There's no shortage of anticipated topics to be covered at the many events taking place in San Francisco at the end of February. In this brief Q&A, Trey Ford, global security strategist at Rapid7, discusses the ones he's most excited about.
What events will you be attending this year in San Francisco?
I will be attending Security B-Sides, the RSA expo, and a lunch briefing with Access Data.
What influenced your decision?
RSA is one of the best places on earth to see and hear about the latest security product offerings and network with the community. I don't know of another place where you can meet with this many infosec organizations, and see this many products – especially from our international counterparts.
I love the purity of Security B-Sides, it has a special place in my heart. Conversations and presentations at B-Sides events are unique – they are timely, important, unconventional and unapologetically direct – which means they are often inappropriate for other venues.
What do you anticipate the most as far as conference talks this year?
The legislation impacting information security should be something everyone in the industry watches closely, and it's a priority for us at Rapid7. We need to see legislation achieve a balance of protection for researchers, clear guidelines for corporate due care, and simple definitions for criminal and malicious acts. I do not want to miss the ‘Cyber Legislation' panel.
I am a huge fan of investing in users, so the ‘Sixth Man' talk has piqued my interest, although my pragmatic tendency is hungry for measurement. “How are we measuring progress?”
We all read the news – but rarely get to hear the journalists speak their mind. The ‘Gumshoes' talk may prove to be a fun panel for a variety of reasons.
I am a long time advocate for security research. We all know that privacy has a heavy dependency on security research- I don't see this not being discussed in the ‘Hot Topics on Privacy' panel.
Security B-Sides is always content rich. I always look forward to hearing what the Electronic Frontier Foundation (EFF) is up to, be sure to catch the ‘Ask The EFF Panel' with Kurt Opsahl, Nate Cardozo, Yan Zhu, and Parker Higgins. Everyone in the industry should be paying attention to analyst reviews on products, trends, and solution sets, but few know how that sausage is made. This panel should be as informative as it is hilarious, “How (not) to talk to an analyst” with Jack Daniel, Wendy Nather, and Javvad Malik. As a geek, I think the Internet of Things is fun and neat; as a security practitioner, I am terrified. Zach Lanier and Mark Stanislav's ‘The Internet of Things: We've Got to Chat' will not disappoint.
Given the RSA/NSA news, what kind of impact do you feel this will have on the show this year?
I am excited about the associated implication of distrust. Trust is a scary thing – I believe security models improve when confidence and trust requirements go down. Expecting and accepting the possibility of compromise means monitoring, detection, containment, eradication and recovery will get the attention they require.
What are some pressing concerns/threats in the industry that you feel will be discussed this year?
The perimeter is dead, long live the perimeter: This is an age-old catch phrase that won't die – I believe the future of ‘the edge' is as close to ‘the user' as it ever has been.
Talent management: We have been facing a shortage of knowledge workers, and we are being forced to look harder at our sourcing and delivery strategies. Listen hard for bug bounty discussions and take heed – you need to partner with the community.
Operational security is the new black: Privacy discussions will be inescapable.
The ‘Don't be the next Target' pitch: I hope to hear this discussion framed in the positive – there was a lot they did well, I hope to hear some of that perspective discussed.
Vulnerability disclosure standards: Katie Moussouris has been working hard on an ISO standard disclosure. I cannot stress enough the importance of this work, and the responsibility security teams and companies carry in cultivating a safe way to receive and process vulnerability notifications. We as an industry will perform at a higher level when we agree to a clear standard on how best to do this.
Partnering with IT: Information security has a track record of creating friction for end users in the name of security. Authentication, and passwords are still a sad mess – we as an industry must invest heavily on empowering, protecting, and delighting end users.