Cognitive Dissidents

RSA 2012 is close upon us (Feb 27th – Mar 2nd) – for better or worse.

Love it or hate it, RSA is the single largest security conference of the year – and if the security industry has a rhythm and a cadence, then it is the RSA Conference sets it.

Though I sometimes quip that:

RSA is mandatory punishment

or

Every year at RSA I want to quit security

…there is no denying the importance of the event on framing the upcoming year’s buzz words, topics, trends, etc.

Below are:

• a few quick thoughts on how to make the most of the conference week
• a few topics/times I’ll be speaking in case you’d like to catch me

People Value:

The best parts of the RSA conference aren’t the actual conference. Be sure you embrace the Hallway-Con, the Bar-Con, the Lobby-Con, and nearby eateries… People are what drive the progress of our industry more than any vendor or sponsored keynote. We are blessed with some very creative minds and dynamic personalities. Network as ferociously as you can. My best collaborators have been born from happenstance chats in some hallway or lobby.

Non-RSA Venue:

Some of the best talks and debates are at adjacent events to RSA. BSides and BSidesSF has become a force (despite its growing pains). I get a ton of value out of the AGC Security Conference (America’s Growth Capital) which brings great content to a high octane audience of the investment community, the founders of innovative start-ups, and potential acquirers. Mini-MetriCon 6.5 continues to push the rock up the hill to drive us from faith based security to evidence based models. There are a myriad of other events and working groups which converge that week. While many are closed or filled up by now, do some digging – as they are well worth it.

The Exhibit Floor:

While the exhibit floor is a bit of a Bizarre Bazaar (Hat Tip to Neil Gaiman), you must try to walk the floor. Embrace the horror. Treat it as a Tour de Force of what matters and what doesn’t. Of who is a source of SIGNAL and who is a source of NOISE. In fact, develop a justified, righteous indignation against hyperbole, FUD, and vendor B.S. Vendors do this because they can, because we let them, and because there are seldom consequences for doing so. Provide the feedback loop that alters that equation for them.

Last year I walked the floor with Paul Roberts and we gave this a try. We knew just about ever vendor, who had the goods, who was full of [insert your favorite here], etc. We saw maybe a dozen vendors making credible claims about emerging security challenges and offering valuable products/services in response. We asked each vendor who was thumping APT to define it – with nearly none of them even close to real substance. Asking for specifics will quickly reveal the snake-oil from the substance. We even quipped a safe rule of thumb (at least last year):

The frequency of the phrase “APT” by a vendor is inversely proportional to their actual expertise or comprehension of it

Put the vendors to the test. Ask for specifics. Maybe take some dramamine 1st.

My Speaking Slots:

Monday, February 27, 12:30 PM – RSA – Room 302

PROF-001 – Stress and Burnout in the Information Security Community

Jack Daniel, Stacy Thayer,  Gal Shpantzer, Martin McKeay, Joshua Corman (and @kcyerrid shhh!)

We’ve done real survey work with proven non-security-models and this is an important topic. We did a less formal version at BSidesLV 2011 with great feedback, validating the need for this.

Monday, February 27, 3:00 PM – AGC’s Security Conference – Main Stage at Westin Market St

PM Keynote: Apocalypse Now: Adapting to Espionage and Chaotic Actors

Joshua Corman

I’m excited to confront the VC and Investment community to actually rise to substantive changes in the space – versus repackaging old “kit” into the latest compliance or FUD buzzwords. This industry used to innovate, and it is time to again. What’s really cool about this, is my keynote is followed by two child panels: one on adapting to Espionage developments – one on implications of Chaotic Actors. With the money and the innovators in the room, confronting these topics, perhaps we can catalyze some action.

Tuesday, February 28, 1:10 PM – RSA – Room 305

CLD-106 – Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Gene Kim & Joshua Corman

Gene and I have been collaborating for a little over a year and a half on this topic. I’m most excited about this one. **BONUS POINTS if you can name the movie reference in the title

Here is a short podcast teaser we did with RSA

Wednesday, February 29, 9:30 AM – RSA – Room 309

GRC-202 – Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M?

Joshua Corman & David Etue

David and I have been working this idea for several years. After last year’s pantheon of adversaries and pervasive failures became clearer, more practitioners may be ready for this concept. HDMoore’s Law will be discussed.

Here is a short podcast teaser we did with RSA

If you need/want to reach me while there, hit me on twitter: @joshcorman

RSA is what you make of it…

• What are you expecting?
• What are you dreading?
• Which people/talks are you eager to see?