Today began with a discussion on Boomers, Gen Xers, Millennials and Gen-Zers. You know who you are.
The point was, if we’re going to reach them in training and awareness for security, we have to know how they think, and how they consume information, and tailor our stuff appropriately. It was a fun session, with a lot of your usual psychology stuff:
– Boomers = Kennedy, Vietnam, Moon Landing, etc.
– Gen Xers = Challenger disaster, MTV, End of Cold War, Latchkey kids
– Millennials = Columbine, 9/11, and Facebook
Here was the funny thing – Millennials think they know security really well – better than the Boomers rate themselves. But, they are 15% more likely to have been breached. Overconfident? Perhaps. As a university CISO, I was interested in knowing how to get Millennials to care about security and privacy – but in general they just don’t. So, focusing on the fact that the UNIVERSITY cares about the data they manage is where we have to focus our training efforts. For everyone else, we can just tell them what they have to do. (OK, not really).
From there I listened in on a presentation about Insider Threats, and how to programmatically address this. In this sense, Insiders are malicious, not accidentally careless. HR, Legal – we’re coming for you 🙂 Actually, we need great partnership with HR and Legal to identify likely scenarios and triggers for “insider” behavior, so we can QUICKLY triage incidents. Note the golden 30-day window – insiders are disproportionately more likely to do something nefarious between the time they resign and the time they actually leave. Of course, most people DON’T do something creepy – but should the university keep an eye out for this?
I then dragged my tired mind over to a panel discussion on letting users “go rogue” using cloud services. No real new stuff there. No surprise, folks are using cloud services (the average company uses 395 vendors today – I can only imagine the exponential OSU numbers). The goal here is to enable secure cloud usage, not to prevent it from happening. We also need to orchestrate HOW we use cloud services – we can get pretty inefficient pretty quickly without some air traffic control. Even for all the support of people using cloud, none of the panelists want “Crown Jewels” to be there – some things (like the Coke recipe – yes, really) don’t belong in the cloud.
Of the five keynote speakers today, only some are worth mentioning.
First, James Comey, our new FBI Director, spoke about the need for the FBI and private industry to support one another. We need to share information quickly and routinely, at the speed of computers, not the speed of humans. His presentation was well received, and he comes from private industry where he ran Security teams (he’s a lawyer, actually), so he’s been on both sides of the political fence.
Art Gilliland from HP threw out some interesting statistics:
– We collectively, as an industry, spend $46B (yes, Billion) a year on Security.
– We’re seeing 20% increases in breaches year over year
– A single breach costs 30% more this year than last year, on average (pity the Universities of Maryland and Indiana…)
– Statistically, we’ll get better bang for our buck if we focus on people (training, analysis) and process (intelligence gathering), than on “silver bullet” tools. No argument from me on this one.
The most interesting speaker of the day was 19-year-old Taylor Wilson. He’s a nuclear scientist, and from the age of 10 (when he built a nuclear reactor in his garage) to now he has created nuclear material scanning devices, medical isotopes scan tools, and is currently working on cheaper, safer nuclear reactors. It is not a stretch to say that he is a Genius in Action, and he absolutely gives me hope for our future. If I thought the Cryptographers were above my IQ paygrade, they’ve got NOTHING on this kid. Yes, kid. Millennial, actually.
Apart from the speakers, we also cruised the vendor halls today. Some of our own vendors were there, of course, but there were also PLENTY of new vendors. It was a bit like running the gauntlet to make it down an aisle without being accosted for our contact information. I would also say that my unscientific poll shows more Michigan fans than Ohio ones at this particular event!
2 days left to go. Let’s hope I’m still standing when it’s all over.