The rise in hacktivism and data breaches changed the information security landscape. These incidents also influenced the content of RSA Conference 2012, says Hugh Thompson, event program committee chair.
"It feels like one of the most active years in security in quite a while," Thompson says in an interview with Information Security Media Group's Tom Field [transcript below].
This year's RSA Conference was the first to take place since last year's major security breaches, including the attack that involved RSA itself. Those incidents helped the conference's programming committee select the most appropriate sessions for RSA 2012, including sessions on hacktivism, advanced persistent threats, mobile security, including the bring-your-own-device trend, and the insider threat, an issue that played a big part in the major breaches that happened over the past 12 months.
"A lot of [breaches] began with a person, a smart, well-intentioned person inside the company making a choice," Thompson says.
Other sessions throughout RSA 2012 focused on the human element of security and how people make choices and reason through certain situations.
ISMG's in-depth coverage of RSA Conference 2012 includes over 75 audio interviews, 34 video interviews with top thought-leaders, and news reports on these very topics. [See RSA Conference 2012 for full coverage.]
In an exclusive interview conducted in advance of the conference, Thompson discusses:
- Highlights of this year's agenda;
- Security trends and other new tracks;
- How to access the event's content remotely.
Dr. Herbert H. Thompson is Program Committee Chair for RSA Conference, the world's leading information security gathering. In addition, he's also Chief Security Strategist at People Security and an Adjunct Professor in the Computer Science Department at Columbia University in New York. He is a world-renown expert in application security and has co-authored four books on the topic including, How to Break Software Security: Effective Techniques for Security Testing (with Dr. James Whittaker, published by Addison-Wesley, 2003), and The Software Vulnerability Guide (with Scott Chase, published by Charles River 2005).
TOM FIELD: To start our conversation, why don't you tell us a little about yourself and your role as chair of the conference program committee, please?
HUGH THOMPSON: I've been program committee chair for the U.S. Conference, wow, I guess this is the third year. My background is pretty technical. I teach a class on software security at Columbia University as an adjunct professor and have a software security company, and so I bring a lot of that into this role, that kind of understanding of the technical space, but also where technology meets business.
As the program committee chair, my role is to oversee the selection of sessions that make it into the final agenda. I'll tell you, it's amazing. It's such a competitive process. Every year we get tons of submissions from people that are academics and practitioners, folks from the vendor space, analysts, the press, and it's a really interesting task in taking all of those interesting presentations and boiling them down to what you see in the final program. We've got an amazing group of folks on the program committee from every sector of information security.
FIELD: What would you say is the percentage of the sessions that make it to the event versus the ones submitted?
THOMPSON: That's a good question. It varies. I'd say we're around ten percent, so it's an extremely competitive process. What's fascinating about it is that many of the sessions, the challenge is we get seven or eight or sometimes over ten on a very specific, narrow topic and we've got to choose among these folks to make sure that we get coverage in the program. It's a good problem to have.
New at RSA 2012
FIELD: With that as a backdrop, what's new at this year's event?
THOMPSON: This is a really exciting year for us. I mean, if you can think back to the events over the last 12 months, it's really incredible. It feels like one of the most active years in security in quite a while. We've seen the rise of hacktivism. We've seen just a huge amount of these highly targeted sophisticated attacks and this year, if you look over the agenda of the conference, you'll see quite a few programs that touch all of those areas of information security.
What isn't new but I think will be new to some people is the innovation sandbox event that we have on Monday. This is actually our third year of doing it as a Monday event, and if you haven't been to that I strongly encourage you to go. It's a really good crystal ball of what's coming down the pike in information security.
We've also got some really new features this year. One is security debates, and this is something personally I'm really looking forward to. We've got a great line-up of folks. This is during the lunch period on Wednesday and Thursday, and it's just a very different way to learn about a topic. You see two information security professionals kind of duke it out on a specific topic and get all of those issues fleshed out in a really visceral way, at least we think.
Then of course we've got a set of new tracks that focus on current trends. Obviously mobile security has been a huge trend over the last couple of years, and this year we've got a half-track dedicated to it. So you'll see that. [There are] lots of interesting ways to engage with your fellow conference attendees too over the week. We've added some interesting networking events too. So I think no matter what your temperament is or what you are going to the conference to find, you'll find an event that fits that need.
Breaches Setting the Tone
FIELD: I want to follow up on a couple of points you've made. One is, this is the first RSA conference since last year's major security breaches, including the event that involved RSA itself. How do those types of incidents set the tone for this year's event?
THOMPSON: That's a great question. I think they've impacted it pretty fundamentally. If you look at many of the breaches over the last 12 months, most of them ended with some type of sensitive data leaving the enterprise. But it's interesting to look at how many of them began and a lot of them began with a person, a smart, well-intentioned person inside the company making a choice, and the choice was to either install an executable, open a file, and I think that you'll see that play out in a very fascinating way during this year's agenda. We've got quite a few talks on the human element of security.
