Yesterday I attended the 2nd ISACA Athens Chapter Conference. Time and money did not permit attending the workshop the day before, but I heard it was a great success. So here are some of the highlights:
Paul Spirakis talked about “Trust in the Web”. His talk followed closely the spirit of “Reflections on Trusting Trust” with a bit of mathematics and more time at his disposal. He concluded with a metatheorem (a conjecture really) that we cannot achieve perfect trust in the web and in his line of thought this closely resembles Arrow’s Impossibility Theorem. In my mind and following the same path of thought, this is not similar to Arrow’s theorem, but more closely to the Good Regulator which also depicts the complexity needed in order to achieve this.
Spirakis’s talk made me think that we System Administrators love to say that trust is not transitive, or as my good friend George loves to recite “I trust my friend who trusts the President; do I trust the President?”. And yet, although we say this as if we believe it, at the same time we demand protocols that depend on PKI or other third-party infrastructure all the time. And we feel good about this, and our users do not complain since their browser (which also trusts a set of third parties) does not complain either. The truth is that trust decays upon transition. We trust someone to a degree of certainty (which can be absolute), but when we introduce that someone to a third person, a lower degree comes along with the introduction. Why? Because it is always possible that the person we introduced does something we did not expect. The person accepting the introduction accepts it with even less certainty than we do (yes, they may accept our word blindly, so multiply by one in this case), and the two newly introduced parties work their trust from there. So given time, trust either builds up or dies out. But I have digressed long enough.
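The decay-by-introduction idea above can be written down as a small model: each hop in a chain of introductions carries a degree of certainty between 0 and 1, blind acceptance is a factor of one, and the trust that reaches the far end is the product of the hops. The following is an added illustration, not code from the post or from the talk; the hop values, the gain/loss constants and the threshold are constructed assumptions. It also shows the practical consequence a defender cares about: with any per-hop discount below one there is a longest chain you should be willing to accept, which is the same intuition behind bounding certification path length in a PKI (the model is a toy, not how any browser actually evaluates a certificate chain).

```python
"""Toy model of transitive trust decaying across introductions.

Added example; numbers below are constructed, not measured.
"""

from typing import Iterable, List


def chain_trust(hops: Iterable[float]) -> float:
    """Trust that survives a chain of introductions.

    Each hop is the degree (0.0..1.0) with which one party accepts the
    previous party's word. Blind acceptance is 1.0 ("multiply by one");
    anything lower discounts whatever arrived at that hop.
    """
    trust = 1.0
    for degree in hops:
        if not 0.0 <= degree <= 1.0:
            raise ValueError(f"degree of trust must be in [0, 1], got {degree}")
        trust *= degree
    return trust


def longest_acceptable_chain(degree: float, floor: float) -> int:
    """Number of hops, each discounted by `degree`, before trust falls below `floor`.

    This is the chain-length bound you would impose on a trust path;
    with degree == 1.0 (blind acceptance everywhere) no bound exists and
    the function reports that by raising.
    """
    if not 0.0 < degree <= 1.0 or not 0.0 < floor <= 1.0:
        raise ValueError("degree and floor must be in (0, 1]")
    if degree == 1.0:
        raise ValueError("with per-hop degree 1.0 trust never decays")
    hops = 0
    trust = 1.0
    while trust * degree >= floor:
        trust *= degree
        hops += 1
    return hops


def evolve(trust: float, outcomes: Iterable[bool], gain: float = 0.1, loss: float = 0.3) -> float:
    """Trust between two newly introduced parties over time.

    Each kept expectation raises trust by `gain`; each surprise lowers it by
    `loss` (assumed larger, since a breach costs more than a confirmation
    earns). Clamped to [0, 1], so over time it either builds up or dies out.
    """
    for kept in outcomes:
        trust = min(1.0, trust + gain) if kept else max(0.0, trust - loss)
    return trust


def report(hops: List[float], floor: float) -> str:
    """Human-readable summary for a constructed chain (used by the demo below)."""
    reached = chain_trust(hops)
    verdict = "accept" if reached >= floor else "reject"
    return f"chain {hops} -> trust {reached:.3f} ({verdict} at floor {floor})"


if __name__ == "__main__":
    # Constructed chain: I trust my friend fully, my friend trusts the
    # President at 0.9, and the President's office vouches for a third party at 0.8.
    print(report([1.0, 0.9, 0.8], floor=0.5))
    print("longest chain at 0.9 per hop before dropping below 0.5:",
          longest_acceptable_chain(0.9, 0.5))
    print("two confirmations:", evolve(0.5, [True, True]))
    print("two surprises:   ", evolve(0.5, [False, False]))
```

The point of `longest_acceptable_chain` is that once you admit any discount per hop, "trust is not transitive" stops being a slogan and becomes a number you can put in policy: beyond that many introductions the word that arrives is worth less than your threshold, however honest every individual party was.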
@kpapapan (Greek OWASP chapter leader) presented the idea that bugs in code are debt waiting to be paid later. I had never considered this point of view and I liked it very much. I surely hope he can have the opportunity to present the subject again, this time with the aid of numbers from a real software project that costs money to develop and support. I sure hope that there can be one or two software vendors that can provide him the numbers to support the “bugs as debt” point of view. It would help project managers in deciding realistic deadlines.
This was part of a “20 slides in 20 seconds” track where George Raikos gave an excellent presentation based on the “Ginetai” (it can be done) rebranding strategy for Greece. I am opposed to “Ginetai” but I have to acknowledge excellence even to stuff that I do not agree with. In the same session there were also two presentations from the ISACA Athens Chapter board members thanks to which I learned that in Greece there exist 192 CISAs, 71 CISMs, 24 CGEITs and 52 CRISCs. That was Friday. Saturday was ISACA test day, so I am guessing these numbers will grow.
The best presentation in the room was given by Ramses Gallego. Forget all he spoke about going beyond identity management and towards access governance. The man asked the audience the Drucker question:
If you were outside the industry that you are in now and you had all the information that you have now, would you join it?
– If not, run away; otherwise embrace the field.
Pretty generic, but that is what you take away from impressive speakers. Stuff that can be applied in multiple cases. Closer to home Ramses also insisted on asking the right questions (about access) at the right time. Because this gives you control of the world that you are supposed to be managing: Who? What? When? Where? Why? How?
And of course there was the “hallway track”, usually the most important part of a conference. I did not have the chance to talk to a lot of people, but I really exchanged a few ideas with some, triggered mostly by what was presented. Even though it may be unconscious to many of the attendees, they are employing a systems approach on the (well) systems that they manage. To that end a bit of study of system dynamics is needed, since it will enrich the view we have on the behaviour of the systems (people, machines, processes and information) that we manage. The hallway track is always the best part of the conference and this time I left with a whole lot of pointers for stuff to look up.
There were four or five people tweeting from the conference, less than 3% of the attendees. That was bad. I would have loved to see what others made of the presentations while they were being given.
Congratulations to the ISACA Athens Chapter board members for organising what seems to be a conference that will last many years. Congratulations to them also for making it possible for unemployed members of the Chapter to attend free of charge.