
I’ll be writing these up for a variety of reasons:
- To demonstrate how many ideas I have, to help me determine whether that number of ideas is unusual.
- To get feedback on whether I should have tried to do more with the idea, was there an angle or benefit that I missed?
- So others can highlight to me whether someone has tried the idea already, and whether it succeeded or not.
- To encourage others to share their own ideas, similarly incomplete, failed, or half-baked.
Also sharing these kinds of “dead projects” has been an idea that’s been rattling around my brain for some time, but I’ve finally been inspired to start writing them up after attending a couple of Stefan Hagar’s Valhalla For Ideas sessions. Valhalla for Ideas is a structured way of working through old plans that we’re hanging onto, to either let them go, or to breathe new life into them. You can read more about Stefan’s services here, and we may be working together on some of them in future.
Description
Analogies give us insights into situations, or solutions to problems, that we would otherwise miss if we only considered that situation literally.
I think this applies to life and business in general, but I think it especially applies to cyber security. I still retain some involvement in that industry, having worked on the offensive and defensive sides of it for twenty or so years. I was always struck by the level of effort and intelligence applied to the discipline, but it was surprisingly insular, and generally unwilling to look at concepts or methods from elsewhere.
To give a rare example of what I mean, I think cyber security has largely adopted the blameless approach to incident investigation that the airline industry instigated decades ago, and was arguably inspired to do so by the success of the approach in its original discipline.
I’m still convinced that my American Football based thinking around improvements to cyber security blue team strategies by comparing the practice to an exemplary NFL defence have something useful in them, but I never quite got that to work, and couldn’t communicate it as well as I wanted to.
But, intrigued by the insights that research gave me - why not double down and try and run an entire conference along these lines? I had a couple of interconnected ideas: either bring together a line-up of speakers who make the same kind of analogical connections I had, or literally think of subjects I think that cyber security people should know about and make connections to, and just bring in speakers on those subjects.
I even bought a domain name and kept it for a while. But I thought it through… and the domain lapsed.
( if you’re intrigued by the idea, do check out PancakesCon for something kind of similar )
Why I didn’t try this project
- I’ve too many other ideas that I’m more interested in to devote time to this one - having realised just how much time it would take.
- The world moved away from online conferences, favouring more traditional in-person formats, with the higher investment and risk that comes with.
- Direct knowledge of tactics, techniques and procedures in the technical side of cyber security is hard won, and requires constant effort to maintain - I felt that practitioners were unwilling to put that investment to one side in favour of more esoteric or experimental concepts they could apply.
- I don’t think anyone cares… or cares enough more than to give this idea a quick acknowledgement and move on. I think finding new analogies to situations we’re in, or problems we face, can give us new solutions - and even when those analogies don’t work, figuring out how they don’t work or why they don’t apply can give us new insights. But mostly practitioners just want to “cyber harder”, and failings are seen as personal or circumstantial rather than conceptual or structural.
- I like the idea of building or running an event, but at best I’m a helper or an instigator. From previous experience I know how difficult it can be to organise a conference, and organisational skills are something I spot in others, rather than skills I have or want to develop.
So overall I think this falls into the category of “things I wish existed” and/or “conferences I would like to attend” rather than “things I would like to build”.
Summary
All feedback welcome of course, come find me on Mastodon or BlueSky or LinkedIn, whichever platform you prefer.
And as with Stefan’s offering, I wonder if there’s a service in helping others choose which of their projects to pursue, and which to put to one side? I struggle with this myself, but I’ve had great feedback from others when I’ve helped them think this kind of issue through. Either as personal consultancy, or even helping people work through many of the decision making frameworks out there so they can do this themselves, with all the timing and privacy benefits that come with working alone?
Epilogue
Having found some old notes on this, one other version of the idea I did have was collating existing recorded talks by others, and “top-and-tailing” them with an explanation of why I thought they were relevant to cyber security, and what angles a viewer could take away. Hence me rebuying that domain name… we’ll see if it just expires in a year…