So 2013 is here, and while I will not make any predictions, I’ve made it a point to make some personal changes. Starting with the new GrumpySec Podcast, which is turning into something awesome. We’re 3 episodes in and have had nothing but good feedback. I look forward to working with aricon and making it beneficial to what the community wants.
Also, I’ve made it a goal of 2013 to get back to blogging, and while I will try to limit the blogs to more technical and beneficial topics, I’d like to start with one that has kicked up my rage a notch for the industry.
Several of us have asked that conferences become more transparent in their selection process, which would provide speakers better feedback on why their talk was or was not accepted. The feedback would certainly benefit the speaker, so that they may learn from their mistakes and become better. This is a great first step in ramping up the quality of speakers and cons in general, especially the ones that are in it to generate revenue.
The issue I have is with the friends & family CFP selection process that weeds out good talks in favor of f&f who scrape together talks by grabbing talks that others have done at other conferences while adding no real value of their own. Take for example the following two abstracts, which were submitted to the same conference. One was done previously and one was accepted for the conference in question.
Which would you select?
“Defense In Depth” is considered by most to be a useless marketing trope that vendors used to sell you more boxes with blinky lights that showed you were “serious” about security. Forget that the boxes may or may not do what was advertised, may not provide usable data, or even fail open when they crap the bed.
Instead we decided to build The Perimeter. Higher walls, bigger locks, more money. That didn’t work. The Perimeter Is Dead, Long Live The Perimeter!
So what do we do now? What amazing boxes with blinky lights do we need to convince our bosses to fund next quarter?
In this talk I will posit that, more than likely, you actually have (or can easily get) most (if not all) of what you need to create an effective, pragmatic, and resilient security program. I will show that by changing our thinking, our perception of “Fail vs. Win” we can provide real value to our business.
It seems everywhere you look there are analysts and product/service providers promising you the magic bullet when it comes to securing your environment and lowering your risk. While some products might be better than others, nothing will help you with the basics, which seem to be where most of us are still failing. The presentation will focus on the concept of keep it simple stupid. It will dive into learning your environment and, more importantly, correlating that to maintaining the profitability of your organization. It will show you how to bypass all the blinking lights and build a cost effective security program that will inherently lower your risk. I will also be releasing the formal framework.