Are you thinking about attending any Peer2Peer sessions at RSA Conference this year?
Peer2Peer sessions are group discussions around specific security topics, where participants get the chance to dig deeply into a topic that they care about with a group of peers. This year we've once again asked the discussion facilitators to help explain what you can expect from their sessions so that you can choose the groups and topics that will be most beneficial and interesting.
This post features the following six sessions:
- Application, Network and Infrastructure Vulnerability Management
- Enterprise Security Concerns for Consumer IoT Devices
- The Impact of Security Megatrends on Your Infosec Program
- Cyber-Insurance as an Integral Part of Your Cyberrisk Management Strategy
- Advancing Information Security Strategies in Higher Education
- How Do You Detect Attacks?
1. Application, Network and Infrastructure Vulnerability Management (P2P2-W16)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
Those responsible for vulnerability management, both infrastructure and application, would benefit, as would those responsible for interacting with development teams.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
As an industry, we are very focused on finding vulnerabilities. However, the real value comes when the right vulnerabilities are actually fixed. Many organizations have had some success creating a process for handling network and infrastructure management, but those same organizations often lag behind in maturity when dealing with application vulnerabilities.
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
Prior to the session, it would be great for attendees to think about the process(es) they have for managing various types of vulnerabilities as well as the metrics they use to judge the level of success of those programs.
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
Hopefully attendees will leave with new ideas for changes they can make to streamline both infrastructure and application vulnerability management, as well as metrics they can use to better characterize the maturity of their program and the health of their practices.
2. Enterprise Security Concerns for Consumer IoT Devices (P2P1-R12)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
I believe that there are two polarized personas that would benefit from this discussion. The first is the leader or member of a team/organization responsible for creating/maintaining policies on what devices are acceptable. Many organizations are still using their BYOD policy—which only discusses early 2000s Blackberry devices—as a “catch-all” for IoT security. The people I would expect to encounter in this session would be individuals with a management-level or supervisory function.
The second persona is the in-the-trenches security practitioner who is responsible for monitoring the organization’s network for threats and responding to operational issues as they arise. This could be a security analyst, incident responder, or forensic analyst.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
My own research has shown a surprising proliferation of consumer-oriented IoT devices—such as webcams, connected hard drives, smart televisions, and toys—popping up in highly regulated industries. These range from one or two person “Mom & Pop” shops, to large hospitals, to Fortune 50 oil and gas companies. These devices are penetrating our networks and very little is being done to evaluate or secure them before allowing them access.
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
I’d like attendees to ask themselves the following questions:
- “If someone brought a new IoT device into my network, would it have the ability to connect out to, or accept connections from, the Internet?”
- “Would we be able to detect its presence using our existing security controls and tools?”
If the answer is no to either of these questions, don’t worry, you’ll meet like-minded individuals with the same problem at this Peer2Peer session.
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
My hope is that attendees will walk away from this session with a better understanding of just how prevalent consumer IoT devices are within their organization. The aim of this session is not to scare people. Instead, I’d like attendees to share their respective suggestions on how to better prepare an organization for the introduction of these devices and how to manage any subsequent security issues that may arise.
3. The Impact of Security Megatrends on Your Infosec Program (P2P3-W07)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
For the Megatrends session, I'm looking for attendees from across the organization, but specifically those involved in Infosec Strategy for organizations, InfoSec Architects, Infosec R&D and similar thought leaders. But I'm also looking for those who are thinking about the implementation and operational processes and systems that might address those Megatrends.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
Every year between November and RSAC, we see top 10 lists from various sources—do those help? Is it valuable to have someone stepping back and providing a perspective on what's happening and what's coming over the next year? I'm curious how individuals and organizations use those Megatrends. What would be more valuable for those behind Megatrends to do for the attendees?
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
I'd like them to think about two things:
- Which Megatrends they've seen that really caught their eyes over the past 6 months
- What have they (and their organizations) done or planned because of the Megatrends that got their attention?
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
Attendees should walk away with a better understanding of how they can or should use megatrends as part of their planning and operational processes for the information security program at their organizations.
