Monday, May 14, 2012

A meandering rant on sexism.

This has been a bad year for technology.  Not necessarily for the business of technology (although it is very hard to discuss the current state of the tech and InfoSec biz without using the word “bubble”), but for the culture and future of tech.

I commented on the depressing “booth babe” situation at RSA in this year’s RSA wrap-up blog post; it is an ongoing embarrassment.  As I’ve said before, in the right contexts I have nothing against attractive people, fast cars, or other things normally used to sell cheap beer. I just don’t believe tech and security events are the correct contexts.  There are not very many women in tech, and that is not a simple problem to fully diagnose or correct.  There is plenty of blame to go around, starting with the way we market to and educate/brainwash young folks, but what we do inside tech industries is our responsibility and we have a lot to fix.

A couple of weeks ago I was at Infosecurity Europe in London.  It is very much like a somewhat smaller (but still big) RSA San Francisco event.  The attendees (at least from my perch in the Tenable booth) were much more likely to be customers seeking information on the latest products and services than attendees at RSA, which certainly gets a lot of customers- but is really a business-to-business event IMHO.  I had many great conversations with customers, prospects, and folks who just wanted to chat.  I’m looking forward to going back next year- but I’m working out my schedule so that I can get over to BSides London next time.  BUT, the booth babe phenomenon was a blight on Infosecurity Europe, too.  Probably worse than RSA.

Last week I was at InterOP Las Vegas.  It is a big networking show, with a healthy dose of cloud, and a touch of security.  I enjoyed the event, and hope to put together some thoughts about what “security” means to a non-security crowd.  Sadly, there were more “booth babes” than in years past.  Special dishonorable mention goes to WatchGuard for succumbing to the lure of the booth babe over technical innovation in a field they dominated a decade ago.

And then there was the Dell fiasco.  Dell had a partner event in Denmark and the moderator they hired for the day was, well, not moderate.  In a series of demeaning and sexist remarks following Michael Dell’s talk, Mads Christensen said some really inappropriate things.  The primary source of coverage is this post at Elektronista (if you are a sentient being, you’ll probably want to skip the comments), and Molly Wood has a good follow-up post on why we need to keep talking about women in tech.  Sadly, Dell has only apologized weakly thus far, and no actions appear to have been taken.  It looks like Christensen issued a non-apology (I’m sorry if you were offended…).  The ability to hire and retain good employees is critical to a company’s ability to execute, and with a dire shortage of candidates for many security and tech roles Dell’s mistake and subsequent inaction may cause them some HR pain.  Let’s hope it does.

And, not to be completely negative here, ExtraHop Networks gets credit for going in a different direction to draw attention to their booth.  And they are doing it because what they do works, not as a political statement.  “Because it works,” the excuse for using booth babes, is turned around here.  See this post at Network World for details and links.

As a reminder, I’m an old, white, heterosexual male with a great job.  I’m supposed to be part of the problem, not one of the voices ranting about it.  I can’t imagine my outrage if I were a woman trying to deal with the tech industry.  It is unacceptable.

By the way, I’ve been an “old boy” for a while now, and yet I have not received a single invitation to join any of the much-heralded Old Boys’ Clubs.  Perhaps I’ve done something to offend the Old Boys’ Clubs, such as not wanting this industry to be one.



Friday, May 4, 2012

Context matters

A recurring theme for me lately is explaining the significance of taking things in context.  When discussing vulnerabilities with people (I do this a lot working at Tenable), some folks don’t intuitively grasp that context is critical in translating a finding into usable and valuable information.

Let’s shift gears: a few weeks ago I was in Texas for BSidesAustin.  While I was there I picked up a couple of bumper stickers; this one’s my favorite:


(For those who don’t know, that’s a stylized flag of my home state of Texas, and Texas is always trying to secede from something).

What does this have to do with context?  Imagine this bumper sticker on the back of a Cadillac Escalade in Houston: there’s the stereotypical Texan sick of the meddling of the federal government and the liberal hatred of the Second Amendment.  Now, let’s picture the same sticker on the back of a Toyota Prius in Cambridge, Massachusetts: the sentiment is more likely “get rid of those ignorant hick psycho cowboys who are screwing up America”.  Context matters.

So, back to that vulnerability, opportunity, threat, bug, whatever it is you are contemplating.  You have to ask yourself “Is this on the back of a Houston Escalade, or a Cambridge Prius?”  Not literally, of course, and certainly not out loud; people would give you the kind of look I’m used to getting.  BUT, you do need to assess how the vulnerability is exposed and what mitigations are in place (or possible); how hard the threat may be to execute against your situation; whether there is a graceful failure mode if the opportunity turns out to be inopportune, etc.

Consequences of the action or situation are also part of the context; the world is full of unintended consequences, please limit your contribution to them.

I guess what I’m saying is don’t make decisions in a vacuum, because that would suck.