Every year in Washington DC, the best and brightest in the world of infosec come together for “three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues.” This east coast hacker convention, known as ShmooCon, is a long-time favorite in the community.
“I’ve been attending ShmooCon for over a decade,” says Robert Weiss, Head of Information Security at OpenVPN, Inc. “It’s one of the highlights of my year. There are other information security conferences that are larger or smaller than ShmooCon, but ShmooCon always delivers a great combination of networking with the right people in the community and quality content. For many in our community, ShmooCon is a ‘must attend’ event.”
As one of the first in-person infosec conferences since the COVID lockdowns, this weekend in March presented a real return to the community that so many of us have missed. Says Weiss, “I love meeting with people in the information security community. Conferences are the way we share information and network; whether you are a n00b or have been doing this for decades, it is a chance to meet others, share information and learn new skills.”
But Weiss wasn’t just there to learn; he was also there to present. His presentation, “Practical Information Security Metrics: Measuring the Business Value of Your Information Security Program,” touched on a topic that has been a source of tension in cybersecurity for decades. How do you measure the value of good cybersecurity? How do you put a number on the breaches your company doesn’t have to face? This question is essential because, as many IT professionals know all too well, if you can’t answer it, communicating that value to decision-makers becomes much more difficult.
“Delivering the right metrics is hard,” explains Weiss. “There are misconceptions that sometimes prevent practitioners from doing what they can. For many, finding a way to get started is tough. That’s what the presentation is about.” As reported by CSO Online, Weiss’ presentation “provid[ed] security professionals with practical ideas on starting their information security metrics programs.”
“An organization should make a commitment to drive decisions with analytics and data,” says Weiss. “For the techies in our industry, this should be an easy commitment. Once you have decided to do this, send a clear message by starting to measure everything you do. Later you can modify or delete measures that don’t make sense.”
Weiss also highlights some of the other presentations he attended: “Rob Fuller did a presentation titled ‘Practical Crypto of InfoSec Noobs,’ which I enjoyed,” he says. “Also, ‘Safe and Secure WordPress’ by Alex Ivkin, and ‘She doesn’t even go here! Using Denial, Deception, and Adversary Engagement for Defense’ by Karen Lamb, Gabby Raymond, and Maretta Morovitz were great. The closing plenary with Liam Connolly, Kathy Wang, Michael Darling, and Bruce Potter had some great information about how different organizations were handling challenges related to working from home.”
Watch Weiss’ complete presentation right here.