In this episode, I talk with Allison Miller, product manager for secure browsing at Google and my co-host of the O’Reilly Security conference, which is returning to New York City this fall. We discuss the importance of having an event focused solely on defense, what we’re looking forward to this year, and some notable ideas and topics from the call for proposals.
Here are some highlights:
Focusing on defense
When we created O’Reilly Security conference we took a risk because we said, "We're going to focus on the defenders, the folks who are protecting the users and the systems." I heard from others over and over again, "How are you going to make a whole agenda out of that?" because it's usually one track at a major security event, or a handful of talks on authentication or SIM technology. At some security events, someone who works on the defense side can feel a little under attack because that's what's being discussed—attacks and how people are not successfully defending against them. This was more like, "Hey, you know what? Let's sit down and talk about how to do this right." That engendered a different spirit of dialog amongst the participants.
Learning from mistakes to make things better
Thematically, we picked some pretty broad topics for the conference, like the effect security has on people. Additionally, most defensive work in the private sector happens in the context of a business, so understanding how security fits into the larger business unit is critical. And when it comes to technology itself—talking about the tools and also data, metrics, analysis and that side of it—those are broad topics with plenty of room to explore. We’re also making room for more war stories, more discussions about learning from the trenches—big “Oops” moments and how those get turned into lessons learned and concrete improvements. The real emphasis in the discussions we’re looking for is, “Let's make things better.” When something bad happens or a mistake is made, that means you can push off from the wall, like you're doing a kick turn in swimming. It gives you something to push off against, redirecting your effort to allow you to get to the other end of the pool and then to get better.
On the horizon for O’Reilly Security conference 2017
For this year’s call for proposals, I would like to hear about what people are doing for end users. That's my personal passion. I am also interested to hear how people are putting their big data to work for them, who’ve figured out how to quantify impact, or measure, or analyze complex systems or situations, and distill those down. Reasonable approaches for small businesses are also a hot topic because a lot of the techniques that we talk about and the aspects of security being considered as a part of the design process are very important here. You're trying to design security into systems for end users, or leverage data in clever ways. Those types of things scale up far more readily than they scale down. It's not even a question of resourcing—when you are an organization with a smaller footprint, some of those things, techniques that are used at large, high-scale organizations, just aren't going to work.
It takes a village
Security is interdisciplinary because, ultimately, it's not just a technology problem—if it were just a technology problem, we would be done by now. We would just apply the right technology to the technology problem, and we could all go home. But it's a human problem because the actors are humans, they are motivated, and people are a vector of vulnerability, just as much as the systems and data are.