Tuesday, February 28, 2012

Day 2 - Opening Ceremonies and Public/Private Sharing

So far, so good, in keeping my plan to blog each day...I mean, hey, it is just day two but two days in a row is better than missing my goal on day two.  It was a ridiculously long day and here I am all ready to crash for the night, and it is barely 8pm.  There are people who stay out all night every night....don't know how they do it other than that they must be missing out on some of these presentations and sleeping.

This morning included the opening ceremonies and keynote speakers to kick things off and who better to do that than Art Coviello from RSA with some mea culpa on the events from last year.  There are some good sound bites here though that I think are definitely worth sharing, and if anyone in the audience was paying attention, then hopefully they will heed some of the call to action.  All the keynotes are up on the RSA website (http://365.rsaconference.com/community/archive/usa) so if you have the time to check them out, definitely do...otherwise, I will summarize those that I sat through...of course, duty called and I had to step away and missed the last couple of them so you are on your own there.

First off, they opened with a cyber geek version of "You Can't Always Get What You Want".  I am sure they have the changed lyrics out on the web already...it was pretty amusing though with a church choir and two lead singers singing away about things that I know they likely had no idea about.  Made me chuckle first thing in the morning.  Then Art Coviello came out to talk about expanding trust and confidence in the digital world.  He stated consumers are adopting technology faster than government and IT can absorb.  We are well past the "tipping point" where the physical and technical world can be separated and where personal and professional lives are kept apart.  He said that he has never sold on a basis of fear and never intends to but acknowledged that the industry has been going through hell in the last 12 months and that RSA personally feels responsible for that.  They want to apply the lessons that were learned from last year's events first hand to drive strategic and technology roadmaps.

Some key quotes from his presentation were:
"An attack on one of us is an attack on all of us." These attacks are being used as stepping stones to gain access from one victim to another.
"Accepting the inevitability of compromise does not mean accepting the inevitability of loss."  Just because they can get in does not mean you have to allow them to take anything out.  You need to understand your internal assets and environment along with leveraging external intelligence sources. Using the "big data model" (a common theme throughout this conference thus far by the way) allows you to shrink the window of vulnerability.
"We need to champion and develop a new breed of cyber security analysts ... who are offensive in mindset."  He stated that we need to leverage the talent in the military - not just cyber expertise but intelligence and other strategic fields where their knowledge can be applied to cyber. I applaud him for encouraging this idea as I am a huge supporter of finding jobs for our Veterans who are leaving service and having trouble translating their skills to the civilian world.  He offered a way to do just that - looking at what they do on active duty and how very applicable it can be to this career field.
"People are refusing to wait for a top-down approach from government or industry to start sharing."  Grassroot organizations are forming to share actionable data. Those organizations are starting to not just share within their groups but across other groups.  He stated we need to encourage and participate in these efforts along with the ISACs to share with DHS who can serve as the clearing house across industry and the public sector.  RSA is taking this challenge and revealing this week new technologies for sharing within trusted circles.
He closed with a quote of Justice Oliver Wendell Holmes to Franklin D. Roosevelt - "In a war, there is one thing to do - form your battalions and fight."  He used that as the call to action to the audience that we all need to come together as a community to fight the common enemies.  "The knowledge gained by any one of us can become power for all of us."

The next keynote was Scott Charney with Microsoft.  I only caught the first part of this presentation but again, there were some key takeaway points worth sharing.  "Strategy is just thought.  Proof you are implementing that strategy is your products and services." This really resonated with me as I am a strategist but always need to remember that no matter what strategy I may develop, if it is not implemented, then it is nothing.  He too talked about big data - this is definitely a common theme of this conference.

The last session that I feel is worth capturing notes on was the Public/Private Sharing panel discussion which opened with Howard Schmidt and included Mark Weatherford, DHS; Richard Hale, DoD; Patrick Gallagher, NIST; and Deborah Plunkett, NSA.  First of all, I may be a little more critical of this panel because it happens to touch right on what I do.  The biggest disappointment, I think, was there was very little discussion really about public/private sharing.  Sure, each of these had the opportunity to summarize what their priorities are and current initiatives but there was no time for questions to allow time for the private sector to have any input into the session.  Also, it was four separate agencies talking about their four separate programs, and though they tried to say they are all working together, it certainly was not presented as a united front - what it should have been was, "here we are, the public sector, doing the following things together with private sector...any questions?"  Instead, it was an infomercial for what each of them is doing and in some cases (<cough...NSA...cough>), what they think should be done which competes with what everyone else is doing.

Mark Weatherford really plugged the National Cybersecurity and Communications Integration Center (NCCIC) which is great except he did not really plug what ICS-CERT and US-CERT are doing which is really where the sharing is beginning to take hold (in ICS-CERT's case, has been there for quite some time).  Lots of talk about continuous monitoring of government systems...and this matters to the public/private sharing initiatives why???  Richard Hale said, and I quote, "we share data from the DIB pilot out to the other government agencies and are trying to figure out a way to share that data out to critical infrastructure."  He is on the record. Then he later said it again - the expansion of the DIB program with the Federal Rule coming out for public comment will be done "in partnership with DHS."  Gallagher discussed their new initiatives to include a new cyber center that will be focused on technology R&D around use cases.  Honestly, I did not capture any take away points from Plunkett but that may be because I felt she was trying to get the jabs in there about how it should be NSA's mission - subtly but still there for sure.

The other sessions I attended today were not really worth summarizing. Interesting but no real takeaways. I also spent quite a bit of time, as my poor feet can tell you, walking around the unbelievably overwhelming expo hall.  It is just sensory overload.  I mean, there are companies giving away race cars, Ferraris, all expense paid vacations, iPads, computers, TVs, you name it and someone on that floor is giving it away.  It is just insane.  Me, I got a couple free t-shirts and learned about some pretty darn amazing technologies that have been developed.

