At the Privacy & Security Forum: What I Saw
By David Sheidlower
CISO Global Media and Advertising
Privacy folks and security folks were finally intermingling by design and not by accident or through one or the other being adventurous. I’m a huge proponent of the two being intermingled (my post Security and Privacy walk into a bar is an example).
So I was glad to attend the inaugural Privacy & Security Forum hosted at George Washington University and organized by Drs. Daniel Solove and Paul Schwartz. "The Privacy + Security Forum went incredibly well in Year One. We had amazing presenters, an impressive audience, and an exciting interchange exchange of ideas at sessions," Schwartz said.
I did more than attend. I also presented. My co-panelists and I, more on them below, were presenting in the last session of day one of the two-day conference and I’d already attended three sessions.
There were two different representatives from the Federal Trade Commission (FTC) talking about security and privacy. First was a panel talking about how to deal with FTC investigations. Then, after lunch, FTC Commissioner Terrell McSweeny walked the audience through a security primer that they’ve published called Start with Security: a guide for business. After that, I attended one additional panel on how to manage the risk we all face from third parties.
Then they served ice cream.
And then our session where Dr. Stuart Shapiro, Principal Cyber Security and Privacy Engineer at the MITRE Corporation and Ian Glazer, Vice Chair of the Management Council of the Identity Ecosystem Steering Group (IDESG), and myself had the privilege of addressing an audience who had just had ice cream sundaes in the break room.
Our topic? Loosely stated, we wanted to look at the different aspects of how controls relate to frameworks. Each from our own point of view. Our “case in point” was authentication.
Shapiro kicked off our session with a detailed look at how standards like NIST Special Publication 800-53 and methods like System Theoretic Process Analysis (STPA-Sec) can be used to design an authentication control. When he was done, the audience had no doubt that controls can themselves be in control and that their design and fitness for purpose did not have to be haphazard.
"Whether top-down or bottom-up, systematic processes and thinking can get you to a rational and defensible set of implemented controls," said Shapiro, summing it up.
Then Ian Glazer walked us through how a Presidential order led to the creation of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and how NSTIC led to IDESG. Think no one is thinking about the over-arching infrastructure for Identities? Think again.
“IDESG recently released the Identity Ecosystem Framework, Version 1 (IDEF v.1) – a policy foundation for the Identity Ecosystem,” said Glazer. “The IDEF v.1 establishes previously non-existent ‘rules of the road’ for companies, government agencies, other organizations and consumers to navigate the constantly evolving landscape of the Identity Ecosystem. We’re actively soliciting feedback on the framework, encourage all potential stakeholders to view it at IdentityRevolution.org and provide us with their comments.”
I’ll cover my presentation in a separate article.
The following day, I was only able to attend one session. It was Bruce Schneier being interviewed by Peter Swire.
Swire was the Chief Counsel for Privacy at the White House when the US and the EU negotiated the recently struck down “Safe Harbor” provisions. Now a law professor at Georgia Tech specializing in Privacy and Cybersecurity, he was well suited to the session as he and Schneier discussed privacy and surveillance.
Do I sound like I had a blast at an industry conference? I did. I’m a working CISO. I don’t get out much.