Last week Mike, Adrian, and myself were out at the Amazon re:Invent conference. It’s the third year I’ve attended and it’s become one of the core events of the year for me; even more important than most of the security events. To put things in perspective, there were over 19,000 attendees and this is only the fourth year of the conference.

While there I tweeted that all security professionals need to get their asses to some non-security conferences. Specifically, to cloud or DevOps events. It doesn’t need to be Amazon’s show, but certainly needs to be one from either a major public cloud provider (and really, only Microsoft and Google are on that list right now), or something like the DevOps Enterprise Summit next week (which I have to miss).

I always thought cloud and automation in general, and public cloud and DevOps (once I learned the name) in particular, would become the dominant operational model and framework for IT. What I absolutely underestimated is how friggen fast the change would happen. We are, flat out, three years ahead of my expectations, in terms of adoption.

Nearly all my hallway conversations at re:Invent this year were with large enterprises, not the startups and mid-market of the first year. And we had plenty of time for those conversations, since Amazon needs to seriously improve their con traffic management.

With cloud, our infrastructure is now software defined. With DevOps (defined as a collection of things beyond the scope of this post), our operations also become software defined (since automation is essential to operating in the cloud). Which means, well, you know what this means…

We live in a developer’s world.

This shouldn’t be any sort of big surprise. IT always runs through phases where one particular group is relatively “dominant” in defining our enterprise use of technology. From mainframe admins, to network admins, to database admins, we’ve circled around based on which pieces of our guts became most-essential to running the business.

I’m on record as saying cloud computing is far more disruptive than our adoption of the Internet. The biggest impact on security and operations is this transition to software defined everything. Yes, somewhere someone still needs to wire the boxes together, but it won’t be most of the technology workforce.

Which means we need to internalize this change, and start understanding the world of those we will rely on to enable our operations. If you aren’t a programmer, you need to get to know them, especially since the tools we typically rely on are moving much more slowly than the platforms we run everything on. One of the best ways to do this is to start going to some outside (of security) events.

And I’m dead serious that you shouldn’t merely go to a cloud or DevOps track at a security conference, but immerse yourself at a dedicated cloud or DevOps show. It’s important to understand the culture and priorities, not merely the technology or our profession’s interpretation of it. Consider it an intelligence gathering exercise to learn where the rest of your organization is headed.

I’m sure there’s an appropriate Sun Tsu quote out there, but if I used it I’d have to nuke this entire site and move to a security commune in the South Bay. Or Austin. I hear Austin’s security scene is pretty hot.

Oh- and, being Friday, I suppose I should insert the Friday Summary below and save myself a post.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
A bunch of stuff this week, but the first item, Mike’s keynote, is really the one to take a look at.

Mike’s HouSecCon keynote.
Rich at GovInfoSecurity on the AWS not-a-hack.
Adrian at CSO on why merchants are missing the EMV deadlines.
Rich at the Daily Herald on Apple’s updated privacy site.
Rich at Macworld/IDG on the “uptick” of OS X malware. TL;DR, it’s still less than new Windows malware created every hour.
Rich, again on Apple privacy. This time at the Washington Post.
Rich on Amazon’s new Inspector product over at Threatpost
And one last Apple security story with Rich. This time over at Wired, on iOS malware.
Recent Securosis Posts
Building Security Into DevOps: The Role of Security in DevOps.
Building a Threat Intelligence Program: Using TI.
Building Security Into DevOps: Tools and Testing in Detail.
New Report: Pragmatic Security for Cloud and Hybrid Networks.
Building Security Into DevOps: Security Integration Points.
Pragmatic Security for Cloud and Hybrid Networks: Design Patterns.
Pragmatic Security for Cloud and Hybrid Networks: Building Your Cloud Network Security Program.
Favorite Outside Posts
Mike: US taxman slammed: Half of the IRS’s servers still run doomed Windows Server 2003. Uh, how do you lose 1300 devices?
Chris Pepper: How is NSA breaking so much crypto?
Rich: Teller Reveals His Secrets. As in the Penn and Teller. I’ve always loved magic, especially since I realized it is a pure form of science codified over thousands of years. So is con artistry, BTW.
Dave Lewis: [What’s Holding Back the Cyber Insurance Industry? A Lack of Solid Data](7
Research Reports and Presentations
Pragmatic Security for Cloud and Hybrid Networks.
EMV Migration and the Changing Payments Landscape.
Network-based Threat Detection.
Applied Threat Intelligence.
Endpoint Defense: Essential Practices.
Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications.
Security and Privacy on the Encrypted Network.
Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
Security Best Practices for Amazon Web Services.
Securing Enterprise Applications.
Top News and Posts
Beware of Oracle’s licensing ‘traps,’ law firm warns
Chip & PIN Fraud Explained – Computerphile
Hacker Who Sent Me Heroin Faces Charges in U.S.
Troy’s ultimate list of security links
Summary of the Amazon DynamoDB Service Disruption and Related Impacts in the US-East Region
Emergency Adobe Flash Update Coming Next Week
Researchers Find 85 Percent of Android Devices Insecure