roots, local information security user groups like richSEC and conferences like RVASec , he posed the following question:
How do we leverage this to solve hard problems now?
This is a good question, and is at the same time really easy to answer and infinitely complex to implement. Before you shout shenanigans, hear me out for a second.
We’ll start with the easy answer. Look at how localized groups and meetups have helped spread the word about technologies, ideas, and concepts. LUGs (Linux Users Groups) for example have been the go to place for learning new tips and tricks, share ideas, and network with others who are interested in the same thing… Linux. Fast forward to modern day where there seems to be a meetup or group for just about everything. OpenStack meetups, Python User Groups (PUGs), Java User Groups (JUGs), the list goes on. These groups are successful by and large due to a handful of reasons:
- Sponsorship: One of the biggest determination that I have seen to help ensure success is the ability to provide a steady location suited for both in-depth discussion as well as tomfoolery. (free food and beer doesn’t hurt attendance either)
- A dedicated and motivated core staff. While I’m largely an absentee member of the richSEC community now-a-days, the core group has stayed consistent. It’s like a second full-time job ensuring there are presenters/speakers/sponsors for the meetings and to muster attendance. Every month. Without fail. (Looking at you Sullo, Nick, and Jake!)
- Local professionals willing to take a few hours out of their personal time to meet with other professionals and talk about what they’re doing, how they’re doing it, and how we can do it better together.
See? Not so hard right?
This is where it gets far more complex. Especially when you talk about infosec. This is such a broad and deep topic, that it’s nearly impossible to touch every single aspect of whatever infosec means to you (while mercury is in retrograde and the moon is half waxing….) So why bother right? I’ll tell you why. I say this at the onset of every_single_talk I give. “We are ALL ultimately responsible for security!” From the level one support guy, to the systems admin to the CEO. This is where the small, local, community based meetups and groups help. They may not give us all the answers, but they can help us think differently. Think more strategically. It could empower us to make suggestions. Speak up. If you’re lucky enough to work for a company that actually values what their employees think, and you bring data to back up your assertions, we can all affect change. It’s this personal, face-to-face interactions that bolsters confidence. Helps the learning and passing of information. You’ll always have those who are not “people” people. But the world of infosec is changing and needs to open up to those who are not traditionally “infosec” people.
So how do we solve the hard problems today? By doing what the industry does with their computing needs. Create a massively distributed network of groups that freely share information and ideas as well as bolster connections on a personal level. Engage in a healthy debate of ideas and ensure those ideas trickle up. Get out of your caves and talk to people, because solving problems, especially the big ones cannot and MUST not be done in a vacuum or in a sterile environment of extremely like minded individuals. Take the anonymity away that is IRC and forums and put your ideas to the test.