The Summer Without A Cybersecurity Conference - Joe Uchill

Small crowd of well-dressed people looking at their mobile devices

“A lot of the best stories I’ve had coming out of Black Hat and DEF CON were ideas that only came up because of the setting. If I meet somebody for lunch, I can ask all the questions I already have, but you have to fill up another 15 minutes with idle chatter, and a lot of the best ideas come from the idle chatter, not what I go in there planning to talk about.”

– Joe Uchill, Cybersecurity Journalist

We are certainly living in extraordinary times as the globe continues to face the Coronavirus pandemic that upended nearly every aspect of our everyday lives from how we work to how we play. Companies have been forced to pivot, nearly overnight, to become remote workplaces.

This disruption is being felt in the cybersecurity industry. The Coronavirus has forced the organizers of Blackhat and DEFCON to go virtual this year – robbing vendors of the opportunity to show their products on the conference floor AND the chance to get valuable validation that comes with media coverage. A good story in top-tier publications and leading cybersecurity trades offers visibility and credibility. The summer conferences in Las Vegas provided companies that moment to reach dozens of journalists in just a few days. On its face, it would seem impossible to re-create that opportunity.

Furthermore, Gartner is estimating a $6.7 billion decrease across the globe in 2020 spending for security software and services as a result of the economic impact of the pandemic. This makes it even more critical to create impactful opportunities with potential customers.

So, what is there for a company to do to break from the pack and support sales via social, industry and business media? In a word, plenty.

Create Your Own Events – Partner with an influencer or reporter to host a Twitter Town Hall. Develop compelling webinars (30 – 45 mins long) that are issue and problem/solution-based. Content, Content, Content – Do your own research, analyze your data and use that to create compelling storylines and content that will help your customers and potential customers tackle their biggest challenges. Connect, Connect, Connect – Being “present” is more important than ever. Be creative and increase your interactions to reporters. Bring reporters information they can use and be a resource, not a nudge.

But, don’t take my word for it. I recently had the opportunity to speak with Joe Uchill, formerly of The Hill and Axios, to see what the changes in conferences means for him and other cybersecurity journalists.

A: When you heard the news they were done this year, what was your first thought about what the biggest loss of not having an in-person cybersecurity conference would be?

J: I’ve never lived in Silicon Valley, but whenever you hear people talk about living there, they always talk about how it’s this cross-pollination of ideas and you get everyone there together. A lot of things grow out of just having a community in the same place at the same time, even if everyone’s working on different things. I think that you lost that, even more than the conference itself, but losing the opportunity to have everyone in the same city at the same time is a loss to generating ideas. I assume for researchers it’ll be losing ideas for research. For being in journalism, it’s losing time to hear what people are working on and learn new things that weren’t on schedule (hallway-con kind of experience). 

A: What are the kinds of things that come from Blackhat and DEFCON? What are the opportunities you get at conferences?

J: I think it’s obviously a lot easier to build a personal relationship with people who don’t live in the same city as you if you get to meet them physically in person. With how spread out a lot of the industry is, I would never meet or see the people who work in companies working out of England or the West Coast with any regularity without conferences. A lot of the best stories I’ve had coming out of Blackhat and DEFCON were ideas that only came up because of the setting. If I meet somebody for lunch, I can ask all the questions I already have, but you have to fill up another 15 minutes with idle chatter, and a lot of the best ideas come from the idle chatter, not what I go in there planning to talk about. You lose that, that ability to see people spontaneously come up with ideas, interact with people who aren’t on your schedule. 

A: Do you think that for companies, researchers, non-profits, there’s a workaround to this? What’s the next six months look like?

J: Anything that gets people talking with researchers, even if it’s in an informal setting gets some of that back. Anyone is going to jump at any opportunity for human contact outside of their own. International developments are going to move at a different pace for one, because legislators aren’t going to be in the same building as much anymore, maybe more reports on general status updates on what people are seeing. Like a big book of things we’ve seen this week as opposed to waiting for a big event to occur. A list of what activity you’ve seen, if anything’s new, who’s being targeted, what the next initiative is going to be. Minor things are going to become bigger news, and we’re going to need to compile patterns between multiple sources as opposed to waiting. Journalists might need to take a more active role in discovering patterns than they have in the past.

A: It can force journalists to become cybersecurity researchers?

J: It can force them to parse together what’s going on from a number of different companies. It can force them to try to interpret events and sub-report kinds of information from different companies, things that wouldn’t normally rise to a press release into something that would be a story as opposed to working off of press releases. 

A: With 2020 being an election year, how do people like yourself get to some of those stories knowing that you won’t have that key opportunity to get all the experts in the same room at the same time?

J: It’s going to be a bigger problem for people who are not as dialed into election journalism. Sometimes you see the one story on election security a year, it’s the DEFCON Voting Village story on the evening news. That’s not going to be there anymore. But for people who are very plugged into how elections are run, there are tremendous security concerns with how this one-off, very weird year is going to work, whether it’s through mail-in ballots, which obviously the GOP is fairly certain will have some sort of security issues. There will probably be people bringing up concepts of online voting, which is generally not seen as secure by the cybersecurity community. There are going to be tremendous opportunities for things like disinformation since no one knows how they’re going to be voting in November. Some of the digital dirty tricks can come back into play. The digital equivalent of sending people mailers saying if you’re Republican, vote on Wednesday and if you’re Democrat, vote on Tuesday. One thing that cybersecurity is pretty consistent with is whenever there are major world events, it creates a bizarre array of new challenges, whether that’s people using terrorist attacks for phishing events or targeting the Olympics as a retaliatory measure from Russia. Major world events are a smoke screen for cyber events all the time, and so you imagine that the confluence of COVID and the elections is going to create something unique, even if it is something that we’re going to get from the DEFCON village people. To an extent, it might force everyone to do something more interesting. For the years that DEFCON villages have been around, we’ve seen a number of stories on how they had these new machines this year and they’ve been hacked. It might force some of the more mainstream sources to be more specific that “these things are insecure” to specific reasons and advance the story further than the things we’ve had in the past.