Posted September 21st, 2009 by rybolov
Been busy lately. This is a quick rundown on where I’ll be over the next couple of months so you can stalk me.
- October 5-7: SecTor, Toronto, ON, Canada. I’ll be talking about “Massively Scaled Security Solutions for Massively Scaled IT”, which is an allusion to the size of the US Federal Government IT budget and the techniques that they use to manage it. The Rybolov Layered Information Security Management Model seen here earlier weighs heavily into the presentation, as does a ton of other ideas trying to get people to understand that hazy information security management area above the enterprise.
- November 6-7: DojoCon, Laurel, MD. I’ll be talking about the “Current State of Compliance” which somewhere along the lines has a punchline of “It’s going to happen anyway, might as well drive the bus instead of being under the bus”. There is also a compliance panel following my talk and I’ll be on it with Cyberhiker and Dan Philpott.
- November 10-14: AppSec DC, Washington, DC. I’ll be running amok making part of the conference work. I’m not speaking at this one, which is a good thing because, well, every time I start talking web apps and security it takes me back to all the bad code I wrote in the late 90’s. But hey, didn’t we all?
So in between preparing slides, running amok as a volunteer, and the usual work-life imbalance, I haven’t had much free time lately to add to the blog. Plenty of ideas and blog fodder are floating around inside my head. After the conventions I’ll put up my materials for the rest of the world to pick on.
Posted August 7th, 2009 by rybolov
Apparently I’m the Internet’s SCAP Evangelist according to Ed Bellis, so at this point all I can do is shrug and say “OK, I’ll teach people about SCAP”.
Right now there is a “pretty OK” framework for SCAP. IE, we have published standards, and there are some SCAP-certified tools out there to do patch and vulnerability management.
What’s missing right now is SCAP content. I don’t think this is going to get solved en masse; it’s more like there needs to be an awareness campaign directed at end-users, vulnerability researchers, and people who write small-ish tools.
So I sat around at home trying to figure out how to get people to use/write more SCAP content and finally settled on “Every time you use SCAP content, a kitten runs free”.
Anyway, this is a presentation I gave at my local OWASP chapter.
Posted July 17th, 2009 by rybolov
Actually this is all a little bit strange to comprehend, I’m not sure I get it all, but here goes…
So my friend Michael Santarcangelo sold his palatial estate, put his worldly possessions in storage somewhere in upstate NY, packed up his family in an RV, and is travelling around the US giving a series of seminars on “Communicating the Value of Security”. I’ve met Michael, and he’s not a patchouli-smelling hippie looking for inner truth or some kind of weird traveling salesman; he’s just a really smart guy who’s passionate about what he does.
And he’s coming to Northern Virginia on the 25th to bring you BBQ, pool, and a seminar on how to communicate with non-security folks. There’s a trivial cost to pay for the food. It’s also a family event, and there’s no extra cost for your family to come along, although when Michael sees how much my teenage daughters eat, he’ll probably charge me at least an extra $50 bucks.
Get the full set of information here. Sign up and give it a try.
Posted July 9th, 2009 by rybolov
Dan and I were on the Beyond the Perimeter Podcast Featuring Amrit Williams and will be for a couple more episodes. It’s hard work to not sound like my usual dorky self. =)
Check out Episode I here
Posted June 11th, 2009 by rybolov
Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.
I’ll be going. This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen. You might end up running a conversation on your favorite privacy topic, so you have been warned. =)
*Most* of the folks going are of the civil libertarian slant. With my background and where I work, I usually “bat for the other team on this issue”. The organizers have assured me that I’ll be welcome and can play the heretic role.
How to play:
Some themes that I’ve seen develop so far:
- How some concepts (System of Record) from the Privacy Act are outdated or at least showing their age
- How the open government “movement” and the push for raw data means we need to look at the privacy concerns
- FOIA and privacy data
- Ending the political robocalls
See Y’all there!
Posted April 10th, 2009 by rybolov
Some of my friends (and maybe myself) will be teaching the NIST Framework for FISMA in May and June with Potomac Forum. This really is an awesome program. Some highlights:
- Attendance is limited to Government employees only so that you can talk openly with your peers.
- Be part of a cohort that trains together over the course of a month.
- The course is 5 Fridays so that you can learn something then take it back to work the next week.
- We have a Government speaker every week, from the NIST FISMA guys to agency CISOs and CIOs.
- No pitching, no marketing, no product placement (OK, maybe we’ll go through DoJ’s CSAM, but only as an example of what kinds of tools are out there), no BS.
See you all there!