That was the week that was – RSA Conference Europe 2012

Leave a comment

Having arrived at the Hilton Metropole on Monday lunchtime and finally left the hotel (virtually for the first time) on Friday morning, I am left with a sequence of mad, fascinating, zany, intriguing, bizarre, educational, alcoholic and downright enjoyable experiences. I knew what to expect having attended last year. In no particular order (except by which they fall out of my head) here are my high points, and occasional low points.

Meeting Wendy Nather (@451wendy) of the 451 Group  at last and having lunch with her and Kai Roer (@kairoer, and a constant and welcome companion throughout the week);Dinner at The White Swan with my fellow panellists/debate team, Christian Toon(@christiantoon), Geordie Stewart, Rowenna Fielding (@InfosecGeekLady), Kai Roer, Javvad Malik (@j4vv4d), Gemma Paterson (@GemmaPats) and Chris Batten (@Acumin), and supposedly talking about our debate the next day but actually just sharing inapproriate jokes (mostly led by Chris…); The actual debate itself, not a massive attendance although not only were we up against stiff competition numbers were down somewhat anyway; meeting my first bona fide infosec journalist John Leyden (@jleyden) of The Register as well as my second, Dan Raywood (@DanRaywood) of SC Magazine; Meeting James Lyne (@jameslyne) who is not only a genius but also has the audacity to be charming, funny and an all round lovely guy, goddamm him; Watching Christian Toon bluff his way into the Media/Analysts party on Tuesday night, and watch Javvad have to do nothing to get into the IOActive party on wednesday night because everyone knows him; spending nearly an hour chatting with Javvad talking about blogging, public speaking, charlatans and heroes and being very pleasantly surprised at how much we have in common on these topics; walking out of Bruce Schneiers keynote because I found it dull and unengaging which was a real disappointment; finally making my mind up about Ira Winkler after watching his presentation; wishing I wasn’t late for Josh Corman’s (@JoshCorman) keynote, watching Hugh Johnson again, a master of working the room and engaging his audience, and marvelling at what a thoroughly lovely guy he was; spending time with Brian Honan (@BrianHonan) again and always enjoying his funny yet surprisingly modest company; Eating Schawama’s with Javvad and @sirjester, and subsequently meeting the aforementioned James Lyne and Dan Haywood; failing to win a single thing in any of the prize draws, yet still coming back with five t-shirts and a bag of booty; Watching Javvad and Emma Tweet each other whilst standing side by side; Being amazed, yet finding myself also tweeting almost every 10 minutes in synchronisation with everyone else you happen to be with – what has this world come to?; getting beered up with Chritian Toon on Tuesday and not being able to work out why I feel so drunk and he seems so fresh. The next day it turns out he is nearly 15 years younger than me! I obviously look young for my age, and he the opposite!; Spending a fascinating 90 minutes with Josh Corman on Thursday night and being impressed with how genuine, non judgemental and actually concerned he is about our industry; receiving my first ever Friday Five’s in Twitter and seeing it suddenly explode with activity as everyone joined in, for 10 minutes!; Watching Javvad being awarded his RSA Rockstar t-shirt.

There are many other people I met, chatted with and discussed topics raised in the presentations that are just too numerous to mention. If I have missed you out I apologise profusely and blame my poor memory and being inundated with great times.

The photos throughout this article barely scratch the surface of the fun and educational experience of the week, and I am already looking forward to RSA 2013 in Amsterdam next year!

CSARN Organisational Resilience Conference

Leave a comment

I was able to attend the City Security And Risk Network (CSARN) conference on organisational resilience today. It was a very well put together one day event with speakers from a broad range of companies and backgrounds such as the Police Force as well as military and traditional consultancies.

The key focus of the day though was of course on elements of organisational resilience such as incident and crisis management, the terrorist threat, global travel planning and the associated risks (in this case played against a backdrop of maintaining operations during the Arab Spring) and of course business continuity management. The speakers were knowledgable, and approachable during breaks for further questions. Justin Crump did a cracking job of maintaining order throughout the day and ensuring the audience was engaging well with the speakers.

Halfway through the day there was a panel discussion focussed on “building and embedding effective cyber security structures”, and I was pleasantly surprised to have been asked last week to be on the panel itself. (Cue jokes for how far down the list they had to go before they got to me etc…). Also on the panel with me was Geordie Stewart (who I am also speaking with at RSA and Paul Simmonds (Co-editor, Cloud Security Alliance “Guidance” v3 Co-founder & Board of Management, Jericho Forum Former CISO, AstraZeneca). I felt it came across as a very well balanced discussion, with some very insightful and focussed questions from the audience. I had been primed that the audience was not that well versed in all things “cyber”, but that didn’t really come across which made for a very enjoyable and engaging discussion.

