DerbyCon Recap and Broader Themes

Each episode we’re going to be talking about information security and technology security issues that matter to business, not just the technologists. This episode we wrap up the recent DerbyCon conference and talk about broader themes of improving the effectiveness of the information security industry.

Click through for the video and detailed description…

DerbyCon 3.0 was held September 25-29th, 2013. The goal is to keep it around 1,000-1,200 people and maintain a close-knit conference where we all come together to learn and share ideas. This is a great conference for meeting up with some of the thought leaders in the information security industry because it is a small and intimate setting that facilitates encounters.

There was a coordinated effort, almost a full side-conference on its own, dedicated to identifying the issues that matter most and how to fix them. A set of information security professionals has recently started a sort-of open working group to address things that matter in information security. This breaks down into three general categories: body, mind and soul. Body issues are those that have the chance to cause real harm, such as security problems in medical devices, automobiles and other newly-connected devices. Mind issues address the current grey area within security research – what is appropriate and legal, and what crosses the line. Soul issues deal with civil liberties and privacy rights.

This year there was a sense that the idea of simply breaking things is broken. Several talks focused on getting past the futility of continually figuring out what not to do, and moving to what can and should be done. A theme from some of the side conversations at the conference focused on learning, passing on knowledge and knowing what works. One issue is that there’s little in the way of a formal, comprehensive and well-vetted body of knowledge in the industry. Without this, and to some degree because of it, we each duplicate past efforts, relearn things that are already known and make mistakes that we shouldn’t. That’s engendered a level of frustration and futility in many of us that we need to overcome.

The conversation was very interesting, and if you haven’t already done so you should listen to the podcast in its entirety. It may help you understand where your security department and vendors are coming from a bit better.