Luis Grangeia A personal blog

On Risk Management and Policies, C-Days 2015

Earlier this October I attended C-Days 2015, an annual conference on cyber security, organized by CNCS.

It was a very interesting conference, mostly because it got to gather in the same room some interesting and different people from the information security field, and – a rare thing for a Portuguese infosec conference – did so without almost any vendor talks promoting the next great product/service xyz.

I had the honor of being invited to talk on a panel with the theme “Risk Management & Policies – No shortcuts for security”, alongside Fernando Fevereiro Mendes.

The talk was recorded and is available on YouTube. It's in Portuguese and is a bit long, so here are the main topics I talked about:

  • Attacker methodologies have remained fairly unchanged over the years because defenders are so slow to adapt; how do we close the gap between a successful attack strategy and a successful defense strategy?

  • There’s still a gap between “tech geeks” and “strategists” and these two groups snub and devalue each other’s work. This divorce between strategy and operations is one of the biggest setbacks for a good security posture;

  • Security products are a risk in themselves. Here in Portugal we rely more on products than on know-how. Products increase complexity and risk, and are not agile: when a security product reaches the maturity required to be effective, attackers have already moved on to the next attack.

  • I basically concluded by saying we need more “disrupters” in the infosec field in Portugal. We need to bring the hacker / breaker spirit to big organizations and put it to good use: test security policies by running red team exercises, security audits, and phishing campaigns, and try new attack methods. If we snub hackers who want to help organizations, we will be blind and unprepared for the real attackers when they hit.

Here is the video in full. I start at around the 17m mark.

I was also present at B-Sides Lisbon earlier this year, which was also great and a bit more comfortable for me, a true “hacker conference”. I hope next year the audience for both these conferences will be pretty much the same. It would be a good sign of maturity for the industry.