major.io words of wisdom from a systems engineer

Thoughts on RSA Conference 2013


This year was my first opportunity to attend the RSA Conference and I learned an unbelievable amount inside and outside the sessions. Here are my takeaways from the conference:

Be flexible and raise awareness

BYOD was a hot topic at this year’s conference and I was fortunate enough to sit in on a Peer2Peer session with 24 other attendees. One security team member from a large company talked about how they reduced their stress level and increased their effectiveness by focusing on securing the data rather than trying to secure every single device on their network. It seems trivial at first, but after additional thought, it really makes sense. Allowing every single device ever made onto your network might not be an option, but there are many actions we can take to make it more difficult for untrusted machines to access sensitive company data.

Security awareness was talked about often. No matter how much a company spends on security products, a single user clicking on a phishing email can open the door for attackers. It’s critical to make security awareness real by making it personal. When users think about more of their actions before taking them, the overall security of the business increases. One of the speakers made a good point that the job of a corporate security team in 2013 is to keep the business secure while allowing employees to soar and do what they do best. The days of blocking access to everything are over.

Maintain and constantly re-evaluate focus

Securing your entire company isn’t possible, so put your focus on the things that matter most. Wrap security around the most important data you have and shore up security in the areas where you are threatened most often. A presenter noted that everyone has legacy baggage in their companies, but the stronger companies think about the baggage they leave behind before they create it.

Follow your users

The whole idea of encouraging collaborative security between corporate security teams and the business seemed to surprise attendees the most. One of the talks pushed security departments to learn about what users within the company are doing and how their needs are evolving. This allows security teams to shift focus, modernize, and provide useful, secure alternatives for employees.

Bring outliers into corporate security

The most moving talk I attended was from Winn Schwartau, titled Solving the Cyber Security Hiring Crisis – Hiring the Un-Hireable. He gave a no-holds-barred talk about the “hiring crisis” in information security, which he attributes to our looking for the wrong types of people. Winn claimed that we’re looking for clean-cut people for corporate security while we should be considering a larger applicant group. His critical point was that deception should be one of the few reasons (other than lack of skills) for not hiring someone, and he offered up several questions to ask to look for deceptive behavior. Questions like “How many times have you hacked illegally?” and “Do you illegally download music or movies?” worked well in his experience.

He ended with a quote that I must emphasize:

If it’s important, you’ll find a way. If not, you’ll find an excuse.

Summary

Overall, the conference was well worth the trip. The delegate pass price was quite steep, but there were tons of conference organizers and security guards who were happy to help attendees. There was rarely a time when sessions were scheduled and none of the available sessions interested me. It was an awesome experience to see Vint Cerf in person, and I’d recommend taking the time to listen to him talk if you ever have the opportunity.

As a side note, I noticed that security awareness among conference attendees was extremely poor. I’ll save that for another post.