Dive into Deep Conversations at Peer-2-Peer Sessions at RSAC 2015

Posted by Fahmida Y. Rashid

At RSA Conference, you can meet in a group to explore a specific security topic in-depth as part of a Peer-2-Peer session. Wondering which conversation will be the most relevant to your job role and concerns? We asked each session facilitator to provide a short summary to help you decide.

This post highlights five P2P sessions (scroll down for answers). Links to other session summaries are at the bottom of the page.

  1. Third Party Supplier Governance – Secure the supply chain 
  2. Mindfulness: Leadership from within 
  3. Behind Enemy Lines... Security in a Hostile Environment
  4. Operationalizing Threat Intelligence
  5. The Evolution of Threats Targeting Industrial Control Systems

We also included some questions to get you started thinking so that you come to the session prepared with some thoughts. 

Third Party Supplier Governance – Secure the supply chain (P2P-R03B)
Who should attend?
This session will benefit attendees who are accountable for managing security services delivered through third-party supplier relationships, for governance of security suppliers, or for designing solutions that will use third-party services, as well as audit professionals and managers involved in understanding the information security risks of engaging third-party suppliers. Potential job titles include: Security Managers, New CISOs, Enterprise Security Architects, Security Architects, Procurement Professionals, Project Managers, Head of Security, Head of Security Governance, Third Party Risk Attestation Managers, System Auditors, Auditors.

Why is this topic important?
Sharing information internally with staff and contractors, and externally with customers and suppliers, is integral to most organizations’ daily operations. However, sharing increases the risk to the confidentiality, integrity, or availability of data. Securing data throughout its lifecycle and across the supply chain is ultimately the responsibility of the engaging organization. Yet as governments and organizations share valuable information with other parties in their supply chains, they often do not know how, or even whether, this data is being protected by their suppliers, or by their suppliers’ suppliers in turn.

What should attendees think about?
Attendees should think about how well they know their information supply chain, what trust parameters are in place for it, and how the required controls and assurance parameters are defined. Where are the controls defined? Attendees should also consider the privacy and compliance obligations of their information supply chain.

What will attendees walk away with after the session?
A discussion of multiple models of third-party supplier governance in line with changing industry dynamics and the rise of cloud, including how the organizations represented in the room are undertaking third-party governance and securing their information supply chain, with attendees sharing experiences and lessons learned. “The attendees will be able to walk away with an appreciation of the varied approaches that have been adopted across Europe, Australasia and the Americas in relation to securing organizational data assets across the supply chain,” says Puneet Kukreja, senior security advisor at National Australia Bank and facilitator of this session.

Mindfulness: Leadership from within (P2P-R04B)
Who should attend?
Attendees who would contribute the most are those who have a mindfulness practice of their own, and are pursuing ways to expand that practice to the workplace to reap even greater professional benefits. Having said that, anyone interested in the topic can (and will) find value and add value here. The right mindset is one that fosters flexibility, to open the door to traditionally uncommon workplace practices for proven results without forcing any specific beliefs or philosophies on participants. “Mindfulness is not about religion or dogma, it’s about mental mastery and freedom through simple practices,” says Jennifer Minella, vice-president of engineering and Consulting CISO of Carolina Advanced Digital, and facilitator of this session.

Why is this topic important?
Managing stress, increasing adaptability and mental flexibility, and enhancing awareness are important for all people—not just those of us in the information security industry. However, we certainly provide a unique petri dish for the tonic of mindfulness practices. In our industry, most professionals are in a job they’ll never win, and in a role with no positive proof of success. “The stress of only knowing when you failed (after-the-fact usually) can be overwhelming, and mindfulness really is the little black dress of managing stress,” Minella says. It’s simple, effective, and goes with everything! We know we make poor decisions when we’re under stress, so the industry as a whole stands to gain a great benefit from these practices that will help us reimagine situations, surmount impasses, and be pro-active instead of re-active.

What should attendees think about?
“We’d encourage each attendee to think about his/her own story and path. If they’ve integrated mindfulness into their lifestyle, it will be good to reflect on how they arrived there, and how they overcame their internal resistance to changes like this,” Minella says. For those who haven’t jumped on the mindfulness wagon, a similar reflection will let each person understand ahead of time what their resistance has been (or will be) to these practices. Thinking this through before the session will give everyone the opportunity to look at themselves in a mirror before debuting their thoughts on stage.

What will attendees walk away with after the session?
“Mike and I always say ‘if we can affect just one person, it was a success.’ We hope our session attendees will step out of the room, ready to lead by example, prepared to overcome whatever resistance they still have, and be committed to pushing forward,” says Minella. Continued forward movement – continuous improvement of self and surroundings – is an outcome that scales and can be taken as fast or as slow as is comfortable!

