My week in review at RSA

For most CISOs, RSA always starts with the best intentions, namely trying to schedule far more meetings than we can handle and forgetting that some involve a cross-town marathon to arrive on time. This RSA still included those hallmarks, plus numerous early work calls and meetings since I am an east coaster, but a clear theme emerged: cyber ethics and community.


Here is how I came to this theme. RSA started early on April 22nd with a lively Jeffersonian-style dinner hosted by Victor Fang, Ph.D., and the AnChain.AI team, attended by the who's who of the Web 3.0 and AI fields. We covered so much that it is worth summarizing. I was honored to lead the group in discussing what safety and soundness mean for the use of AI/ML from a regulatory perspective. Applied to AI and ML, safety and soundness refer to the degree to which a system is reliable, robust, and trustworthy.

Safety refers to the system's ability to operate without causing harm to users or the environment, while soundness refers to its ability to produce accurate and reliable results. We spent a good amount of time on governance, transparency, and explainability. Many elements go into transparency and explainability, so I will save those details for a more detailed article. We also covered that most emergent AI currently has unexplainable aspects. As a former regulator, I see much work to do here, because "I trust the box" does not resonate well as an explanation. I haven't fully bought into Skynet, but it is concerning when only the data scientist or a small handful of people can explain a model used by thousands or more. This discussion took me back to all the work that Anthony Habayeb and the Monitaur team did long before ChatGPT and others were part of our vocabulary. Overall, ensuring safety and soundness in AI and ML systems is crucial to avoiding negative consequences such as biased decisions, errors, or accidents. To achieve this, AI and ML developers must follow ethical principles, use high-quality data, conduct rigorous testing, and implement appropriate security measures. Additionally, regulatory frameworks and standards should be established to ensure the safety and soundness of AI and ML systems across domains. Thank you to my peer discussion leaders for their great sessions as well:

· What is counterintuitive in AI x Cybersecurity? by Victor Fang, Ph.D.

· Rise of Generative AI and its Impact on Cybersecurity, by Richard Seiersen

· AI x Cyber Investment areas, by Chris McCann

I met many great people at this dinner and look forward to continuing our conversations. Congratulations to Victor Fang, Ph.D., and the AnChain.AI team for being a finalist in the RSAC Innovation Sandbox, and thank you for making tools and services that make my life easier in the crypto world.


Sunday started with a baseball game and great conversations, ranging from what's new in research from John J. Masserini to hacking discussions with people I recognize from DEF CON, Silas Cutler and Marc Rogers. This was a great lead-in to the talk by Daniel Garrie and me on "Keeping Hacking Ethical and Legal" at RSAC on Tuesday. Post-game on Sunday, I was fortunate to meet Alon Shahak, who introduced Juliana Teibel and me to many new and innovative companies throughout the conference.


Monday was a blur as my body adjusted to starting work meetings around 3 am, heading to the CISOs Circle, and having a great discussion with Lamont Orange, Prashant Vadlamudi, and Tony Gauda on the evolving role of the CISO and how to prioritize security in times of uncertainty. In addition, it was great to hear from the Amazon Web Services (AWS) team, Clark Rogers, Mark Ryland, Rod Wallace, Neha Rungta, Andrew Thomas, and Margaret Salter, on how AWS is building security for the future. Thanks, Saul Rosales and Marija A., for the invitation. At Monday night's dinner with the AnChain.AI team, we continued a very technical discussion on Web 3.0 security and how their products and services continue to evolve. Keep up the great work. It was great seeing friends and colleagues; shout-out to the CISOs Connect community, the B&Y, and the Fireside chat mods group members (iykyk), too many to name, but they can always be found at the W.


Tuesday started with our session on Keeping Hacking Ethical and Legal; special thanks to my distinguished colleague Daniel Garrie for co-speaking with me. Bug bounty programs matter to cybersecurity because they give organizations an effective way to identify vulnerabilities in their software, websites, or systems before malicious actors can exploit them. By offering rewards or incentives to security researchers who find and report these vulnerabilities, organizations can draw on the knowledge and expertise of a large community of skilled professionals to improve their security posture.

Bug bounty programs can be especially beneficial for organizations that lack the resources or expertise to conduct comprehensive security testing. By working with a community of ethical hackers and security researchers, these organizations gain valuable insight into potential vulnerabilities and can develop effective remediation strategies.

