Sunday, August 18, 2019

Thoughts after the 2019 GRC Conference

For three years in a row, I've been invited to speak at an IIA (Institute of Internal Auditors) event. This year, I spoke at the 2019 GRC Conference, which ISACA co-sponsored. It took place at a breathtaking resort in Fort Lauderdale, Florida. Thanks to Sheena Majette, Ashley Jones and the rest of the fantastic IIA crew, it was an event to remember.

I'd like to share with you my thoughts about this event while still fresh on my mind.

Venue: The venue was stunning, to say the least. I wish I could wake up to this type of scenery every day of the week. On the professional front, the conference center was well-organized, with the right levels of lighting and AC and good placement of screens. The staff, both from IIA and the hotel, were very attentive and caring. Wi-Fi coverage was strong, and the hotel served good food.

2019 GRC Conference in Fort Lauderdale - enjoying the scenery before my speech

Speakers: The line-up of speakers was impressive. The event featured two well-known keynote speakers (Simon Bailey and Patrick Schwerdtfeger) both of whom I had the pleasure of watching at previous conferences.

Simon is an upbeat and inspirational motivator with a long pedigree in corporate life. He transformed himself into one of the most sought-after speakers I enjoy watching on stage. He talks about how to be the best version of ourselves and offers various techniques to achieve our full potential.

Patrick is a futurist and has an optimistic view about how technology could improve and change our lives. He talked about Machine Learning, Virtual Currency, and Automation among many other topics. He stressed that government regulation may be the only trailing piece holding back mass adoption of many technologies (automated driving, bankless transactions etc.) that are already here.

There were two other sessions that stood out to me:

The first was led by Iman Joshua, who gave an energetic speech about Risk Scoring Models and how they could be used to drive stakeholder engagement in corporations. While her ideas and examples were real and actionable, the way she delivered her speech made the difference for me. She connected immediately with her audience by joking about how to say her name without butchering it, and never looked back. On the more technical side, she offered good ideas on how to measure the success of software security by focusing on key metrics such as "defect density" and gamifying how this information is shared with software development teams and senior leaders.

The second one featured Game of Thrones, of which I am a big fan (who isn't?). Pam Nigro did an excellent job of comparing and contrasting cybersecurity issues with the popular HBO show. The examples she used were not only entertaining but also spot-on. Granted, you would not appreciate it as much if you know nothing about GoT, but there were so many parallels that resonated with me personally. For example, compromised insiders have been a real threat in GoT as well as in cybersecurity. Lord "Littlefinger" Baelish and Lord Varys "The Spider" are depicted as master manipulators on the show and are extremely adept at obtaining information by forming alliances with insiders. We all know that most cyber threats of today are caused by company insiders - especially IT administrators who have privileged access to the organization's crown jewels.

My Speech: I talked about Continuous Security Validation on the first day of the conference. If you're interested in the content, please take a look at a short blog post I wrote on the ISACA Now portal.

Being an analytics and measurement guy, I measure the success of my talks as follows:

- How many people showed up (Rating: 5/5): IIA gave me the biggest venue (Great Hall 4) where all the main sessions and keynotes took place. While I will get the official attendance numbers in a few weeks, my estimate is that 300-350 people turned out, which is a very healthy number.

2019 GRC Conference - checking out the venue the day before my speech

- How did the technology (audio etc.) stack up (Rating: 5/5): No issues with audio, slides, clicker... What I really loved was that I had two prompters in front of the stage facing me - one showing my current slide and the other displaying the next. In the middle of them was a timer which was counting me down. Overall, it was flawless - thanks to IIA's Samantha Lazo and her team for taking care of the technology.

- How was my content (Rating: 4/5): I must admit that I struggle from time to time with putting together the right level of content for an audience with varying degrees of knowledge in my topic. Questions I always think about before a session: Do I skip the theory and go right to the examples? Do I go in depth in one concept and neglect the others?

In this particular speech, I went for a 55-45 split and spent about 55% of my time introducing concepts and frameworks such as MITRE ATT&CK and OCTAVE. The remaining time was spent on practical examples and taking questions from the audience.

The next time, I may cut down the theory a bit more and go for a 50-50 split.

2019 GRC Conference - My speech is underway

- How was the audience engagement (Rating: 4.5/5): Overall, I'm happy with how engaged the audience was with my session. Due to the size of the room, I had to defer the live questions to the end, but was able to live-poll the audience with the very advanced "raise your hand" technique throughout the session. I am still evaluating whether I should switch to live-polling apps. Maybe next time...

At the end, I allotted 12 minutes for questions of which I received and answered four well-thought-out ones. I also took several questions from participants who walked over to the stage at the end. People not walking out on you is usually a good sign.

2019 GRC Conference - A healthy turnout for Continuous Security Validation 

- How was my time management (Rating: 5/5): When I was a less experienced speaker, I used to run out of time before being able to take questions. Thanks to the timer counting me down and some advance planning on my part, I wrapped up my content with plenty of time for questions. I think I nailed time management this time 😃

- How was my delivery (Rating: TBD): I got good feedback from several folks who came to talk to me after my session. However, I will wait for the IIA to give me my official scorecard before I start patting myself on the back. I hope the results will be similar to those from 2017, making me a top-rated speaker and earning me a spot at the next All-Star Conference - an invitation-only event for top speakers. Fingers crossed...

My takeaways:
  • I love attending events in Florida and can't believe this was my first conference in Florida since my days with EY. For the record, the last conference I attended in Florida before this one was in 2009.
  • The future is here. All of us in IT, Security, Risk Management or Audit need to adapt to it quickly or we'll be left behind.
  • People seem to be interested in the concept of Continuous Security Validation, but not many companies have started using it in a mature way. Case in point: when I asked my audience how many people knew of MITRE ATT&CK, about half (150 or so) raised their hands. When I followed up with "who is actually using it?", only a handful gave an affirmative hand-raise.
  • Personal Note: I feel I need to think about how I can incorporate more well-known anecdotes into my speeches.

PS: Photo credits go to Zeynep Mulayim of my team. She is not only a great leader in risk management at SVB, but she also provides me with much-needed support during these events.