Last week I reached another career milestone in public speaking - my first-ever father/son conference presentation with my son Thomas! We were scheduled to do this presentation at InfoSec World in 2021, but, well, COVID. For a couple of reasons, I think it worked out even better at the 2022 Minnesota CyberSecurity Summit. The content is more mature, and the timing of the topic was even better.
Like many of us, Thomas did not take a straight-line path into his cyber career. He majored in Economics at St Mary's College of Maryland. Despite his best intentions to study and save birds and wildlife, he wound up working in our industry. But he wasn't exactly a cyber rookie. As an undergrad, Thomas interned with the late and truly great Mike Assante in his cyber non-profit (the National Board of Information Security Examiners). Thomas had the opportunity to learn from a great cyber professional, and one of the best human beings in the industry. He’s been with us at the Center for Internet Security for over two years now, and leads the mapping from CIS Security Best Practice content to every other security framework we can find.
Speaking of which, here's the title and abstract for our presentation.
Here Be Dragons - Navigating an Ocean of Security Frameworks
Tony Sager Senior Vice President & Chief Evangelist, Center for Internet Security
Thomas Sager Associate Cybersecurity Engineer, Center for Internet Security
Cybersecurity frameworks, requirements, regulations, and standards must be wonderful, because we have so many of them. But enterprises today often need to report to several of them, each with its own focus, language, level of abstraction, and assessment/audit approach. Cross-mapping among them has become a way of life for many enterprises and has led to a sea of mappings that include commercial services, vendor tools, volunteer donated, hand-crafted one-offs, and everything else you can imagine. While some of this is inevitable, we believe the creators of such frameworks need to simplify this problem for adopters.
At the Center for Internet Security (CIS), we’re doing our part by creating and openly sharing authoritative and vetted cross-mappings from our products and services (like the CIS Benchmarks and Controls) into the ocean of similar schemes. We’ll describe how we go about creating, validating, and sharing these – as well as our thoughts on how to make this simpler and more valuable for everyone.
If you are interested in this topic (and if you work in this business, you should be), we're putting together an article to share.
But what I really wanted to share with you was how much I enjoyed the preparation and delivery of this talk with Thomas. After the presentation, numerous people came up to talk to me - not so much about the content, but to ask about working with one of my kids. All seemed to be parents of young teenagers, and all were gracious and excited to offer how exciting that must have been to share the stage with one of my children. Exactly right! We don't all the chance to do this in such a direct way, but as a parent, it's an amazing feeling to see your children grow up to be professionals and adults.
When Thomas decided to go full speed into the cyber business, he asked me, "Pops, is it too late for me to get into this?"
My reply: "Of course not! In fact, it's really clear that my generation will not solve a single foundational problem in computer security during my professional lifetime. We clearly need some new minds, with new skills, to take over. So - lifetime employment for you, my son! But I need you to quickly clean up some of this mess we've left you - I need my retirement check to show up every month!"