This years (ISC)2 congress was held in Atlanta, GA. I’d heard of Atlanta being referred to as ‘Hotlanta’ and was warned of the humidity that prevails, but fortunately I caught it at the right time of year where the weather was quite pleasant.
The conference itself appears to have grown over the last two years quite significantly, even with 9 concurrent tracks running, each room seemed to be well-attended (or maybe I only attended the well-attended ones). But despite its growth, Congress still overshadowed by the gigantic ASIS which draws in excess of 25,000 attendees and exhibitors with cool robots, bullet proof cases, trained dogs and vehicle stop equipment amongst others.
As with most conferences, it’s a time to catch up with old faces and connect with new people too.
The talks themselves were of a high standard – I guess that’s the impression you’re left with when the first talk you catch is Chris Nickerson’s talk which is always informative and engaging and helps break out from the ‘IT-only’ mindset into the physical world of red teaming.
Another great talk was delivered by Dave Lewis regarding security risks in the supply chain. Having spent many a year in a previous life working on third party risk; I was pretty sure this would be an academic talk covering the basics – which isn’t a bad thing. However, what I was met with was an hour of anecdotes, war stories, and dynamic presenting that reinforced some of my beliefs whilst had me thankful that I didn’t have it half as bad as some people.
I’ve been following the work of Alex Pinto and Kyle Maxwell with regards to their MLSec project around machine learning security, so I was delighted to be able to not only meet Alex, but hear his talk on threat intelligence. Alex is a person who is extremely friendly, approachable and likeable… but at the same time scarily clever. His talk laid out some very solid concepts around threat intelligence and made some great points around capability and intent, signatures vs indicators, data vs intelligence, tactical vs strategic and atomic vs composite.
He also presented a high level breakdown of what data is within a feed, how much overlap there exists within various feeds, what kinds of data is easily available and what is more reliable.
Tony Vargas hosted several panels. I was able to attend the ones on DevOps and business skills for security. Both were well-attended and Tony always does a great job as moderator – inviting comment and discussion from the audience during the sessions.
The last talk I attended was by Winn Schwartau entitled ‘why security awareness programmes fail’. Winn is a great character and if you’ve never met him or seen him present you really are missing out. He rattled off a list of how to make an ineffective awareness programme which included great nuggets such as, ‘it must be boring’, ‘never use humour’, ‘let the CISO into the production process’ and to ‘use threats and give orders.’
There were plenty of other talks, but these stuck out in my mind. I’m pretty sure all talks were recorded and will be made available at some point, including mine.
Every year the ASIS presidential reception is held at a nice venue – and this year was no exception with it being hosted at the aquarium. (ISC)2 held the ISLA awards at the Hard Rock Café, which turned out to be a very fun and chilled out event. It was heartwarming to see an emotional Tony Vargas get an award in recognition for all his efforts and you could tell how much it meant to him as was lost for words for the first time in his life!
Perhaps the most enjoyable event of the week was the (ISC)2 member reception, which allowed everyone to network whilst sampling some fine food and engage in some games such as pool, a giant connect 4 and also some retro video games. Raj Goel introduced me to ‘cards against humanity’ a game that can be so offensive yet additive at the same time.
On the last day I took a Segway tour through Atlanta which was very nice as there’s a lot of civil rights history in the town of Martin Luther King Jr. I also managed to take a trip to CNN and check out some of what they get up to and drool over all the equipment they have.