Judging security breaches: InfoSec Court is helping to change the narrative about cybersecurity

Male judge hitting gavel, calling court members to stand

Photo by SynthEx/Shutterstock

It’s not unusual for data breaches to propel a company into court. Sometimes it’s for a lawsuit, sometimes there are criminal charges, and sometimes a breach can force a company into bankruptcy court. 

One cybersecurity professional has created a mock court that helps people look at data breaches from all sides. But this court can’t throw you in jail.

InfoSec Court is the brainchild of Sandor Slijderink of Seymour, Indiana. Slijderink has been working in cybersecurity for about 32 years, he said, and he now works for BorderHawk, based out of Athens, Georgia. 

He noticed something unsettling about public data breaches, he said. When a large company suffered a breach, people would instantly blame the victim without learning the truth about what kind of security the company had in place to protect itself. People are quick to voice anger over something they know very little about. 

Slijderink used a story about math to explain it: “Einstein did a classroom thing one time where he goes, ‘Hey, nine times one is nine, nine times two is 18,’ etc. When he got to nine times nine, he put 90. and the whole class [freaked out]. And he said, ‘You focused on the one thing I got wrong, but did not even see the other nine items that I got right.’ And that’s focusing on the one item that someone got wrong, versus looking at the rest of the entire organization, of everything they get right.”

While that story may actually be apocryphal, the sentiment still stands. Slijderink wanted to shift the focus from attacking companies that have been breached to really looking at the information and seeing what lessons can be learned from it. 

That’s why he founded InfoSec Court, a side project he does for fun and education. 

“When we see a security breach in the news … you’re looking at a gas station. And instantly it’s all about the guy with the gun barging in, Blazing Saddles, everything else,” Slijderink said. “It’s never about the gas station and if they had better security. And they didn’t have bulletproof glass, they didn’t have high-resolution CCTV, so they got the $50 cheap stuff from Costco. We don’t look at the systems and processes and procedures when a gas station suffers a security breach like someone robbing it. However, when a company gets breached, we’re ready to just sling eggs and we’re ready to throw mud at their faces and go, ‘How could you? You just ruined everyone’s life!’”

Slijderink wants to help change that way of thinking. “In information security as a community, I’m trying to change that narrative and go, hey, instead of degrading everyone, let’s try to find a way to engage with them and build them up in a respectful manner and try to find a way to patch the hole.”

The mock trial is done via video so guests can watch from their home or office, he said. There is a judge who hears the case, and the guests who stand in for the prosecution and the defense make their respective cases. Visitors can chat during the live event, and sometimes their comments make it into the show. 

Some recent participants have been Mike Jones, founder and host of H4unt3d Hacker podcast; David Greer, senior manager of network security for Sun Pharma; Patrick Gillespie, founder of Boots to Cyber; Matt Lee, senior director of security and compliance for Pax8; Jay Harmon, managing director of cybersecurity at BorderHawk (and Slijderink’s boss); and even Nick Espinosa, a “security fanatic” and Tedx speaker. 

At the end of the trial, a final verdict is delivered, and there are “consequences,” which are really recommendations for the company to harden its security.

The InfoSec Court tackles serious events, but it’s all in good fun. In fact, Slijderink was inspired by the 1980s sitcom “Night Court,” so a sense of humor is vital to the event.

Some participants have used the InfoSec Court as an example of their knowledge when looking for jobs, and even been hired as a result, Slijderink said. “So, it’s a great place for people new to information security and cybersecurity to get an opportunity to get involved but, you know, it’s also great for well-seasoned people to be able to have a chance to showcase their knowledge, their thoughts, their concerns, in a non-biased way.”

Court is in session at 8 p.m. Thursdays on Crowdcast. You can check the dates and get more information on LinkedIn