
Hollywood cybersecurity vs. Vegas cybersecurity

The cybersecurity we see in movies and TV often takes some creative license (we’re looking at you, CSI), but the stuff on stage in Vegas conferences can be just as far removed from the day-to-day practice of cybersecurity, too.

[Illustration: Matt Orlando/The Christian Science Monitor]

You can go one of two ways with depicting cybersecurity in movies and TV shows: you can depict it so seriously that every technical mistake generates an outraged howl from the infosec pros, or you can romanticize it so that it becomes a cult classic.

On the one side, you have the complaints about CSI: Cyber; on the other, you have every picture of Angelina Jolie on rollerblades. You have neuroalternative people with colored hair saying, “If I can just get into the mainframe … there!” and then you have people lining up at RSAC to have their picture taken with Rami Malek.

There’s Hollywood cybersecurity, but then there’s also Vegas cybersecurity. It’s the glitzy, glamorous showcase where all the people on stage are breaking systems in arcane but spectacular ways, getting on CNN, and handing out tactical schwag at vendor booths.

In Vegas cybersecurity, the few defenders who make it onto the panels are passionate, changing the world, and displaying wall-to-wall green dashboards. And needless to say, all the vendors are above average.

I hate to break this to you (actually, I can’t wait), but Vegas isn’t the real world any more than Hollywood is. And it does a tremendous disservice to the practitioners who can only line up for the talks — if they can afford to come to the conference at all — and take notes, hoping to convince their management to let them try just one more tool. “What did you learn at the conference?” “Well, as usual, I learned that we’re in deep trouble.”

Compare and contrast the key players:

                  Vegas cybersecurity     Real world cybersecurity
Adversary         RHINESTONE PANDA        Stuart the Auditor
Tool              MEGAPWN                 Microsoft Excel
Technique         Social engineering      Judicious use of Bcc:
Success           Bug bounty paid         Headcount approved
Signature move    Pivot                   Head on desk

Key Vegas cybersecurity scene

Researcher: … but the adversary made one fatal mistake in a rookie move and revealed their IP address, and then we had them! We couldn’t tell you the story until now because the FBI was busy mopping up. (*Adjusts martial arts black belt, accepts drinks invitation*)

•••

Real world cybersecurity scene

CISO: … so Pat will text me as soon as they call him out of the office and walk him over to HR, and then we can disable his AD account and go power down his desktop.

Junior Security Officer: Can I go with you?

CISO: Why? You’ve seen a power-down before.

JSO: I know, I just want to swap out my desk chair for his before anyone else gets to it.

•••

The trouble is, it takes a lot of work to make real-world cybersecurity exciting enough to put on a stage. And nobody wants to pay conference fees to hear about someone doing the same things they’re also doing at the office.

Over the past couple of years, a few conferences have been adding more defender tracks, and some newer conferences are popping up that are explicitly defender-focused. That’s all good progress.

But we also need to remember that when we glam up cybersecurity for show, we have to be careful not to send the message that the real world is just like that.

In Vegas, every product works perfectly, every enterprise has the skilled team that it needs, and it’s just a matter of getting that last puzzle piece into place for a magical security state to happen. Somewhere out there must be a finish line, if only we could cross it. The reality is less like a finish line and more like Grand Central Station.

Sometimes cybersecurity is exciting and it makes the headlines. Sometimes it’s very, very weird. But mostly it’s painstaking technical work mixed in with office politics.

To finish off the year, let’s tip our hats to the infosec outside of Hollywood and Vegas. Let’s toast to Hometown cybersecurity. May their dashboards be evergreen.



Source: https://www.csmonitor.com/World/Passcode/2017/0123/Hollywood-cybersecurity-vs.-Vegas-cybersecurity