I just came home from SecTor 2017, held here in Toronto. It’s Canada’s largest security event, and Brian Bourne, Bruce Cowper, and team have pulled off another fantastic event.
As I reflect on what I heard, there’s a message growing in volume in our industry: change. We heard it during the summer with Alex Stamos’ BlackHat keynote, we see it daily on Twitter with people like Jessy Irwin, Wendy Nather, and others taking a more user-friendly approach to security, and I saw it clearly across a few key sessions I attended at SecTor.
On Monday, as part of the Canadian summit of the Cloud Security Alliance, Rich Mogull advocated for and clearly demonstrated the benefits of adopting new paradigms for security of cloud-based workloads. From using message queues for communications between Web and App tiers to the impact of immutable infrastructure principles to do version updates, it is astounding how a modern cloud-based architecture can completely bypass key security challenges such as lateral movement and patching concerns.
On Tuesday, Chris Wysopal from Veracode led a master class in understanding the role of security within software development methodologies, including Waterfall, Agile, and DevOps. He skillfully articulated the challenges facing those looking to add security to projects – from slowing down projects to competing with other business priorities, among others. Importantly, he proposed very clear improvements for Agile and DevOps scenarios, by embedding security expertise (NOT people) within Dev teams, and supporting these champions with specific guidance and tools. I tweeted about it at the time: one of the best presentations I’ve ever seen, period.
The two Wednesday keynotes were fantastic.
Bruce Schneier led us through an understanding of the broad changes we’ve seen in security and technology. Suddenly, as the ‘rest of the world’ grapples with issues that the security industry has been dealing with for a long time, our expertise is valuable, and we should put it to good use by working on these problems with government involvement. It was a broad talk, touching on key topics such as the failure of market mechanisms to address the externalities of poor security practices, the cross-jurisdictional nature of technical problems, and the fundamental clash of paradigms. On one hand, we (the IT industry) adopted a paradigm of ‘change things quickly’, and that led to the successes we see today, including the massive penetration of technology in modern society. However, much of that society has a different paradigm: ‘do it right the first time, and don’t touch it’, as we build public services and infrastructure meant to last 10, 20, 50 years or more without being changed. It’s a fundamental conflict that can’t be easily resolved. He wrapped up with a clear call for us to be more involved in policy discussions, to help government craft policies that are helpful and realistic.
The second keynote of the day was Allison Miller – of whom I am an unabashed fan, not only of her ideas and experience as a multidisciplinary professional, but of her easy-going style and wicked sense of humour. She spoke about the broad reframing of security objectives, from “not losing” to “winning”. She was able to weave together a broader outlook for security tying essential lessons from game theory, behavioural economics, and data science. She articulated the notion that security is not necessarily about the never-ending cycle of taming vulnerabilities and that “we cannot live by breach alone”, but that it is about the much more impactful and achievable objective of protecting our user communities, at scale. Jaw-dropping clarity.
Tying these talks together, the message is so clear it hurts: our industry needs to level up. We need to understand that the game we’re playing is not purely technical, it’s economics, and that it is constantly played across stand-up meetings, hackathons, budget discussions, courthouses, and more.
Not easy, not quick, not painless, absolutely not “just”, but essential.