If you are interested in sitting in a room digging into a specific security topic with other people, the Peer-2-Peer sessions are for you. The goal is to get peers—people in other organizations with similar job functions and roles—in one place so that everyone can share what they are doing and have learned. Wondering which conversation will be the most relevant to your job role and concerns? We asked each session facilitator to provide a short summary to help you decide.
This post highlights six P2P sessions (Scroll down for answers). Links to other session summaries are at the bottom of the page.
- TLS/SSL and Certificate Crossfire
- Shining Light on the Shadows: Integrating Security into the Lines of Business
- Accountability - How to Make Professional Risk a Growth Opportunity and Love It
- Continuous Network Compliance: Finding Flaws and Betting Futures
- PCI DSS and SSL—What You Need to Know in 2015
- Can Peer Collaboration Be Our Next Best Practice for Risk Management?
We also included some questions to get you started thinking so that you come to the session prepared with some thoughts.
TLS/SSL and Certificate Crossfire (P2P-W01A)
Who should attend?
The session is for IT Technicians, Developers, Engineers and Architects with experience in the topics at hand. “If you are opinionated and have an industry colleague with opposing views to your own, please invite this person to join you at this session,” says Errol Lloyd, a principal network engineer from Fidelity Investments and facilitator of this session.
Why is this topic important?
The importance of this topic was summed up nicely by Tim Moses, then chairperson of the CA/Browser Forum, on Dec. 14, 2011: "SSL/TLS certificates are a critical part of the Internet's security infrastructure, combining proven technical standards with the capability to scale to handle millions of websites and the wide array of user software." More than four years later, the statement still rings true. SSL and TLS topics have peppered the news with increased frequency: Web practitioners 'FREAK'ing out over pre-Y2K export-grade encryption and unsuspecting users swimming with Superfish.
What should attendees think about?
At a minimum, all attendees should have a good technical understanding of topics such as Heartbleed, POODLE, FREAK, Superfish, SHA-1 end-of-life, Perfect Forward Secrecy, Certificate Transparency, OCSP Stapling and the CA/Browser Forum. “I'm hoping for some seasoned practitioners to briefly share their 2014 TLS/SSL related 'war stories' during the session. Additionally, be prepared to debate when we pull a hot topic question,” Lloyd says.
What will attendees walk away with after the session?
“I hope attendees will learn from their peers’ experiences as we all prepare for what's next with TLS or SSL. If some experienced practitioners attend, we may get a closer look 'under-the-hood' of modern measures that bolster the use of TLS and SSL,” Lloyd says.
Shining Light on the Shadows: Integrating Security into the Lines of Business (P2P-W02D)
Who should attend?
This session is for any information security professional who has succeeded in, or wants to hear more ideas on integrating security into the lines of business. This P2P session relates to organizations of all sizes but will be of particular interest to those in large, highly segmented corporations.
Why is this topic important?
As businesses work to deliver faster, more cost effective solutions for their customers, formalized IT processes may be thought of by the business as a hindrance. When this occurs, business units develop or engage with third parties to address IT needs. The information security executive should align with the business to understand their needs, their initiatives, and the risk landscape for each specific segment.
What should attendees think about?
“Be thinking about how the emergence of ‘shadow IT’ has grown and what are the potential drivers: we’ll spend just a few minutes understanding this as it will help with our discussions on how to address the issue,” says Lee Parrish, CISO of Bridgestone and facilitator of this session. From there, what are some things that have worked for you in your organization? How do you engage with the business units specifically? How do you track your involvement to ensure you don’t have blind spots? Are there techniques you use to address each segment individually, customizing your interactions?
What will attendees walk away with after the session?
“We want to discuss all of these as a group so we can each take tips/tactics back to our organizations,” Parrish says.
Accountability - How to Make Professional Risk a Growth Opportunity and Love It (P2P-W04B)
Who should attend?
The target audience for this P2P session is those who wear the stripes of advocating for security and controls in a less than receptive environment. If one is frustrated, wondering if it is worth it, wondering how to get recharged and look at things a new way—this session is for that person.
Why is this topic important?
“The issue of ‘moral distress’ is a very real one for information security practitioners,” says Karen Worstell, managing principal at W Risk Group and facilitator of this session. “It leads to job dissatisfaction, personal dissatisfaction at home, and burnout. We need to recognize it and get ahead of it.”
What should attendees think about?
Questions include: What is the BEST aspect of your work as a security professional? What aspects of your current work make your job difficult? Have you ever felt that your professional ethics or values were compromised in the management decision-making process?
What will attendees walk away with after the session?
At the end of this session, participants will understand ways to recognize moral distress in their work as security professionals, and will have perspectives on ways to adapt that are professionally and personally fulfilling.
Continuous Network Compliance: Finding Flaws and Betting Futures (P2P-R03C)
Who should attend?
“I think this session will be valuable to anyone who is dealing with security/compliance in a fast paced IT environment. Whether startup or enterprise, if your IT team is using agile, lean principles and concepts like continuous delivery, continuous integration, you should come to this session,” says Alan Shimel, founder and CEO of The CISO Group and facilitator of this session.
Why is this topic important?
“We live in a continuous world, especially in IT. Shifting security left is the way to be more secure and more compliant, while doing more faster,” Shimel says.
What should attendees think about?
Questions include: How can they change the way they think about security and compliance? Instead of being a point in time or a process, how can they "shift left" and make security/compliance a continuous part of the IT flow?
What will attendees walk away with after the session?
“We are hoping that people will see that continuous security and compliance is not only possible, but more efficient and more secure,” Shimel says. Attendees should leave with ideas on how to shift security left to build security and compliance in, instead of bolting it on.
PCI DSS and SSL—What You Need to Know in 2015 (P2P-R03D)
Who should attend?
Those responsible for PCI DSS compliance in their respective organization are the target audience. “But we hope to engage security assessors and consultants, as well as technology providers, since all of these groups have to work together to drive migration away from the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) protocols to a cryptographic approach that will protect payment transactions,” says Troy Leach, CTO of the PCI Security Standards Council and facilitator of this session.
Why is this topic important?
On April 15, 2015 the Council released Version 3.1 of the PCI Data Security Standard (PCI DSS), which removes SSL and early TLS as examples of strong cryptography. Recently identified vulnerabilities in these protocols have increased concern over future attacks that we should expect and prepare for. Upgrading to a current, secure version of Transport Layer Security is the only known way to remediate these vulnerabilities (15 years ago SSL v3.0 was superseded by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2). It’s critical for organizations to understand how this impacts their security and PCI DSS compliance efforts and to have a plan and strategy in place to address these challenges.
What should attendees think about?
If your organization is currently still allowing SSL traffic, have you done the analysis to determine that there is a demonstrable need to do so? Do you know how much e-commerce traffic or other use still requires SSL? What are ways to minimize the threat and/or migrate your infrastructure away from SSL in a reasonable amount of time? What should constitute a reasonable amount of time? What challenges do you anticipate? What resources do you need?
What will attendees walk away with after the session?
After attending the session, PCI compliance managers and technologists should understand: the migration plan required for PCI DSS v3.1; future reporting of the existence of SSL; how Approved Scanning Vendors (ASV) may modify the Common Vulnerability Scoring System (CVSS) score for SSL based on risk; and strategies for monitoring potential risk to payment card devices and environments.
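The two practical questions in this session, "how much of our traffic still requires SSL or early TLS?" and "how do we stop accepting it?", can be answered with a small amount of code. The script below is an added example, not material from the PCI Security Standards Council or the session facilitator. It assumes a web server that records the negotiated protocol per request (the field layout mirrors an nginx `log_format` using `$ssl_protocol`, which is an assumption; the log lines are constructed sample data), tallies requests per protocol version, lists the client addresses and user agents still negotiating SSLv3 or TLS 1.0 so they can be migrated, and builds a server-side `ssl.SSLContext` that refuses anything below TLS 1.2 (a stricter floor than the minimum migration the post describes, chosen deliberately here).

```python
"""Inventory legacy SSL/TLS use from access logs and build a hardened server context.

Added example. Assumes a hypothetical nginx-style log_format:
    $remote_addr - $ssl_protocol "$request" $status "$http_user_agent"
The sample lines below are constructed, not captured from any real system.
"""
import re
import ssl
from collections import Counter

# Versions that PCI DSS v3.1 no longer treats as strong cryptography
# ("SSL and early TLS"); the exact set here is this example's assumption.
LEGACY_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})

# Constructed sample log. Plaintext requests carry "-" for the protocol field.
SAMPLE_LOG = """\
203.0.113.10 - TLSv1.2 "POST /checkout HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.11 - TLSv1 "GET /cart HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.12 - TLSv1.2 "GET / HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.7 - SSLv3 "POST /api/pos HTTP/1.0" 200 "LegacyPOSTerminal/2.1"
198.51.100.7 - SSLv3 "POST /api/pos HTTP/1.0" 200 "LegacyPOSTerminal/2.1"
203.0.113.13 - TLSv1.1 "GET /cart HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.14 - - "GET /health HTTP/1.1" 200 "curl/7.64.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<proto>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None for malformed or non-TLS lines."""
    m = LINE_RE.match(line)
    if m is None or m.group("proto") == "-":
        return None
    return m.groupdict()


def summarize(log_text):
    """Count TLS requests per protocol and identify clients still on legacy versions.

    Returns a dict with the total TLS request count, a per-protocol breakdown,
    the fraction of requests on legacy protocols, and a map of
    (client ip, user agent) -> legacy request count for migration follow-up.
    """
    by_protocol = Counter()
    legacy_clients = {}
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip plaintext or unparseable lines rather than miscount
        total += 1
        by_protocol[rec["proto"]] += 1
        if rec["proto"] in LEGACY_PROTOCOLS:
            key = (rec["ip"], rec["ua"])
            legacy_clients[key] = legacy_clients.get(key, 0) + 1
    legacy = sum(n for p, n in by_protocol.items() if p in LEGACY_PROTOCOLS)
    return {
        "total": total,
        "by_protocol": dict(by_protocol),
        "legacy_share": (legacy / total) if total else 0.0,
        "legacy_clients": legacy_clients,
    }


def hardened_server_context():
    """Server-side context that refuses SSLv3, TLS 1.0 and TLS 1.1 outright.

    Setting minimum_version is the supported way to pin the floor in Python 3.7+
    rather than stacking OP_NO_* flags.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("TLS requests:", report["total"])
    for proto, n in sorted(report["by_protocol"].items()):
        flag = "  <- legacy" if proto in LEGACY_PROTOCOLS else ""
        print(f"  {proto:8s} {n}{flag}")
    print(f"Legacy share: {report['legacy_share']:.0%}")
    for (ip, ua), n in report["legacy_clients"].items():
        print(f"  migrate: {ip} ({ua}) - {n} request(s)")
    print("Server floor:", hardened_server_context().minimum_version.name)
```

Run against real logs, the per-client list is what turns the "demonstrable need" question into a concrete migration backlog: each entry is a device or browser population that has to be upgraded or cut off before the protocol floor is raised, and re-running the summary after each change shows the legacy share falling toward zero.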
Can Peer Collaboration Be Our Next Best Practice for Risk Management? (P2P-R01D)
Who should attend?
Four groups of individuals will benefit from, and contribute to, this session:
- Risk managers who manage the overall risk profile for financial, healthcare, or other organizations in heavily regulated industries—as well as organizations that value the privacy and security of sensitive data, whether in their own hands or the hands of third parties
- Procurement and other professionals responsible for managing third-party relationships for the outsourcing organization
- Information security and privacy professionals responsible for protecting sensitive and/or regulated data
- Third parties who provide services for organizations in finance, healthcare, or other regulated industries
Why is this topic important?
Hackers are now using third parties as an entry point to access an outsourcer’s sensitive data, increasing regulatory scrutiny and reputational risk. Because of our dependence on outsourced services, we must evaluate these third parties to ensure proper protection of sensitive data against cyber threats and breaches.
What should attendees think about?
Today’s risk evaluation process of third parties is inefficient and costly for all involved, driving a need for new competencies. What new ideas, such as shared peer collaboration, might you suggest for performing assessments on third parties with common shared services? What other ways can risk managers collaborate to create efficiencies and cost savings?
What will attendees walk away with after the session?
“We hope that attendees will view third party risk management as a collaborative issue, not a competitive issue, and that they will come away with actionable ideas for implementing new, cross-industry best practices,” says Robin Slade, executive vice-president and COO of the Santa Fe Group/Shared Assessments Program and facilitator of this session.
Check out P2P sessions in parts one, two, three, four, five, and six. We look forward to seeing you in San Francisco!