RSA Conference 2013 – The Year of the Panel

By Michael Farnum

At this year’s RSA Conference, panel discussions appeared to dominate the speaking sessions. Personally, I find that panels are more engaging and provide more value overall. In my opinion, a session with more experts who offer different perspectives results in a better learning experience for all attendees.

At this year’s event, there were two panel discussions that I enjoyed most:

  1. “Information Security Certifications: Do They Still Provide Industry Value?”
This was the first session I attended, and as I expected with a subject like that, the discussion was lively and fun. On the pro-certification side of the debate was Hord Tipton, Executive Director of (ISC)² – home of the Certified Information Systems Security Professional (CISSP) certification. It was obvious that Mr. Tipton believes that certifications provide high value, and he argued that they are a good measure for human resources in hiring practices. I would not disagree with that statement, especially since HR overwhelmingly uses certifications in hiring. However, I don’t think that point addresses the value of certifications as they relate to real expertise in the field where you hold your certification.

Andy Ellis, CSO at Akamai, represented the group that thinks certifications offer little value. And Mr. Ellis can back that up since he doesn’t hold any certifications and is still a highly successful security executive. Mr. Ellis even delivered a keynote at the RSA Conference, so he is clearly a recognized expert in the field. Of course, with certifications such as the Certified Information Systems Security Professional (CISSP) acting as the entry gate to jobs today, it’s likely that hiring practices are different than when Mr. Ellis entered into the information security market.

In the middle of the spectrum of the debate were Jennifer Jabbusch-Minella, CISO at CAD, Inc., and Richard Moore, Sr. InfoSec Manager at RBS Citizens. Mr. Moore and Ms. Jabbusch-Minella went back and forth on an interesting side discussion about certification holders possibly being held liable when breaches occur, similar to doctors or certified public accountants. This point certainly can be debated further.

  2. “Mobile Security Battle Royale”
I felt compelled to mention this panel because of the amount of brainpower on stage. Zach Lanier, senior research consultant at Accuvant, moderated the discussion between Dino Dai Zovi, Charlie Miller, Tiago Assumpcao, and Collin Mulliner. Each of these individuals is a mobile security powerhouse, so the discussion was extremely informative. And though Mr. Lanier was moderating, let’s be clear that he is a mobile “beast” himself. He was slated to participate on the panel but took on the moderator role when the original moderator had to bow out.

Most of the discussion came down to the same old argument about whether Android or iOS was better for security. The panel was fairly split on which was best, which is fairly representative of the general population of security folks with whom I discuss this topic. But, what had some attendees listening most closely was the introduction of the new Blackberry 10 and Windows into the discussion. The panel argued that those two platforms are, at least currently, the most secure platforms. This is because they have few users compared to Android and iOS. As those platforms get more popular – assuming they do – the question of their security will be answered in a real way.

Additionally, I asked a question at the end of the panel that spurred a quick discussion. I inquired about other mobile platforms that are coming out, such as Firefox OS and Ubuntu. There was some disagreement among the panel regarding how prevalent these alternate mobile operating systems would be in the future market. Mr. Dai Zovi believes that iOS and Android will maintain a dominant position but that other platforms would create a cheaper mobile market. Mr. Miller disagreed with that statement, saying that iOS and Android were so established that no one else would be able to make much of a dent in their market share.

I attended other sessions and panels at this year’s RSA Conference, and I enjoyed them all. I look forward to next year and seeing more great panels around anything new developing in information security. I hope to see you there!