This conference is enormous! That doesn’t make it great (not yet, anyway), but there is certainly a lot to see and do.
Getting my feet wet, I spent the morning in a 3-hour session titled “Surviving As A Security Leader”:
We discussed “making Regulations and Audits work for you”. Key takeaway: don’t expect an auditor to know more about your space than you do (if so, you should consider a different career…) – so in the Audit planning process you should partner with Audit to help them understand the technology and the control/risk environment you work in. RISK-RELEVANT FINDINGS SHOULD BE THE MUTUAL GOAL of an audit – they are partners to help us do our jobs better!
We then discussed Security/Risk leadership – we need to lead participatively, to get buy in and reduce resistance. We also need to develop others in the organization to be security leaders – even when they are not in the business of security. Motherhood and apple pie, right?
Then, there was a panel of ex-CISOs talking about being a CISO. The main skill? Influencing without direct authority. The primary focus? Basic IT blocking and tackling – configuration management, change management, asset management, etc. etc. Think ITIL… The most valuable thing? Understanding the business: goals, objectives, motivations, stressors. To know how security supports the business is to make Security relevant and useful. The most depressing thing? Not one of the ex-CISOs on the panel wants to be a CISO anymore. The function was self-described as a “high burn-out position”. Hmmm….
Lastly, in the morning session we discussed Boardroom presentations. Not necessarily Security-specific, but interesting nonetheless. Fun fact: ROI can also mean “Risk of Incarceration”.
In the afternoon, the session turned to Risk Management and Operational Resiliency Frameworks. Really bad topics for the “first after lunch” spot. Key takeaway? Most Risk Managers are really bad at estimating risk… How to fix this? Get Risk Calibration training for Risk Analysts. Oh, and scrap ratings of High, Medium and Low and use real numbers to quantify orders of magnitude when evaluating risk. You can check out www.societyinforisk.org for the Society of Information Risk Analysts.
For Operational Resiliency, we heard from Carnegie Mellon and www.cert.org/resilience, and how being operationally resilient means you’re like a Slinky – you can snap back into shape during and after an incident. Another fun fact: The average age of a Script Kiddie (you can google the term) is 10. Ten! (Editorial: It’s time for our elementary and high schools to be teaching software coding so we can teach them how to do things well…)
So, as you can see, the topics are varied, broad, and for geeks like me, interesting. Tomorrow is the real kickoff of the conference, so I’m looking forward to sharing more then.