So while I was at some conferences over the past couple of months, I had an awesome idea while sitting in a panel about data breaches, especially notification. While streaming conferences is pretty awesome for most content, I keep thinking that as an industry we need the exact opposite: a track of the conference that is completely off-the-record.
Here in DC when we do smaller training sessions, we invoke the Chatham House Rule. That is, the discussion is for non-attribution. There are several reasons behind this:
- You don’t have to worry (too much, anyway) about vendors in attendance selling you something
- It won’t end up in the press
- It gets real information to people instead of things that are “fit for public consumption”
My local area has a hackers association (No linkie, if you have minimal skill you can find it) that meets to talk about mostly technical stuff and what folks are working on. I find that more and more often when I do a talk there I do it “Off the Record” for a wide variety of reasons:
- I don’t want the attackers to get more effective
- I have half-baked ideas where I want/need feedback on if they are completely off-base
- The subject matter is in a legal gray area and I’m not a lawyer
- I talk “on the record” all day every day about the same things
- I can “test-drive” presentation material to see how it works
- I can show nuts and bolts
So, the point of all this is that maybe we need to start having more frank discussions about what the bad guys are doing “in the wild” if we want to stop them, and that involves talking with peers from other companies inside the same industry to see what they are getting hit with.
Chatham House Rule photo by markhillary.