Category: Conferences

My opinion of my first Gartner event in my 23+ year long career

I’m sitting here in the beautiful Gaylord National Resort and Convention Center in Washington D.C., nice and comfortable as I look out over the cool little “town” they built inside this gargantuan building. While I enjoy the artificial scenery, I am also thinking about the week I just spent at the Gartner Security and Risk Management Summit that was held here at the Gaylord (it’s wrapping up now). And frankly, it kinda surprises me to think that this was my first Gartner event. I have been in the IT and Security industry since 1994, and this is my first one. Maybe it’s because RSA, BlackHat, HouSecCon, DerbyCon, and BSides events have been my focus because most of my friends are there (and because I spend a lot of time organizing HouSecCon). Maybe I view those as more meaningful as far as security tech goes (RSA might not fit in that category for some). But I think it is more likely because, over the years, I have often joined with others in viewing the analyst business with disdain (I’ve expressed some negative views over my career). I have only recently (in comparison to the rest of my career) started working for vendors. So combine that with some of my somewhat – but not overly – harsh opinions on analysts in the past, and I think it kinda makes sense why this is my first one.

Saying all of that, I’d like to list out some quick impressions:

1. I found it to be a generally good event. Very well organized. Some of the sessions had some great info, though the ones I saw were mostly on trends versus anything hard-hitting. That is the nature of the analyst business, so that is fine. As a vendor, the info can be very helpful.

2. Almost all the talks were succinct and not laced with “here are my credentials and why I am awesome”. Some might chalk that up to the arrogance of analysts, but I found it refreshing in comparison to some of the talks I have attended in other conferences. Look, you’re up there talking. I will pretty much assume you’re knowledgeable in your field. I will judge your talk almost completely on the content of the talk, not on how long you’ve been working or your certs.

3. Every talk I saw was well laid out and logical and ended with either time to spare or right on time. Gartner has trained their folks well.

4. You don’t go to these talks for entertainment. You go for information. I can enjoy a good talk where someone is keeping me laughing, but I value a talk that gives me the information I am looking for and gets it done.

5. The information was valuable. That doesn’t mean you take the analyst’s word as gospel. In fact, there were numerous points with which I disagreed. It does mean you use it as a data point to make a decision (which is what Gartner and other analyst firms are there for).

6. The 1-on-1 meetings I had with analysts were very helpful. This is the first time I have worked directly with analysts as a vendor representative, and I was impacted by the difference in those talks. But my main point is that the analysts were all very… human. They weren’t stodgy or impersonal. The talks were enjoyable and professional.

7. The 1-on-1s were kind of like speed-dating. I’ve heard numerous people make that comparison as I have started learning this new area, and it is very true. Get in there, see if you like them, see if they like you, make a future appointment to meet again if the talk went well so you can get to know each other better, then go meet your next potential relationship.

8. Gartner analysts seem to fall into very well-defined lines as to what areas of the industry they cover. It seems to follow the OSI stack verbatim in many cases, and that makes sense for the sake of organization. The problem is that my new employer (Alert Logic) doesn’t fall neatly in those lines. So we often find ourselves talking to a bunch of different analysts to get full coverage. Not necessarily a bad thing, but it can mean even MORE meetings than the typical vendor has to go through. It will be interesting to see that unfold in the next few months.

So, that’s it. If you’ve been in the industry a while and have done a bunch of Gartner/analyst events, this is all probably old hat for you. Hopefully others find it helpful when making decisions on whether to go or not (as a vendor or just an attendee).

New talk – The Solution vs The Silver Bullet

I have developed a new presentation that I gave for the first time yesterday at the Texas Technology Summit in Houston. The title and synopsis are below.

Title: The Solution vs The Silver Bullet (or InfoSec Industry != InfoSec Practice)

Synopsis: The information security industry and information security practice are two concepts that should not be confused. The industry is for making money. The practice is for securing your organization. While the two certainly overlap on a Venn Diagram, there are large areas where never the two shall meet. The infosec practitioner needs to know how to discern where the practice stops and the industry starts. Otherwise, the Silver Bullet mentality will take over, and the practice becomes unmanageable. Join Michael on this talk to discover how to start down the path of discernment. Michael will give practical ideas on dodging the Silver Bullet cycle or getting out of it if you are there already.

The Texas Technology Summit is more of a general IT show with a good amount of security focus. I picked that venue for this talk because I wanted to test the talk first on that kind of general crowd. I wanted to see if it resonated with folks who might have security as a part of their job, but not be solely focused on security. Turns out that it did. I had great feedback that addressing security as a complex system rather than a checklist helped them with their approach to building a security program. I also talked about determining your organization’s current and desired security maturity levels, and using that data to help make decisions. That was also very well received.

I did have a couple of people at the show who are straight security professionals who I know and respect. They were very positive about the talk as well. So now I am going to try it on a security-focused crowd at NAISG DFW next week. We’ll see how it goes there. I may do a bit of tweaking between now and then, but overall I am happy with the talk. I’ll post a recording if I get one while I am there.