Hollywood Cyber vs. Vegas Cyber

You can go one of two ways with depicting cybersecurity in movies and TV shows: you can depict it so seriously that every technical mistake generates an outraged howl from the infosec pros, or you can romanticize it so that it becomes a cult classic. On the one side, you have the complaints about CSI:Cyber; on the other, you have every picture of Angelina Jolie on rollerblades. You have neuroalternative people with colored hair saying, “If I can just get into the mainframe … there!” and then you have people lining up at RSAC to have their picture taken with Rami Malek.

There’s Hollywood Cyber, but then there’s also Vegas Cyber. It’s the glitzy, glamorous showcase where all the people on stage are breaking systems in arcane but spectacular ways, getting on CNN, and handing out tactical schwag at vendor booths. In Vegas Cyber, the few defenders who make it onto the panels are passionate, changing the world, and displaying wall-to-wall green dashboards. And needless to say, all the vendors are Above Average.

I hate to break this to you (actually, I can’t wait), but Vegas isn’t the real world any more than Hollywood is. And it does a tremendous disservice to the practitioners who can only line up for the talks — if they can afford to come to the conference at all — and take notes, hoping to convince their management to let them try just one more tool. “What did you learn at the conference?” “Well, as usual, I learned that we’re in deep trouble.”

Compare and contrast the key players

                 Vegas Cyber          Real World Cyber
Adversary        RHINESTONE PANDA     Stuart the Auditor
Tool             MEGAPWN              Microsoft Excel
Technique        Social engineering   Judicious use of Bcc:
Success          Bug bounty paid      Headcount approved
Signature move   Pivot                Head on desk

Key Vegas Cyber scene:

Researcher: … but the adversary made one fatal mistake in a rookie move and revealed their IP address, and then we had them! We couldn’t tell you the story until now because the FBI was busy mopping up. (*Adjusts martial arts black belt, accepts drinks invitation*)

Key Real World Cyber scene:

CISO: … so Pat will text me as soon as they call him out of the office and walk him over to HR, and then we can disable his AD account and go power down his desktop.

Junior Security Officer: Can I go with you?

CISO: Why? You’ve seen a power-down before.

JSO: I know, I just want to swap out my desk chair for his before anyone else gets to it.

The trouble is, it takes a lot of work to make real-world cybersecurity exciting enough to put on a stage. And nobody wants to pay conference fees to hear about someone doing the same things they’re also doing at the office. Over the past couple of years, a few conferences have been adding more defender tracks, and some newer conferences are popping up that are explicitly defender-focused. That’s all good progress.

But we also need to remember that when we glam up cybersecurity for show, we have to be careful not to send the message that the real world is just like that. In Vegas, every product works perfectly, every enterprise has the skilled team that it needs, and it’s just a matter of getting that last puzzle piece into place for a magical security state to happen. Somewhere out there must be a finish line, if only we could cross it. The reality is less like a finish line and more like Grand Central Station.

Sometimes cybersecurity is exciting and it makes the headlines. Sometimes it’s very, very weird. But mostly it’s painstaking technical work mixed in with office politics. To finish off the year, let’s tip our hats to the infosec outside of Hollywood and Vegas. Let’s drink to Hometown Cyber. May their dashboards be evergreen.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
