Recently in conferences Category

RSA USA 2017 In Review

Now that I've had a week to recover from the annual infosec circus event to end all circus events, I figured it's a good time to attempt being reflective and proffer my thoughts on the event, themes, what I saw, etc, etc, etc.

For starters, holy moly, 43,000+ people?!?!?!?!?! I mean... good grief... the event was about a quarter of that a decade ago. If you've never been to RSA, or if you only started attending in the last couple years, then it's really hard to describe to you how dramatic the change has been since ~2010 when the numbers started growing like this (to be fair, YoY growth from 2016 to 2017 wasn't all that huge).

With that... let's drill into my key highlights...

In preparing for my Cloud Security World 2016 talk, "Automagic! Shifting Trust Paradigms Through Security Automation," I did a lot of thinking about what can be automated, how to automate, and how to demonstrate and measure value around all that jazz. It occurred to me, however, that perhaps I was looking at those questions all wrong. Is it really a question of whether or not something should be automated, so much as it's a question of what shouldn't be automated?

At first blush, this may seem like a silly way of thinking about things. After all, it's probably still too early to talk about automating, well, just about everything, right? As it turns out, this isn't the case. Not even close. There are so many ways to automate many of our standard development, operational, and security responsibilities that I'm actually surprised we're still hearing complaints about inadequate hirable resources and not instead hearing complaints about too much automation stealing jobs.

That said, there are certainly several areas where automation requires human involvement, either as a fail-safe, or as a manual process. Here are a few of those categories and a little information on why fully automating is at least premature, if not an outright bad idea.

RSA 2015: Security Mega-Con!

It was another record year for the RSA Conference USA, with a reported 33,000 attendees (an increase, I believe, of 8-10k year-over-year). This year also saw the first truly full-scale double-expo event with both Moscone North and South sporting packed expo spaces with more vendors than seemed possible or reasonable. Impressive growth for our industry, to be sure, though as always in many ways it raised more questions than it answered.

Due to limited personal funding, my trip was short (Tu-Th) this year, so I missed out on the DevOps Connect event Monday, which I heard was phenomenal. I also didn't get a chance to look at Innovation Sandbox, though given prior year experiences I wasn't too disappointed. I did wish I could have caught Amit Yoran's first opening keynote as RSA big chief, but alas it wasn't to be...

(Note: To be up front, two things to bear in mind: 1) Yes, my talk was selected for this track. 2) I started this piece before selections were announced but held off on publishing until after selection announcements were made as I wanted to see how things played out.)

For the first time, the RSA Conference US 2015 has added a track for crowdsourced talks (original announcement). This track provided an opportunity for submissions to be voted on by the population at large (not just registered attendees), which I found to be very cool. For me, it provided a great opportunity to see if my proposed talk title resonated with people.

Overall, I'm very excited about this opportunity and advancement. The process wasn't perfect by any means (see Britta Glade's reflective post on changes for next year), but overall the outcome appears to me to be a good selection of new talks.

Of course, there were a couple nits, including active ballot stuffing (see one submitter's "theoretical" description - unsurprisingly, his 4 talks held top-5 ranking on the leaderboard throughout voting... and he's not on the final speaker list).

What I found most egregious, however, was the glut of vendor talks, many of which failed to even try to appear like something other than shilling (I mean, come on Ken Levine, do you seriously expect us to believe you'd give a talk on "why DLP sucks" and not distinguish "except for my company" given your position as CEO of a DLP company?). This is why we can't have nice things. What was created as an opportunity for talks to be included in the program that might not otherwise get noticed or accepted ended up looking like a race between vendors to see whose marketing team and customer base could stuff the ballot box better. *sigh*

The good news is that the judges did an excellent job following-through and making sure that selected talks represent a reasonable value proposition (no shilling!) for attendees. Big kudos to the judges for not being afraid to dive down into the vote rankings to pull out what appears to be a really awesome list of presentations (here's the final list).

Now it's up to attendees to help make this track truly successful! I hope that everyone registered to attend the conference will come spend some time in the crowdsourced track to support speakers, whether you voted for them or not. If you want to have your voices heard, then participation and support for innovating new approaches is critical!

