Shostack + Friends Blog Archive


Reflections on the Microsoft CSO Summit

Adam’s Private Thoughts on Blue Hat, reminds me that I’ve been meaning to post about Microsoft’s recent CSO Summit.
This was an invitation-only spin off of Microsoft’s Executive Circle, and was a mix of MS product presentations, round table discussions, and non-MS folks speaking on how they dealt with real world scenarios in their various industries.
The round table sessions were uniformly fantastic. The most interesting sessions, though, were the ones by folks on how they dealt with real life scenarios. Especially interesting were talks by Michelle Bealieu on how MS does identity management internally and by CIO Ron Markezich on how Microsoft itself was managing its infrastructure. Both their talks supported my own experience that this doesn’t have to be hard if you have a limited number of applications, only have one system of record, and centrally manage as much systems configuration as possible. I really pity my peers who have thousands of applications to manage and don’t have a tool like SMS to help manage end users. Frankly, I found the product pitches less than useful. They were essentially all material that was already available on the web.
Also of note was a talk by Brooke Paul from American Financial Group on how to articulate the value of security to upper management. He had a great discussion on not just ROI and metrics but also on managing risk.
Several interesting yet unsurprising things came to light over the course of the event. They are, in no particular order:

  • The big issue of the conference was identity management. Everyone cared about it, and no one had a solution that spanned multiple operating system environments.
  • No one was getting extra funding to deal with compliance requirements, and yet they were spending a huge amount of time worrying about it.
  • The vast majority of attendees had been doing security for less than 2 years and almost no one actually had a CSO/CISO title and only marginally more were Director level or above. In fact, most of the VP or CSO/CISO level folks were speakers of some sort.

All in all, it was a worthwhile conference. The general consensus of the crowd was that next time there should be even fewer product related talks and more strategy based ones. Microsoft made it clear that the next one would follow that request. I look forward to heading back up to Redmond next year.
[Edit: Fixed link to the Executive Circle]