(ISC)² Security Congress 2021 - day two

Looking at my sessions on day two.

(ISC)² Security Congress 2021 - day two

As the longest of the three days I was aware there was a lot to get through today.  I also spent some time looking around the "side shows" of the conference - pre-recorded sessions that offered additional content.  Today primarily focused on careers and mental health.

Careers advice

Day two started with a one to one careers advice session with Suzanne Ricci which was really useful.  I've been considering where to go with my career for a while and don't really know which direction to go (although I'll probably stick with cyber security as my primary, and development work as a secondary).  Thank you (ISC)² for making these sessions available to attendees.  Unfortunately my confirmation emails went to spam (thanks Gmail!) and then Teams played up, but I got there in the end.

The session didn't answer my question of "what should I do?" but then I didn't really expect it to - there's no way for someone to answer that for me.  Instead I got some advice ranging from working out what I enjoy about my job (common sense but worth reiterating), to "informational interviews" where you speak to people doing the role to find out what is really involved.  Another technique would be to work out if I want to chase a job title or a particular salary.

We discussed whether I should stay working for an organisation (job stabiity but potentially lower wage, particularly in the public sector) or to move into consultancy, which I've considered for a while.  Consulting should pay more which would allow me to build a fund for retirement (I'm assuming pension values are going to go down).  To do well out of consulting Suzanne recommended I use LinkedIn more effectively and get my name out there more because, in consulting, once your name falls off the RADAR you're losing business.  Social proofing is also necessary, and forms part of having your name out there and building your brand.

All food for thought, and I have another session with Suzanne tomorrow.

Next up was a double keynote, so I'll cover each in turn below.

Keynote, Adam Seltzner: Into the Unknown - How Leadership, Ingenuity, and Perseverance Put a Rover on Mars

Both of the keynotes were more inspirational than technical but still quite useful.  Sometimes we can focus on the technical elements of work too much, ignoring the human parts.

The first keynote was possibly the most motivating talk today, focussing on how we can achieve things if we persevere and remain optimistic.  As Henry Ford said: "if you think you can't do something, you're probably right".  Adam also highlighted that humans are capable of adapting to disruption - proven during the pandemic when there was mass disruption.

A quote of Adam's that I particularly liked was "great works and great folly may be indistinguishable at the outset".

Keynote, Daymond John: Daymond John's 5 Shark Points for Success

Not knowing who Daymond John was (he's a self-made entrepreneur and investor in the US) I was a bit lost in this session.  A useful comment from Daymond was that being an entrepreneur essentially just means problem solving, so there's a link to the security realm 😊️.

His five points for success:

  • Set your goals (you become what you think about most)
  • Do your homework and analysis
  • Remember what you are
  • Put yourself into two - five words (a slogan)
  • Keep swimming - persevere

Hal D Gangnath: What to read after you've gotten your certification (or you need a break from studying)

Some time ago I tweeted about how my reading list and how it was quite sizeable, and attached a photo of the physical books in my reading queue.  I do most of my reading on a Kobo, so I can change the font (OpenDyslexic) and spacing.  If I count my reading list, physical and digital, I'm probably pushing over twenty books across various genres in both fiction and non-fiction.

Hal didn't help reduce my reading list!  I've just added several following his talk so I'll just have to fit them in somewhere...Hal started off by talking about the five books shown in the image below, which I'll list as the ALT tag may not be long enough!

  • The Cuckoo's egg by Clifford Stoll
  • Countdown to zero day by Kim Zetter
  • Dawn of the code war by John P Carlin
  • This is how they tell me the world ends by Nicole Perlroth
  • Sandworm by Andy Greenberg

Josh Stella: Pen-Testing Your Cloud Infrastructure Environment

Josh made an observation that I can completely relate to - penetration testers aren't keeping up with cloud developments.  I did my penetration testing training, both web and infrastructure, quite some years ago when a cloud was something you find in the sky (now I feel old!) - I'm very conscious I need to up my game when it comes to testing cloud environments.  The same is true for cloud forensics.

You might ask why I can't just pick up existing techniques and run them against a cloud target.  Cloud environments are completely different.  Take serverless workloads like Lambda functions - the total lifetime for that workload is potentially in the order of seconds.  A lot of breaches in the cloud also come from misconfiguration and excessive read permissions.

Key takeaways:

  • Check for misconfigurations
  • Automate configuration checks wherever possible
  • Use cloud security policies to restrict access / protect against misconfiguration wherever possible
  • Don't hard code secrets (credentials) into your environment

Josh's company has some videos on his YouTube channel that might be useful: https://www.youtube.com/channel/UCI3ubmQ50wDpU42d3C53ntw

Ask a Coach Live Networking Event

Something missing from an in-person conference is the networking time, where you speak to other people and share stories and advice.  To solve this (ISC)² has worked with company Remo to create an online networking lounge.  Those that have been meeting others in groups online because of the pandemic will know that side conversations aren't possible - only one person can really talk at a time.  Networking "tables" were limited to six people at a time and there weren't enough tables for people "sitting down" as a two, so I'm not sure this really worked.