I look forward to catching up with everyone in San Francisco. I'll be there Tues-Thurs (including, of course, speaking at 9:10am PT on Thursday). Ping me on twitter (@falconsview) if you want to coordinate crossing paths. :)

RSA 2015: A Quick Trip

Just a quick note, mainly to let you all know that I'm still alive and that this blog will start having content again soon. First, though, I'm finishing getting up-to-speed on things in my new gig with K12.

In the meantime, I am pleased to announce that I will be at RSA US 2015 in April, at least for a few days. I'm flying out to San Francisco on Tuesday, April 21st, and will plan to stay through at least Thursday, if not Friday morning.

Toward that end, you can help me out (a LOT) by voting for my crowdsourced talk submission. To read full details and indicate your support (please!:), go here: Automate or Die! How to Scale and Evolve to Fix Our Broken Industry.

Where I'll Be: Spring/Summer 2014 Events
A quick post... I'll be traveling a bit this Spring and Summer to speak at a number of events. For non-Gartner events, we're actively looking for GTP sales opportunities, so if you've been thinking about getting a subscription to Gartner for Technical Professionals, this could be your chance to meet face-to-face to discuss! :) For Gartner events, I will be available for 1-on-1s, as well as sales support as needed.

Continue reading here...

RSA 2014 Round-up: From Predictive Analytics to Denied Taco Service
One of the most challenging aspects of attending RSA each year is not just attending, but also recovering from, RSA each year. :) It occurs to me as I finally get this recap post drafted that it's been almost two weeks since I returned and am only now getting a chance to put virtual pen to virtual paper to share my thoughts from the event. So, here goes... :)

Continue reading here...

RSAC 2014: Buyouts and Boycotts and Allegations, Oh My!
Unless you've been living under a rock, you've undoubtedly heard about the various revelations from the Snowden files, with which he absconded from the NSA. In a Reuters article last year it was alleged that RSA - the namesake and official owner of the RSA Conference (RSAC) - had accepted a single payment from the NSA to prominently place a flawed algorithm into their BSAFE crypto library (read more here). RSA has denied those allegations.

Continue reading here...

GBN: "A Few Thoughts on the NIST CSF"

A Few Thoughts on the NIST CSF

"Pre-dating my joining Gartner, I am currently co-chair of the Information Security Committee within the American Bar Association's Section of Science and Technology. This blog post was triggered by conversations that occurred at the Fall 2014 ISC meeting, which was held over the weekend of October 26-27 in Washington, DC. The ISC also traditionally meets the Saturday and Sunday preceding the RSA USA Conference, as well as contributing content to the Law Track of that event.

"NIST last week released the most recent draft of the Cybersecurity Framework (CSF), providing an opportunity for public comment. This document was triggered by an Executive Order issued earlier in 2013 by President Obama, and is the result of the combined efforts of NIST, DHS, and industry contributors."

Continue reading here...

3 Prior Talks Posted

With my transition to Gartner, my days of freelance public speaking will now be strictly limited. As such, I've decided to upload the presentation decks from some of my recent talks. You can find them on SlideShare as follows:

Title: Interesting Times: Will Business Survive?

Description: Cloud computing. Mobile computing and Bring your own device (BYOD). Global collaboration and communication. Big data. Governance, risk management and compliance. Rapidly escalating regulatory requirements. The world is changing faster than we can keep pace. Attackers evolve methods more rapidly than we can develop defenses, amplifying the asymmetric threat. These are, indeed, interesting times. The question is not how to win, but how to survive in the ever-changing risk landscape.

Title: Manage Your Risk, Not Somebody Else's

Derived from: SC Magazine article "Manage your risk, not somebody else's"

Description/Abstract: More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space, and they're getting crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations reduce business risk and help improve business resilience? Just whose risk is really being managed? This presentation will discuss cost effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.

Title: Talk Pretty: 7 Easy Steps to a Better Presentation

Description: This is a firetalk that I threw together after attending ShmooCon a few years ago and being thoroughly disgusted by the incredibly terrible quality of presentations. I've given the talk a couple times. It's intended to last about 10 minutes total and should be relatively self-explanatory.

About this Archive

This page is an archive of recent entries in the conferences category.
