Reflections on 2011 ISSA Int'l Conference

I had the opportunity to attend the 2011 ISSA International Conference held Oct 20-21 in Baltimore, MD. Overall, it was a decent, albeit fairly small, event. Beyond getting a chance to catch up with some industry friends, it also provided a chance to hear a few interesting talks, as well as to discuss a couple of topics that have been of interest lately.

Rather than recap things in too much detail, I figured I'd just riff on a few themes that I noticed (or have arbitrarily declared)...

The Cloud!

There were two key federal speakers: Gen. Alexander (US Cyber Command) and Shawn Henry (FBI). Both talked at length about the move to the cloud, and confirmed the news we also heard simultaneously from the intel sector that the US Government is moving to "the cloud." So, yeah... NIST has recently finalized SP 800-145 defining "cloud" for everyone... and now, watch as apps and data head that way. It's going to pose an interesting challenge, but nothing I'm sure they won't be able to out-botch. ;)

In all seriousness, though, I think there is reasonably good potential that moving to cloud-based services will help reduce costs. Although, at the same time, I can't help being a bit cynical since major government contractors could easily pick up the servers they've been running at agencies, move them into off-site data centers, and then declare it "cloud" and increase the cost for doing almost the exact same work (plus the actual hosting). And, this assumes a case where they're not already hosting. Anyway...

Suffice to say, "cloud" will continue to be a hot keyword for the fed sector for the foreseeable future.

That Old "Cyber Crime > Drug Trade" Schtick

The other thing trotted out by both Gen. Alexander and EAD Henry was this notion that cyber crime now costs more than the drug trade each year. The actual source of this assertion is unclear to me, though I vaguely remember reading a blog post recently that debunked the myth, tracing it back to an old vendor report of some sort that did some fuzzy logic and bad math.

That said, "cyber crime" is certainly impacting life and businesses - enough so for the SEC to issue that guidance on reporting the material impact of cyber risks within quarterly reports by public companies. This is very much a "David v Goliath" type situation, too, in that there's really no realistic way to staff up defensive forces or law enforcement agencies in order to fully pursue and prosecute attackers.

At any rate... actual losses may be farther from what we are hearing, but to know that would require a whole lot more reporting and information sharing... which was another related topic mentioned during both talks, along with renewed calls for increased public/private partnerships (always a rallying cry, never a success?).

These Problems Are Hard

One common thread from various conversations and a few talks is that there are many hard problems to solve, and none with any obvious answers. Risk assessment and analysis? Difficult. Prioritizing bugs or IT projects? Difficult. Trying to get people to agree to a common set of definitions around key terms like "risk"? Darn-near impossible. And so the litany can go on...

Of course, while there are certainly difficult problems, there are also lots of unqualified people willing to talk about these problems. For example, I suffered through a talk by an auditor dude who didn't understand the first thing about risk management or risk assessment. He criticized risk analysis techniques, but wanted to discard all of risk management as a result. Yet, he described as preferable fairly standard risk management processes. *shrug* Most interesting was this little exchange:

Me: "If risk management is out, then how do you prioritize what work to do first?"
Him: "You fix the simple things first."
Me: "Ok, a follow-up. Say I've fixed all the simple things... now what?"
Him: "I don't know. There's no good way of dealing with this today."

Ummmm... yeah. No doubt. So, that was interesting. That said, I also had a good conversation with a really smart dude about prioritization, and while we didn't reach any conclusions, we certainly realized that there are some interesting challenges, particularly with defining the problem-space (what's the desired outcome?), that make developing solutions a bit of a challenge.

Maturing Risk Management: Learning to Talk to Grown-Ups

Two of the more interesting sessions I attended talked about, well, how to talk to the execs and board about security. One was a CISO/CSO panel that spent a good amount of time talking about this topic. They discussed how you can't just go throw around FUD these days, or ask for blank checks, but rather have to approach business leaders using business language in order to frame business problems.

The other good talk was specifically on how to speak to execs, spending a fair amount of time on dos and don'ts. It was very interesting, though mostly intuitive; or so one would hope, as perhaps it's not nearly as intuitive as I thought it might be. ;) Mainly, a lot of the tips were in line with what the panel said. Don't drop bombs on the execs, empower them to make good decisions, avoid "told ya so" moments, and so on. Overall, good stuff!

So, that's my summary. It seemed like a smaller turnout this year, perhaps due in part to Raleigh ISSA having a conference at the same time. I've not heard official numbers, but I'd be surprised if it was more than 300 people (Raleigh drew >400). The vendor expo area seemed much smaller this year than last year, which had to be a bit disappointing. Overall, I don't think attendees were as happy with the venue or level of organization (or, chaos) present. Hopefully next year we can rebound. I know that one pressing issue on the minds of chapter leads was how to make/keep ISSA relevant today in light of all the other security-oriented groups around. Talk about a hard problem to solve...

About this Entry

This page contains a single entry by Ben Tomhave published on November 1, 2011 4:52 PM.