GDPR Talks

GRIMMCon 0x3

GRIMMCon 0x3 took place on December 30th. The virtual conference hosted 2 tracks, with audience questions mostly relayed to the speakers by the hosts via the GRIMMCon Discord server. As with GRIMMCon 0x1 and 0x2, the conference was held using GoToMeeting, whose interface differs a fair bit from Zoom's.

Following my talk at Beercon2 and the feedback I received, I wanted to provide a different perspective on GDPR. Rather than focus on implementations that may or may not have worked, I wanted to look at how different strategies which I’d seen companies take failed to work on a compliance or business level.

The CFP process was fairly simple: fill in a Google form with information about the proposed talk. The form included the option to be paired up with a mentor. Speakers were contacted in early December to confirm their selection, & rookie speakers received an additional email for the speaker-mentor pairing.

I was paired with a mentor local to me (same country), which made finding times to review content far easier than if we had been in opposite time zones. In my case, the content review was more focused on form rather than the actual content, given our different specialisations.

Prior to the con I was given links to 2 GoToMeeting events: a green room and the conference itself. In the green room one of the GRIMMCon staff checked the AV settings, and we verified the procedure for sharing the slides. Once all was ready, a couple of minutes before the talk started, I joined the main room and repeated the procedure. Perhaps due to user error on my side, the video feeds from the hosts disappeared while I was presenting. It was a bit startling to talk at my screen rather than to an audience, but overall it went well.

Had the conference been in person I would have done the initial introduction, covering what GDPR is and who it protects, and followed on with some wargaming, showing points of failure in the various strategies the audience might come up with. Given the nature of the conference, I instead presented the failing strategies as a tale, where the characters could always start again with knowledge of their past failures, ending with the entire company training their teams on procedures & risks.

The strategies used were the following:
1. No strategy
2. Avoid / leave EU market
3. Have a lawyer review contracts with vendors
4. Get an audit
5. Purchase a compliance solution
6. Train the entire company according to their needs.

As was the case at Beercon2, the rookie track was absolutely incredible. The speakers brought some really good insights into their topics, which made the talks particularly enjoyable. The rookie talks were recorded and should be appearing on the GRIMM YouTube channel soon.


Beercon 2

Following my work implementing GDPR in 2018 I have been reading into the topic and evaluating how the tech industry has adapted to it. I was supposed to give a talk about this in the summer of 2020 regarding risks to consumers with misunderstanding their rights and limits of enforcement, but the global pandemic cancelled that event.

The Beer Farmers decided that the 2nd edition of their infosec conference, Beercon 2: Rise of the Rookie, would provide a rookie track for all the new speakers whose conferences had been cancelled. I submitted a CFP on the topic, focusing not on the client but on the compliance strategy implementation side of things, along with the risks to both the client and the business in the case of a bad implementation.

The speakers were provided with support from experienced speakers, in the persons of Claire Tills, James Bore, Sam Humphries, Zoë Rose, and Dave McK. They helped us by providing a workshop at the beginning of the BeerCon 2 preparations, as well as listening in to the speakers giving dry runs to test the slides / AV equipment. Their input was incredibly valuable in helping everyone give their best talks on the 29th & 30th October 2020. Additionally, 2 speakers worked as “goons”. They helped provide some support on the day, as well as helping manage the communications within the Slack server. Lennaert and Gerard both endured the conference nerves as speakers, with the added nerves of knowing exactly how many people were actually watching them.

Because of course, we’re all rockstars and did our talks live instead of pre-recording. We had live demos THAT WORKED WITH NO HICCUPS. I can safely say that nothing would have prepared me for the quality of the talks, or the diversity of topics covered. The threat landscape in Japan was covered with the same emotion and energy as an introduction to IPv6.

Fortunately, these talks were recorded and are available here. I cannot stress enough the extent to which these talks make their niche topics accessible to people of all levels of experience. I am still rewatching several of these talks between working on different projects, given the impressive quality of the content shared.

On the day I was speaking, the experience was incredibly seamless. I missed most of the 1st talk as I was preparing for mine in a breakout room with the “goons” and 2 mentors who helped calm my nerves. Once Zak had finished his talk, I was thrown into the live room, where Scott explained how it would be going. Essentially, as had been practiced with the mentors & other speakers, with one caveat: he would be providing 10 & 5 minute remaining warnings. The difference was that instead of seeing myself on the Zoom call (and adjusting position to make sure it was my face in the frame), I would be seeing the reactions of someone else. To my surprise, this was not a source of distraction, except at the time warnings. Scott did explain that he’d had issues with all the talks, as he would forget to switch cameras due to being absorbed in the topics being discussed.

The initial conference nerves faded after a couple of slides, leaving the same thoughts as when giving training – am I talking too fast? am I understandable? can people relate to this? – but with no interruptions. The talk went smoothly, which was a surprise given my internet had been spotty in the previous days, and the positive feedback from infosec and compliance specialists suggested my worries were unfounded. Should you be interested in GDPR, or general compliance strategy, my talk is available on YouTube.

The experience with Beercon 2: Rise of the Rookie as a speaker was impressive. The work and effort put in by The Beer Farmers over the 2 day event truly reflects their catchphrase #hereforyou. The event generated networking opportunities across multiple disciplines and nations, and I can only recommend this event to people wanting to share knowledge or experience with a wider audience. I eagerly await the surprises of Beercon 3.