EXPEL BLOG

Back in Black (Hat): Black Hat USA 2022ーDay 1 Recap

· 4 MIN READ · ANDY RODGER · AUG 11, 2022 · TAGS: Company news

Black Hat is more than a collection of successful events held around the world; it’s a community. And if you needed a reminder of that fact, Black Hat USA 2022 will shake those cobwebs free! While Black Hat did hold its 2021 event at Mandalay Bay in Las Vegas, this year brings more people, more exhibitors, and more energy.

From the moment Jeff Moss, founder of Black Hat, took the stage during the first keynote, community has been a common thread throughout the presentations. Moss kicked things off noting that 2022 marks the 25th year of Black Hat USA, and brought the crowd back in time to the conference’s humble origins. At that time, Moss simply reached out to folks in his network to see if they’d want to speak. (Did you know that he considered calling the event “The Network Security Conference”?) Over the last quarter-century, the community of security practitioners has grown right alongside the expanding threat landscape.

Until recently, Moss had thought there were three “teams” when it came to cybersecurity: Team Rule of Law, Team Undecided, and Team Authoritarian. Some teams were following the rules, others were limiting access to information, and there were even a few more somewhere in the middle. But now he sees a new team: a community of super-empowered individuals and organizations. These were people much like the attendees of Black Hat, who take action to right the wrongs in the world. For example, Moss noted how some companies simply stopped doing business with Russian companies in the wake of the Ukraine invasion. Some turned off access by Russian companies to their services and others shut down their websites. He used this example to remind attendees that this community has a significant influence in the world.

Following Moss was Chris Krebs of the Krebs Stamos Group, and former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Krebs spoke about his time “wandering the wilderness” over the past few years, and talking to people in and outside the U.S. across a range of roles about their security challenges and concerns. He kept hearing three questions:

  • Why is it so bad right now?
  • What do you mean it’s going to get worse?
  • What can we do about it?

These aren’t easy questions to answer, but he sees the solution in this community of people who have the ability to make positive changes based on its principles. Krebs covered a lot of ground during his roughly 45 minutes on stage, but if there was a single takeaway, it’s that he holds a lot of hope for cybersecurity and its role in improving the world.

Black Hat explores those huge macro issues, but it also looks at smaller ones, too—the ones that practitioners face day-in and day-out to better protect their organizations. Kyle Tobener led a session on taking a “harm reduction” approach to cybersecurity best practices. Did you know that most organizations’ security teams employ a “use reduction” approach to security best practices? To quote the Five Man Electrical Band song “Signs”: Do this, don’t do that, can’t you read the signs?

Tobener argued that simply telling people what to do isn’t effective. In fact, he shared research that showed how this approach can have the opposite effect. He instead advocates for harm reduction, a commonly used approach in healthcare. Harm reduction offers a set of practical strategies and ideas aimed at reducing the negative consequences associated with various human behaviors. It focuses on the outcomes, not the original behaviors. His advice? Remove “don’t do that” from your vocabulary. Replace it with, “Try not to do that, but if you do, then here are some ways to be safe.”

Adam Shostack of Shostack and Associates took the stage virtually in his session titled, “A Fully Trained Jedi You Are Not.” Shostack pointed out that while the Star Wars movies usually focused on the Jedi and their contribution to the rebellion, non-Jedi characters made huge contributions. He emphasized that the field of cybersecurity needs people of all different skill sets and experience levels, and the field isn’t limited to Jedi-level cybersecurity masters. Instead he shared that a mix of more targeted training and education combined with an effort to “shift left” (incorporating security into the development process) can solve a lot of cybersecurity issues and better support developers and security personnel alike. After all, it takes more than Jedi knights for a successful rebellion.

Burnout can have a major impact on cybersecurity professionals. Stacy Thayer, Ph.D., knows this all too well, and shared her knowledge on the topic in her session, “Trying to be Everything to Everyone: Let’s Talk About Burnout.” A number of factors contribute to burnout in cybersecurity. Dr. Thayer named a few:

  • High levels of mental workload
  • Anticipating cyber-attacks
  • A shortage in staffing and an increase in workload
  • A struggle to find one’s place within the organization
  • Work is often not appreciated in the organization

Dr. Thayer says that the usual advice for dealing with burnout is completely ineffective. Take a vacation? Sure! I’ll just have more work waiting for me when I get back. Go to the gym? Okay, I feel like absolute garbage but sure let’s get on the treadmill! Stop caring so much? Not possible!

According to Dr. Thayer, the more that you learn about yourself and your relationship with burnout and your hidden triggers, the better you’ll be at managing it.

These are just a few of the topics that presenters covered on day one of the event. Presenters and attendees shared so much more in sessions and on the business hall floor, but if there’s anything that’s obvious about Black Hat USA 2022, it’s that the community here is alive and well, and poised for great things.