Perspectives from a Maiden Voyage to the RSA Conference 2018
Contributed By: Kilani Paulik, TalaTek Information Assurance Consultant
Your first trip to any professional conference is always going to be spent learning how to get the most out of the event. Your first trip to RSA Conference (RSAC) in San Francisco can feel like it’s spent learning how to get from one building to the next! This year’s RSAC was bigger than ever, and construction around the Moscone Center made every trip between sessions a labyrinthine journey and a people-watching extravaganza. Attendees in everything from business suits to vendor tees, there for education, exposure, sales, or networking, were all crammed onto the same tiny sidewalk!
The RSAC Expo – both buildings! – boasted booths by the “Big Guys” – Microsoft, Amazon, IBM, Cisco, Symantec, Splunk, and Tenable – but it was in the smaller aisles where more time could be spent talking about new products and the future of the industry. Professional organizations like ISC2, ISACA, and ISSA took the opportunity to meet their members in person, and NIST showed up to provide some management-friendly guides to their Cybersecurity Framework, NIST SP 171, and other upcoming publications. The Early Stage Expo introduced attendees to information security startups through short sessions held throughout the week.
But if you aren’t there for the swag and the whitepapers, 2018’s RSAC had hundreds of speakers and breakout sessions. Hot topics this year included cryptocurrency, Internet of Things (IoT), NIST’s Cybersecurity Framework, and the May 25, 2018 enforcement deadline of Europe’s GDPR. Keynotes by Rami Rahim (CEO, Juniper Networks), Monica Lewinsky, and Reshma Saujani (Founder and CEO, Girls Who Code) addressed the role of information security in changing our world, through innovation, empathy, and gender equality.
As a TalaTek Information Assurance Consultant, much of my work involves identifying risks for our customers and providing key stakeholders the information they need to make informed decisions. This means I must understand the threat landscape, our clients’ security posture, and the technology available to protect and support that security posture, and, most importantly, be able to translate those findings into actionable information for executives who may not have a deep security background. Two sessions in particular at this year’s RSAC delivered valuable insight into achieving these goals.
Creating Order from Chaos: Metrics that Matter – One of my primary missions is gathering the raw data that organizations are already capturing and turning it into quantifiable information. During this session, speakers James Lugabihl and Marta Palanques of ADP introduced me to the DIKW pyramid: Data, Information, Knowledge, and Wisdom. As security professionals, our responsibility is to take a client’s raw data and use our expertise to provide the context required to turn it into useful information. With further insight into an organization, and our understanding of its goals and objectives, that information can be presented in ways that increase the business’s knowledge to support informed decision-making, and ultimately ensure it has the wisdom to move forward with a strategic plan.
Super Forecasting: Even You Can Perform High-Precision Risk Assessments – Only by identifying the organization’s goals and objectives can we determine appropriate metrics by which to measure success. But once we have those metrics, how do we present them? Often, the organizations I’ve been a part of have relied on “stop light” charts (red, yellow, green) and verbal, qualitative scales such as Low/Moderate/High or Likely/Probable/Unlikely to communicate risk and likelihood. Rick Howard (CSO, Palo Alto Networks) and Richard Seiersen (SVP and CISO, Lending Club) explained why that approach is inefficient and can even be misleading. It is often assumed that everyone interprets the terms consistently, and many fail to appreciate how widely the interpretations of these words vary. “Highly likely” can be interpreted as a 50 percent chance or a 90 percent chance, depending on who you ask. It’s this variance that quantitative risk measurements seek to prevent. Yet there remains a need to present likelihood and risk data in a visually friendly way, ensuring that information can be presented accurately and quickly to those outside the security sphere.
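To make the point about interpretive variance concrete, here is an added example (not code from the session speakers or from TalaTek) that takes a small, constructed risk register and shows how the same verbal likelihood labels produce different priority orders depending on who reads them, while a calibrated probability point estimate combined with a loss estimate yields one unambiguous annual loss expectancy. The label-to-probability mappings and the register entries are illustrative assumptions, not survey data.

```python
"""Qualitative labels vs. quantitative likelihood in risk prioritization.

Added example; all figures below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed: how four different readers might translate the same verbal
# likelihood label into a probability. Index i is "reader i" throughout.
LABEL_INTERPRETATIONS = {
    "highly likely": [0.50, 0.70, 0.80, 0.90],
    "likely":        [0.40, 0.55, 0.65, 0.75],
    "unlikely":      [0.05, 0.15, 0.25, 0.40],
}


def interpretation_spread(label):
    """Return (min, max, mean, population std-dev) of how a label is read."""
    vals = LABEL_INTERPRETATIONS[label]
    return min(vals), max(vals), mean(vals), pstdev(vals)


def label_with_range(label):
    """Render a verbal label together with the probability range it hides,
    so a stoplight-style report still carries the quantitative meaning."""
    lo, hi, _, _ = interpretation_spread(label)
    return f"{label} ({lo:.0%} to {hi:.0%})"


@dataclass
class Risk:
    name: str
    qualitative_likelihood: str  # verbal label as used on a stoplight chart
    annual_probability: float    # calibrated point estimate, 0..1
    loss_if_realized: float      # single-loss expectancy in currency units


def annual_loss_expectancy(risk):
    """ALE = probability of occurrence in a year x loss when it occurs."""
    return risk.annual_probability * risk.loss_if_realized


def rank_by_label(risks, reader_index):
    """Order risks as one particular reader of the verbal labels would,
    using that reader's own word-to-probability mapping."""
    def score(r):
        p = LABEL_INTERPRETATIONS[r.qualitative_likelihood][reader_index]
        return p * r.loss_if_realized
    return [r.name for r in sorted(risks, key=score, reverse=True)]


def rank_quantitative(risks):
    """Order risks by ALE; the same for every reader because the
    probability is stated explicitly rather than as a word."""
    return [r.name for r in sorted(risks, key=annual_loss_expectancy, reverse=True)]


def ranking_is_stable(risks):
    """True only if every reader of the verbal labels reaches the same order."""
    n_readers = len(next(iter(LABEL_INTERPRETATIONS.values())))
    orders = {tuple(rank_by_label(risks, i)) for i in range(n_readers)}
    return len(orders) == 1


# Constructed register: a frequent, moderate-impact event and a rare,
# high-impact event. Which one ranks first depends on how "highly likely"
# and "unlikely" are read.
REGISTER = [
    Risk("phishing-led credential theft", "highly likely", 0.80, 120_000),
    Risk("data-centre flood", "unlikely", 0.10, 900_000),
]


if __name__ == "__main__":
    for i in range(4):
        print(f"reader {i} ranks by label: {rank_by_label(REGISTER, i)}")
    print("label ranking stable across readers:", ranking_is_stable(REGISTER))
    print("quantitative (ALE) ranking:", rank_quantitative(REGISTER))
    for r in REGISTER:
        print(f"  {r.name}: {label_with_range(r.qualitative_likelihood)}, "
              f"ALE {annual_loss_expectancy(r):,.0f}")
```

Running the block shows two readers putting the phishing risk first and two putting the flood first from the very same "highly likely"/"unlikely" labels, whereas the ALE ordering is fixed; the `label_with_range` helper is one way to keep the familiar wording on a dashboard while exposing the range it stands for.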
These two sessions further validated the foundation of the TalaTek process for building successful risk management programs. The TalaTek team works with our clients to establish a risk management foundation. This includes definition of risk appetite and risk tolerance and selection of the most appropriate metrics to support the organization’s business and risk management objectives. From there we leverage our Enterprise Compliance Management Solution (ECMS) to establish a consolidated system of record and a single risk taxonomy with custom risk profiles to define how the organization views each risk and its potential impact, including likelihood. Once the system is established, each risk can be measured using weight, strength and effectiveness to calculate a quantitative risk score, providing a prioritization of risk in the environment and enabling informed decision making. ECMS also provides robust data visualization, including trend reports, heatmaps, calendar views and at-a-glance dashboards, tailored to each business area, role and/or system within the organization, ensuring each stakeholder gets privileged access to the data they need. Read more about TalaTek Risk Management Services