RSA Recap: Will National Standards Help Reduce Security Risk?


Last week I had the opportunity to be in San Francisco for the RSA conference and Metricon 9. The conversation at the conference, now echoed in news reports, is that this was the largest RSA event to date in terms of attendance and exhibitors. I agree with what Morgan Stanley cited in their RSA Conference takeaways report: the attention that recent high profile breaches have received contributed to the increased interest from attendees. Cyber risk has finally become a board level issue. The heightened awareness, and the increases in security budgets expected to follow from it, show that organizational cyber security performance is now recognized as a critical business issue.

A stand-out moment during the week for me was attending an RSA panel that featured several key industry thought leaders: Chris Wysopal (Veracode), Adam Shostack (Microsoft), Alex Hutton (Zions), Harry Sverdlove (Bit9) and Jacob Olcott (Good Harbor). The panel discussion was titled “Should a National Cyber Safety Board Be Created to Help Report on Breaches?” I was really pleased to hear such a candid and thoughtful discussion on the topic (so much so that I spoke about it during my interview with iSMG’s Tom Field). I’ve been an advocate of collaboration and transparency in the security industry for a long time, and I thought that many of the points these speakers made were spot on with what the industry needs to move forward.

In the panel, Adam Shostack compared the infosec industry to the early years of the commercial aviation industry. At the dawn of commercial aviation the risks of flying were high and there were hundreds of accidents. In response, Congress charged the DOT with investigating the cause of these accidents. The investigative body ultimately became the National Transportation Safety Board (NTSB), with the single aim “to ensure that such accidents never happen again.” To date the NTSB has investigated 132,000 aviation accidents and issued over 13,000 safety recommendations to “help prevent accidents and save lives.” Although we still have aviation accidents today, history shows that the effort to investigate failures and share the lessons learned from them has dramatically reduced the risk of flying. In fact, your odds of dying in a plane crash are 11 million to 1, making it more likely that you will die in a car crash, or even be killed by a shark attack, than in flight.

If we look at cyber security through a similar lens, it’s safe to say we’re still experiencing a fair number of “accidents”; however, we could do a better job of investigating the failures, transparently sharing the findings, and making recommendations to properly address the risks. Jacob Olcott predicted that government legislation resulting in something akin to the NTSB for cyber security is unlikely to happen in the near term and that private sector solutions will need to fill the void. I believe that a National Cyber Safety Board or a similar type of organization could indeed help reduce the number of cyber “accidents.” Unfortunately, waiting for a coordinated government solution is not going to address the problems in the short term. The private sector needs to continue to step up and offer compelling solutions to these challenges.

The other highlight of the week for me was attending Metricon 9. It is always a privilege to interact with individuals who are equally passionate about risk measurement and management. I’d like to thank the organizers and sponsors, especially Jay Jacobs and Bob Rudis, for their fine work, and to congratulate them on the release of their book Data Driven Security. It was a great week and I am already looking forward to next year.