In some cases, the attacks were against the computing systems of corporate entities that greatly contribute to or comprise our nation’s financial infrastructure. In other cases, the impact was extensive enough to impact the financial or personal data of millions of US citizens.

As to be expected, regulators are stepping up the effort to promote legislation and issue guidance with the intention of preserving our nation’s cyber systems and critical infrastructure.

However, as it is with evolving legislation, rules will require some interpretation and vetting in the community prior to widespread adoption, but organizations will still be expected to demonstrate diligence with respect to these areas, especially in the event of a security incident.

The intent of this session is to provide clarity as it pertains to evolving legislation and guidance as it pertains to cyber security.

Not only is this important if one is seeking new employment opportunities, but also if they wish to continually and consistently demonstrate their value to their current employers.

This program will focus on conveying key concepts that can be applied by those in information security related fields, to promote avenues of internal and external employment, maintain marketability, and expand upon opportunities within the information security arena.

Presentations:

Session 1 – CareerMytbusters2.0-Draft

Session 2 – How to Stand Out in a Time of

Session 3 – Managing Your InfoSec CareersV(10)20120515 (2)

Information Security Career Planning – Protiviti – NYM ISSA 5-16-2012

The compromise of several large third party service providers in the past year has continually reminded us all about the importance of vendor management. But vendor management, the processes that support it and the individual tasks that befall security practitioners can be often easier said than done.

Ramping up a vendor management program can be a challenging task, but attempting to implement a program without knowledge of common obstacles and issues faced during the early stages of program implementation, could result in delays, inconsistencies, or failures of the program all together.

The focus of this program will be to highlight tools and resources useful to practitioners tasked with vendor management, industry trends with respect to leading vendor management practices, challenges faced by program implementers, and the steps to be followed when implementing vendor management.

Cryptographic controls have been consistently bypassed. For example:

Encryption algorithms and methodologies have required evolution given their susceptibility to cracking; Malware in recent years is designed to collect data in system RAM, to bypass encryption controls applied to data both in motion and at rest. More recently, researchers have discovered vulnerabilities in SSL/TLS that allow for the theft of encrypted cookies, which could result in data compromise.

For these reasons it is important to maintain strong cryptographic key management policies/processes, and advance cryptographic controls. This program will focus on cryptographic challenges and the efforts such as PKI implementation that have been adopted to address confidentiality/integrity risks.

While adoption has been on the rise, so have obstacles and challenges encountered by DLP project managers and solution owners within the enterprise.

The aim of this program is to inform attendees regarding the challenges that may be encountered during a DLP solution implementation, and convey approaches that will aid them in either avoiding or overcoming such challenges should they be encountered.

The aim of this program is to convey the step and processes that aid in accommodating industry best practices with respect to implementing application security controls. The messages and lessons learned from our speakers will aid attendees in understanding effective code review, manual assessment and the governance to ensure the resources dedicated to these efforts are efficient and effective.

It was early 1991, and I was a lowly program manager at the NSA. And I was in shock. For I’d done my homework and knew that the venerable Robert P. Abbott was one of the pioneers of computer science in general, and computer security in particular, and this guy was… ulp, of color? I must have had a stricken look on my face, for he laughed, and then said something that to this day rings in my ears – “We are destined to be good friends, you know. For I suspect that the only thing rarer in this security industry than a black man is an Oriental woman from the deep South!”

And so began one of the most important relationships of my life, on both professional and personal fronts. Bob, as he had done so many times before in his career, marched in, saw that there was work to be done in order for progress to occur, and pitched in. In doing this for my community of security technologists, he won the hearts of an entire generation. Because he had done it all (and his list of accomplishments support this assertion) Abbott understood the full complement of often arcane points that would come into play as we in security forged a path forward.

But Bob brought something extra to the community. He was, above all, gifted with the ability to put everyone around the table at ease, from the power brokers of Washington to the lowliest of graduate students even as he informed the discussions and debates that raged around him.

