Which Peer2Peer Sessions Are Right For You at RSAC 2016?


Posted on by Jennifer Lawinski

If you’re the type that likes talking about security-related topics with your colleagues (and who doesn’t?) then you should check out some of the Peer2Peer sessions at this year’s RSA Conference in San Francisco.

Peer2Peer sessions are group discussions around specific security topics, where participants get the chance to really dig deeply into a topic that they care about with a group of peers. This year we've once again asked the discussion facilitators to help explain what you can expect from their sessions so that you can choose the groups and topics that will be most beneficial and interesting.

This post features the following six sessions:

  1. Managing Increasing Compliance Obligations across Multiple Industries
  2. Saying Goodbye: Managing Security for Departing Personnel
  3. Turning the Tide: Driving Software Security in the Enterprise
  4. Threat Modeling for Risk-based Application Security Design
  5. Effective (Or Ineffective..) Third Party Risk Management
  6. Architecting for Security in the Age of Agile Development

1. Managing Increasing Compliance Obligations across Multiple Industries (P2P1-R15)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

Attendees that would most benefit from this session are compliance, risk and security leaders with responsibility for balancing the expectations of very diverse customer sets. The diversity of those customer sets might be across industries or across different regulatory requirements, and the requirements might be for data that ranges from personal financial data, to health data, to international data transfer issues. Any individual that is responsible for designing a program equipped to address a broad range of unique customer obligations within regulated industries, particularly when the company that they work for does not service a single regulated industry, would benefit from this conversation.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

This is becoming an increasingly important topic for information security program managers to consider. There is no single accepted “gold standard” for information security programs. The many different competing security frameworks, certifications, credentials and audit models in the industry today make it an increasing challenge to articulate and substantiate the quality of your security program.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

There are a few different perspectives that would enhance this conversation. The first perspective is that of the service provider who is grappling with how to satisfy the requirements of a range of industries with varied and unique security requirements. The second perspective is that of the service recipient who often has to work with a vendor or partner that serves multiple industries.

Organizations are increasingly focusing on their core business competency and outsourcing any services that fall outside of that core competency. Companies are therefore increasingly partnering with vendors that service multiple industries outside of their own. The conversation in this Peer2Peer session will focus on ways that companies can partner with vendors to find a solution that ensures all security requirements are met, even if at times those requirements are met through different certifications or credentials than were originally identified by the service recipient.

This session will be a sharing of ideas to find a middle ground that works for all parties.

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

This session is intended to facilitate a sharing of ideas from the perspectives of both the service provider that serves multiple industries and the service recipient that is often focused on a specific core competency. Attendees will walk away from this session with new ideas about how to efficiently manage a security program that caters to multiple often highly regulated industries with a range of specific security requirements, as well as a greater understanding of how service providers structure their information security programs.

2. Saying Goodbye: Managing Security for Departing Personnel (P2P3-R08)

Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

Virtually all attendees would benefit, because most everyone is working within, or with, organizations that have personnel departures. This includes attendees who assess security of processes, or who participate on cross-functional process teams, that involve user access to information system resources and information assets, and attendees whose roles include IT security, legal, human resources, asset-management, risk-management, insurance. This session will be strategic and tactical, not deeply technical.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

Organizations regularly have personnel departures, often a daily occurrence for large organizations—resignations, layoffs and terminations—that involve employees, contractors, interns, guest workers and visitors. Some of these departures involve people with privileged access, or special relationships with customers or vendors. Organizations are also impacted by organizational transitions, such as reorganizations, spin-offs, subsidiaries, outsourcing, or sales of part or all of the organization.

Some departures are predictable, managed transitions while others occur with little warning. Virtually all departure transitions involve information and access sensitive or even strategic to the organization. Most organizations have some process in place to manage these departures, but may not have a full picture of potential risk or proven mitigation strategies, and could richly benefit from sharing with peers.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

Attendees should come into the session with some understanding of the departure processes they currently have in place. Attendees should also come with some thinking about concerns they have, holes in the process that they worry about, and what they hope to accomplish within their organization to improve processes.