Behind Enemy Lines... Security in a Hostile Environment (P2P-R04C)
Who should attend?
The attendees who should receive the most value are security architects and operations managers at international companies, specifically those who manufacture or hold other intellectual property (IP) in countries with differing laws on IP. We also want to hear from companies that have already faced this challenge.

Why is this topic important?
It’s important to be aware of the risks involved and how to mitigate them. It is easy to look at the cost of manufacturing in these countries and, from a business perspective, want to move manufacturing there. But the cost of securing IP and mitigating the risk needs to be included in the total cost of manufacturing.

What should attendees think about?
Think about what intellectual property really does need to be in country for manufacturing, and in what ways business processes can be changed to reduce risk. Too often people assume they need to throw more technology at a problem when, in reality, the solution might simply be to change the way you do business.

What will attendees walk away with after the session?
“I personally hope to walk out of the session with some ideas for working in these countries, what others have done. I would also love to make some contacts so that we can continue to share after the conference is over,” says Don Kendrick, enterprise security architect at Altria Group and facilitator of this session. 

Operationalizing Threat Intelligence (P2P-R04D)
Who should attend?
The target audience for this session is anybody who has responsibility for using, or interacting with activities related to, threat intelligence. This includes analysts who use threat intelligence, companies or individuals who generate it, and executives who sponsor threat intelligence initiatives. This session is largely about what threat intelligence is available, the data it contains, the techniques and opportunities for using that data, and how people in the industry are using it (either natively or by leveraging other tools and products).

Why is this topic important?
There is a lot of buzz about threat intelligence. “The buzz itself is not important, but it is generating a lot of confusion around what this data is, what it represents, and what the purpose or expected outcome of using it may be,” says Brendan Hoffman, CTO of Lumeta and facilitator of this session. Security experiences large waves of hype around specialized technology and information, and cutting through the volume of dramatically different claims about a single topic can be very challenging. On this topic specifically, people grant security some extra consideration because they are more sensitive to the fact that we are in a “cyber war”. As with any war, intelligence is key to tactics. The only difference with cyber is the ubiquity of the battlefield.

What should attendees think about?
There are several topics that would be helpful to consider in advance:

  1. Using the data: Are you using threat intelligence right now? If yes, what type of data and how are you leveraging it? If no, are you planning to and for what reason?
  2. Integrating data: Regardless of the response above, what security controls are in place that could be enhanced by leveraging threat intelligence?
  3. Efficacy of the data: Is your threat intelligence stream timely? Traditionally the best intelligence is intelligence nobody else has or knows you have. Does the fact that threat intelligence is widely published and can be subscribed to reduce the efficacy of the data intrinsically?
  4. Perspective of use: Should this data be used to enhance your defensive posture, offensive posture or somewhere along that spectrum? 

What will attendees walk away with after the session?
Attendees will come away with enhanced knowledge of what threat intelligence is and how peers in the industry are using this information. They will understand the benefits of using this data and whether current methods have been effective. Attendees will cut through the marketing to determine what unique trends and options exist, consider different ways to use threat intelligence, and define how to measure the benefits of using it.

The Evolution of Threats Targeting Industrial Control Systems (P2P-R02C)
Who should attend?
Ideally attendees will have a mix of backgrounds from enterprise IT and control systems, and be interested in understanding how their counterparts in each domain view cyber security. The session is aimed at technical and operations-oriented staff, and their direct management: the people whose principal job is to make either IT infrastructure or OT (Operational Technology) infrastructure work. On the IT side, "System Administrator", "Network Administrator", and "Security Analyst" would be examples of titles I would expect. On the OT side, "Control Engineer", "Operations Specialist/Technician", "Plant Manager", and "Chief Engineer" are what I would expect. The topic space is sufficiently broad that anyone with a technical skill set in either system administration or process control will be able to contribute, in addition to those responsible for security policy and procedure.

Why is this topic important?
Critical infrastructure is a unique vertical in information security, with many of the same risks as traditional IT systems plus new risks specific to process control. The cyber-physical interface allows computers to directly affect the real world. Digital control of the physical world permits unique failure modes, with consequences more significant than those of a similar breach in an enterprise system.

What should attendees think about?
Process control operators and engineers frequently argue that IT staff don't understand their unique requirements. IT staff counter that OT professionals aren't familiar with the latest best practices of cyber security engineering. “It's my position that they're both right, and that there's plenty of lessons that OT can learn from IT but that those lessons need to be tailored for a different application,” says Frank Marcus, director of security technology at Wurldtech Security Technologies and facilitator of this session. Attendees should think about their counterparts' perspective on threats, risk, and impact, and why the two views are not always aligned.

What will attendees walk away with after the session?
A better perspective on the threats and risks to the security of critical infrastructure, and on how to achieve business goals while protecting the integrity and safety of the process.

Check out P2P sessions in parts one, two, three, four, five, and six. We look forward to seeing you in San Francisco!

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
