We sat down for a little Q&A with Michael Schell, organizer of the Innovate Pasadena Cybersecurity Meetup.
First, tell our readers a little bit about your meetup group — what is cyber security, and who should attend a cyber security meetup?
I would say the root of this particular cyber security meetup is to promote education and awareness without facing any particular scrutiny or ridicule for not being subject matter experts in cyber security. We encourage researchers and folks that are considered “white hats”, or folks that are just generally interested and curious about what’s going on in cyber security to attend the events, not only to network but also to ask questions… and there’s no question too stupid. We feel for most folks — even the most aggressive security people in the industry — that lack of education has actually been driving the success of the attacker and the adversary. Our goal is to reduce the mystery around what they’re doing because it’s not complicated. They’re really doing very basic things and we’ve reduced our opportunity cost so significantly that they’re making a killing off of our lack of education. What I mean by “they” are the attackers, state-sponsored adversaries, and organized crime.
Can you elaborate on “white hat” for our readers?
The difference between pen testing and hacking is permission. So a white hat has permission; an attacker or hacker has no permission. They’re doing it on the behest of someone else or some other organization that is funding their effort, meaning it’s illegal or most likely will be construed as illegal because they’re stealing. They’re either stealing access or they’re stealing intellectual property or they’re stealing data.
Your meetup page says that the core focus of the group is “not to share research or hack, but to provide a forum where like minded folks can discuss the impact cyber security has had on their business or person”. What drove you to start this group?
Most of the current cyber security groups focus on the delivery, fundamentals and execution of security, meaning hacking and risk mitigation. What I mean by that is, sharing research or educating practitioners and thought leaders has been primarily what attracts that specific audience. Unfortunately, laymen’s, executives’, and entrepreneurs’ cyber concerns are often not addressed. Our goal with the Innovate Pasadena Cyber Security Meetup is to promote conversation, and most importantly, remove the fear of asking questions. The biggest issue with cyber security is people, and their lack of awareness. Raising hackers’/attackers’ opportunity cost can be done with minimal education…and a few basic steps.
So true about awareness! As we become more dependent on connected technology in all aspects of our lives, security should be a priority — but it’s not really something that most people think about. How do you address those people and educate them?
That’s a good question. I think it’s oftentimes misunderstood in terms of what you can do as a person who does not have a computer science background or even an operational experience with technology. Cloud environments, deployment, how data is transferred, proper authentication, proper encryption mechanisms… all of that stuff is not important, really. What you’re really trying to do is defend yourself against the pickpocket — the smooth sleight-of-hand individual. That is essentially where security is moving into, and where the risk mostly lies is with the “stupids”.
The stupids are the folks that refuse to educate themselves or refuse to understand the risk; they’re refusing it because of fear: they feel like it’s too complicated for them to understand. I can tell you the liver or the heart or the kidney or the brain is far more sophisticated than any cyber security attack! People are going to WebMD to understand and educate themselves; they should apply this same level of desire to be educated to understand where the hucksters may lie. [You need to] understand that your Internet presence is essentially a front door to your bank accounts, your business, your family… the amount of information that folks are willingly and openly sharing is quite alarming. They should understand what risk they are assuming with those kinds of activities.
This meetup is designed to help the executives and entrepreneurs who are really trying to build a security program with their small businesses or their investment fund or their family. [To do so], you have to take steps to protect and transfer your risk accordingly. That’s what we’re designed to do at this meetup — to help folks understand and feel more empowered to take action without having to rely on IBM or Dell or Ernst & Young or the big consultants and law firms that you maybe can’t afford to hire. It’s much easier to mitigate and transfer that risk with thought leadership than it is with money.
What is the typical format for a Cybersecurity Meetup? How often do you meet?
Currently, we meet once a quarter. We have toyed with a few different formats: panel discussions, moderators. For our last event of the year we have three polished speakers who have a lot of credibility on the subject matter. We may move to monthly events but that might be a bit too much for folks to commit to [right now].
Can you describe what the process was like to form this group? As an Innovate Pasadena Meetup Creator, you had to go through certain steps to participate in the program — have you found that helpful?
The steps to start a group do require some amount of relationships and understanding of value for your audience. However, Innovate Pasadena and the volunteers are quite helpful in providing the resources to get the ball rolling. I would recommend speaking with a current Meetup Creator, and then meeting with Innovate Pasadena volunteer staff to design the appropriate meetup. You want to avoid redundancy, appeal to a specific target audience, and most importantly, create desire.
You’ve had a full slate of events in 2016 — any favorite moments or tidbits of insight you could share with our readers?
I feel the first event was quite impressive due to the turnout, and engagement from the audience. As always, the favorite moments are the happy hour in which folks can relax a bit, and meet new people before we get to work.
What do you think was the most notable breach of 2016? Do you have any thoughts on what big concerns or trends we might be facing in 2017?
Google it! It’s so played out in the industry, it’s cliche. This is a question that often comes up; everybody is hacked! [FireEye President] Kevin Mandia pointed out that there are two kinds of companies: those that have been attacked by hackers and those that don’t yet know they have been attacked by hackers. So looking at the most glorified or detrimental or damaging attack for 2016 is like talking about the first step of the Parthenon: no one remembers that but they’ll remember the last step. We’re so far away from that right now it’s going to be a while before we get there.
The Cybersecurity Meetup is coming up on its 1-year anniversary! Can you share what’s in store for 2017?
We are very excited for 2017. We are planning on bringing in some heavy hitters for speaking engagements as well as possibly gaining larger sponsorship from the community to help make the events much more fun and valuable. We also have ambitions to turn this event into a highly engaging party/conference, drawing on the support of the Pasadena community and our sponsors to help promote cyber security and networking. You can never know too many security professionals.
Now that you’re a veteran organizer, what advice would you give to someone who wants to start a meetup?
My advice is to form a volunteer team who is committed to the long term. It’s a lot of heavy lifting at first, but with the right team and right leadership, it can be highly engaging and rewarding to the Meetup Creators. It’s a great way to hone your networking skills and at the same time expand your horizons.