Friday, November 09, 2012

Conference planning for 2013

Having a look at conferences for next year, as I have spoken at quite a few over the past couple of years, including AppSecEU, eSecurity Scotland Summit, Institute of Internal Auditors, ISACA and IISP events.

Top of my list for the year is the grass-roots security conference: B-Sides London, which I got to in 2011, but unfortunately missed this year. It's in the calendar, and I may propose a talk if I can get time before the CfP closes at the end of November. It coincides with Infosec, which is much more vendor focused, but the pair of them offer some excellent networking opportunities. is another one I'm looking at. I haven't been, but the Abertay guys are a good bunch, and this is just an hour up the road for me.

Will have to liaise with the team to see if I can take along some Security.StackExchange swag - T-shirts, pens, torches, stickers etc.

Any other thoughts on which conferences I should get to?

Thursday, November 01, 2012

And the Evening...

Now my IIA conference piece is finished, I can focus on tomorrow evening - Metaltech is one of the headline acts at the Alba Underground Scottish Industrial Music Festival.

We have been working hard to plan a session of hard rock, lasers, glowsticks, techno, fire-breathing guitars, audience-based pyrotechnics and bubbles. Yes - bubbles. If Ozzy can use them, so can we!

Timing seems perfect, ISACA Now just published this article on my double life - and I hear from more and more people in security who have a deep interest in rock, metal and similar genres of music.

If you can make it - come and say hi. If not, enjoy a little number called Sell Your Soul, which harks back to some of our influences:

The Day Job

Was invited to talk to the Chartered Institute of Internal Auditors today, at their annual event. This was hosted at the Hilton in Dunblane (lovely setting, by the way - I recommend it!).

The theme of the event was around the auditor being a 'critical friend' which supports a large proportion of the work I do with audit, IT, security, risk, compliance and governance teams, namely:

Leveraging the skill sets of these teams and communicating will help you understand risks in your organisation!

With the rate of change of technological advances, and the associated new risks, your audit team are not in an ideal position to know about the new security risks a particular technology brings. But your security team may well know all about them already. So they should talk to each other.

In the echo chamber that is the security industry we harp on about this a lot - we understand security and often seem puzzled why others don't 'get it', but that is because we have our own peculiar jargon, terms, ratings etc.

The focus of my talk was on communication - being able to translate this jargon into business language. This goes for all specialist teams, to be honest - you all need to be able to get your information across to the FD, the COO, the business unit lead or whoever, in their terms, otherwise you will be ignored!

It was perhaps a challenge, being placed right after lunch, and right before Karl Snowden's political awareness talk, but I enjoyed myself, and I had enough people come to talk to me about the subject that it must have resonated with a few of the attendees.

Many thanks for inviting me, hosting an excellent event, and I must congratulate the venue on the awesome chocolate chip cookies!

(My only problem now is that with KPMG sponsoring this event, I now have an EY umbrella and a KPMG umbrella - and with my OCD I'm going to have to complete the Big-4 set!)