Posted November 21st, 2011 by rybolov
So while I was at some conferences over the past couple of months, I had an awesome idea while sitting in a panel about data breaches, especially notification. While streaming conferences is pretty awesome for most content, I keep thinking that we need that as an industry we need the exact opposite: a track of the conference that is completely off-the-record.
Here in DC when we do smaller training sessions, we invoke the Chatham House Rule. That is, the discussion is for non-attribution. There are several reasons behind this:
- You don’t have to worry (too much, anyway) about vendors in attendance selling you something
- It won’t end up in the press
- It gets real information to people instead of things that are “fit for public consumption”
My local area has a hackers association (No linkie, if you have minimal skill you can find it) that meets to talk about mostly technical stuff and what folks are working on. I find that more and more often when I do a talk there I do it “Off the Record” for a wide variety of reasons:
- I don’t want the attackers to get more effective
- I have half-baked ideas where I want/need feedback on if they are completely off-base
- The subject matter is in a legal gray-area and I’m not a lawyer
- I talk “on the record” all day every day about the same things
- I can “test-drive” presentation material to see how it works
- I can show nuts and bolts
So, the point of all this is that maybe we need to start having more frank discussions about what the bad guys are doing “in the wild” if we want to stop them, and that involves talking with peers from other companies inside the same industry to see what they are getting hit with.
Chatham House Rule photo by markhillary.
Posted in Public Policy, Speaking, What Doesn't Work, What Works | 3 Comments »
Tags: government • infosec • infosharing • security • speaking
Posted November 23rd, 2010 by rybolov
Joan Goodchild interviewed me about some of my experiences in the big sandbox and how I was good enough at avoiding IEDs to make it there and home again–an abstract form of risk management. Go check it out. And while you’re on the subject or for visuals to go along with the story, check out my Afghanistan set on Flickr, a random set of them are below….
Posted in Army, Risk Management | 1 Comment »
Tags: risk • security • speaking
Posted September 29th, 2010 by rybolov
My talking schedule over the next couple of months:
October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.
November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.
And coming to you, if you give me a call. =)
Posted in Speaking | No Comments »
Tags: barcode • cloud • cloudcomputing • ddos • management • security • speaking
Posted August 13th, 2010 by rybolov
Metricon 5 was this week, it was a blast you should have been there.
One of the things the program committee worked on was more of a practitioner focus. I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.
I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.
You can go check out the slides and papers at the Security Metrics site.
My slides are below. I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.
Posted in Public Policy, Speaking | 1 Comment »
Tags: catalogofcontrols • certification • compliance • government • infosec • infosharing • law • legislation • management • publicpolicy • security • speaking
Posted August 4th, 2010 by rybolov
…and I’m excited. I’ll be talking on “Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks” which is an Idea I’ve been mulling over on how to “build a better rat race” or at least to consciously build security management frameworks in a coherent manner. Obviously I’ll put up slides afterwords.
Agenda is here, I think there is still time to sign up and come as long as you’re not going to be a wallflower. =)
Posted in Uncategorized | 1 Comment »
Tags: government • infosec • infosharing • management • metrics • security • speaking
Posted May 17th, 2010 by rybolov
This was announced a couple of weeks ago (at least 9000 days ago in Internet time) so now it’s “old news” but have a look at Metricon 5.0 which will be in DC on the 10th of August.
It’s a small group (attendance is capped at 60), but if you’re managing security in Government, I want to encourage you to do 2 things:
- Submit a paper!
- Attend and learn.
I’ll be there doing a bit of hero-worship of my own with the Security Metrics folks.
Posted in Public Policy, Speaking | 1 Comment »
Tags: government • infosec • infosharing • management • metrics • publicpolicy • security • speaking