Exploring Information Security


2020 Presentation: I need your help

I think one of the things I’ve discovered about myself is that I really enjoy teaching. I love passing along knowledge and helping others trying to figure it out. I think that’s something I really missed last year by not speaking at conferences or doing the podcast. I plan to bring both back this year and I need help deciding.

In the past, coming up with a topic has been harder. In the last month I’ve had four different talk ideas, all of which I’m still excited about after letting them sit for a bit. I can’t really decide which one I like better. Since I’ve had several people reach out to me about my recent blog posts (I have readers!), I thought, “Why not see what’s the most interesting to people?” With the deadline approaching for several spring and summer conferences, I need to start working on an outline and start submitting to CFPs SOON. Here are the talk ideas. Titles to come (recommendations welcome).

How to build an agile process for your security team

I got promoted to manager this year. Prior to that I was made team lead over two other teams while continuing to perform my other responsibilities. I had to figure out what work needed to be done and start tracking it to ensure it got done. For most of my career I had used Outlook’s task list to try to manage my work. It was frustrating and often gave me a headache. Being embedded with the devs as my primary role, I had adopted kanban for my own work management. It was an eye-opening experience that converted me to the agile way of work management.

I used my experience and what I had learned from the devs and incorporated it with the security engineering and pentester teams. This talk will cover how I got buy-in from the team, the lessons learned from getting a new process in place, the challenges I faced using this process with the rest of IT, how I was easily able to start pulling metrics from the teams’ work, and how I look for ways to improve the process.

Phishing for health

This is a talk on my experiences both responding to phishing incidents and standing up a phishing program. I will talk about the defenses we put in place and provide what statistics I can on phishing in the workplace. Examples and resources will be provided.

Threat Modeling all the things

How to implement threat modeling with developers and the rest of IT. Threat modeling is a part of the software development life cycle. I’ll talk about the experiences and strategies for implementing it there, and the benefits we’ve gained from implementing threat modeling. This past year, with my expanded role, I’ve started to incorporate threat modeling sessions into designs for the other parts of IT. Also, potentially, how to use it as a tool to better understand another department’s business objectives.

Follow up to my kick starting AppSec talk

A few years ago, I did a talk on kick-starting an application security program. This would be a follow-up to that talk, with successes and lessons learned. A good title is, “How to frustrate pentesters.” I recently sent both of the pentesters at an internal application built with our SDLC (appsec program included). Both came away frustrated and flustered at the lack of fun the application presented.

Voting

I’ve created a poll on Twitter. You can vote there, leave a comment, or reach out to me directly. All the talk ideas will likely get a blog post at some point.