4. Cyber-Insurance as an Integral Part of Your Cyberrisk Management Strategy (P2P3-T09)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
In most organizations today, the cyber-risk management funding decisions for cyber insurance and ITsec controls are independent of one another. The likelihood that this leads to less than efficient spending and resource allocation is high. Thus, anyone who has an interest, or experience, in taking a holistic approach to funding cyber-risk management, which includes ITsec and cyber insurance investments, is an ideal attendee. Likely titles include CISO, CIO, Risk Manager, VP Finance and, depending on the size of the company, the CEO or members of the Board.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
Cyber insurance is rapidly becoming an important tool companies are deploying to mitigate cyber risk. The question is how do you balance investments in cyber insurance with investments in ITsec (people, process and technology)? Understanding how to measure the effectiveness of ITsec controls, such that you best understand your exposure, enables a more informed investment on the cyber insurance side. However, this is only true if an organization makes a conscious effort to look at these investments holistically (and historically they do not).
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
If they currently buy cyber insurance, how do they determine how much coverage to buy? And do they consider the cyber-risk posture of their organization—the ability to protect itself—when making cyber insurance buys?
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
Most importantly, I want individual attendees to share their experiences so that the group of attendees is better positioned to leverage cyber insurance as part of the cyber-risk management strategy.
5. Advancing Information Security Strategies in Higher Education (P2P3-T11)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
The session will be geared toward higher education information security professionals, or infosec professionals interested in how higher education approaches information security. All manner of professionals, from CISOs to technologists to policy writers to communications specialists, are welcome to participate in the conversation.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
Higher education often has a poor reputation in terms of information security practices—maligned in industry publications for a high number of data breaches or just for having poorer security practices compared to other industries. Of course, every industry has information security challenges. However, I think the reputation of higher education information security is undeserved and external industry criticism doesn't look closely enough at how provisioning information security in the higher education environment has some unique challenges that may not exist in other industries.
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
Some see higher education as a highly regulated "industry" in terms of providing information security to all of the different teaching, learning, and research missions on campus. To prepare for the session, attendees should think about the unique challenges to providing good information security in the higher education environment. What are the strengths and weaknesses of the higher education information security community? What can we do differently or better? What can we learn from other industries in terms of addressing information security on campus? What can other industries learn from higher education?
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
I want to use this conversation to start to change the conversation about providing information security in higher education. Identifying our strengths, weaknesses, and learning opportunities is a good first step to helping higher education information security professionals do just that. Attendees will walk away with a robust conversation, tips and techniques from their peers, and new connections for higher education information security resources.
6. How Do You Detect Attacks? (P2P3-W09)
Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
While all cybersecurity professionals could benefit, those most interested would include those working in a security operations center (SOC) such as SOC analysts, SOC engineers, intrusion analysts, and incident responders. Those whose job it is to monitor events coming from firewalls, IDS, proxies, and other security devices/software would particularly benefit. However, CISOs and other managers would benefit from hearing the discussion as they are the ones who may control the budget and oversee the personnel in a SOC or an outsourced managed security service.
Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
As the RSA Conference, media, and other sources have constantly emphasized, organizations spend upwards of 90% of their budget on prevention and almost nothing on detection. Consequently, for the attacks that make it past the prevention tools, the average breach goes undiscovered for over 200 days and is often detected by a third party (e.g., consumers noticing unauthorized charges on their credit card bills). Moreover, organizations struggle to define the right amount of resources to apply to detection, which can often be labor intensive. See my recent blog post as it relates to detection in the critical infrastructure environment.
Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
As the title describes, I’d like them to think about how they detect attacks. Is it a deliberate activity or is it more ad hoc? Are roles and responsibilities defined for this kind of activity, or is it something people do when they’re not plugging up holes identified in their latest compliance audit?
What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
The hope is to make this a true peer-to-peer activity where people appreciate the importance of detection—and the resources they need to deploy—from others working in the trenches, and that they allocate more budget because their peers are doing it and not because of vendor scare tactics or marketing spin. While the demographics may vary, the hope is that attendees can see an initial roadmap of what their detection program would look like based on input from those in a similar industry and company size.
You can check out all of the Peer2Peer sessions on our agenda.