Security Innovation Network (SINET) Conference Quick Takes

One of the best forward-looking security events is SINET’s semi-annual conference. It features vendor-agnostic sessions (largely panel discussions) led by subject matter expert speakers such as Taher Elgamal; Subra Kumaraswamy, VP, Product Security Engineering, Visa; and Joe Sullivan, CSO, Cloudflare.

Quick takes from the April Conference:  

  • The agenda: https://www.security-innovation.org/events/silicon/agenda/

  • Board Members are now informed by the “threat intel” they obtain from the media (i.e., they get it as quickly as the CISO). This leads to questions such as “Are we protected against threat ‘X’?”.

  • Employee Retention: a hot topic for obvious reasons. “We all do exit interviews; we need to also do ‘stay’ interviews” (these provide a good signal on an employee’s job/company satisfaction). Monitoring morale: consider tools like TINYPulse that send one survey question, once a week, to employees. The team can respond instantly and anonymously via the mobile app.

  • What Cyber Solutions Do Venture Capitalists Want To Invest in:

    • Companies use dozens of security tools. The cost to implement and maintain them is the driver for VC interest in “great” security platforms.

    • AppSec, data security, IoT, and critical infrastructure.


Security Program Innovation

In an industry where we are sometimes criticized for not speaking the language of the business, Equifax has tackled this issue in a big way. It now issues a security annual report that is modeled after a corporate annual report and includes:

  • A letter from the CEO focused on his commitment to the cyber security program

  • A letter from the CISO (Jamie Farshchi)

  • Summary of its security transformation initiatives

  • Independent benchmarking results


Download the 2021 report at:
https://assets.equifax.com/marketing/US/assets/2021-security-annual-report.pdf


Two Interesting Cyber Resources

Resource #1: Check out the Open Source Security Foundation (OpenSSF) 10 working groups aimed at securing open source software. See https://openssf.org/community/openssf-working-groups/. For example:

  • Security Tooling: This group’s mission is to provide the best security tools for open source developers and make them universally accessible.

  • Supply Chain Integrity: This group’s mission is helping people understand and make decisions on the provenance of the code they maintain, produce and use.

Resource #2: Nicolas Chaillan, a past VCSP presenter on DevSecOps, is a security thought leader. He served as the first Air Force Chief Software Officer, brought DevSecOps to the DoD, and is a serial entrepreneur. Check him out at:

  • https://www.inthenicoftime.us/nic-online/

  • Twitter @NicolasChaillan

  • Webinars such as “When YOU finally understand what Zero Trust is” https://www.youtube.com/watch?v=z1ZL41vrSeo&feature=youtu.be

    • In this video, Nic walks you through the largest implementation of Zero Trust (ZT) in DoD.

    • Reviews the 3 pillars of ZT:

      • Device enforcement: including patch levels, endpoint protection, MDM, etc.

      • Strong identities: for both Person Entities (PE) and Non-Person Entities (NPE)

      • Data-centricity: labeling data down to the cell level

    • Leverages a Software Defined Perimeter (SDP), not just SDN, using mTLS tunneling and granular micro-segmentation based on the Segment of One concept

    • Leverages a Service Mesh to prevent lateral movement by enforcing policy on east/west traffic down to the container level.
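To make the last two bullets concrete, here is an added example of what “mTLS tunneling,” “segment of one,” and mesh-enforced east/west policy look like in practice. It is not from the webinar or the DoD implementation; it assumes Istio as the service mesh, and the namespace (payments), workload labels (ledger, checkout) and service account names are constructed placeholders.

```yaml
# Added example (not from Nic Chaillan's webinar or the DoD program).
# Assumes Istio; "payments", "ledger", "checkout" and the service account
# names are placeholders chosen for illustration.
---
# 1. Strong NPE identity + mTLS tunneling: every workload in the namespace
#    must present a workload certificate. Plaintext east/west traffic is
#    rejected at the sidecar, so pods only talk over authenticated,
#    encrypted tunnels.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: require-mtls
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny: an AuthorizationPolicy with no rules matches nothing,
#    so every request to a workload in the namespace is refused unless a
#    more specific policy allows it. This is the "micro-segmentation"
#    baseline that stops lateral movement between containers.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. Segment of one: only the "checkout" service identity, carried in its
#    mTLS certificate as a SPIFFE principal, may call the "ledger" workload,
#    and only GET on port 8080. Any other pod, even one in the same
#    namespace, is denied at the ledger pod's sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/payments/sa/checkout"]
      to:
        - operation:
            methods: ["GET"]
            ports: ["8080"]
```

Apply the three objects with `kubectl apply -f` to a namespace where sidecar injection is enabled. The design point mirrors the talk: the perimeter is the individual workload, identity is the NPE certificate rather than an IP address or network location, and the policy is enforced at the container boundary for east/west traffic rather than only at a north/south firewall.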