So if you are still awake, and quite frankly, cannot believe that I am, hope the summary and soundbites were of some interest.  Lots of common themes going on - big data; the community must come together and share; automation is required; and the cloud.  At least I have really felt like what we are working so hard on every day - painfully sometimes due to all the politics - is on track with what these attendees see as what is necessary.  Now, if we could only just get them to put up the data they all think needs to be shared...that is going to be a longer process.  One step at a time though.  To coin one of the quotes above....we are still putting together our battalions.

Monday, February 27, 2012

RSA Day One - Leadership Challenges

I know it has been a while since my last blog.  I am at the RSA Conference with a goal to put a blog out each day about the sessions I attended.  This is my first RSAC and am really excited to finally be here.  First of all, it is absolutely amazing how many people are here.  It is a little overwhelming.  I have made a pledge to myself to not be my normal introverted self and actually meet people and do what I can to spread the "word" about what my team is doing.

So this morning I attended a panel discussion on Information Sharing Leadership Development: Surviving as a Security Leader.  There were CISOs and similar from George Washington University, Omgeo, John Deere, DTCC, and Morgan Stanley.  I felt there were some key points that were worth noting and taking away.  It was also surprising to see some of the responses from the audience to the questions they posed.  First of all, this room was packed solid - barely an empty seat in the room, and it was a big room.  Most of the attendees had been in Info Sec for between 5 and 10 years, and I would say almost 99% of them did not start their careers there.  I find that to be fascinating since I am one of those people and thought I was in the minority but today realized that my path towards this career actually was not so uncommon after all.

There were a few quotes I noted. The first was from Joseph Hammer with Morgan Stanley.  He said that to be an effective leader in information security, you have to have a "non-jargon" approach to security and a "healthy dose of honesty."  That really resounded with me.  We talk to C-suite leaders a lot in my program, and I have found the minute the most technical person in the room starts talking tech-speak, their eyes glaze over.  Don't get me wrong, I never go to a meeting without my partner in crime who is my technical brain - the Technical Lead for my team - as it is imperative to have someone who can discuss the more technical issues of the program.  However, the reason my partner is so effective is because he can explain the most technical things in a way that anyone can understand.  I have learned so much from him because he takes the time to explain things in a way I can get it.  I have also seen how critical a skill that is to have.

Another quote was "the more you practice, the more you realize how imprecise the field is...not something you can learn from a textbook."  That, too, resonated as I just finished my Masters in Info Sec and was disappointed when I was complete as I felt that I really did not learn that much.  I had asked one of the guest speakers from my Emerging Technologies course for recommendations on what our next steps should be, especially for those of us wanting to learn the more technical skills we thought we would get out of the Masters but did not.  He said to teach ourselves. Look it up on the Internet and teach yourself how to write code or to hack a computer just so you know how it is done.  One of the people I follow on Twitter, Jeremiah Grossman, gave a presentation at a TED conference in January about hacking yourself. I have not yet seen the video but am looking forward to doing so.  The summary and comments I have read about it though are essentially, how can you know where you are vulnerable to hackers if you have not looked at yourself from their perspective.  To me, that is one of the reasons why I want to learn some of the more technical skill sets.  The other reason that this resonated was because the next step everyone keeps telling me to do is to get my CISSP.  Yet, I also keep hearing from people who have it that it is nothing more than being able to pass a test.  So when you are looking for the right candidates for key technical positions, it is not necessarily where they went to school or how many certifications they have.  It is how well do they understand the art that is network security.

Yes, I call it an art as I do not think it is a precise science.  Those who are hacking into companies are constantly adjusting their tactics as they need to, even going back to old ones that no one is looking at anymore.  To me, that is an art - understanding all the tools in your toolbox and knowing when to pull which one out for what purpose - like an artist knows what colors to use or combine to create the image they are trying to create.  If we are to be good at protecting ourselves against this agile adversary, we have to understand that.

Another presenter was John Johnson from John Deere.  Now here is a unique company that many would not stop to think about the importance of protecting their data - how critical their data could be to, say, national security.  Their tractors collect data on soil types, chemicals used, weather, planting cycles, etc., from farms across the world.  Imagine the value of that data aggregated...imagine it in the wrong hands for nefarious purposes.  His presentation was on metrics and how information security organizations need to mature from the qualitative "storytelling" (some would say "fear mongering") for the upper management to quantitative measures that matter.  Another presenter, Mark Clancy from DTCC, added that in the IT realm, the key measure was availability - five 9's - but we have yet to come up with its equivalent in the information security realm.

Finally, the last presentation that really left a mark for me was the one on Roadmaps.  I am a strategic thinker so this one made me perk up in my seat and stop checking my Twitter account.  Two things he said that I think are key takeaways: (1) Each time you come up with a new initiative, tie it to a business value - not just the usual scare tactics of "there are terrible things happening so we have to do this" but rather, what is the VALUE to the business.  That is something that I think is often missed and most difficult, yet so important.  The second thing he said was, (2) even if you have deprioritized a project, still always give some directional movement towards completion. You never want to say you are doing "nothing" to fix something.  If it is on the list, then movement towards fixing it, even small steps if other things are a higher priority, needs to occur.

Overall, I think this was a good starting session for me.  I went to the Innovation Sandbox this afternoon but have to say, was not blown away by any of the presentations there.  I have heard of some really great start-up ideas that I think are better than the ones that were selected, but I will acknowledge, I am not exactly the target audience either.  It was still interesting to watch them do their quick 2 minute pitch to everyone.

Now it is time to head off to the Expo and collect all my swag!  Until tomorrow...Signing off from San Francisco.  Catch my Tweets between now and then at @scauzim.