Can you imagine having a conference intended to represent the Canadian IT security landscape and not having Symantec among the exhibitors? What about Microsoft? If you’re attending InfoSecurity Canada 2008, don’t bother looking for Bell Canada or RSA, either.
I almost didn’t notice the absence of these industry mainstays because the quality of the sessions themselves is pretty good. Much like SecTor, the upstart conference launched last year, InfoSecurity Canada seems to be gradually moving away from vendor-driven product launches and more towards education and training. Which is all good. But the overall lack of support (the only platinum sponsor is a consulting firm; McAfee’s a bronze) suggests these kinds of events may face a struggle for long-term survival.
The easy argument to make here is that security should not be divorced from the rest of the business. In one session I attended, a gentleman who works for a provincial agency said his managers prefer to outsource their IT security, and he wondered how the speaker at one of the sessions would suggest he change their attitude. “I have no easy answer for you,” the speaker said, going on to recommend that somehow the security experts need to get in front of the CEOs and other senior managers, instead of preaching to the converted at events like InfoSecurity Canada. This would be interesting. Imagine if a Symantec – or even better, a Winn Schwartau, who is speaking at InfoSecurity Canada tomorrow – were able to get in front of the annual Davos World Economic Forum? If the economic impact of IT security breaches is to be believed, it shouldn’t seem so unlikely.
Of course, there will always need to be some focused education, training and even product showcases directed at IT professionals, but maybe that should be rolled into more general business events as well. If you’re developing an application that interacts with customers and suppliers, you should be thinking about security. If you’re moving toward a service-oriented architecture, you’d better make sure the data moving across that SOA is well protected. IT security is obviously not a policy directed solely at end users but something that should be embedded in the corporate culture.
What’s ironic is that security at InfoSecurity is, in a word, pretty lax. As always I quickly removed my badge (it looked horrible with my suit) whenever I didn’t have to be on the show floor and had no problem accessing sessions. If I had merely wanted to learn what I could from the speakers at the event, I could just as easily have avoided registration altogether. What if a hacker did that?
As much as we like to talk about “the bad guys” as though they’re not in the room, they very well might be in the room. To call them “bad guys” at all implies they have the desperation of a hoodlum holding up a bank, when in fact they are often highly intelligent people who would be very inclined to pursue some training and development on how the “good guys” are trying to defend themselves. The future of InfoSecurity Canada, and security events in general, will be determined by how well they provide the kind of information we can’t afford to let the hackers find out about.