Infosec In the City (IIC) — 2 Years In & the Future
Authored by Emil Tan, Co-Founder, Infosec In the City.
2 Years In: The Story
The idea of Infosec In the City (IIC) was conceived 3 years ago (2017) by Adrian Mahieu—serial entrepreneur and Co-Founder of 44CON. Expanding on what he has given the UK cybersecurity community, he envisioned an international brand that organises training and events to plug the capability and capacity gap of cities around the world. He had his eye set on Singapore as the first IIC city. I had known Adrian for a while by then because of 44CON, BSides London and my Royal Holloway days. He pitched the IIC idea to me in mid-2017, and within a week, IIC was no longer just an idea.
The Singapore cybersecurity community—which I run under the banner of Division Zero (Div0)—has always dreamed of organising a techno-centric conference. Although we run a very successful monthly meetup community, we can't compare with other international communities that have conferences that bring in leaders and experts from around the world to level up the local/regional capability and capacity e.g. DEFCON (USA), 44CON (UK), HITB (Amsterdam), BruCON (Belgium), DeepSec (Austria), ZeroNights (Russia), NULLCON (India), HITCON (Taiwan), CODE BLUE (Japan), POC (South Korea), ROOTCON (Philippines), Ruxcon (Australia), Kiwicon (New Zealand), etc. When IIC came about, it was really "Game On!" for us to push the Singapore cybersecurity community to greater heights.
We had the following items on our IIC Singapore (#IICSG) planning canvas:
To organise affordable world-class specialised training courses — If you wanted to attend specialised training courses on topics e.g. exploit development, full-stack exploitation, hardware/embedded systems security, threat modelling and kernel research, you had to fly overseas for it e.g. Black Hat USA, BruCON, etc. #IICSG scales specialised training by bringing world-class trainers in and pricing the courses reasonably.
To organise an affordable world-class techno-centric conference — The majority of cybersecurity events in Singapore were tradeshows i.e. displays of solutions and services offerings. Cybersecurity practitioners and enthusiasts had to fly overseas to experience and learn about cutting-edge research and practices. It's not feasible to send hundreds of cybersecurity practitioners overseas every year to attend cybersecurity conferences. Although we do have better conferences in Singapore, they cost >$1,000 SGD to attend. Singapore and the region's cybersecurity capability and capacity will take a long time to level up if training and exposure to world-class research and content are considered a privilege, rather than an essential.
Challenge the stigma that cybersecurity is just about solutions and services sales — Cybersecurity is not a checkbox/compliance problem. Many tradeshows are indirectly encouraging a compliance mindset in cybersecurity by showcasing all the solutions and services there are in the market rather than discussing and deep-diving into the actual cybersecurity practice, threats, architecture and technology. For many years I have been approached by practitioners and government officials at tradeshow events asking if I can fix this.
Demystify cybersecurity in the board room — This is not a typical problem statement of a techno-centric conference. However, Adrian and I believe that in order to push the envelope of cybersecurity practices, we need to demystify the subject in the board room. Cybersecurity practitioners' lives will be way easier if their board members really understand cybersecurity from the get-go.
I am very proud that Adrian and I, together with our crew and volunteers, have managed to organise 2 successful years of #IICSG since the idea-stage — #IICSG2018 Training, Conference and CXO Brief, and #IICSG2019 Training, Conference and CXO Brief.
Now, Singapore is known for regularly featuring acclaimed specialised training courses e.g. Corelan's Exploit Development training and Dawid Czagan's Bug Hunting course, and big names e.g. James Forshaw, Joe FitzPatrick, Dave Lewis, FC, Vitaly Kamluk, etc. We are also showing the world that Singapore has amazing cybersecurity talents too, with them sharing the stage with our invited esteemed experts.
For #IICSG to come this far, it wouldn't have been possible without our sponsors who believe in our philosophy. It was a shock for many companies—especially those that set up Singapore offices just for their sales function—when we told them that they don't automatically get a slot on our stage and that they should only be showcasing their deep practice and technical knowledge to the participants, not just their products/offerings. Cybersecurity is a field in which just waving your solutions/offerings at people doesn't make you an industry leader. Showcasing and proving to the cybersecurity practitioners (i.e. the board room/executive influencers, i.e. our participants) that you have the deep expertise and knowledge does. To sponsors who defied the traditional ineffective marketing matrix and sponsored us for the greater cause of levelling up Singapore's and the region's cybersecurity capability and capacity, a very big thank you to all of you.
Rebranding — SINCON
IIC has an international expansion ambition. Hence, we always suffix our Singapore events with "Singapore". But "Infosec In the City, Singapore" is a mouthful. We were also often incorrectly called IITC or many other abbreviations.
To correct that, we have rebranded our Singapore events as "SINCON" since Jul 2019. We are still operating under the IIC umbrella, but "SINCON" establishes an even stronger Singapore brand.
The Future — More Than An Event Company
When we started, we simply described IIC as an event series tailored to the city where it is hosted. Having operated SINCON for the last 2-3 years, I learned that we are not just an event company. The true value of IIC/SINCON is our network of leaders, experts, trainers, knowledge-base, etc. as a cybersecurity capability and capacity development (Cap Development) enabler.
Hence, we will be further developing IIC/SINCON in this direction to contribute more to the cybersecurity ecosystem.
#SINCON2020 Is Not Cancelled
A final note: #SINCON2020 is not cancelled.
We are still running training courses (some have moved online): https://www.infosec-city.com/sin-training;
We will still organise a CXO Brief later this year (physically or virtually): https://www.infosec-city.com/sin20-cxo; and