Tuesday, March 16, 2010

RSA 2010 – Day 2-3

Continuing my much delayed coverage of RSA 2010, this is my summary of Days 2-3.

Day 2 was all meetings and getting new business for Security Warrior Consulting, so nothing to write about (yet). By far the most fun part was a long discussion with Rocky DeStefano, that went all the way back to 2003 when we faced each other through the gun ports of the warring battleships… eh... competing SIEM vendors [his side eventually won :-)]

Day 3 started from attending  an 8AM session by Bob Russo. Now, think about it!

RSA conference + Wednesday (day after heavy party Tuesday) + PCI DSS + 8AM (!) = empty room?

I honestly thought I’d be the only one who wouldn’t want to miss Bob Russo (session GRC-201). Ha-ha-ha, poor naive Anton :-) I came at 7:55AM – and there was barely a place to sit in a HUGE room. Bob didn’t say that much new, but he heavily focused on educating the merchants to focus on security, not checklists and “teaching to the test” [=PCI assessment]. See my RSA interview with the PCI Council  for more PCI DSS updates.

After the panel, I spent some time wandering the vendor hall – one of my favorite things to do at RSA; coverage of this will be presented in the next post since I am still sleeping on some of the trends that I think I’ve noticed.

Later in the day, I jumped to SecurityBSides where our compliance panel “The Great Compliance Debate: No Child Left Behind or The Polio Vaccine” was about to be held. This time we also had a QSA , a large service provider CSO and the usual suspects: Josh “PCI is the Devil” Corman and Jack Daniel, our illustrious moderator.  The panel went well and was a much better experience overall than our similar ShmooCon panel (notes, video [FLV]): more structure, more useful discussion and just enough anger to keep it fun :-)  To me the most jarring part was a comment by an esteemed audience member (sadly, she is not seen on the video) that implementing PCI DSS controls is COMPLETELY out of alignment of what she needs to do based on her understanding of risk at a mid-size service provider. Hopefully, she clarifies it on her blog soon :-) So, watch the video: part 1 and then part 2. Also, read some more notes here.

Enjoy! One more RSA 2010 post to come: Days 4-5.

Possibly related posts:

Dr Anton Chuvakin