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

I anticipate a vibrant, in-depth, inclusive discussion that surfaces a variety of viewpoints and debate between them. I hope for some controversy around approaches, risk tolerance and organizational teaming. Attendees will leave with an understanding of the issues, assessments and controls involving personnel departures. I expect to spark for participants some of those invaluable RSA “aha!” moments, where they gain new perspectives and insights that they bring back to add immediate value to their work and spark meaningful change in their organization.

3. Turning the Tide: Driving Software Security in the Enterprise (P2P1-R07)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

The attendees will have a better understanding of how savvy security leaders push a software security initiative in spite of sheer numbers—typically most organizations have only a handful of application security staff trying to convince thousands of developers to write more secure code. I hope my session attendees bring some of their strategies that have worked in the field to share with other members. The attendees that are likely to get the most out of the session are CSOs, CISOs, or security managers running their application security program within the company.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

I believe this is important because the bulk of the literature about software security involves technical testing approaches, SDLC fixes, or other code-level remedies. In practice, however, the biggest challenge that security leaders find in the field is that they have to convince thousands of developers to do what they probably should already be doing, namely building code in a more secure fashion. The software security function still remains in the security organization in most companies, not the development organization. As a result, security leaders have to use informal power to influence developers to write more secure code—I’m hoping that the P2P session will bring out some interesting approaches.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

I’d like for them to bring a success story or two to the discussion, so coming armed with a story or two will make for a more lively discussion. Also, if they have a development manager who happens to be attending RSA 2016, they should consider bringing them too. I’d love to have the developer perspective present too, if possible…

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

Ideally, I’d love for attendees to leave with one or two great ideas to immediately implement back in their organization. I’d also love to see lots of business cards exchanged between participants so they can continue to trade strategies after the discussion.

4. Threat Modeling for Risk-based Application Security Design (P2P2-R12)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

I think it would be application security architects, application architects, technical leads, project managers, application security engineers—basically people who deal with application security while designing and developing the application, who worry about their applications being hacked or abused by either internal or external malicious users or programs.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

When it comes to designing and developing security applications, people often take a checklist approach such as OWASP Top 10 or SANS 25. However, is that good enough or even necessary? Threat modeling provides the foundation for a risk-based approach, by which effort can be spent on security controls that would mitigate threats that are relevant and important for the specific application.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

When it comes to information security, are all my applications created equal? How do I know my application has the right level of controls for the relevant security threats that may cause material harm to the underlying information assets?

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

I want them to have the understanding of the value of threat modeling and how it can be done, a set of best practices and resources people can refer to in practice, and potentially a community for further discussion on this topic.

5. Effective (Or Ineffective..) Third Party Risk Management (P2P2-W09)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

Risk practitioners, managers, information-security leaders responsible for third-party risk management, procurement, contracting, or legal professionals will add value to this discussion.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

Our reliance on third parties continues to rise. Given the increase and drive towards cloud-based infrastructure and hosting solutions, our business and IT leadership teams require relevant assurance of the protection of data, the security of systems, and visibility into risk regardless of where, by whom, and how it’s managed.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

Think about who is in control and how that control is measured and evaluated. The largest challenge that I see today is that many organizations seemingly forget that they are not in direct control of their third parties. The function is about finding ways to properly evaluate, measure, and gain assurance of their capabilities while governing relationships with terms and contractual conditions, including liability and indemnification.

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

I would like participants to walk away from the session with not only new and proven ideas, but also tangible and repeatable methods to assess and measure risk in their third parties.

6. Architecting for Security in the Age of Agile Development (P2P1-W16)

Who are the attendees who will most benefit from—and contribute to—this Peer2Peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

Attendees most likely to benefit from this session are Application Development Architects and the security professionals who advise them, especially those working in threat analysis and risk mitigation.

Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

This is a timely topic because the increasing acceptance of Agile development is driving shorter release cycles, sometimes placing application security at risk.

Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

To prepare for this discussion attendees could think about their organization’s current process for formalized architecture definition and how it contributes (or fails to contribute) to their organization’s process for threat analysis and risk mitigation.

What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

Attendees of this session could apply processes and approaches in their organization to enable stronger integration of architecture definition with threat analysis results.

You can check out all of the Peer2Peer sessions on our agenda and read about more sessions here.

Contributors
Jennifer Lawinski

Director of Social Media & Community, Arculus
