How to organize a security conference in COVID times
Planning an international conference with tens of speakers and hundreds of guests is difficult. Planning one in a World with a deadly pandemic ranging outside makes it even more… challenging. Here is how it went for us and some tips along the way.
Failing to prepare is preparing to fail
While it may sound obvious, the bigger the conference – the longer time you need to prepare. So, in our case, we start planning our next annual Security Summit on the week following the last one. The biggest upside is that we can work on the agenda and themes early enough to then secure the time of potential speakers. People are much likelier to show up and share their experiences if they have been asked to do so 6-9 months in advance.
Same applies to partners and guests. Since event tickets and travel may have to be paid out of a specific budget, the sooner visitor knows about it – the better.
Also, securing a good price on the venue is linked directly to how far in advance you are ready to commit to the event. Bigger places tend to plan their event schedule year(s) in advance, so getting the exact date you need is tricky.
This March though we had completely different planning thrown our way: how to move an event with so many moving pieces 4 months into the future. The answer was – retrace our steps and be prepared to run the event with as little preparation as possible.
Fixing the agenda
Regardless of our original plans, it was clear that we are going to lose some of the live speakers. Also, we had to acknowledge that the cybersecurity discussion focus has shifted completely. It was time for us to get back to the drawing board and see, how we can spend more time sharing information about security in lockdown and home-office security without making it boring.
Fortunately, many of our speakers, who happen to be CISOs and CSOs in their respective organizations. People like Liisa Past, Chief National Cyber Risk Officer of Estonia, and Jesse Wojtkowiak of PipeDrive have just spent the better part of summer dealing with these issues.
Key message – remote work is the new normal and regardless of the job specifics, you have to make sure that your employees are protected. Not just the VPN bit but also things like encryption of drives, device access control and, probably most importantly, email gateway and email protection.
Steve Rivers from ThreatQuotient delivered an excellent overview of SpearPhishing and the relative ease of being caught off guard by cybercriminals.
Another area, which had to be addressed in-depth was cloud security. Almost all of the companies we spoke to mentioned that they are (sometimes – begrudgingly) fast-forwarding their cloud migration plans. Something, which brings a completely new level of complexity to the cybersecurity landscape.
Your head in the clouds
We are used to the situation where team members, who are not very skilled in IT, consider IT security an unnecessary boon. Because nothing is ever going to happen to ME. It’s someone else who will be a target of a ransomware attack. The cloud though can cloud the judgement of even IT-savvy people. The sentiment here is “Microsoft, Amazon, Google etc can protect my data better than anyone. I don’t need to worry about security, as soon as we move everything up there”.
Well, the reality is quite different. And cloud security experts like Nir Zuk (Palo Alto Networks), Nicolas Fischbach (Forcepoint) and Nigel Hawthorn (McAfee) shared the way their companies see it: the cloud is potentially the biggest security risk we’ve seen to date.
The reason is quite simple: once the criminals get access to critical employee credentials, they have, potentially, access to your entire network. Simply because most people don’t bother with creating proper passwords and re-use the same ones over and over.
There are no magic bullets but having a proper cloud access security broker solution will get you quite far. And so will utilizing a Security Operations Centre (SOC).
WTF (what the future) holds?
By far the most popular session of the day has been a live demo of Cybers SOC. Or, more precisely, (ethical) hackers using technology and social engineering to gain access to victim’s systems and a SOC team with IBM qRadar fighting back.
We won’t spoil it for you, since you can see the entire 15-minute long presentation here, but let’s just say it involved Kali Linux, a phone call to a secretary and some creative usage of Dark Net.
Red team and SOC team demo
Also, during the following Q&A sessions with customers, SOC theme was quite popular alongside the eternal question: “Is our organization mature enough to implement SIEM and build a SOC?!” The answer to that question is of course highly dependent on each organization but we had Mikael Bjerkeland (Splunk) weight in on the topic alongside others.
One of the takeaways for many has been the fact that IT security maturity can be gradually built up by organizational measures, rather than by “dumping” money into hardware/software. Regular security assessments and audits, as well as penetration tests, can potentially give more effect than CAPEX spending.
The World outside the conference room
Actual physical safety had to be addressed as well. We ended up ordering a bunch of masks and sanitation supplies last minute and it did prove a logistical complication. Fortunately, both attendants and our partner were very open to the issue and forthcoming when it came to safe distance etc.
Additionally, because of COVID19, we ended up having more “m2/person” because we wanted a chance to spread the people out a little.
Another issue was that some of the partners from abroad couldn’t make it, which meant that we had to do extra “sales” training for some of our engineers to fill in the respective empty booths. Fortunately, the video streams worked as intended, so those, who couldn’t come from abroad, managed to watch the whole thing (and do presentations) online.
To be fair, of all the feedback, which we have received, the online component was the least “attractive”. Most of the visitors came for a chance to talk to other security people face-to-face and the digital option was not too exciting.
With that being said, I would still advise anyone planning a conference in the foreseeable future to include the online version as well. Otherwise, you might have to cancel the entirety of the event or postpone it time after time.
The conference coincided with a very difficult time and was by far the most difficult to arrange and manage to date. Yet, we are certain to do it again next year. Hopefully – in Spring. Do visit Security Summit website for videos, pictures and registration for 2021!