RSA Conference 2012: Day 1 Highlights

Highlights from Day 1 of RSA:

I attended the professional development track, and pulled most of these quotes from there. Follow me on Twitter to see what strikes my fancy in real time.

  • Remember that being a security leader is first and foremost about leading. Too often we get bogged down in management. Managers deal with complexity, scheduling and resource allocation. Leaders deal with setting a direction and figuring out how to get there. The quote which was used in this session, which I love, was “managers follow a map, leaders follow a compass.”
  • The biggest key to the success of any security program is achieving goal congruence with the greater organization. Every security objective should directly support the overall objectives of the company. We in security must figure out how our projects contribute to the organization’s success.
  • One of the comments that stuck out to me was drawing the difference between CIOs and CISOs. Per this presenter, CIOs want to be remembered often. CISOs want to be remembered not at all. While I understand and appreciate the concept (much like a baseball umpire never wants to be talked about after the game), I believe it’s an outdated model for a CISO. Today’s security departments need to find ways to add value to the organization, stepping out from behind the curtain. Instead of focusing solely on avoiding breaches, security can add value to organizations in the sales process, by providing product innovations, and by assisting in the achievement of company objectives. I believe that the most successful CISOs in coming years will be front-and-center in senior leadership strategy sessions.
  • Understanding security is not enough. To create an effective security program, first we must understand the business we’re supporting. In the vein of the Prayer of Saint Francis, “not so much seek… to be understood, as to understand.” We must first look to understand how the business can be successful before we can be successful in security.
  • “The destination should achieve compliance, not be compliance.” This is what I’ve been saying since I started this blog, and believe is more true now than ever. It seems like we all agree… but we must go from agreeing about it to practicing it. That’s the challenge, and it requires real proactive work, getting ahead of our requirements, rather than continually trying to catch up to the latest audit report, or regulatory update.
  • Let’s ban the phrase “best practice.” It’s much like the one-size-fits-all shirt. It doesn’t really fit any of us. The thin folks are swimming in it and we bigger folks look like a sausage. No two organizations will need exactly the same security program. A security program must be much more like a custom-tailored shirt, hiding our trouble spots and accentuating our strengths.


2 thoughts on “RSA Conference 2012: Day 1 Highlights”

  1. Hi Robb, Thanks for your RSA Conference 2012 thoughts. I was unable to attend this year and have been going through conference withdrawal.

    I am interested in hearing more about one of your bulleted items above; ‘“The destination should achieve compliance, not be compliance.”’ First, I’d like to understand what you mean before I can agree or disagree. Do you mean that our efforts to secure the enterprise should achieve compliance and that our destination should not just be meeting some compliance standard?

    Thanks again.

    Daya

  2. Daya,

    Thanks for the note. I believe that the intent behind the quote you mention (“The destination should achieve compliance, not be compliance”) is that when organizations are architecting their security programs, it should be done with an eye toward implementing proper security, NOT toward passing a particular regulation or standard. I have written a few blog posts on this topic in the past if you want to read my thoughts on the matter.

    http://www.robbreck.net/blog/enterprise_information_security/security-leads-to-compliance/
    http://www.robbreck.net/blog/enterprise_information_security/proactive-security-versus-reactive-compliance/
    http://www.robbreck.net/blog/enterprise_information_security/compliance-leads-to-security-breaches/

    I am looking forward to your thoughts. I am always interested in dialog about these subjects.

    -Robb
