Industry Observations

InfoSec Europe Wrapup

It took an hour for my mind to catch up to my experience when a member of the House of Lords stopped by the WhiteHat Security booth at InfoSec Europe in London a few weeks back. I read the organization name on his badge when he stopped to talk to me. “House of Lords.” But it didn’t quite click. Here was a nice, easygoing, casually dressed, late-middle-aged man with a round nose and loose, slightly unkempt brown hair, smiling and joking about how the kids were going to fight over the little WhiteHat-branded fold-up multi-tool we were giving away to visitors at our booth. He didn’t really seem like he had much interest in our actual technology, so I scanned his badge and exchanged a few words and he went on his way.

That’s how these trade shows work: everyone has some freebie to give away in an attempt to get the attention of passersby, often enough just for long enough to scan their badge and capture their information for a leads database. Our marketing and events team, led by Kim Gerton, does a great job of bringing things that are actually useful. I had some fellow come by in the afternoon asking if we had any more of the flashlights we’d given out at an earlier show; he loved his so much that he wanted a spare in case it ever died. Another gentleman came by towards the end of the day and during our conversation mentioned that a hacking event at another booth wouldn’t have come off without the tool we were giving away today. Someone had installed the hard drive on the machine wrong and there were half a dozen software guys trying to figure out what to do and not one screwdriver among them.

For me, as a Product Manager, a conference like this is a rare opportunity to speak with potential and current customers I don’t usually encounter. Obviously the CIO who dropped by to ask “Do you do static analysis?” Yes. “Does it do Java?” Yeah. “Great, here’s my card. Have your sales people get in touch with me” is a rather desirable visitor, as was the one sent over by a colleague who told him we’d be a great fit to hear about the details of our service in a sit-down session. For me, however, it’s more exciting to talk to people uncertain about whether WhiteHat is a good fit.

Whether it was the keynotes that focused on security best practices and budget management, the release at InfoSec Europe of the 2013 Cyber Security Breaches Survey, or simply the growing awareness and interest, there was a lot of interest from attendees in how WhiteHat’s offering worked. The Cyber Security Survey, a UK government study, is an interesting read and highlights the need for comprehensive Web Application Security programs. According to the survey, 80% of attacks are a result of well-known problems detectable via security assessments, and 93% of large organizations (250+ employees) and 87% of small businesses had at least one security breach last year. I spent time with a broad variety of people, from students and interns interested in how WhiteHat’s technology works, to people from small businesses who had staffing constraints but still wanted to solve their security concerns, to the aforementioned CIOs looking for large-scale solutions.

Perhaps the most interesting category of people I spoke with was the Indian consultants.  That’s at least partly because I realized over time that these guys were quite serious and represented an interesting trend I had not yet seen personally.  I usually figure consultants are worth talking to because they may end up being influencers within organizations or experts in the community.  Indeed, half the American or European consultants I talked to ended up knowing about us already and asking me to send their greetings to Jeremiah or Jim or Jerry (btw guys hi from PDP and Dinis).

The Indian consultants turned out to be a different story – or rather a very similar one repeated three times. They consult with many private and/or governmental organizations in India, helping them architect and manage their IT and/or Security policies and infrastructure. As I spoke to them and listened to what they had to say, I realized that these guys were here on serious business to find solutions for pressing needs so they could serve their customers better, and that they understood better than most people I’ve spoken to how WhiteHat might help them do that. Typically I assume people with “consultant” on their badge at security conferences are doing manual pen testing themselves and wouldn’t particularly care for our message; here the situation was quite different. When I talked about taking that workload off their hands entirely for all their customers, they seemed interested, not uneasy. When we discussed how WhiteHat can give their customers, their end users, direct access to our portal and through that the ability to ask questions and get clarity directly from our large team of security engineers in the Threat Research Center, they started pulling out business cards and asking to talk more later. For them the idea of being able to offload the day-to-day management, support, and education in the web application security domain was a big potential boon which they immediately understood and valued. They were more interested in being able to deliver quality to their customers without a lot of personal time investment, leaving them free to focus on the bigger IT management and/or security picture.

InfoSec Europe was a big success for the organizers and for WhiteHat with over 12,000 attendees and a great deal of positive engagement. For me it was a reminder that though on the surface the swag and lead collection seems like the main activity, there is a real and more substantive reason these conferences are so well attended. The industry is growing and changing rapidly, and the chance for newcomers and old hands to talk to each other and learn what is possible – and what is needed – is invaluable for those who take advantage of it.