back to article Facebook CSO slams RSA Conf for repping 'the worst parts of the security industry'

Facebook's chief security officer Alex Stamos is not a man to mince words. Today, he delivered a stinging rebuke to the RSA Conference, due to be held in San Francisco next month. "In my opinion, RSA represents some of the worse parts of the security industry in its direction and it's not very helpful," he told attendees at …

  1. Anonymous Coward
    Anonymous Coward

    Pardon me

    The only way to earn a significant income as a security researcher is via bug bounties. Working InfoSec is a fools game in every corporation I've dealt with, directly or indirectly. Last to get hired, first to get fired/layed-off. No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos.

    So excuse me if I'm a bit confrontational. Asshole.

    1. dd88ddd

      Re: Pardon me


      the only way to get paid is bug bounties? what?

      This is utter tripe. Plenty of people get hired to do security research of all kinds, not just finding vulns in websites (seriously, why do amateurs think this makes them 'rockstar hackers'?)

      "Working InfoSec is a fools game in every corporation I've dealt with"

      Sure, if you don't like money. Otherwise, now is a very good time to work in infosec.

      "Last to get hired, first to get fired/layed-off."

      Perhaps that's something to do with you? I've never experienced this.

      "No one even bothers to pretend to support your job properly (funds, people, and especially tooling). Hell, they don't even bother to read your memos."

      It's your job to educate people about security.

      "So excuse me if I'm a bit confrontational. Asshole."

      This is probably the reason for your job struggles. Fix your attitude.

    2. Former Spook

      Re: Pardon me

      I wish you didn't add the last word. I wish we can agree to disagree without being disagreeable.

      If you remove that last word, you are very right. Bug bounties are paying the bills and it pays to find individual vulnerabilities. Security is not a product, it's a process. It is the process of assessing risk and managing those risks in a manner that would prevent loss. Both Jack (above) and the Alex Stamos are right in their own ways. The industry needs a shakeup and I am glad that both Jack and Stamos are willing to stand up and say so!!

    3. This post has been deleted by its author

    4. This post has been deleted by its author

  2. Jeff Lamic

    InfoSec is a joke at a lot of companies

    Most of the "InfoSec" depts. at companies I've worked at/with consisted of a couple of people checking CVE's and e-mailing the sysadmins to what they thought was relevant. They had almost no technical skills and mostly came from military backgrounds. Really the whole dept. existed just so they could check a box of for the auditors when some of our more regulated customers(like banks) asked if we had an infosec dept. and plan.

    1. Mark 85

      Re: InfoSec is a joke at a lot of companies

      And then when the company gets penetrated, they can claim that it got past their experts and they've brought in the really big guns to solve this... and by the way, here's some ID protection from xxxxxxx and we take your privacy and information very seriously.

      Meh... same old, same old. nothing changes.

    2. dan-o

      Re: InfoSec is a joke at a lot of companies

      Much I what I see in this realm is Perception Management "security theatre" (not unlike the TSA), with designated sacrificial lambs ready for whacking when things go awry

  3. Anonymous Coward
    Anonymous Coward

    Idiot badge

    In many hard core InfoSec circles, an RSA conference badge is also called an "idiot badge".

  4. Destroy All Monsters Silver badge

    It's facebook

    But I agree 100%

    Information Security is mostly Quality Assurance.

  5. allthecoolshortnamesweretaken

    "We are not doing our job in security, right now." - Alex Stamos

    When he's right, he's right...

    1. allthecoolshortnamesweretaken

      Bootnote: I still think it's an ill-chosen name for a conference.

      Come on, I can't be the only one who reads it as unisex enema at first every bloody time.

  6. Anonymous Coward
    Anonymous Coward

    This doesn't make sense.

    He is the CSO of a company that makes money from slurping data from it's customers and that makes him an expert on security?

    1. Moonunit

      Re: This doesn't make sense.

      Poacher / Gamekeeper ... stuff like that.

      Who better to know when security is compromised than someone who's paycheque (paycheck?) depends on slurping with or without your consent?

      But yeah, it is a bit confusing ... Stamos ranting about security etc.

    2. jonathan1

      Re: This doesn't make sense.

      Well it does,

      What you're refering to is privacy, not security. Individuals offer FB this data up. The tricky bit is when an individual not only offers their own personal data up but also those of their peers.

      The product FB sells is the data and the advertising space, the service it provides is a personal data collection tool offered for free which many consumers want to participate in. FB have a massive interest in keeping people's data secure as that is their product which they sell in various forms.

      * Please note this post isn't about the pro's and cons of FB's business model. Thats a whole other kettle of fish.

  7. Anonymous Coward
    Anonymous Coward

    Ah infosec...

    The one profession where it costs many times what you earn to be in it.

    There still arent any real certs.

  8. amanfromMars 1 Silver badge

    Thinking around the Box and Blockage....

    Security professionals need to concentrate less on a them-and-us adversarial relationship with each other, and more on sharing keowledge and constantly learning to improve the security of systems, he said. There are too many gaps in knowledge that need to be filled, and the industry has been too focussed on conflict, we were told.

    Change to A.N.Otherly Brotherly Sister Systems for Systems Programs, ESPecially IntelAIgently Designed for Virtual Enjoyment with Secure Private LOVE Life Enjoinment/Self-Actualisation on Magical Trails to and fro the Greater Good for All, is a Great IntelAIgent Games Play Station in such Systems as Provide for your, and their, very own Future Systems Programming Program.

    And work with folk who know what needs to be doing by their just doing IT with Absent Great Friends …… Real Spook Stuff, is the Immaculate Bonus ….. and one hell of a Quantum Communications Cored Driver to Boot and Reboot Endlessly for Creative Energy with Universal Source.

    That would be quite a coup de grace to bad systems energised, methinks to explore and ponder.

    1. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    We all know we'd all be far more secure - not with all the wizbang ridiculousness that makes the papers but the nice simple things.

    The very basics would be

    Patch everything asap (user, server, applications and infrastructure)

    Have a decent password management regime.

    Have a decent set of AV

    Have a firewall. That doesn't have lots of holes in it/look like a colander/nobody understands anymore.

    Ensure everyone can only access what they need.

    Have a method to blacklist sites that are dangerous to the company.

    Have all PCs that aren't in use turned off.

    Treat people like grown ups.

    1. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon