The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security Awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans and people will always be the weakest security link

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad
so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated
ones.
@SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned
that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_).
So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage
#infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.