Now I'm Scared
I’m just back from the (ISC)2 Security Congress and I’m scared. I’m scared for two reasons. First, I feel self-pressured to get CISSP certified. From what I understand, the exam is intense and should require a large time commitment to master all ten domains — and I don’t have that kind of time (although I will find the time!). However, what really sent my blood pressure to dangerous levels is the feelings of vulnerability the event instilled in me.
This event was combined with the annual ASIS event, which means the exhibit floor was crowded with all sorts of paramilitary-type equipment and personnel. That, in and of itself, is intimidating, but what really ratcheted up the fear were the sessions filled with stories and anecdotes of all manner of security breaches. If the FBI, U.S. Senate, Visa and other Fortune 500 multinationals can suffer successful cyber attacks, who am I to think my stuff is secure!
I did in fact enjoy the conference. I learned a ton and met some great people, but I do have one complaint. Meeting those “great people” was difficult—the event was a lousy place to network. This was the first year (ISC)2 combined their event with ASIS. Among the 20K attendees only 800 represented (ISC)2. As a result I couldn’t find information security professionals to talk to at the networking events.
The people I had lunch and dinner with included the person in charge of security at Manchester Airport, a gentleman who ran an “executive protection” firm, a woman who specialized in vetting security clearances and, I kid you not, someone who wouldn’t tell me what he did (although he said he worked for Safe-Net). All nice people (maybe not that last guy) but not great for learning about information security — which is why I was there in the first place.
Also, while the exhibition floor was over 200,000 square feet, only a tiny portion was (ISC)2 booths. I have no interest in blast shields, Kevlar shoes or security cameras, and that was what took up almost all of the floor space. I did think the bulletproof mobile command center set up in the middle of the show floor was a nice touch though.
Combining the two conferences might have seemed like a good idea but it failed in the execution. Unfortunately, in talking to the (ISC)2 employees running the conference, while they acknowledged some of my complaints, overall they liked the opportunity to partner with ASIS. Maybe they will be able to address the networking difficulties in future shows. I hope so, as they are committed to next year’s ASIS event in Philadelphia.
I want to take a moment to call out the excellent session by Jonathan Fox and Leslie Lambert — bias warning: their session was programmed by the IAPP. The session discussed the importance (and major cost savings) of coordinating efforts of the IT department with the privacy department. Detailing their experience while they worked together at Sun made for an interesting lesson in resolving bureaucratic-type dysfunction.
After the session I introduced myself. As probably the sole CIPP in the room (aside from the presenters), Leslie asked if I thought the crowd was receptive to their message. I said, honestly, that I thought they heard the message loud and clear but that it’s a tough sell to get infosec professionals to want to bring outside opinions (the privacy department) into their workflow. I think she took some mild offense to that as a current CISO. She responded, “do you think IT people are inflexible?” Of course I didn’t mean that—well, not exactly. Anyway, if you read this Leslie, I didn’t intend to insult anyone!
Another surprising session came from Raj Goel. He gave a talk on the risks of not complying with FTC regulations. It ended up being a great primer on privacy topics. It was obvious he understood both the IT side and the privacy side, which is a relatively rare combination.
Even rarer is someone with that knowledge who isn’t already a member of the IAPP. Hopefully I convinced him to join. I also encouraged him to submit a speaking proposal for our 2012 Privacy Summit. He’s an engaging speaker so if you find a chance to hear him speak, go see him.
Finally, I want to highlight the scariest session of them all. Alan Brill did a session on cyber security. He’s a computer forensics guy at Kroll. This guy is the Stephen King of the information security world — a very scary presenter! I’m not exactly sure what I learned, but it will certainly make me more vigilant about the training I provide and the procedures I practice.