The Policy Trap

It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.

Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.

RSA 2015: Security Mega-Con!

It was another record year for the RSA Conference USA, with a reported 33,000 attendees (an increase, I believe, of 8-10k year-over-year). This year also saw the first truly full-scale double-expo event, with both Moscone North and South sporting packed expo spaces with more vendors than seemed possible or reasonable. Impressive growth for our industry, to be sure, though as always it raised more questions than it answered.

Due to limited personal funding, my trip was short (Tu-Th) this year, so I missed out on the DevOps Connect event Monday, which I heard was phenomenal. I also didn't get a chance to look at Innovation Sandbox, though given prior year experiences I wasn't too disappointed. I did wish I could have caught Amit Yoran's first opening keynote as RSA big chief, but alas it wasn't to be...

(Note: To be up front, two things to bear in mind: 1) Yes, my talk was selected for this track. 2) I started this piece before selections were announced but held off on publishing until after selection announcements were made as I wanted to see how things played out.)

For the first time, the RSA Conference US 2015 has added a track for crowdsourced talks (original announcement). This track provided an opportunity for submissions to be voted on by the population at large (not just registered attendees), which I found to be very cool. For me, it provided a great opportunity to see if my proposed talk title resonated with people.

Overall, I'm very excited about this opportunity and advancement. The process wasn't perfect by any means (see Britta Glade's reflective post on changes for next year), but overall the outcome appears to me to be a good selection of new talks.

Of course, there were a couple nits, including active ballot stuffing (see one submitter's "theoretical" description - unsurprisingly, his 4 talks held top-5 ranking on the leaderboard throughout voting... and he's not on the final speaker list).

What I found most egregious, however, was the glut of vendor talks, many of which failed to even try to appear like something other than shilling (I mean, come on Ken Levine, do you seriously expect us to believe you'd give a talk on "why DLP sucks" and not distinguish "except for my company" given your position as CEO of a DLP company?). This is why we can't have nice things. What was created as an opportunity for talks to be included in the program that might not otherwise get noticed or accepted ended up looking like a race between vendors to see whose marketing team and customer base could stuff the ballot box better. *sigh*

The good news is that the judges did an excellent job following through and making sure that selected talks represent a reasonable value proposition (no shilling!) for attendees. Big kudos to the judges for not being afraid to dive down into the vote rankings to pull out what appears to be a really awesome list of presentations (here's the final list).

Now it's up to attendees to help make this track truly successful! I hope that everyone registered to attend the conference will come spend some time in the crowdsourced track to support speakers, whether you voted for them or not. If you want to have your voices heard, then participation and support for innovating new approaches is critical!

I look forward to catching up with everyone in San Francisco. I'll be there Tues-Thurs (including, of course, speaking at 9:10am PT on Thursday). Ping me on twitter (@falconsview) if you want to coordinate crossing paths. :)

RSA 2015: A Quick Trip

Just a quick note, mainly to let you all know that I'm still alive and that this blog will start having content again soon. First, though, I'm finishing getting up-to-speed on things in my new gig with K12.

In the meantime, I am pleased to announce that I will be at RSA US 2015 in April, at least for a few days. I'm flying out to San Francisco on Tuesday, April 21st, and will plan to stay through at least Thursday, if not Friday morning.

Toward that end, you can help me out (a LOT) by voting for my crowdsourced talk submission. To read full details and indicate your support (please!:), go here: Automate or Die! How to Scale and Evolve to Fix Our Broken Industry.

Leaving Gartner, Joining K12

Today, Friday the 13th, is my last day with Gartner. I've been onboard for almost exactly 21 months now and have learned quite a few things about how the analyst world works. But... it's time for a change. It's time to get back to more of a field role where I can feel like I'm making a difference, seeing the needle move little by little. This is something you don't typically get to see as an analyst because, out of the hundreds of interactions you have each year, /maybe/ 10% result in some form of feedback, and only a small portion of that feedback is particularly meaningful.

On Monday I start my new role as security architect with a local, public company - K12. They're a leading provider of online education services, which I find interesting and exciting. In many ways, this will be a green field opportunity for me, working as part of an enterprise architecture (EA) team as they pivot into more of a DevOps style approach. More than anything I'm greatly looking forward to getting back to more hands-on work where I can see the fruits of my labors.

I'll be reviving this blog in the coming weeks as I start to get my feet wet with various projects. I'll also be putting up a couple retrospective posts about my time as an analyst. I've received a handful of queries from folks interested in working for the company, and so one of these posts will specifically target that audience.

Overall, I'm very much looking forward to the new opportunity! I can't wait to see how well my theories play in the real world. There are lots of exciting options to be pursued here, ranging from security analytics to risk analytics to SecDevOps automation. :) Now to see what sticks and what doesn't!! :)

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertainment (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and take over my account. This led me to conclude that now would be a good time to quit putting off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) so that cookies weren't cleared after each session.

Continue reading here...

GBN: Recent GTP Security Research

From November 2014...

Before resuming my philosophical meanderings about infosec or info risk management, I wanted to first highlight some recent research for you all. All of the following require a GTP subscription (go here to contact us if you're interested in getting access).

Continue reading here...

GBN: Updating GTP's DLP Coverage

From November 2014...

It's been a couple years since the last update of our DLP coverage. In the process of updating it this go-round, I'll be taking the reins from Anton Chuvakin and picking up primary coverage of DLP for the SRMS team. In addition to revising the existing documents (Enterprise Content-Aware DLP Solution Comparison and Select Vendor Profiles and Enterprise Content-Aware DLP Architecture and Operational Practices - GTP subscription required), we'll also be spinning off a foundational document that can be referenced when getting started with a project.

Continue reading here...

This blog is licensed under a Creative Commons License.