If you look at David Brook's key note for example, I think you're going to find a lot of very interesting elements around how people make choices and how people reason about situations. I've got a session on Friday of the conference that's focused on exactly the same thing, and we've got a political strategist there with us and an expert on choice. So that's one way that it shaped this conference.
You'll see quite a few sessions too on these advanced threats. The whole gamete, everything from how businesses should be thinking about them all the way down to the specific techniques they've used, not just to get inside but to move laterally inside the organization, you'll see that reflected pretty heavily.
[With] a lot of the breaches that we've seen, some of them have been highly targeted [and] stealthy, with the goal of exfiltrating information. But some of them have just been focused on exposing information or embarrassing the company, these hacktivist-like activities. You'll see that really play out in the agenda too. We've got a key note on hacktivism, which I think is a fascinating topic for us to get our heads around in information security.
Mobile Security Track
FIELD: You mentioned a couple of the new tracks this year. Some of them - mobile security and security trends - stand out. What should we expect from these new topics?
THOMPSON: It's interesting on the mobile security topic. This year we included a half-track on mobile, and it's amazing we just couldn't contain all the mobile talks to that track. There were so many submissions on mobile security, everything from the new types of malware that we're seeing all the way over to business strategies to manage employee-owned devices in the enterprise. That's a pretty wide gulf in-between those two areas, so I think that's what you can expect to see. You can expect to see the very technical barometer-type talks on what we're seeing in terms of malware. You're going to find interesting talks of how businesses have rolled out a "bring your own device" program, some of the challenges that they've had and some of the successes. Then from a big picture standpoint, you're going to hear from the providers, the carriers. You're going to hear from quite a few of the device manufacturers and the OS manufacturers too about what we can expect in the coming months and years. Mobile is definitely a very hot topic for us this year. And like I said, you'll find talks on that in the mobile security track, but you'll find them permeating through some of other tracks too, especially hackers and threats.
Security trends is a really interesting track. It's looking at not just the current state of security from a high-level perspective, but what we can expect in the future. Now I think that's one of the most interesting comments that people make who are new to the information security field, that it seems we're very reactive. So something happens and then we respond to it, and something else happens and we respond to it. I think a big undercurrent that you're going to see this year, especially in the security trends track, is how do we get ahead of this cycle? How can we be more proactive? How can we leverage big data, for example, to get smarter about our own vulnerabilities, and maybe even brewing attacks that are out there? Are there some canaries in the mine that we just haven't wrangled into a cage yet?
Sponsors and Attendees
FIELD: Talk a little bit about the event. How many sponsors and attendees are you expecting this year in comparison to recent years?
THOMPSON: Registration numbers are definitely trending very positively. We're seeing upward momentum both in terms of attendance and in terms of year-over-year growth. We won't know the final attendance numbers until the conference is over and we've had a chance to reconcile the registrants and the actual attendees, but I can tell you this year we've got 50-plus sponsors and 300-plus exhibitors, which is also trending really positively.
Tips for Conference-Goers
FIELD: And for people attending the event, what advice do you give so that they can get the most out of it? There's a lot to take in, in just a few days.
THOMPSON: It really is. It's pretty overwhelming if you've never been to one of these conferences before. I would recommend a couple of things, especially for people that are new to the conference. First, we've got a session on the Monday of the conference. This is sort of the pre-conference day called Security Basics Boot Camp. And I just find that fascinating. Many of us are siloed in specific areas of security. We spend a lot of time on either PCI compliance or dealing with application security, or dealing with risk management. Security Basics Boot Camp is almost like a springboard that you can jump off of and really experience the rest of the week because it exposes you to the range of domains that you'll see for the rest of the week. That's one tip.
Another one is we've got a first-timer orientation session on Monday. This is always a lot of fun but it's also a very loosening-type of activity. I think one of the huge values of RSA Conference is networking and the people that you run into in the hall, and I think that the first-timers session is a great way to break the ice. The other thing that I can say from an advice perspective is to plan your agenda out in advance. When you get there on-site, you think, "Well, I'll just kind of look over the sessions and see what feels good at the time at a particular spot." We've got so many sessions that are there on such a wide range of topics and a lot of them happen at the same time, so the best advice I can give is to take some time this weekend, if you haven't already, go on to the online scheduler and really think through the experience you want to get out of this conference.
RSA Conference Online
FIELD: For those who can't attend, what's the best way to maximize their experience?
THOMPSON: I'm glad you asked that. This year we have RSA Conference Online, which I'm really excited about. Some of the key notes, for example, will be broadcast out directly, so folks that aren't on-site will be able to see those. We've also got a series of sessions, some of what I think will be the most popular sessions of the conference, or at least some of the most interesting to ask questions about and engage with, staged in the weeks afterward. So you can go online. You can kind of see the key notes or at least many of them as they're happening, but even in the week following and the week after that, you can see some of the other sessions and engage with the people that have actually participated in those sessions. This is a really exciting program for us because it allows us to take some of the knowledge of RSA Conference and help it scale in an even better way.