Few technologists can even claim to approach Bob’s status as an industry pioneer. His work, over a 50 year career, was of indisputable quality and it tackled major issues of the day. Bob took on building supercomputer operating systems when I was still in diapers, did the earliest studies of health care computing, security vulnerabilities in computer software, and audit processes overseeing business processes that were automated. He and his commercial security practice even served as a model for a popular movie that remains a cult classic for security practitioners!

Finally, at an age when many would have rested on well-earned laurels, Bob continued to contribute to the information security mission. The capstone of his career, the landmark 2008 study of security vulnerabilities of computerized voting machines, significantly influenced how California and much of the country decided to deal with voting technology, both now and in the future. Throughout his life’s work, Abbott made significant contributions to the industry, the nation, and the world.

In November, Bob Abbott died. As news of his departure reached the different contingents of the security and computing communities, the response has been widespread and heartfelt. A wide variety of community members, from students to senior executives have come forward to express gratitude that they had the privilege to know Bob and to work with him. This comes with a profound sense of loss – it will be a different community without him.

As for me, Bob was a friend, a mentor – a security godfather of the finest sort. He and his lovely wife, Alfreda enabled me to take on Silicon Valley in a way I wouldn’t have dared without their support. We did become good friends, true to his word, and I bless that day I met him twenty years ago. As I wrote in the dedication of my first book – “may we someday get this right.” Bob and his security pioneer cohorts deserve nothing less.

Please join us after the program for a cocktail hour, generously sponsored by our hosts Orrick, Herrington & Sutcliff.

Hi, my name is Becky, and I’m a security lifer. I’ve been offered the opportunity to initiate and, over time, carry on a conversation with the members of the New York chapter of ISSA. It’s my privilege to accept this kind offer and this missive is intended to introduce me to you.

I was first labeled a “security lifer” about 25 years ago by several members of the group who are responsible for seminal work in information security. In particular, the venerable security greybeards James P. Anderson and Robert Abbott were my mentors and gave me my “lifer” label. I entered the realm in the mid 1980s as a programmer and systems engineer with the National Security Agency, and found my life’s calling in the late 1980s when I transferred into the research group of the National Computer Security Center. There, I assumed responsibility for the intrusion detection research program. I chose to coordinate the multiple discrete IDS research initiatives scattered across the intelligence community and Defense Department, pulling them together into a national research community that produced technology that was successfully transferred to the commercial realm. I’m especially proud of the early academic programs that were funded by my program, and the power of the community that formed around the mission area. As encores to this tour of duty, I served as deputy CISO for the computing division of the Los Alamos National Laboratory, where I learned to respect the expertise and dedication of security officers and their staffers.

A series of serendipities put me on the road to Silicon Valley in the late 1990s, where the dot com boom was in full force. I formed a consulting practice there and worked with customers with a wide range of security needs. I also wrote a book on intrusion detection which allowed me to document the lessons learned in leading the community in the 1990s. The book reflects one of the themes of my career – in researching the history of computer security-related technology, I realized how much really good work had been done -and promptly forgotten – in the area.

Another serendipity resulted in my joining the venture capital world of Silicon Valley when the convergence of the dot com bust and the events of September 11, 2001, made the commercial viability of the security products industry a reality. In my eight years with Trident Capital, my team underwrote many successful security technology firms, and I learned more about the successful transfer of good technology to commercial product and service markets. In 2009, I took a year out to work with In-Q-Tel, the investment arm of the intelligence community, where I helped them build a new security investment team. At the end of that year, I returned to private practice, where I focus on strategic issues associated with the cyber security and related realms.

What can you expect from this column? I’d like it to represent a mix of commentary on events of the day, news of developments that might be helpful as you tackle a pressing issue, and perspectives on fellow community members who take on noteworthy efforts. As I very much want this to be a conversation, I’d welcome your comments and requests. Here’s to a productive experience for us all!