We covered topics such as sources of cybercrime (state sponsored, organised crime and so called chaotic actors), what our thoughts were on the biggest threats coming out of the “cyber” threat and what we could be doing better at international levels. When each asked what the single take away from the discussion, mine was a rather glib, if valid, “plan for failure”; another strong take away to my mind was “get the basics right, everything else comes second”. Again, it sounds glib and from the school of the bleeding obvious, but over complicating any challenge is so easily done.

If I had one piece of critical feedback (well, two actually) it was that towards the end the presentations seemed to move into blatant sales pitches; now I understand sponsors need to get a return on their sponsorship, but it was the wrong forum to my mind for sales pitches. Secondly, I wouldn’t do something like this again on a Friday; it felt like half the audience had left come 2 o’clock, which can’t have helped the afternoon speakers at all!

I thoroughly enjoyed myself though, have some great key takeaways specifically for my business continuity planning, and I hope have planted the seeds of being able to return again in the future as a solo speaker!

My thanks to Acumin and CSARN for giving me the opportunity to be on their panel, especially alongside two people whom I admire in the industry.

More Thoughts on BSides London 2012

Leave a comment

A very quick post to spotlight the excellent talking heads reel posted recently by Javvad. Given I will very shortly be posting the video of my presentation from there I won’t waste space going over the excellent event again, suffice to say the devilishly handsome chap at 0:35 and 2:37 sums it up nicely!

BSidesLondon – Woot Woot!

2 Comments

What a marvellous couple of days I have just had; Tuesday at InfoSec Europe in Earls Court followed by BSidesLondon in The Barbican on Wednesday. While InfoSec was good, and I enjoyed not only the wide variety of stands, prizes, swag and educational events, it is and will always be a trade show. I always feel I am one tiny eye contact away from signing up to 1000 licenses of a product I never knew I need.

BsidesLondon however was an entirely different event. This was the first BSides event I have attended anywhere, and its reputation as an edgier, grittier and slightly geekier type of conference (or at least that is what I picked up on) was entirely unjustified. What I experienced was an extremely high quality of talks, great organisation, interesting activities, engaging workshops and above all a broad, eclectic mix of information security professionals. To be honest, I was somewhat concerned that my professional background in governance, risk and compliance was going to be entirely misaligned, but I was encouraged to attend by a colleague in our Boston office. How mistaken I was!

I should have guessed really when a talk I submitted was voted for by the attendees (An Anatomy of a Risk Assessment) – I explicitly stated it wasn’t technical, or even focussed on a given standard, but rather a more social/human experience of risk assessments. Whilst I didn’t exactly fill the auditorium to the gunwales, I estimate there were about seventy people attending. I also had some great questions at the end and a stream of conversations and compliments throughout the rest of the day. I even managed a few more Twitter followers!

(On that last point, I think I really am going to have to pull my finger out now and start providing some real value on Twitter, and especially this blog!)

The “Crew”, and team of people entirely made up of volunteers who gave up their full day to support the event (and miss out on all of the great activities as well) did a phenomenal job in both setting it up and managing it. I was able to thank a few of them in the bar at the after party, but I know I missed a few; to all of you, Thank You!

If pushed to, there would be a few things I would change; please understand this is by no means a criticism of any aspect of this years event, but rather a desire to see a cycle of continual improvement!

1. Make it a two day event. I would hope this would encourage more volunteers who could do a half day stint at a time. This would mean that volunteers would not miss out on the excellent content. (I heard many times “I haven’t been able to see a single talk all day”)

2. Charge a nominal fee. By nominal I mean £50 for two days (£25 for students/concessions etc of course. That is only a night or two of beer for an average student and they will more than make up for it at the after parties!). This would ensure people actually turn up – I saw a lot of unclaimed name badges at the reception which is a massive shame given the clamour for tickets. One day tickets could be suitable priced at £30 and £15. This would also take the pressure of the organisers for the basics like T Shirts, lunch, booking fees etc and the (excellent) sponsors can focus on the value-add stuff.

3. Increase the numbers. I know smaller events have a niche value and connect with the community more effectively, but I think a third track formal could easily be accommodated next year as the reputation of this event will only improve and numbers wanting to attend will increase. There is a balance to be had, but pushing to 500 or 600 is still viable in my humble opinion.

All that said, even if everything stayed the same I will still be attending next year, and hopefully speaking again. Congratulations to all involved, what an amazing event. It’s barely been two days and I am already looking forward to next years!