MassTLC, Oracle, security, sophos

2014 MassTLC Security Conference

Check out Storify for more conversations about the inaugural MassTLC Security Conference!
On October 22, 2014, MassTLC welcomed more than 250 attendees to its first Security Conference, Building Security InTo an Insecure World. This full-day event, spearheaded by many leading security visionaries and experts, included an in-depth look at the current landscape of cybersecurity threats, new types of attacks on modern infrastructure, how to reduce risk, how to prepare for and respond to security breaches, and how to work with C-suite leadership on managing your company’s cybersecurity strategy.
Secretary Greg Bialecki, Secretary of Housing and Economic Development, began the day with a look at the unique capabilities and resources Massachusetts has as a state to lead the security industry, a theme echoed in the keynote panel that followed. Deputy Program Manager Michael Howell of the Office of the Program Manager, Information Sharing Environment in Washington, D.C., Supervisory Special Agent Kevin Swindon of the Federal Bureau of Investigation and Gerald Beuchelt, Chief Security Officer of Demandware, kicked off the opening keynote panel on the State of Cybersecurity and Information Sharing Organizations. It’s no longer a matter of if you will be breached, but when; information sharing is a critical part of navigating the complex standards and threat environment, and a critical component of an information security strategy.

The complexities of managing security within an organization were explored in a deeper dive in the next session, Who Owns Security, with speakers Jigar Kadakia, Chief Information Security and Privacy Officer, Partners Healthcare, and Chris Wysopal, Co-Founder and CTO of Veracode, led by moderator Mark Steinhoff, Director at Deloitte & Touche, LLP. The Target breach has taught us that information assets are as valuable as physical and capital assets, and security is not just an issue for CIOs anymore; it’s everybody’s responsibility. However, the difficulty of demonstrating ROI can make security a hard sell to corporate leaders. Relevant metrics, red/yellow/green coding systems for sensitive data protection and dashboards are useful in communicating with the Board and corporate leaders, as is identifying your organization’s “crown jewels” and agreeing on what risk is acceptable and what is not when protecting them.
Breakout sessions covered Security in the Supply Chain (aka “Supply Chain is the New Black,” a phrase attributed to speaker Edna Conway, Chief Information Security Officer, Supply Chain, at Cisco), a critical factor in nearly every organization’s security strategy and management that is often overlooked until it has been breached. Joined by Josh Brickman, Director of Security Evaluations at Oracle, and Sally Long, Executive Director of the Open Group, this panel looked at the nuances of managing your supply chain security.
Edna shared a four-step best practice for managing the massive network of Cisco supply chain partners and product IDs handled across the portfolio, a network of 1.2 million people who touch the product somewhere along the supply chain. Crystallize what is important: for Cisco, the focus areas are counterfeit, taint, misappropriation of IP and embedding security in times of disruption. Deploy the practice across all members of the supply chain, and keep a scorecard of third-party providers to monitor their performance. It’s all about process; it’s relentless and it’s persistent. But you need to do it, and to Protect, Detect, and Innovate, to ensure a secure supply chain.
For more information on the Security in the Supply Chain session and related issues and considerations, check out Iron Mountain’s blog by John Boruvka, Vice President of Iron Mountain’s Intellectual Property Management business unit.
In the concurrent breakout session on Mobile, Caleb Barlow, Vice President of Mobile Security for IBM, and Brian Milas, Chief Technology Officer at Courion, provided insight into just how critical your organization’s employees and their ubiquitous mobile devices are to your overall security strategy, and into the issues that require significant attention in today’s BYOD/BYOA environment. Your mobile phone knows everything about you, which is why there has been a huge jump in mobile malware targeting your and your company’s information. Key security strategies to implement include 1) protect the content (including devices, applications, and transactions); 2) prevent exportation of corporate data; 3) use explicit design mechanisms to detect malware; and 4) incorporate smarter transactions, using fingerprint technology, location velocity and other features to identify possible intrusions or attacks.
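As an added illustration of the “location velocity” check named in point 4 (example code written for this recap, not from IBM, Courion or the speakers), the snippet below compares each user’s consecutive authentications and flags pairs whose implied travel speed is implausible, treating a changed device fingerprint as a corroborating signal. The 900 km/h threshold, the login events, the city coordinates and the fingerprint strings are all constructed assumptions; a real deployment would also have to account for VPN and carrier geolocation noise.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than a commercial airliner means both logins
# cannot be the legitimate user. Tune this for VPN/proxy geolocation noise.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime            # timezone-aware time of the authentication
    lat: float              # geolocated source of the request (assumed available)
    lon: float
    device_fingerprint: str


@dataclass(frozen=True)
class TravelAlert:
    user: str
    prev: LoginEvent
    cur: LoginEvent
    distance_km: float
    speed_kmh: float
    new_device: bool        # fingerprint changed as well: a stronger signal


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Walk each user's logins in time order and alert when the implied speed
    between two consecutive logins exceeds max_speed_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0:
                # Same instant from two places (e.g. a replayed session token):
                # treat any distance as infinitely fast instead of dividing by zero.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append(TravelAlert(
                    user, prev, cur, dist, speed,
                    prev.device_fingerprint != cur.device_fingerprint))
    return alerts


def _t(hour, minute=0):
    return datetime(2014, 10, 22, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: approximate city-centre coordinates, made-up fingerprints.
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(9),  42.36, -71.06, "fp-alice-phone"),   # Boston
    LoginEvent("alice", _t(12), 42.36, -71.06, "fp-alice-phone"),   # Boston, same device
    LoginEvent("alice", _t(13), 51.51,  -0.13, "fp-unknown-7731"),  # London one hour later, new device
    LoginEvent("bob",   _t(9),  40.71, -74.01, "fp-bob-laptop"),    # New York
    LoginEvent("bob",   _t(11), 38.91, -77.04, "fp-bob-laptop"),    # Washington DC two hours later: plausible
    LoginEvent("carol", _t(10), 48.86,   2.35, "fp-carol-tablet"),  # Paris
    LoginEvent("carol", _t(10), 35.68, 139.69, "fp-carol-tablet"),  # Tokyo in the same minute: replayed token?
]

if __name__ == "__main__":
    for a in flag_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.distance_km:.0f} km in {a.cur.ts - a.prev.ts} "
              f"({a.speed_kmh:.0f} km/h), new device: {a.new_device}")
```

Run stand-alone it reports alice (Boston to London in one hour on an unseen device) and carol (two logins from Paris and Tokyo in the same minute), while bob’s New York to Washington trip passes as plausible. The speed threshold is deliberately generous; the point is to catch the clearly impossible pairs and hand them to a second factor or a review queue, not to block every traveller.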
Identity and access management are also critical, both on premises and in the cloud. Permissions are the key to sensitive data, for both protection and exfiltration. Security concerns cannot be allowed to slow down innovation in
The Security Intelligence session echoed the complexity of the corporate IT environment created by a “bring your own everything” world (devices, applications, cloud, infrastructure). Attackers are growing more sophisticated in using this expanded attack surface to compromise and breach networks. The situation has increased the overall need for security intelligence within IT security organizations at companies of all sizes. The role of security intelligence is evolving, and now includes gathering external threat intelligence and understanding your own network’s exposures and any activity that may indicate a compromise. Moderator Paul Roberts of the Security Ledger led speakers Seble Assefa of the Federal Reserve Bank of Boston, Eric of Core Security, Inc., Mark Jaffe of Prelert and Rich Perkett of Rapid7 through a discussion of various approaches to leveraging analytics against modern advanced threats to get better security intelligence.
Helmed by Jim Flynne of Carbonite and Max of Sophos, Security for the Rest of Us offered a look at protecting the “4Cs” at your small business (Computers, Credentials, Content, Connections) and at the various tools of the trade used for each.
With the requirement that all businesses focus on security, how can you sell your product within that environment and leave your customer feeling, well, secure with their choice? Andy Ellis of Akamai, and Andrew and Bryan of Acquia, shared their strategies for Selling Security as a process: beginning with the design and testing of the products, through sales approaches to the variety of people within the organization you are selling to, and the importance of developing a role as a thought leader by sharing information, fixes, updates on security threats and analysis.
Security in the Cloud, with Ron Zalkind of CloudLock, Jim O’Neill of Hubspot and Piyum Samaraweera of Sophos, delved into security considerations in a cloud environment that differ from a non-cloud environment, including human dynamics, the speed at which transactions move, and more. As SaaS environments grow and infrastructure is outsourced more frequently to larger providers who can, in theory, manage security needs more successfully, threats are moving to the application level; BYOA provides the next cloud security challenge. Users love the freedom the cloud brings, but now need to be a huge part of the security defenses.
In the midst of working out how to address today’s security challenges in the cloud, mobile and more, where is the industry headed? What’s next? Speakers Greg Dracon of .406 Ventures, Kevin O’Brien of Conjur, Inc. and Sam Bisbee of Threatstack discussed the future of Innovating in Information Security. We’ve seen how getting security wrong can bring down organizations. The panel found that security is now front and center in most organizations, that it is about business enablement, and that CISO/CSO decisions are drawing more attention. Big data is important, but small data can also be an integral part of maintaining an organization’s security.
The conference closed with an energetic and insightful keynote by Bruce Schneier, security industry luminary and Chief Technology Officer at Co3 Systems, on the Future of Incident Response, with a look at the economic and psychological forces within the security field and incident response (IR). Bruce sees three security trends in the pipeline: 1) less control, as computing moves to the cloud and mobile devices; 2) more sophisticated hacks; and 3) more government involvement. Security is a combination of 1) protection, 2) detection and 3) response. We need response because protection and detection aren’t perfect. Leveraging the OODA cycle of observe, orient, decide, and act, the session covered how to optimize response efforts, and crucial strategies for maintaining IT security in the coming

Thank you to our
Platinum Sponsors: Oracle and Sophos.
