- I am seeing the same people over and over
- These same folks are the ones who already "get it"
- Attendees vary by region (rarely do people get to travel too far)
- Those that I can't say get it are -really- clueless
- Some very basic concepts are still eluding many security conference attendees
- Attendee counts have dropped drastically
I recently spoke at SANS, and while it was a small niche conference on the left coast I think we had a pretty good turnout. My topic was pretty high level, speaking of the Web 2.0 dangers ("When Web 2.0 Attacks") and I could tell that some of the folks clearly got it - but what concerned me was that I could tell not everyone did. Specifically speaking my talk wasn't rocket science and I wasn't releasing any ninja code-fu 0-day, nor was I explaining how to write shellcode for embedded systems ... this was conceptual "Web 2.0" stuff... hrmm.
I also saw some of the same things I'm used to seeing: people falling asleep (seriously, why show up?), people yakking on their cell phones or thundering away on their iPhone or BlackBerry keyboards answering emails (again, why come?), and then there were the glazed-over faces which can only mean one thing: a serious clue deficit. I would break down the room like this: 30% got it (or they already knew it), 40% were being successfully woken up to the harsh realities, and the remaining 30% were absolutely lost. I welcome you to read through the slides, then answer this one question: "Was this something the average person should comprehend?"
If your answer is yes, then you're in my camp. You're wondering why people aren't getting it. If your answer is no, leave me a comment; I want to know where I failed.
Oddly enough, earlier tonight I had a great conversation with Jeremiah Grossman, and he reminded me of something someone had mentioned a while ago: there are no easy entries into web application security. Think about it. As Jeremiah put it, "If someone asked you right now what they should do to get into web application security, what would you answer?" I've been asked that question many, many, many times and I always have a really crappy answer... because I fear there are no good resources for beginners. I think that's a failure of those of us who get it. I think we're completely failing to educate others, and thus we're causing a serious lack of talent, and thus driving down the overall security posture all around.
Now, I get that some people simply can't travel due to the insane budget cuts hitting every industry, but that's really no excuse to be clueless. We shouldn't be (as Jeremiah put it) "eating our young"... but I'll let him expand on that in a post of his own.
I encourage those of you who are out there and "in the know" to reach out and teach. Help increase the collective IQ of the security fold... the more smart people we have, the better off we all are.