March 2013 Archives

Bruce Schneier would have us believe that security awareness training is pointless. People have inadequate incentive to change, and thus why waste the time, money, or energy? And, to a degree, he is certainly correct. The old-fashioned once-per-year computer-based training modules to which many (if not all) of us have been subjected are, in fact, completely worthless. After all, these training modules are a mere blip on the radar of one's life, with no foundation in reality, and making no meaningless impact on how we conduct our jobs.

However, that is not the state of practice in the industry. Or, more specifically, it's not the leading edge state of practice. Moreover, his comments ignore much that we know about approaches, learning styles, incentives, etc., based on research from the past few years.

Well well well... what a week! Sadly, I didn't make a single session (other than my own) due to poor time awareness (several times I realized I had just missed the session I'd been planning to see, derailing myself by being chatty... go figure!). Overall, this was one of the best RSA conferences I can recall over the last few years. I mean, it ended with Hugh interviewing Billy Beane... how could it be much better? :)

For everyone I saw in San Francisco last week - it was great seeing you! For those I missed... dreadfully sorry, and I hope we catch-up at any of the many other events I'll be at later this year (e.g., Secure360, RMISC, MISTI "Big Data Security" conference). It has been a busy year thus far, and the pace will not be lessening anytime soon. Wheeeeeeeeee! ;)

I had the opportunity during RSA 2013 to interview Gen. Harry Raduege (ret.), who is currently Chairman for The Deloitte Center for Cyber Innovation. His full bio is available at the link provided. Among his many accomplishments, he was the longest-serving director of the Defense Information Systems Agency (DISA), including overseeing the restoration of ICT at the Pentagon in the wake of the 9/11 terrorist attacks.