Participating in the Security Professionals Conference as a First-Timer

Keith Schoenefeld (Elon University), Martha Benbow (UNCG), and Christopher Waters (Elon University)

The following is a guest post by Martha Benbow, an information security graduate assistant at the University of North Carolina at Greensboro (UNCG). As a recipient of the EDUCAUSE Ryland Fellowship, Benbow chose to attend the 2016 Security Professionals Conference in Seattle, Washington, April 18–20. This blog shares her insights as a first-time attendee.

Day 1 (April 18)

Arriving early for the conference in Seattle, I appreciated being able to pick up my credentials on Monday morning and then attend the free afternoon cyber-threat briefing with the FBI. To attend the briefing, attendees had to submit to a background check in advance of the conference, meet at the FBI building in Seattle, surrender our cell phones during the meeting, and sign nondisclosure agreements before and after the briefing. The FBI Cyber Security Division has appointed a special agent to help higher education with cybersecurity issues. During the unclassified portion of the talk, he asked higher education information security professionals to reach out to their local FBI agents in order to develop a good working relationship before a data breach occurs.

We also learned that the FBI becomes aware of cases in two ways: (1) they discover a breach in the process of other ongoing investigations, or (2) higher education institutions bring information about a breach to the FBI. Since institutions themselves decide whether or not to share their incidents with the FBI, an unknown number of incidents are never reported. Therefore, the FBI is not a complete source of data on the state of higher education cyberattacks.

Afterwards, I headed back to the hotel and conference center for a "get acquainted" meeting for first-time attendees. David Sherry, the conference program chair, facilitated self-introductions from everyone (name, position, institution, and objectives for the conference). He also encouraged us to attend sessions not directly in our field (i.e., for managers to attend technical sessions and vice versa), which set the collegial tone for the conference.

Day 2 (April 19)

Day 2 is the main day of the conference. All of the sessions were included with the registration fee, and the day was packed with events. The first session began after breakfast at 8:00 a.m., and sessions ran until 5:30 p.m. There were optional social activities in the evening, such as a reception and game/trivia night. A lounge was available throughout the day for anyone needing a break.

I chose to attend the PCI session on the recommendation of one of my co-workers, a security analyst. Aside from the topic's general significance, it will likely apply to my institution in the near future. Fortunately, the presenters are from nearby Wake Forest University, so help on this issue is close at hand. And this points to one of the greatest benefits of attending the conference: finding people who have dealt with similar issues or problems, and vice versa—helping others with problems that you have already solved.

Michael Mattmiller, the chief technology officer for the City of Seattle, was Tuesday's keynote speaker. Having moved from the infosec higher education arena into city governance, he showed how the city is using technology to improve the quality of life for its citizens, from improving traffic planning to collaborating with researchers at the University of Washington. His message is that trust needs to be built between citizens and government by sharing data appropriately, respecting privacy, and allowing the city to be transparent in its data collection.

During lunch, 15–20 tables were set up with various security- and privacy-related conversation topics and facilitators. At the "Career" table, I learned about the various paths to becoming a CISO, the current pattern of having to switch universities to become a CIO, and how having a law degree can be useful for working in compliance. I enjoyed getting to know the people at my table and hearing about their diverse backgrounds and the various stages of their career development.

One of the more technical sessions I attended focused on how to set up data analytics on security logs with "Free Like a Puppy" tools and all the hidden obstacles involved in that process. Another session described how the University of Massachusetts has developed its own business, the UMass cybersecurity program. Their maturity assessment service evaluates endpoint management, security monitoring, firewalls, and vulnerability management for other higher education institutions.

Later, I attended a session on cloud security assessments. What I initially thought was a sales pitch was actually a call for the community to unite and develop a standard assessment for cloud applications, since most infosec departments find themselves with limited resources and personnel and a growing demand for assessments. One attendee from a university with a medical school shared that the health care industry had created a standard form for cloud security assessments, which was a breakthrough idea for higher education to develop a similar form. The attendees in Seattle banded together in support of developing this idea.

Day 3 (April 20)

For the early risers, there was a fun run and a photo walk around the city, and then we convened for breakfast and more sessions. I chose to listen to presenters from my home state, North Carolina. Elon University's CISO shared recommendations and resources for making information security a high-performance department.

At the next session on how privacy and security departments relate to each other at the university level, I learned that privacy is dependent on security, but having security does not assure privacy. However, it is critical for the two departments to work together.

Information security seems to be a small, yet critical, part of the university that those outside of infosec don't understand. At this conference for security professionals, attendees benefit from interaction with peers who understand the challenges and are willing to help. Attending this conference provides many formal and informal opportunities to develop more and stronger relationships with colleagues in the infosec higher education community.

Major Lessons

My overall observations are:

  • The most valuable experience of the conference is expanding your network of infosec colleagues. Colleges and universities face similar obstacles in this area, and we can solve more problems, faster and easier, by working together.
  • Infosec professionals must figure out how to make things work for their institution rather than saying no, which excludes them from important discussions and decisions.
  • Creating a security awareness program is an important issue for many institutions. Having helped write the mandatory Information Security Awareness Training for faculty and staff at UNCG, I'm considering submitting a proposal to present our security awareness training strategy and results at next year's conference.

I hope to see you in 2017!


Martha Benbow is a graduate assistant for information security and data analytics at the University of North Carolina at Greensboro and a doctoral candidate in Management of Information Systems.

© 2016 Martha Benbow. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.