Yesterday was a great day at Teleport Connect. Thanks to the team for having me (I was an early guest on the Access Control podcast).
There was a mix of talks and fireside chats. I spend most of my time with CTOs, so spending an entire day with CISOs was a nice change. 😉
Some things I learned:
Mark Strande gave a great talk about being a CISO.
- "passion project" was a great phrase to describe solutions we should have bought but built instead. They generally cost more than buying in the end.
- I talk often about SPoFs (single points of failure) and he talked about Single Points of Compromise. 💡
- He gave a great example from his past about Yubikeys making authentication easy. I've written many times about Make the Right Way the Easy Way so this resonated strongly!
There was a talk about Cisco buying vs building.
- Building turned out to be a support nightmare, much easier to buy and offload the work.
- Were able to more easily satisfy FedRAMP requirements.
- Were able to greatly reduce the number of tickets requesting access to resources which resulted in big engineering productivity gains.
Eddie Glenn, MBA gave a talk about incidents.
- The mix of legacy and modern infrastructure creates opportunity for vulnerabilities (my take: because of mixed mental models).
- The increased complexity of modern infra also creates opportunities (my take: harder to have a complete mental model, and it's constantly changing).
- Time to market pressure can induce problems.
- He discussed the results of a survey where "Virtuosos" said they fired people for security breaches (my take: great way to get people to hide information, probably no material improvement in your security posture).
- Called for elimination of silos in organizations 🎉
George Chamales and Jason Shropshire gave a talk heavily focused on FedRAMP. I teach a lot of clients that regardless of which certification, the core idea is to be able to show: Who did What, When? They had 4 core principles that expressed the same idea, plus FIPS (get your crypto algo story straight).
There was a fireside chat with some great quotes which I hope I'm attributing correctly:
💡"If you can solve for engineering fundamentals, you get most of the security benefits." - David Tsao
💡"Make security tools better while reducing friction."
💡"You (CISO) need to be able to speak the language of business." - Mark Strande (I co-wrote a white paper about this with IT Revolution)
The event closed out interviewing Joseph Menn about the book he wrote about The Cult of the Dead Cow. Favorite quote: "Shout out to the statute of limitations!". 😂
I walked away from the event feeling smarter and more energized. Thanks Teleport! (not an endorsement)