Themes and Thoughts from the 2018 NYS Cybersecurity Conference

I had the opportunity to attend the 2018 NYS Cybersecurity Conference held in Albany NY. The conference is held every year in June and this year marked 21 years of the conference. I’ve attended this conference twice now, the first time last year (2017), and I always get a lot of value from this trip. This time I had the chance to also take a full day of training on the topic of DevSecOps (which was super awesome BTW) which I will share more about below. First, I always try to go into these conferences with an open mind and really try and come away with a few things in particular: major themes (high level thinking) and practical (more hands-on/tactical) things I can begin implementing immediately.

I think the reason I like doing this is because I like seeing the big picture. I like taking a step back and looking at the security industry from a high level to try and pick up on common themes and trends happening. I think this helps me stay ahead of the game and allows me to begin thinking about how I can put myself in the best position to succeed both for my company and for my career.

I like trying to see around corners. 🙂

I also recognize that high-level thinking will only get you so far and you have to also focus on practical hands-on tactical information. You’ve got to not be afraid to get your hands dirty and dig into the nitty gritty of a subject. I like being able to walk away from a conference or training with things I can immediately begin to implement in my career or for my company.

So, now onto the Themes.

Major Themes of the 2018 NYS Cybersecurity Conference

1. Supply Chain Risk Management. This includes hardware, software & services. I’ve learned this can be a very complex problem and this conference opened my eyes to new risks I may not have considered otherwise

2. Open Source Software Risk Management. This is all about evaluating risk, validating, testing, securing, governing. Some reports indicate that 80-95% of all new software contains open source code. I can now see that having good software inventory and risk assessment is crucial to any application security program.

3. Integrating Security into the Business Process. Not just bolting it on at the end. Fostering a culture of embracing security not enforcing. This is big one to me. I don’t have any hard answers for this yet, but my intuition is telling me that the way to further secure the human element is find ways to get employees to have a sense of mutual accountability when it comes to security.

4. Finding and Developing Security champions. Tying into #3 I think it can be super helpful to find people interested in security, who have some influence at the company, who are curious about and/or are willing to help others embrace security. I’ve learned to help them, provide them education and training. I’ve also learned to try and find them in different parts of the company, not just in IT.

5. Just because it’s the way you’ve always done things doesn’t mean it isn’t stupid. This is a little tongue and cheek but the point is pretty obvious. The things that got you here may not be the things that get you to the next level. The longer I am in IT the more I am realizing how much of a headache this mentality can be and how frustrating it can be to try and change it.

Topical Security Thoughts

1. Taking Risks & Failure. I’ve learned to consider how you (i) take risks. Fail fast and manage that process so it doesn’t put you out of business in order to allow accelerated innovation

2. Communication. I’ve learned to think about how I translate what I know to those who don’t know what I know (sr. Leadership, users, etc.)

3. Open Source Software. Falling behind in updates creates an extremely difficult & risky situation. Business risk vs open source risk is many times disconnected. Lack of governance around OSS is a problem. Lack of visibility into what libraries are in the env and even less on what’s actually being used and what versions. DHS says that 90% of security incidents is a result of poor appsec.

4. Death to Web Application Firewalls (WAF). I’m noticing RASP (runtime application self-protecting) gaining a lot of momentum. Some experts see the network control features are being moved to the firewall and the application control features are moving to these RASP devices. They can self-protect meaning they can protect the application in real-time by reconfiguring the application to prevent malicious behavior and attacks. Many of them will also inventory all the libraries being used, can tell you the versions of everything. They look to be quite sophisticated. Definitely something to look into further.

5. Agile & DevOps. I had a full day of training in agile. We took a deep dive into what agile is, how to get to devops, the benefits and how to begin implementing. We also did a hands on excessive that showed what agile is and why agile & devops is great approach. There’s a very good case to be made that adopting and implementing a culture of agile and eventually devops can have tremendous benefits to a business. This is seen mostly in development shops, but it speaks to a larger culture change that includes faster time to value for customers, better and faster feedback loops, earlier detection of problems, IT more aligned with the business and a slew of other benefits. I really truly think Agile & DevOps culture can have a profound impact on any organization not just dev shops and I’m excited to think about that more and explore more about that in an effort to really fine-tune what that looks like to me.

If anyone gets value from this, I would love to know what specifically. And if you have any comments, questions or feedback about anything I wrote above, I would love to continue the dialog on Twitter. Hit me up @techspence