Wednesday, February 22, 2017

RSAC in a flash – quotes, opinions and trends from some of the presentations

No resounding theme this year (compared to last), apart from the words ransomware, DDoS and machine learning, and the overuse of “pivot”
  • Security by obscurity is not security; it is a fallacy
  • PLCs lack programming interfaces that support robust password authentication, and lack security features in general
  • Incident Response
    • Availability – does not mean a fire extinguisher everywhere
    • Budget – there will be unexpected costs
    • Collaborate – with all groups and roles, with frequency
    • Plan – for chaos
  • Paying the ransom is sometimes the only option (70% of victims pay, and 20% pay over $40K) when there is no backup or recovery cannot be done in time
  • A security awareness strategy answers who, what and how – keep it simple and don’t assume
  • Uptick in attacks on healthcare
  • You must lead without authority
  • Machine learning is the wave, but it is enhanced with GPO to speed up reaction time
  • 7 factors of organizational management
    • Gain command of the facts
    • Get the business to own risk
    • Embrace the change agent role
    • Run InfoSec like a business
    • Build a technical and business capable team
    • Communicate the value
    • Organize for success
  • CISO Impact Quotient: expect a 5-7 year journey before trust and value are seen and woven into the organization
  • Building confidence is your first objective; then having a plan; then tying it back to the most critical business function
  • Maturity progresses from compliance-driven, to solution-driven, to vulnerability-driven, to threat modeling/detection-driven
  • Change your habits and change your life
  • 3 critical skills for better decisions and greater influence
    • Self-awareness – clarity in thinking and feeling
    • Deep work – attention management vs. time management
    • Mindfulness and mentalizing
  • Mandatory data breach notification is no longer optional; in the EU this includes notifying the Data Protection Authority within 72 hours
  • The burden of proof is on the organization: it must be able to demonstrate that unauthorized access/processing did NOT occur
  • The EU definition of personal data is any information relating to an identified or identifiable natural person, which is broader than US definitions built around specific identifiers such as SSN and driver’s license number
  • EU fines are up to 4% of global annual turnover or €20,000,000, whichever is higher
  • Practicing fire drills is necessary – hands on exercise to test incident handling
  • A variant of the well-known trifecta is speed, security and variability (i.e., cost)
  • A MARCI chart plots risks by impact and vulnerability, annotated with how fast the risk can materialize (velocity)
  • Diversity makes you smart; current role diversity is 31% Boomers, 38% Gen X and 46% Millennials
  • The cyber skills shortage continues to grow
  • 93% of organizations can be compromised in just minutes (Synack)
  • Few Good Links
