Hallelujah, it’s the last day!
Being the last day, it meant some morning sessions that were remarkably well attended, then some really great afternoon keynotes designed to keep people in their seats. Nicely done, RSA conference organizers.
So, in the morning, it was metrics, metrics, metrics (and measurements). Here are the themes:
– Metrics measure services, and link to the organizational mission
– They measure the underlying pieces of services: People, information, technologies, and facilities
– For security, metrics at some level measure “How Secure Am I?” “Am I Secure Enough?” “How Secure Do I need to Be?” “What would change if I was more secure?” “What Is the Business Value of Being More Secure?” and most importantly, “SO WHAT”.
– Metrics are only valuable if they inform decisions, affect behavior/actions, and determine improvements
– Metrics should: guide decision making, guide variance (aka compliance) measurement, guide loss exposure
– Benchmarks against peers may also be known as the “Lemming approach” or “Regression to the Mean” – in other words, benchmarking works if you are starting from scratch, but can sometimes be used to replace critical thinking about what is important to an individual business.
So, that was it for the really Security focused sessions. Which brings us to the last Keynotes of the conference.
The first session was “Hugh Thompson and Friends”, discussing the intersection between predictive analytics and the implications for privacy. The first “Friend” was Dr. Angela Duckworth from UPenn, who has worked out a 10-question measurement of “Grit”, used to predict success and measure passion and perseverance. It is used at West Point to determine who will stick out the program (25% of entrants drop out), and who will last. If you will, this measures “Top Talent”. I won’t tell you what my score was, but the good news is you can learn to model your behavior after people with “Grit”:
– Be Specific about the skills you want to sharpen
– Work on fixing your weaknesses, not improving your strengths
– Work in your discomfort zone
– Get feedback often and early
– Be loyal and steadfast to your goals
Then, Dan Geer came on to discuss more of the predictive analytics in a security sphere. Most interesting assertion: that de-identification (anonymizing data) can be reversed – always. The implications for big data research are significant. Here was another zinger: Knowledge is power. We are creating knowledge. Where does the knowledge/power go? Here’s another thought: it is cheaper to keep data forever than to selectively delete it (which is what our current records retention policies require). Private industry keeps data long enough to work out that the data cannot be monetized; government keeps data as long as it can afford to store it. “The right to be forgotten” is not achievable. (Ominous music plays in the background.)
Lastly, and by far my favorite, Stephen Colbert was the final speaker, and was predictably hilarious. He noted that he has created a new company called “CloudFog” – look for it in a store near you. I leave you with his thought:
“There is no greater threat to our security than not knowing where the money goes, and not voting.”