Furthermore, bug bounty programs help organizations build trust with customers and stakeholders by demonstrating a commitment to security and transparency. By publicly acknowledging and rewarding researchers for their contributions, organizations establish themselves as leaders in their industries and show a willingness to protect their customers and data proactively.

Ethics, protocols, and procedures are essential for bug bounty programs. Organizations must include legal terms of engagement, an explicit safe harbor for researchers who follow the rules, a definition of the authorized methods for discovering vulnerabilities, and rules for how findings may be disclosed. In summary, bug bounty programs help organizations improve their security posture, build trust with customers and stakeholders, and demonstrate a commitment to proactive security practices. Thank you to Russell Eubanks, Tomás Maldonado, and Fitzroy R Gordon, CISSP, CISM, CRISC, CCSP (a former student of mine and Daniel's at Harvard) for being in the front row.


It was great to hear the panel with Gustavo Rodriguez, MA, MPA, on the evolution of the digital-first responder on Tuesday afternoon. Awesome to see what they are doing and how it continues to evolve, and thank you, Gus, for the kind words. As a former paramedic and a current firefighter and rescue swimmer, civic duty, giving back, and community are essential to me. Tuesday continued with seeing the extraordinary work by Larry Whiteside Jr. and the Cyversity team to bring up the next generation of cyber professionals with a focus on DEI. Then I had a stimulating impromptu conversation on ethics with Elad Yoran while walking to meetings.


Wednesday: early morning work meetings, then an attempt to catch up with as many colleagues as possible. It was great seeing the IBM team, especially Chris McCurdy and Fabio L. Campos. Also great catching up with Chris Esemplare and seeing the work he is doing at DeepSeas, and then speaking with Heather Hinton and comparing our teaching sessions. There needed to be more hours in the day; Timothy Eades, Ben de Bont, Laz, Chris Ancharski, Valmiki Mukherjee, CISSP, CRISC, Aimee Rhodes, Jennifer Tanner, Pergrin Pervez, and John D. Johnson, we must catch up soon. Thank you, Sameer Sait; it is great hearing about your journey from CISO to founder. The evening began with a spontaneous meeting with Renee Guttmann while walking through the W and concluded with a great discussion about cyber policy and driving change with Amit Elazari, Dr. J.S.D, Kyle Tobener, Alon Shahak, Gustavo Rodriguez, MA, MPA, and Juliana Teibel.


Thursday: early a.m. work meetings, then a transition to Seattle for the ABA Business Law Section Spring Hybrid Meeting.


Friday: thank you to the Hon. Saliann Scarpulla and Bradford Newman for having me on a panel to discuss Blockchain, Smart Contracts, Crypto, and Web 3.0 for Business Lawyers: Understanding the Technology and Key Legal Issues. Here is a link to the article we published to support the session. Thank you to the ABA Business Law Section for having me as a speaker with such distinguished colleagues.


If you are at Harvard for continuing ed this summer, Daniel Garrie and I would love to see you at either CSCI S-140 Ethics of Cybersecurity or CSCI S-147A Fundamentals of the Law and Cybersecurity at Harvard Extension School.


This community has come a long way, and we still have a way to go. It was great seeing the diversity of thought, backgrounds, inclusion, and sense of community among participants from such large and varied backgrounds. This is a team sport, and no one should ever feel they must go it alone.

Thank you to everyone I met for great conversations!

Joe Erle, MBA, CIC, CRM, TRA, CCIC

Cyber Insurance Broker | Cybersecurity Content | Podcast Host of Ransomware Rewind

1 year

Rajeev S.

Sales Growth | Business Development | Strategic Partnership | Client Relationship Management || Giving StartUps Power of Time and Money Through My Technology Solutions & Expertise

1 year

David, thanks for sharing! I am impressed with your innovative post. I am Rajeev Sharma, with 15 years' experience in the software development industry. Thanks, Rajeev Sharma, Associate Director of Sales, SVAAK Software
Jennifer Tanner

Senior Vice President

1 year

So good to see you and catch up after many years... we must do it again soon!

Marija A.

Sr. Security Specialist, AWS | CISO Circles Program | Worldwide Security GTM Specialist

1 year

Thank you, David Cass! I've learned so much from you.

Pergrin Pervez

Visionary Cybersecurity Leader in Enterprise Professional Services

1 year

Thank you, and yes we must catch up soon!
