I spent the first half of Wednesday in talks about compliance, then spent the rest of the day enjoying San Francisco in the daylight rather than in darkness as I had the days prior.
First things first, I went to a talk on using PCI Requirements to help drive your IT Security initiatives. This focused mostly on the case study of one specific PCI DSS implementation and how the implementing team was able to finally get funding for common-sense security stuff in order to comply with PCI DSS. The company I work for doesn't directly do a lot of stuff in the Payment Card Industry, but it was an interesting topic with points that are directly applicable. In short: you can leverage compliance to drive security home with your executives.
The keynote for the day was from a forensic "cyber crime fighter" in the private sector. Glaring abuse of the word "hacker" aside, it was interesting to see the techniques used to help track malicious attackers, and interesting to hear about what techniques he's found in use "in the wild"... most of which boil down to social engineering attacks, and others of which were exploiting lack of policy enforcement or poor security policies to begin with. This further bolsters security awareness as a factor that people should be looking at when budgeting for security in the enterprise. The talk itself left me with the impression that the speaker is pretty clueless when it comes to what the "hacking scene" actually is and how cyber-criminals actually evolve. Case in point: most "curious kid in the basement" type "hackers" don't eventually progress into cyber-criminals, corporate spies and terrorists. I'm pretty sure his naive, presumptuous commentary offended more than 10% of the attendees, many of whom got our start in this industry as the curious kid in the basement, tinkering with our computers.
Last, I went to a talk on SOX compliance, how to streamline parts of the audit process, and how to understand business processes surrounding SOX compliance. It was relatively short and to the point, but a little bland.
All in all, I come back here to Kansas City with a few thoughts:
- The presentations and presenters were varied and for the most part entertaining enough to listen to for an hour to an hour and a half.
- There are some presentations I really wish I could have seen, and would have rather gone to in lieu of the ones I did attend, but I hit some presentations that are immediately relevant to my line of work. This was mostly to make my boss happy.
- Some of the presentations I attended specifically for my job carried very little take-away content that I can use. This makes me sad.
- The venue was nice. The accommodations were relatively lavish for the price (discount rate at the Marriott for conference-goers) and I really have a soft spot in my heart for San Francisco now.
- Maybe it's just me, but trying to network with thought leaders (what few were present) at ITSW was difficult and awkward. MISTI's attempt to add a few social elements here or there did NOT make this conference an event that fostered social interaction. Perhaps it was because managers and C-level execs have a different idea of networking than minions like me who work in the trenches all day long.
- It "SOXs" to get thrown headlong back into audit stuff after being in San Francisco for 4 days. :P
In closing, I must say that I would not pay my own way for this conference, even if I were working for myself as a security or audit consultant. I wouldn't mind going on the company's expense account again, but I'd likely eschew the talks that have anything to do with audit and compliance next time. I can honestly say I learned more and made more valuable contacts and friends via DefCon and the SecurityTwits list than anywhere else so far.