Archive for March, 2010

RSA 2010

Earlier this week I once again went to the RSA Conference in San Francisco. I could have gone to some of the presentations and panels, but once again I chose not to. Why? I have found that one can often learn more from meeting and talking to people at this conference than from attending sessions, and once again I found this to be mostly true.

I went to the RSA Conference last year and noted in a blog entry shortly afterwards that attendance had dropped considerably from 2008. An unfortunate outcome was my having to deal with the conference’s PR firm, which objected to my mentioning the then downward turn in attendance. Good news—this firm should have no objection whatsoever to my saying without any reservation that the attendance for RSA 2010 was dramatically higher than last year. My main metric, good or bad as it might be, is how easy it is to get from point A to point B within the Moscone Convention Center. This year I had to constantly dodge people in the main upstairs areas and down below in the exposition hall. Seating areas were crowded. There is no doubt that attendance was at least back to its 2008 levels, or very possibly even higher.

Categories: Network Security

Guest Editorial on Code Liability

In a SANS NewsBites editorial a little over a week ago I lamented the fact that to date software companies have for the most part not been held responsible in legal cases for damages resulting from bugs in their code. I described this situation as “the single greatest enabler of bug-infested coding on the part of vendors.” A mentor and also friend of mine, the legendary Bill Murray, sent me a message with a plethora of excellent comments concerning the issue of liability related to software bugs. His commentary on this issue is so outstanding that I decided to (with his advance consent) publish it as a blog posting.

Categories: Network Security

The Death of Risk

My friend and colleague Donn Parker, security consultant and researcher par excellence, gives an RSA session entitled “Alternatives to Security Risk Management” (RSA P2P 204A, Weds at 1pm, Burgundy 222) in which he attempts once more to debunk the myth that “risk can be managed” in information security. Donn has been at the forefront of thinking about information security since the 1970s, and he is used to being ignored by all types of people who either don’t get it or haven’t yet figured out a way to exploit an idea for profit. Sometimes his rants can seem quixotic, but they almost always look prescient after the fact. Here is an example. Donn is not saying that “risk doesn’t matter” (although read below for more on this notion), but he is saying that the idea that an organization can use quantitative techniques analyzing detailed risk profiles around data and controls to make decisions about information security is pure bunkum. I agree…mostly.

Categories: Network Security