The RSA 2014 Conference took place in San Francisco February 24-28. It’s the top gathering of information security and risk professionals in the world, with over 25,000 attendees. I had the privilege to attend (and lead a CISO panel). While I was there, I used Twitter (@ronw123) to record my thoughts on the sessions and events. Below is a snapshot with commentary:
Security awareness and education were a common theme throughout the conference. The industry is finally realizing it’s about the humans, and people will always be the weakest security link.
Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about “Social Engineering: When the Phone is More Dangerous than Malware.”
Jack Jones (@JonesFAIRiq) had a great presentation titled “Ending Risk Management Groundhog Day.” He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010). Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.
@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”
@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.
Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà vu all over again.
@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.] @SpireSec just mentioned the Hand Rule (see http://en.wikipedia.org/wiki/Calculus_of_negligence).
So few security / risk professionals know anything about it.
@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.
@csoandy: “The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security
NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. Of course, this generated a few comments:
#RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.
The National Cyber Security Alliance (NCSA) held a Twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.
Of course, one of the hot topics was NSA Surveillance:
“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke
We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see http://bit.ly/MZJVrQ.
Last, but hardly least, is my frustration during the opening keynote at attendees spending their time on their devices instead of meeting others.
#RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
These are my quick, but not complete, thoughts. No doubt they will lead to many blogs in the future.