Modern field guide to security and privacy

Hollywood cybersecurity vs. Vegas cybersecurity

The cybersecurity we see in movies and TV often takes some creative license (we’re looking at you, CSI), but the stuff on stage at Vegas conferences can be just as far removed from the day-to-day practice of cybersecurity.

You can go one of two ways with depicting cybersecurity in movies and TV shows: you can depict it so seriously that every technical mistake generates an outraged howl from the infosec pros, or you can romanticize it so that it becomes a cult classic.

On the one side, you have the complaints about CSI: Cyber; on the other, you have every picture of Angelina Jolie on rollerblades. You have neuroalternative people with colored hair saying, “If I can just get into the mainframe … there!” and then you have people lining up at RSAC to have their picture taken with Rami Malek.

There’s Hollywood cybersecurity, but then there’s also Vegas cybersecurity. It’s the glitzy, glamorous showcase where all the people on stage are breaking systems in arcane but spectacular ways, getting on CNN, and handing out tactical schwag at vendor booths.

In Vegas cybersecurity, the few defenders who make it onto the panels are passionate, changing the world, and displaying wall-to-wall green dashboards. And needless to say, all the vendors are above average.

I hate to break this to you (actually, I can’t wait), but Vegas isn’t the real world any more than Hollywood is. And it does a tremendous disservice to the practitioners who can only line up for the talks — if they can afford to come to the conference at all — and take notes, hoping to convince their management to let them try just one more tool. “What did you learn at the conference?” “Well, as usual, I learned that we’re in deep trouble.”

Compare and contrast the key players:

| | Vegas cybersecurity | Real world cybersecurity |
|---|---|---|
| Adversary | RHINESTONE PANDA | Stuart the Auditor |
| Tool | MEGAPWN | Microsoft Excel |
| Technique | Social engineering | Judicious use of Bcc: |
| Success | Bug bounty paid | Headcount approved |
| Signature move | Pivot | Head on desk |

Key Vegas cybersecurity scene

Researcher: … but the adversary made one fatal mistake in a rookie move and revealed their IP address, and then we had them! We couldn’t tell you the story until now because the FBI was busy mopping up. (*Adjusts martial arts black belt, accepts drinks invitation*)

•••

Real world cybersecurity scene

CISO: … so Pat will text me as soon as they call him out of the office and walk him over to HR, and then we can disable his AD account and go power down his desktop.

Junior Security Officer: Can I go with you?

CISO: Why? You’ve seen a power-down before.

JSO: I know, I just want to swap out my desk chair for his before anyone else gets to it.

•••

The trouble is, it takes a lot of work to make real-world cybersecurity exciting enough to put on a stage. And nobody wants to pay conference fees to hear about someone doing the same things they’re also doing at the office.

Over the past couple of years, a few conferences have been adding more defender tracks, and some newer conferences are popping up that are explicitly defender-focused. That’s all good progress.

But we also need to remember that when we glam up cybersecurity for show, we have to be careful not to send the message that the real world is just like that.

In Vegas, every product works perfectly, every enterprise has the skilled team that it needs, and it’s just a matter of getting that last puzzle piece into place for a magical security state to happen. Somewhere out there must be a finish line, if only we could cross it. The reality is less like a finish line and more like Grand Central Station.

Sometimes cybersecurity is exciting and it makes the headlines. Sometimes it’s very, very weird. But mostly it’s painstaking technical work mixed in with office politics.

To finish off the year, let’s tip our hats to the infosec outside of Hollywood and Vegas. Let’s toast to Hometown cybersecurity. May their dashboards be evergreen.
