I'll have a big, huge link dump to our Delicious Page for a LOT of the links I got over the course of the conference, and they will show up via RSS if you're subscribed to our feed.
Groggily, I attended the Security Awareness talk first thing this morning, whilst drinking my first batch of tasty, french-pressed Nitro. During my time as a penetration testing consultant and in my current role in internal information security, I am constantly amazed by the lack of comprehension that people have surrounding security. Irina Piven from the US Federal Reserve Bank discussed many topics that have worked well for her organization. This includes frequent Reminders and training, security awareness posters and even interactive games.
After some light brunch, I went to Paul Glen's keynote on Leading Geeks. This was among my favorites of the day. While I don't plan on becoming a manager right now, I do often find myself in less obvious leadership roles. Here are some of my favorite points:
- Geeks are different from most other workers
- Geeks like hierarchy, they just don't like YOUR hierarchy (that is to say most prefer meritocracy over progression based on loyalty or longevity of service)
- Geeks are more loyal to their technology than they are to companies or managers
- Leaders can't provide intrinsic motivation, they can only provide a work environment that nurtures geeks' interests.
- Leaders should choose people who are going to be interested in a project, not those who have the most experience or most skill. Geeks acquire skills very quickly when they're interested in something.
Before lunch, I saw Craig Wright (who I met yesterday) talk about record and document retention and destruction as it pertains to various laws and regulations. This talk couldn't possibly go on without mentioning Anderson and the Enron debacle, but it drove a few good points home:
- You must have a document retention / destruction policy.
- You must try your darnedest to follow that policy, or else you'll have a hard time convincing the court that you really care about your documented policy
- Laws are always subject to interpretation by lawyers, jurors and judges.
- Tort law AND regulatory compliance both matter
I met Ira Victor (co-host of Information Security Podcast) over lunch. That was a pleasant surprise. We talked for a while about conventions and geeky stuff (like blogs and podcasts).
After lunch, I attended Terry Behrens' talk on Identity Management. As IDM is a significant part of my current day job, I felt obliged to hit this talk. In a way, I'm glad I did. I really felt that the presentation of the content was lacking. This talk focused on the technical details of a "roll your own" IDM Solution. That might work if you're building an enterprise from the ground up. It did a good job covering IDM Mechanics, but provided very little information for me to take back to the mothership. Oh yeah: most of Terry's "slides" were pre-drawn sheets of newsprint on an easel. An easel is great for making on-the-fly diagrams or fostering interaction with people in the session. These were used in lieu of power-point slides. I'd pretty much consider that a sin at a conference like this.
I finished up the training today by going to George Dolicker's session on making Information Security a business process. George is CISO for Lenovo (you know, the laptop guys!) and he's put a lot of effort into public speaking. I can tell. There's way too much information for me to even scratch the surface here, but his presentation was easily the one with the most immediately-applicable information. I barely took any notes, because everything was covered well in the slides. Even though a lot of the information covered was for Director and CxO-level people, my favorite points are:
- Give "Yes, and [insert challenges here]" instead of "no, because..." answers
- Like brakes on a car help it go faster safely, security can enable business processes if used properly.
- Planning only for worst-case scenarios usually leaves a huge gap in business continuity
It was a pleasure to meet all of the speakers today. Some provided a lot more useful information than others.
All in all, today lacked a lot of serious technical content but was still very rewarding.
Again, links will come in time (it might be a few days) and I'll probably have a final ITSecWorld post on Thursday or Friday. Tomorrow will be a light day with only three sessions. Stay tuned!