Recently in Events Category

With the end of July close by and the beginning of August looming at the end of my calendar, the Black Hat and the Defcon conferences are rapidly approaching. For me, it is the time of year where I get to hang my suit and put on simple clothes to go hang out with many of my friends in the security arena. As an added bonus, I get to attend some world-class caliber talks about new types of attacks, new tools and generally a new refresh about what we are up against. Anyone who is serious about making a career in information security should attend both conferences at least once.

The stuff I do for a living is guiding my organization to be successful at keeping its valuable information assets secure. To do that, my days mostly revolve around a combination of meetings in which we talk about developing and implementing security strategy, setting and implementing policy, working on things like vulnerability scanning, patch management, network situational awareness and managing security incidents. There is a lot more, but that's not all that relevant right now ;)

Whenever the big summer conferences approach, the technical side of me starts to speak up more. Suddenly, I want to be more involved with activities such as penetration testing, forensics, real-time log analysis, etc. I typically start annoying the people who are responsible for daily operations when that happens, but as it is the law of the land, I generally win those fights and I get to scratch my itch.

This year is no different, but as things go, I just cannot find the time to get my hands dirty. The closest I was able to do was throw out a few Tweets in which I stated that solving non-tech challenges is rewarding, but in the end it comes down to hard-core tech. No CISO should ever forget that. I also said that a well-designed and well-built network in a poorly run organization still has a chance of being secure. The other way around, not so much. In a private tweet, I also said that developing and implementing policy is critical too, but that having a great policy without the technology to back it up is a guaranteed fail, while, with a good technological infrastructure to work on, technology without policy will work for a while.

Now, to pull out a cliché, as a CISO, it is my job to balance technology, processes and people to navigate my organization to a point where its residual information security risk is of an acceptable level. It is important to realize that all three P's are necessary to be truly successful, but if I had to pick, I would much rather work in an organization that has great technology and knows how to use it, but may be weak on the policy/people end, than work in an organization that is driven by handbooks, policy and procedures, but is weak in technology and people.

Slide decks posted


The month of April was a month in which I had three public speaking appearances. It started out on April 16 when I addressed the New York Higher Education Technology Forum at Hofstra University. The talk tried to drive home the point that all this Cloud stuff is all nice and fluffy, but that we, as cloud consumers, must make sure that our vendors deliver better service for less money. If we fail to do that, we are not making any progress, and Cloud will just be another concept that is doomed to fail.

The second talk was on April 20 at SOURCE Boston, where I was in the fortunate position to mentor a panel about career development, and especially about the role that mentors play in that process.

In the third and final talk, on April 29, I addressed a gathering of non-technology people about the risks of social networking, and how to mitigate the risk for themselves. The most important point that I tried to make in that presentation was that on social networks, people may actually read what you write.

Both presentations are available for download, although they might not do you much good without the narrative.

SOURCE Boston professional development

SOURCE Boston is one of my favorite information security conferences. It is not to say that other conferences are not good, but SOURCE has the benefit of being relatively close by (New York - Boston is not that far), and the conference is not massively large. As a result, there is excellent interaction between the crowd and the speakers, which is something I appreciate a lot.

Unlike last year, I will most likely not be presenting a full talk. Instead, the organizing committee has asked me to design and moderate a workshop on professional development. Of course, I accepted this invitation gladly, and we are now working to design the session.

To get started in the information security field is not easy. As shrdlu put it recently, information security is a highly specialized craft and practitioners need to get their feet wet before they can truly transition into it. The session at SOURCE Boston will be highly interactive. We'll begin with a 15-minute panel session that should set the stage for the remaining time.

The remainder of the time will take the form of a workshop in which we'll discuss topics like setting realistic goals, identifying relevant work opportunities and building a personal network. We'll also talk about what it is like to be a mentor, and what it takes to be successful as one.

We hope to cover an audience that may range from graduating college seniors to individuals who have been established in a professional environment. If you are interested in learning more, or if you have suggestions to make this session even better, please drop me a line and we'll talk.

More information about SOURCE Boston is available on its web site.

ICCS 2010


Like last year, Fordham University and the New York FBI office are co-organizing the International Conference on Cyber Security. The conference will be held in August in New York City. If the program resembles last year's, it is going to be an interesting event for anyone who works for/with law enforcement on cyber-related cases, and for security professionals with an interest in investigations.

The ICCS 2010 web site is located at http://www.iccs.fordham.edu.