I get asked quite often about why I started CMHSecLunch and what the goals behind it are. I wanted to take a moment and discuss it on the blog.
First, if you aren’t a security person in Columbus, Ohio, you might not have heard of the event. Here are the details about it.
Every month, on the second Thursday, my team loosely organizes a simple lunch meet up at one of the local mall foodcourts. It is free, open to all – including non-security folks, kids and interested parties. There is usually a topic like “physical security”, “supply chain”, “threat intelligence”, “pen-testing”, etc. We also usually have something for people to fiddle with while they talk, like locks and lock picks, Legos, smart bits, cards and readers, etc. We find that having something to play with physically seems to help the attendees converse more easily.
The mission of CMHSecLunch was to emulate the “hallway conversations” part of security conferences, and to open up the security community to even larger groups of folks that may be interested, but may not have an easy way to get involved. I wanted it to be less formal than something like an ISSA/ISACA event, be free, loose in organization and really help people make personal connections with each other and the community at large.
The mission started in roughly 2012, and while we took a couple of breaks, is over 4 years old. Sure, there a lot of other events and even a couple of knock off lunches – emulation is a compliment 🙂 – but those usually include some formal presentation, vendor sponsor pitches or some other form of noise as the center of the event. I wanted to avoid all of that and put people at the center of the event. No vendor pitches, no one buys your lunch – so you don’t owe anyone anything either implicit or implied – and since it is in an open public space like a mall food court – there is no separation of infosec from the general public. Everyone can see, talk and ask questions without all of the speed bumps and smoke/mirrors and sense of separation sometimes associated with the infosec community. We’ve had middle school kids, college students, IT folks, janitors at the mall, infosec practitioners, managers and executives join us, engage and ask questions.
So, the #1 reason that I support CMHSecLunch is just that – the open nature and open discussion that comes from it. Thus far, nearly everyone who sits down with us at these events leaves their ego at home or in their car. We’ve had honest discussions from technical to personal, jokes and explanations, stories and anecdotes and even some project launches. Overall, the sense of openness and community has been one of the most amazing parts of my career. Sometimes there are 3 people, sometimes 30 – but I always leave with a smile and a renewed sense of community.
The second reason I believe in CMHSecLunch is that I have seen it bring new talent and fresh energy to the community. People have personally told me that because it was an open, public space and there was nothing expected, that they had the courage to finally approach infosec folks. Many times, people are nervous that they may not fit in, or have the skill set or knowledge of security practitioners at the more focused meetings. They may not have the management or budget support to go to conferences, ISSA/ISACA/OWASP events or even know that they exist. But a lot of people are on Twitter. A lot of people aren’t nervous to go to a mall food court. A lot of people can afford to invest in a fast food or brown bag lunch to get to know people to get started. That’s the crucial ingredient – to make it easy for new folks to join and engage. We need them. The community desperately needs new talent, fresh ideas and new resources that aren’t already locked into the echo chamber of infosec. In fact, I would say new ideas and new talent will make or break infosec over the next 10 years. I believe CMHSecLunch is an easier way for those new people to get started.
Lastly, I love bringing security discussions out of closed business conference rooms and into the mall. I absolutely get thrilled when people around us ask about lock picking or smart bits or whatever we are playing with. I love it when people lean in to listen about hacking or about how credential theft works. We have seen so many surrounding tables clearly listening in – that I have made it a habit to simply ask them to join us and explain the mission. It’s a beautiful thing. Remove the smoke, mirrors and mysticism of infosec – and everyday people are suddenly interested again. They become a little less apathetic, a little less distant and a lot more aware. Isn’t that what we have always asked for as a community? Didn’t we always want everyday users to be more engaged, more aware and more security capable? I truly believe that it will take bringing the public into the fold to make that happen. I believe that events like CMHSecLunch – loosely organized, free, open to the public, held in common public locations and developed on a spirit of inclusion, just might be a way forward. Mostly, I believe in the open, honest and caring attitudes of people, regardless of what community they believe themselves to be a part of. Thus, I believe in CMHSecLunch and our mission…
Wanna give it a try? If you are around central Ohio, you can find the schedule, locations and times here. Want to start your own event, in your area? Ping me on Twitter (@lbhuston) and I’ll be happy to discuss what I did to promote it, and how I would go about it. If I can help you get a group started, I will. That’s it. That’s why I believe. I hope you will believe too…