The RSA Conference descended on San Francisco again this year. It attracts hordes of infosec people who wander the jumbled grid of vendor expo halls and attend sessions. For several years it has been preceded by the BSides SF conference, which is far smaller and far more focused on technical and practictioner tracks.
For several years, and this year in particular, the RSA keynotes have skewed mostly-to-almost-entirely male. BSides also skews this way, as do many conferences. RSA’s response to this situation evoked the mundane refrain that not enough diverse speakers were proposed or submitted by the keynote sponsors.
This prompted several people to challenge the assumption that speakers from under-represented groups are hard to find. Roughly five days later that challenge was transformed from an idea into the announcement of the OURSA conference. It promptly sold out in 12 hours.
The speakers weren’t essentialized to their identity or set forth only for their personal experience. Their experience and identity informed the security and privacy work they’ve been doing on a daily basis. It was that work, that context, and that perspective that was set forth throughout every presentation.
The format of the sessions contributed to both a focused message and enabling a variety of voices. Sessions were broken into roughly 15 minute blocks followed by a moderated panel of the speakers. The moderators continued that focus on message and brought out discussions that helped tie the presentations together.
Check out the recorded stream. It’s a long day of sessions, but it’s one well spent.
It’s a reminder that these groups exist, that they’ve been participants in infosec since the beginning. There are professionals with a voice working on important problems.
It’s a reminder that diversity enriches knowledge and points of view. Appsec, threat models, and privacy are enduring conference topics. Hearing them presented from different perspectives highlights important aspects that the usual lists and recommendations miss.
It’s a reminder that inclusivity requires action to build programs and that representation matters. Speaking in support of an effort isn’t as strong as having members of an under-represented population speak for themselves. Urging people to “just submit” to a conference where they may be unsure they’re welcome isn’t as strong as inviting people who can set the standard for technical content and presentation skills.
It’s refreshing to see how well a conference can be run — on schedule, high-information content, engaging speakers. It’s especially refreshing to see one that demonstrates how many of the familiar mantras of threat modeling, privacy, and appsec have failed to account for the context of underserved and vulnerable populations. Appsec and privacy need to raise the bar in terms of how they protect users and their data. To do so will require revisiting our understanding of these issues and how apps are or are not helping. What OURSA proved is that there are already people who understand this. Even better, they’re already working on solutions.
In a way, the OURSA conference shouldn’t be necessary. The speakers and their work should be visible in other conferences, as should speakers like them. The presentations were far more interesting that yet another discussion of weaponizing XSS or shallow commentary on why users make security impossible. The type of work they’re doing, applying appsec to vulnerable populations and pushing for more privacy engineering, makes for engaging content. And it pushes for ways of making infosec pick up more of the burden for crafting effective solutions.
I’m looking forward to 2019.