Security represents a broad and messy problem space. The boundaries are blurry, always evolving, nearly limitless, and many of the contributing factors to the ultimate security of an organization likely reside well outside the realm of the security team. Security is a moving target—a vector, not a point—but despite the changing landscape, there are common challenges that nearly every security team faces, albeit in varying degrees.
As we outlined in “Building better defenses,” we’ve built our new O’Reilly Security conferences to unite in-the-trenches defensive security practitioners, to open discourse on defending organizations, and to provide a forum for sharing concrete solutions. Security has recently received a tremendous amount of media attention, prompting many organizations to reconsider their approach to security. While this sudden visibility and scrutiny may be less than comfortable, the spotlight brings opportunity.
More than at any time in the past, you have the opportunity to define security as a business or quality metric vs. an IT concern, and to have meaningful discussions with other departments that have a significant impact on the security of your organization. Making the most of this opportunity requires learning new skillsets, adopting new tools and processes, and learning from successes and failures—both your own and those of your peers.
Accordingly, we’ve worked with our program committee to build tracks that parallel the biggest challenges currently plaguing defensive security practitioners. At our upcoming O’Reilly Security conferences in both New York and Amsterdam, we’ll be curating conversations, offering training, and presenting talks on the following topics:
Bridging the gap between security and the business as a whole
Security is not done for its own sake—it’s a business necessity. We’ll be discussing how to break down the insularity of security teams and communicate effectively with other departments and decision-makers. We’re looking to help defenders effectively communicate outside of their department, weigh the true cost of security in terms of both time and resources, and to make efficient and effective decisions when balancing trade-offs between safer, cheaper, and faster.
Tech, tools, and processes
In a space where vendors may require customers to sign a contract stating that they won’t criticize a tool, and where the best tools may not have the biggest marketing budget, how do you discover or know what’s actually working? Every organization looks for the best methods for improving security, particularly those that introduce fewer vulnerabilities and demand fewer developer or monetary resources, or require less maintenance. We invite you to come discuss with fellow defensive security practitioners, to learn from their successes and their failures, to share your own experiences and results, and to ultimately help your organization’s security practices grow to be more effective, efficient, and reliable.
Security in context: Data, research methods, and the sciencification of security
Security practitioners often embrace the mindset that the problems they are facing are unique—and in some ways they are—but analyzing large sets of complex data is the bread and butter of data scientists. We believe data should be used to make clear, actionable decisions in the right context and with the appropriate framework. We’re starting conversations around how practitioners leverage the methods of data science, from collection through analysis, to make measurable improvements to security and operations.
The human element
Communication and collaboration can mean the difference between a successful and a failed defense during the stress of a breach or attack. We’ll be engaging in conversations about building a successful, responsive security culture through hiring, training, team structure, and changing behavior to improve security. We want to explore how you build an organization that will still respond well to security events in 10 years, given that the security concerns of today will be irrelevant within months. We’ll be talking about how to best respond to failure and how that response ultimately affects the security of your organization.
We want to hear what success in the security realm looks like for your organization and your team. Traditionally in security, if all goes well, few people will ever know how you saved the day. Talking about failures is hard, and might be frowned on by your company. But sharing what led you to discover that something was wrong, and how you responded when you discovered a breach, might save others a lot of heart(bleed) ache.
We firmly believe that the best defenses will not be built, maintained, and continuously adapted in an echo chamber. Do you have meaningful stories or experiences to share on the topics outlined above? Or do you think there’s an important issue that we’ve left out of this list? We’ve created a framework, we’ve pulled together a stellar program committee, and we’re ready not only to talk, but to listen at O’Reilly Security. We hope you’ll join the conversation.