I won’t attempt to rehash the conference, except to say, if you have a chance to attend a BSides event, do so in great haste. Despite being free, they are worth every penny you could invest in visiting one. What a great respite from the RSA Conference!
What I do want to cover was a very interesting panel at the end of the conference. The panel included some great minds: Will Gragido; Josh Corman; Marc Eisenbarth; HD Moore; Dave Shackleford; Alexander Hutton; Caleb Sima. The subject was of interest since it drew quite the crowd: “State of the Scape: The Modern Threat landscape and Our Ability to React Intelligently”
But what came out of the panel as a result of some “heckling” on the subject of APT, Cloud Computing et.al. was priceless (kinda like a MasterCard commercial). It was not what I think the panel had planned or was expecting (but that’s the fun of a panel, and BSides). If you are a budding CSO or Security Manager take note:
- Don’t make people security experts. Make it easy for people.
- Make security accessible and something that people care about.
- Make it easier for programmers to program securely than it is to program insecurely (an example of Microsoft’s .Net work was offered as an example).
- Get out of the echo chamber where we only talk about security in obscure terms and treat everything as unique and terrifying. People need it to be accessible and simple.
Wow. This echos stories I’ve told for years, and stories that have been popping up around the world as I’ve been traveling the last year:
- At a conference I attended in the EU, the local CERT authority described a company who had spent millions of Euro on top-of-the-line security technology, and yet it was all turned off. It was turned off because users always looked for ways around it because it made their jobs too difficult if not impossible to perform.
- As a traveler do you enjoy the TSA security line, do you enjoy dumping out your entire belongings into a plastic tray for the world to peruse, being subject to numbing technology scans, and in the end a joyous pat down? Or would you prefer a simple process to ensure your flight is safe?
- Is it easier to teach programmers to write code void of SQL injection flaws, or is it easier for Microsoft to write .Net functions that make it more difficult to make direct SQL calls, thus significantly reducing the probability of someone writing code that results in SQL injection vulnerabilities? (P.S. Microsoft did the latter, hooray!)
Simplicity for all of us is the best way. Simplicity that anyone can use, and makes it easier for all of us to do things the right way rather than the wrong way. And that does not necessarily mean making the hard way painful by imposing fines, penalties or punishments.
So as a Security Professional I would highly recommend you take the following actions in your strategy, and tactics:
- Make security invisible – it shouldn’t get in anyone’s way, or stop them from doing what they need to do to get their job done. But it should be part of what they do.
- Remind people of what they value – so they can protect that. It may be the teenager’s pictures and music, it may be the accounting departments numbers, it may be the sales person’s leads, or it may be the IT infrastructure. Whatever it is, make sure the people who care about it are aware that you are trying to protect what they value.
- Look for methods that make security easier for users than the lack of security. Whether that is through technology that makes authentication easy (biometrics for execs?), or programming libraries that are inherently secure, or handling data easier to do securely than insecurely.
- Always give something back. If you find that a security control you have to put in place has an impact, be ready to give something back to the users. They will be more likely to comply if you can show that you care about their priorities (such as how they can get their job done successfully and efficiently).