I recently attended the Rocky Mountain Information Security Conference (RMISC), a rather impressive and unique gathering that prompted several relevant notions.
First, about the conference. Looking around the room, I saw about 1000 attendees. This conference is in its 10th year, and was started by the Denver chapters of two Information Security associations: the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA). While it may have started small, there is nothing small about two local chapters holding a conference of about 1000 attendees.
What brings so many attendees to a conference held by local chapters? It seems there are at least two drivers: a large community of practitioners in security in the area, and a strong program. While the greater Denver area has a lot of companies and professionals working in Information Security, the profession is a critical contributor on many hot topics in engineering and society. Further, this conference brought some important names in InfoSec to the keynotes: John McAfee, Gene Spafford, Dave Cullinane, and Chris Wysopal. The technical content was sound as well, with four sessions in eight tracks, so 32 separate presentations by researchers and practitioners, ranging from use case experiences to emerging concerns in InfoSec.
But there were several points of note that struck me while attending this conference.
- Reliability and InfoSec are more than kindred spirits: the reliability community should have been at the forefront of InfoSec, and should have driven its progression, but it’s not too late to help. I say this because so much of what was discussed at this conference, by the keynote presenters and the contributed presentations alike, was almost the same as the thoughts I saw being discussed a few decades ago in reliability. And many of the techniques used to mitigate InfoSec issues are adopted from the same tools born out of the reliability community. We’ve seen this happen time and time again, of course. The general skills of reliability are adopted by a context and profession that needs these skills, and adopts them as its own. Unfortunately, the reliability experts aren’t always coming along to help speed the development and share the knowledge. I witnessed a large room of practitioners discuss ways to capture risk sources in a risk assessment framework that was no different than an FMECA. But the discussion was about the mechanics of what works, and an experienced reliability engineer could have provided the answer before the question even came up, well before the first attempt to capture risk in an InfoSec context.
- When corporations truly need a skill set, and see clearly the value contributed to their business by that skill set, they hire a skill set in large enough numbers to support a community. Denver and InfoSec is a clear example. How did that happen? Where was the tipping point? And how can the reliability community learn from it, or from our own examples? While members of the IEEE Reliability Society may clearly see that reliability is the mechanism for developing research into marketable products, and generally engineering better, it is rare to see any local community with a large number of researchers or professionals who see themselves as working in reliability. There is a disconnect somewhere.
- Local chapters can do big things, like hold a quality conference with 1000 attendees. It takes a strong community to do that, with corporate sponsors, and relevant program content. But it can be done, and done well. RMISC is a great example of that. Knowing what is possible, how do we help our local chapters take steps toward that level of growth?
One idea seems to be common among these points: partnerships. As we recognize the market for our capabilities is broad, and interdisciplinary, we can spread value more widely, and grow in very important ways. I would like to find ways for the Society to do more outreach to other disciplines, and support local chapters in expanding their horizons as well. By finding opportunities to add value outside our immediate disciplines, we spread knowledge, add value, and grow the community. While it can be done at all levels of interaction, it has to be done locally.