Black Hat is back. Yes, I know the event was held the past two years, but 2020 was all virtual and 2021 was a unique hybrid experience. This year’s show rivaled conferences held pre-pandemic—the vendor hall was packed with companies, there were thousands of show attendees, and people were networking both on and off the show floor. Needless to say, I left Black Hat with high hopes that the in-person conference experience is here to stay.
On that note, let’s talk about some observations, reactions, and takeaways from this year’s show. I’ll get to products and threat research in a bit (teaser: I was less impressed with the level of innovation this year than in year’s past), but first I want to address two things that bothered me in the vendor hall.
Product sales were valued over talent recruitment.
The Black Hat vendor hall is massive. As soon as you walk through the doors, you’re hit with the huge booths of behemoth companies such as Crowdstrike, IBM, and VMware. As you navigate further down the hall, you start to come across the booths of smaller companies and startups. And finally, all the way in the back right-hand corner is the careers section. The placement of this section alone bothers me, because it sends a signal to attendees that one of the biggest problems facing our industry right now is only as important as a tiny corner section on the show floor. And then add to that the fact that there were hundreds of companies hawking their products to drive sales in the vendor hall, yet I counted only eight in the careers section on the show floor.
Of the eight, three were vendors—Cisco, Mimecast, and Tenable—and five were universities and learning institutes. Only three vendors out of the hundreds exhibiting were actively trying to recruit talent and solve the cybersecurity talent shortage by standing up a second booth devoted to the cause (I actually witnessed several interviews happening in real-time at these booths!). With nearly 715,000 cybersecurity job openings in the U.S. and Black Hat, as the largest hacking conference in the world, bringing together the best and the brightest in the industry every year, it is an absolute travesty—and major missed opportunity—that more isn’t being done to help bridge the talent gap at this show.
Vendors’ money is going to big booths, swag, and activities designed to drive product sales, leaving talent acquisition in the dust. And truth be told, Black Hat provides little incentive for companies to stand up a second booth and staff it with a team devoted to helping people in their cybersecurity careers.
Next year, I would love to see the conference organizers offer some sort of financial incentive for companies that want to make a difference by having a careers booth. Vendors: Consider scaling back on the product gimmicks and instead allocate some of that money toward a second booth focused on talent recruitment. And show attendees, make it a priority to visit this vital section of the show floor. Together, we can show the world that solving the cybersecurity talent shortage actually is a priority.
Small vendors and startups have to fight for the spotlight.
Next year, I’d also love to see small companies and startups exposed more predominantly on the show floor. The big vendors paying the big bucks get prime real estate in the exhibit hall. But here’s the thing: Most attendees going to Black Hat know they are going to visit these booths regardless of where they are located. They don’t want to miss out on the swag, the networking, and the invites to show parties. So why not stick these behemoths in the back of the hall where they’ll get the same foot traffic as if they were located up front?
The small companies and startups should be the focus when you walk in the hall doors, so attendees who might not have made their way all the way down the exhibit floor in years’ past will get the chance to learn about these up and coming companies that are trying to solve niche, yet important, cybersecurity problems. I’m even willing to bet that attendees will find their experience at these booths more valuable than at those owned by the bigger players, because most small companies and startups staff their booths with company founders and executive leaders (rather than sales and marketing folks like the big companies do), so they can get a first-hand account of why the company was founded and what’s its striving to do.
Booth placement says a lot at Black Hat, and I hope to see some major changes at next year’s show. Not only will it equal the playing field for vendors of all sizes, but it will show a shift in priorities from product sales to solving the industry’s biggest challenges, including the talent gap.
Product and Research Reactions
Now that I’ve got that off my chest, let’s talk about products and research. From a product perspective, I have to admit that I didn’t see a whole lot of new innovation on the show floor—but a big reason for this is that RSA just happened in June. Normally, RSA occurs in February, so companies have six months to take the product feedback they received at RSA and iterate their solutions with new features and functionality by the time Black Hat rolls around in August. This year though, because RSA was pushed to June, there was only about two months between it and Black Hat, which doesn’t give companies a whole lot of time to innovate.
I did leave Black Hat with one big takeaway though: the industry is doubling down on API security. In 2020 there was hardly any talk of API security, and last year, there were one or two vendors in the game. This year, however, there was a predominance of new vendors supporting API security, which I believe indicates a market shift and a moving trend toward securing APIs in the DevOps process. According to VentureBeat, “Vendors introducing new API security solutions include Canonic Security, Checkmarx, Contrast Security, Cybersixgill, Traceable, and Veracode.” Most of the vendors I came across were tackling API security in one of two ways: inline or not inline. But, as the industry works toward tackling this problem, I expect we’ll see new API security innovations emerge in short order.
From a research perspective, things were far less interesting this year. There was only one session in particular that made me walk away thinking, “Wow! That was cool!”—and it was the security researcher that demonstrated how to hack into the Starlink internet system using about $25 worth of equipment. The topic of cybersecurity in space has been around for a few years (Def Con’s Aerospace Village, anyone?), but we’re seeing this topic move into the forefront of discussions as of late, and it’s certainly something we should be concerned about. But, the fact that one receiver gave the researcher access to the entire Starlink network brings to light another important lesson as well: when you put hardware into the hands of people, you lose all control over security, and you realize how vulnerable hardware technology can be. This concept certainly isn’t anything new, but it’s one that we can’t forget about, especially in the digital world we live in.
And there you have it: my takeaways from Black Hat 2022. If you want to chat further about anything I’ve said in this post, you can find me at @ITJunkie.