I Might Actually Have Something to Talk About

Last post I set a goal to attend infosec meetups and whatnot throughout the DC area. I’m told NOVA Hackers is really good. Their rule forces participation and presentation. One cannot be a passive member of NOVA Hackers. So to attend, I need to present something, but I’m an infosec novice, so what do I have to offer? We’ll get there.

My Relationship with Authority

While trying to figure out what I’m going to talk about, I found a conflict bouncing around in my head. I like teaching. When I was a Lieutenant, one of the first things I did when I got a new platoon was teach them a class on encryption with special emphasis on very large number appreciation. It was fun, I was excited to engage with them and answer questions. Roughly 4 months later I gave a confirmation brief to my battalion commander before taking that platoon on a training exercise. I dreaded it, and slogged through it talking too fast and stumbling over words. The weird thing is that I was much more prepared for that confirmation brief than the encryption talk. I knew every minute of that exercise backwards and forwards, had planned until my eyes bled, and I had back-up in the form of my Company CO and Ops Chief. This is probably normal, it just seems weird.

It’s probably reasonable to assume that my relationship with authority is largely a product of my decade-and-a-half-so-far as a Marine. We tend to have pretty strict concepts of hierarchy. So I’ve established that I would rather teach a room full of my peers and/or subordinates than a room full of generals. Well, the issue is that in infosec, everyone is a general relative to me. Maybe this says something of my self-perception or maybe it’s just realistic, but I think I need to take some steps to get out of my own head on picking a topic and presenting it. Let’s say I pick a topic and give a talk. However it goes, what’s the worst possible outcome? Probably that I gave a boring and crappy talk and the group, whoever they may be, politely ignore me, ask no questions, and we all go about our day. A bit more abstractly, I would be perceived negatively by these folks. Ok, what’s the best outcome? The ideal option would be a topic and talk that is interesting and engaging and the group is intrigued and asks questions that I’m able to answer. The most realistic outcome is probably somewhere in the middle and the best thing I can do to avoid crashing and burning is to pick my topic well, make sure I’m prepared, and just kind of go for it. Though I’m a baby compared to the folks I’ll be speaking to when it comes to infosec experience and knowledge, I think there are unexplored avenues of the field that most don’t think of. For example, the mental health village at DerbyCon seemed to be a huge hit.

Alright Already, What Are You Talking About

Well, I’m not set in stone, but I do intelligence analysis for a living. I read a lot, form theses, and attempt to support them with evidence. So I can discuss logical argumentation but I can go outside of logic as well. Recalling courses in analysis, I can use the concepts of ethos/pathos/logos (credibility, emotion, logic) as a baseline and apply it to the difficult task of convincing users to adopt some semblance of security in their collective mindset. An example of phishing could be better than defining phishing. Getting the CEO or someone similarly credible to be the messenger might be better than getting it across in annual security training.

Obviously I have some development to do but this could work, right? Well, whatever, first goal met… and 13 days early.

Written on November 7, 2018