February 2013 Archives

And so it begins...


RSA 2013 is underway, with registered attendees wandering San Francisco with their badges on, showing perhaps a little less OPSEC awareness than is appropriate... billboards and taxis are adorned with infosec vendor advertising... BSidesSF has 1 day in the books... and the ABA InfoSec Committee has closed the books on yet another excellent annual pre-RSA meeting (I'll post separately on just how awesome this meeting was - and why you should get involved!:).

For those unfamiliar, the Monday of RSA week is about pre-conference workshops, seminars, etc. In the past few years, this day has become incredibly overcrowded with competing offerings, such as a huge Cloud Security Alliance full-day event, or this year's "Advancing Information Risk Management" half-day seminar. RSA also runs their "Innovation Sandbox" event where they showcase a handful of up-n-comers, and then they open the Expo floor with a big reception. Also, increasingly, Monday is becoming the secondary night of choice for vendor receptions as companies realize that trying to do anything on Wednesday night is just a bad idea, unless you're already well-established on that schedule.

Coming up later this week:

The conference gets started "officially" on Tuesday, with a string of vendor keynotes in the morning, and then actual track sessions starting in the afternoon. You can find me in the LAW track to start, moderating the "Hot Topics in InfoSec Law" panel for its Nth consecutive showing at the conference. The LAW track is sponsored by the ABA SciTech Section, and provides a unique perspective vs. the rest of the event. If you have any interest in law as it pertains to security and privacy, then we hope you'll join us!

Wednesday morning, bright and early, a handful (or maybe a bunch) of us will be heading out on a fun run around 7am. That seems a little crazy, especially given the hills around here, so hopefully we'll take a sensible track. :) You can then find me Wednesday afternoon co-presenting with Bill Burns of Netflix. This will be a very quick 20-minute session on the confluence of security and risk management within a true DevOps/NoOps environment, looking at how it works! :) This session is being reprised Thursday morning as a studio session, too.

Beyond that, I will be floating around between meetings, sessions, expo floor, etc. If you see me, please say hello! Oh, and btw, just to toot my own horn a little bit... I'm a "top-rated speaker" this year! :)

I'll try to post some updates during the week. In the meantime, if you're out here in San Francisco, have a good time and I hope to meet you all! If you're not here... have a good week, and maybe we'll see you out for RSA 2014! :)

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

Security Isn't Something You "Do"

Newsflash: Just because you work in the "security" industry does not mean you "do" security. In fact, allow me to go a bit extreme and declare that none of you/us have ever "done security." It's simply a distortion of reality and misrepresentation of the facts to say or believe otherwise. Is this an old Schneier-esque point? Perhaps, to a degree... but...

Drop whatever it is you're reading and go read The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. This short book will quickly change your perspective on a lot of things, not the least of which being the role and importance of IT within the greater context of business operations, as well as the imperative to more tightly align business priorities with operational risk management.

Go here for more information about the book.

Go here for a free 170-page excerpt of the book.

The book walks through "The Three Ways" as it describes a fictional company transitioning from a badly broken and dysfunctional old school IT and dev environment into a newer-than-new-school DevOps model. A sage guides the new IT director through this transition, with one of the big lessons in the end being the point that IT is so central to all business operations today (and forever more) that the COOs of the future will have to be extremely competent in technology operations, and may just come almost exclusively from an IT background (offset with business school training, or comparable).

It's hard to overstate how well this book explains the concepts contained therein. It covers many of the topics that I've mentioned over the years on this blog, but the authors do a much better job explaining those ideas. Security, IT, and Dev should no longer exist as standalone silos, but should instead all be part of one cohesive, optimized unit designed to rapidly evolve and function with great agility.

I could go on, but will spare you... go read the book! :)

I've often remarked that perception is far more important than reality, as we see proved time and time again through public and political life. Perception is what leads people like Beyoncé Knowles to walk out to a large, hyped press conference - as happened yesterday - and ask that people rise while she sings the national anthem, all to prove the point that she knows the words and the tune (it seems there was some controversy related to her lip-syncing during the recent Presidential Inauguration).

One area where perception is incredibly important is with regard to risks and risk management. Specifically, we in developed countries tend to "overestimate rare risks and underestimate common ones" (as noted by Bruce Schneier today). We can see the effects of such mistuned risk perceptions in the hasty, ill-conceived passing of laws like the USA-PATRIOT Act and the standing of the TSA (all to address the perceived risk of terrorism, despite terrorist incidents being extremely rare, and the subsequent losses of civil liberties hardly justified by the alleged benefits). We similarly see mistuned risk perceptions at play in the current gun control debate, which has visually targeted semi-automatic rifles with certain stylistic characteristics, intentionally conflating them with military-grade fully automatic firearms.

Creative Commons License
This blog is licensed under a Creative Commons License.