I know it has been a while since my last blog. I am at the RSA Conference with a goal to put a blog out each day about the sessions I attended. This is my first RSAC and I am really excited to finally be here. First of all, it is absolutely amazing how many people are here. It is a little overwhelming. I have made a pledge to myself to not be my normal introverted self and actually meet people and do what I can to spread the "word" about what my team is doing.
So this morning I attended a panel discussion on Information Sharing Leadership Development: Surviving as a Security Leader. There were CISOs and similar from George Washington University, Omgeo, John Deere, DTCC, and Morgan Stanley. I felt there were some key points that were worth noting and taking away. It was also surprising to see some of the responses from the audience to the questions they posed. First of all, this room was packed solid - barely an empty seat in the room, and it was a big room. Most of the attendees had been in Info Sec for between 5 and 10 years, and I would say almost 99% of them did not start their careers there. I find that fascinating since I am one of those people and thought I was in the minority, but today I realized that my path towards this career was not so uncommon after all.
There were a few quotes I noted. The first was from Joseph Hammer with Morgan Stanley. He said that to be an effective leader in information security, you have to have a "non-jargon" approach to security and a "healthy dose of honesty." That really resonated with me. We talk to C-suite leaders a lot in my program, and I have found that the minute the most technical person in the room starts talking tech-speak, their eyes glaze over. Don't get me wrong, I never go to a meeting without my partner in crime who is my technical brain - the Technical Lead for my team - as it is imperative to have someone who can discuss the more technical issues of the program. However, the reason my partner is so effective is that he can explain the most technical things in a way that anyone can understand. I have learned so much from him because he takes the time to explain things in a way I can understand. I have also seen how critical a skill that is to have.
Another quote was "the more you practice, the more you realize how imprecise the field is...not something you can learn from a textbook." That, too, resonated, as I just finished my Masters in Info Sec and was disappointed when I was done, as I felt that I really did not learn that much. I had asked one of the guest speakers from my Emerging Technologies course for recommendations on what our next steps should be, especially for those of us wanting to learn the more technical skills we thought we would get out of the Masters but did not. He said to teach ourselves. Look it up on the Internet and teach yourself how to write code or to hack a computer just so you know how it is done. One of the people I follow on Twitter, Jeremiah Grossman, gave a presentation at a TED conference in January about hacking yourself. I have not yet seen the video but am looking forward to doing so. The summary and comments I have read about it, though, are essentially: how can you know where you are vulnerable to hackers if you have not looked at yourself from their perspective? To me, that is one of the reasons why I want to learn some of the more technical skill sets. The other reason that this resonated was because the next step everyone keeps telling me to take is to get my CISSP. Yet I also keep hearing from people who have it that it is nothing more than being able to pass a test. So when you are looking for the right candidates for key technical positions, it is not necessarily where they went to school or how many certifications they have. It is how well they understand the art that is network security.
Yes, I call it an art as I do not think it is a precise science. Those who are hacking into companies are constantly adjusting their tactics as they need to, even going back to old ones that no one is looking at anymore. To me, that is an art - understanding all the tools in your toolbox and knowing when to pull which one out for what purpose - like an artist knows what colors to use or combine to create the image they are trying to create. If we are to be good at protecting ourselves against this agile adversary, we have to understand that.
Another presenter was John Johnson from John Deere. Now here is a unique company; many would not stop to think about the importance of protecting its data, or how critical that data could be to, say, national security. Their tractors collect data on soil types, chemicals used, weather, planting cycles, etc., from farms across the world. Imagine the value of that data aggregated...imagine it in the wrong hands for nefarious purposes. His presentation was on metrics and how information security organizations need to mature from the qualitative "storytelling" (some would say "fear mongering") for upper management to quantitative measures that matter. Another presenter, Mark Clancy from DTCC, added that in the IT realm the key measure was availability - five 9's - but we have yet to come up with its equivalent in the information security realm.
Finally, the last presentation that really left a mark for me was the one on Roadmaps. I am a strategic thinker, so this one made me perk up in my seat and stop checking my Twitter account. Two things he said that I think are key takeaways: (1) Each time you come up with a new initiative, tie it to a business value - not just the usual scare tactics of "there are terrible things happening so we have to do this" but rather, what is the VALUE to the business. That is something that I think is often missed and most difficult, yet so important. The second thing he said was, (2) even if you have deprioritized a project, still always give some directional movement towards completion. You never want to say you are doing "nothing" to fix something. If it is on the list, then movement towards fixing it, even small steps if other things are a higher priority, needs to occur.
Overall, I think this was a good starting session for me. I went to the Innovation Sandbox this afternoon but have to say I was not blown away by any of the presentations there. I have heard of some really great start-up ideas that I think are better than the ones that were selected, but I will acknowledge that I am not exactly the target audience either. It was still interesting to watch them do their quick 2-minute pitch to everyone.
Now it is time to head off to the Expo and collect all my swag! Until tomorrow...Signing off from San Francisco. Catch my Tweets between now and then at @scauzim.