You can see the platform in the screenshot below (do excuse the very slap dash anonymisation!).  There's a number of open networking tables, where you can talk with up to five other people at a time (see above).  Limited private coaching was also available in pairs.  Other than that there were specific tables of focus:

  • Resume (CV) advice
  • Interviewing tips
  • Salary negotiations
  • Job searching
  • Career success
  • LinkedIn tips
  • Event helpdesk

Sadly the platform didn't work on my elementaryOS 5.1 instance (based on Ubuntu 18.04) running the latest Firefox.  The site did warn me about that, but equally it said that about my Chromebook which seemed to work fine.

Screenshot showing a map with several tables grouped by section (described in the blog text).
An interesting set up that sadly doesn't quite replicate true face to face networking.

Martin R. Okumu: Ransomware

In this session the speaker explained how a ransomware attack had impacted their organisation, taking down 90% of systems.  The organisation elected not to pay the ransom - a business decission.  Martin discussed how the cyber incident response team (CIRT) wasn't owned by the security team and in fact is sponsored by the executive team.  Indeed, the CIRT wouldn't work correctly without executive (management) support.

One key activity when dealing with a ransomware incident is to determine what can be done to keep the business alive in the absence of the computer systems.  Are there statutory obligations that you have to meet?  Output from this activity will contribute to prioritising your recovery efforts.

Having a plan is great, but if it's not accessible (say, has been encrypted by ransomware) then it's useless to you.  Comments in the chat included a good suggestion of printing copies of the plan to be kept at the homes of key staff, with a USB stick containing a digital copy for easy searching.  I really liked that suggestion so will be taking it to my boss when I get back from the conference.  Remember that you might not be able to get to equipment you need either, perhaps access is denied by law enforcement or because you can't swipe through your network connected door access system.

Run simulations and table top exercises to ensure relevant staff know what they'll need to do.  For those that dislike writing exercises, there's a handy resource provided by CISA: https://www.cisa.gov/critical-infrastructure-exercises

Panel discussion: Breathe In, Breathe Out – Finding Balance to Keep Burnout at Bay

I picked this session as burnout is something I've dealt with in the past, and mental health is certainly moving up the agenda.  Reassuringly, mental health seems to be moving up organisational agendas too.

Physical exercise was named as a key factor that affects mental health and the panel recommended getting into a good exercise regime.  With gyms being closed due to the pandemic it's important to "own your own health" and to sort out your own fitness plan, without the gym.  For me that's meant walking a lot more (see my coronavirus blog posts).  Consider walking meetings too, useful for one to one meetings where there may not be a need to look at the screen.

Working from home is a blessing and a curse, with some loving it and others hating it.  There's various reasons for that but the panel (and delegate chat) seemed to feel a hybrid model was likely to be the result, and seemed to be happening.  Time savings from working from home (no commute) have really benefited many people but the reduction in human contact cannot be ignored.  Check in on your co-workers!

A parting thought from one of the panel, who changed job during the pandemic:  "If it's not working for you and you are stressed out, then find something that works for you...You have to change the story".

The panel consisted of Rob Ayoub (moderator), Sharon Smith, John Esparza, Deidre Diamond, Erik von Gelden.

James Arlen: Why I Quit Security For A While And Came Back (But Might Leave Again)

James got to the end of his tether with cybersecurity after various things niggled too much.  One example he gave was of doing the wrong things for the right reasons - compliance requirements might make you force users to change passwords regularly.  Having got to the end of your tether the options are to stick with it anyway and take the money, or find another job.

So James left cyber security for 18 months and went into product engineering, which he then found had lots of overlap.  He came back after realising he didn't hate security, just some (silly) security traditions.

He decided on three things:

  • Not buying security products: operational tooling is better than specific tooling (and tools should do more than one thing)
  • No more doing "fashionable" security things: do the real work first and best
  • "DevSecOps is buzzwordy and doesn't tell the whole story - it's EverythingSecEverything"

I'm not sure I agree with all of his points but I certainly agree with wanting to get stuff done (GSD).  GSD is something my fellow deputy SISO talk about quite a lot, as sometimes we'd rather do the work than just raise the tickets...

I asked how to spot getting to the end of your tether before you get there and James had this advice:

  • Step back and look at the elements of security culture and the coping mechanisms.  When you start spending more time using the coping mechanisms you know things are wrong
  • The less time you spend thinking about "not work" is a big indicator
  • Remember that work/life balance is really important.  Work out what you need (generally in terms of money) to get by and then prioritise your non-work life over the extra cash
  • Keep an eye on things

Comments in the chat were really useful during this session too, and one attendee reminded us to not be afraid to use all of our paid time off.  Another tip was to say "no" to excessive drags on your day, like superflous meetings.

Done right, security can help other teams, which is something I think is often overlooked both by the security team and the other teams they can help.

Day two conclusions

As I said, today was less technical for me and looked more to the future with both career and a motivation / mental health angles.  I don't consider that a bad thing given, at the end of the day, I'm a person first and a security professional second.  Tomorrow should be more technical.

(I opted out of the C-Y-B-E-R bingo session that I'd initially planned to join in favour of watching some additional side content.  It would have been a very late night otherwise.)


Banner image: The (ISC)² career centre banner.