InfoSec World 2016 is now in the books. For the better part of a week, infosec pros took over The Contemporary Resort to discuss everything from building an incident response plan to leadership skills to active defense and trust. One-size-fits-all does not apply when it comes to security, since every organization faces distinct challenges based on its threat profile, industry, internal resources, architecture, external network, and more, but a few themes emerged throughout the event.
Come on, come talk to me
Security still has a problem when it comes to communication. System admins up through CISOs continue to focus on technical details when talking to other business units and even the Board of Directors. The business itself, however, is less interested in how many malware infections were stopped each month than it is in uptime, efficiency, and profitability.
During the CISO Leadership Summit, Michael Santarcangelo led participants through a series of exercises to help them understand why communication is not just the act of relaying information—that’s delivery. Effective communication is comprised of structure, substance, and style, and looking at each of these elements as the foundation of information delivery improves communication with the business.
Throughout the main conference the idea of improving communication with the business remained front and center. Lance James, in his opening keynote, talked about the “hacker persona” and how that subset of security professionals isn’t doing itself any favors by keeping others at bay. The best way, he shared, for security teams—including hackers and red teamers—to provide more value to the business is to focus on repairing broken communications with the Board, the CISO, and engineers.
With poor communication, security remains the thorn in the side of the business. When communication with the business is improved, however, security increases its ability to serve the business, providing valuable information that can help the organization avoid unnecessary risks or recover from incidents when they occur. InfoSec World 2016 speakers and attendees alike seemed to share in the desire to move past communication barriers and into circles of trust so they can work more amicably and closely with the business and towards a common goal of enablement.
A matter of trust
Trusted partnerships are a critical element of any security organization. We have to trust that the people on our teams are working towards a shared goal and not abusing privileges or rights that offer unfettered access to systems. We have to trust that the technology on which the organization relies is doing its job and won’t break or be broken. We have to rely on third parties, suppliers, employees, customers, and vendor marketing. How do we verify trust, though? The common saying “trust but verify” is a wonderful platitude, but what does it mean, really? How do we honestly verify that every party with which we work is trusted? Is it a checklist? A gut check? A vulnerability scan? A compliance report?
The fact is, in security it’s more complicated than any of those things. Our world is one of always-on interconnectivity, which means that networks, devices, applications, and people are inherently, continually linked together.
Today’s models for trust are not working, and because risk assessments are currently the primary way most security professionals determine trust, we must find new methods of risk modeling. Several presentations—“Risk Management is Dead: Long Live Digital Trust,” “Application Security: Maturing the Secure SDLC,” “Bridging the Gap Between Enterprise Information Security and the Business,” “Party of 3: Throw Away Your Old Risk Management Strategy,” and more—addressed new models for building better processes across the organization that help build trust. Rafal Los’ talk recommended security teams learn to build risk models that are aware, reactive, adaptive, purposeful, and strategic. Dave McPhee presented on how to combine people, processes, and technology to run security like a business, ensuring that security’s goals are aligned with the business operating model, support all aspects of the business, and remain resilient and flexible enough to adapt as the business changes and grows. Accomplishing these goals will help security become a trusted partner and, in turn, help the business determine what information, partners, and systems can be trusted to drive growth.
InfoSec World 2016 wasn’t all about soft skills. The security community remains keenly aware that the ability to successfully and effectively implement, monitor, and manage the SIEM, IDS/IPS, firewalls, honeypots, authentication, containers, SaaS/PaaS/IaaS, encryption, cloud storage, and the list goes on and on, is security’s number one priority. Without the ability to identify zero-days or analyze malware or correlate logs and see the anomalies, there is nothing to communicate. Attendees flocked to “The Secretive Zero-Day Exploit Market,” “Network Security Workout: All Your Defenses Should Be Active,” “Windows Servers and Active Directory Security Baselining and Monitoring,” “From Chaos to Control: Managing Privileged Accounts,” and other technical sessions.
Technology changes rapidly and new, promising vendor solutions are launched every day. Security pros know that it’s important to keep their skills fresh and their eyes on the prize: stopping attacks before they happen or, worst case scenario, finding problems before they escalate too quickly. To be a more effective business partner, security teams know they must build trust and communicate better, but none of that means anything if the technical acumen isn’t up to snuff.
As the technology landscape grows, introducing more avenues for exploitation, security must constantly learn and evolve. And because a staff shortage exists, it’s incumbent upon most teams to have a wide and deep base of knowledge; there aren’t enough bodies at most organizations to have specialists for every new device type, application, or area of the infrastructure. Security is a challenging field, and InfoSec World 2016 attendees piled into session rooms to hear the latest and greatest, from watching a compromise analysis to seeing the best open source tools for testing to hearing about a new model for implementing cloud security.
Let’s get it started
Plenty of fun was had at InfoSec World 2016, too. Deviant Ollam and The CORE Group conducted lock picking demos and a challenge on the expo floor throughout the event. Simon Singh, best-selling author of The Simpsons and Their Mathematical Secrets, presented a lighthearted and eye-opening talk then signed hundreds of books while attendees munched on donuts. Attendees said they loved the new round table track, and Joe Grand led the first-ever Hardware Hacking class at a MISTI event to great success.
InfoSec World 2016 achieved its goal of providing a fun, interactive learning environment for infosec professionals, and we look forward to 2017 when we can go above and beyond!