As a Seattle native, Washington Mutual has been a household name for almost as long as the city has existed. My mom took me to WaMu when I was eleven to open a bank account to put my paper-route money in. We got both our mortgages from WaMu because in the housing frenzy, I thought they were an institution I could trust. When the opportunity came up at WaMu, I was dubious about the health of the company, so I talked to many people. Most felt as I did- that the worst had come to pass. A company called TPG also believed in them and invested $7 billion. I knew things would be tough, but understood the strategy to drive down costs and felt I had a good role in it. I only ever heard one person float the idea of a run on the bank- my new boss. I thought he was crazy. Instead, it was visionary. I had many great experiences and met many great folks at WaMu in my short time there. I will always value my time at WaMu and hope the risk I took is valued by future employers.

Brandon held forth over several sessions on all manner of InfoSec Management, and man was he singing my song.  He spoke on the overly-complex formulas that firms apply for risk management, and the over-agonization people put into picking a framework and mapping them with other frameworks.  The difference in language and detail not-withstanding, the key to me is to PICK A FRAMEWORK.  This allows you to speak a common language with internal and external parties.  It doesn’t matter if the implementation of a control is too vague within the letter of the standard or specification: it’s up to us as InfoSec professionals to justify how and why we implement something.   Brandon also mentioned the “Unified Compliance Framework” which is meant to be something of a Rosetta Stone between all the various InfoSec Standards such as ISO, PCI, HIPPA etc, etc.  In my opinion, they all resemble one another at their foundations, and they are typically driven by things we SHOULD be doing.  Kind of like diet and excercise.   If you are still looking for a silver bullet that excuses you from the basic, but at times tough practices requiring disciplined follow through, then you are probably continuing to live with higher than necessary risk.

Brandon also cited one of my favorite tools for organizing thought: Porter’s Value Chain analysis.  This model is used to develop systemic thinking across the lifecycle of whatever given service is at hand.  It puts you in touch with whatever is hitting you from upstream, and what you are impacting downstream. 

But what really set Brandon apart is that he was able to talk about these things in a coherent, interesting and ENTERTAINING manner.   It was almost disorienting how much fun it was to listen to someone speak so fluently about Information Security.   Definitely a skill I am working to master.

What’s more is that in the face of budget cuts, one speaker believes that security incidents will only go up.  Not exactly a bold prediction, but how do you feel about that? Presenting a business case for Information Security projects seems to be among the most difficult to perform concrete CBA on.   I obsess about this sort of thing.

Some other AppSec comments: Chinese hackers are coming for you, pen testing isn’t enough, do security testing as part of QA, XSS is the most common of the OWASP top 10- and they are getting more clever.

So I know this works if you have a PERSON filling that role, but what about if you have an APPLICATION filling that role?  That’s what the presenter’s company offers- an app called “TeamMentor” from Security Innovation.  Anyone check it out?  I will try to an let you know what happens.