September 10, 2012
7:30 am - 8:30 am | Registration and Breakfast
8:30 am - 8:45 am | Opening Remarks | Bob Bragdon, Publisher, CSO magazine
8:45 am - 9:40 am | Understanding Today’s Cyberthreats and Building Adaptive Security | Patrick Gorman, Chief Information Security Officer (CISO), Bank of America | Today’s cyberthreats are complex and evolving. Effective cybersecurity requires a proactive strategy that anticipates and mitigates risks, an operating model based on dynamic defense, a constant investment in evolving capabilities and controls, and an integrated approach that includes strong partnership, information sharing, and collaboration. Join us as the CISO of Bank of America shares his insights on how best to manage cybersecurity in today’s environment.
9:40 am - 10:00 am | Embracing the IT Consumerization Imperative | Barry Caplin, CISO, Department of Human Services, State of Minnesota | Consumerization and mobility in the enterprise -- and in our daily lives -- are not only here to stay, but their footprint and influence are expanding. What does the broader consumerization and mobile environment look like? How do you assess the drivers for adoption and the cost/benefit of a mobile-enabled organization? Join us for this session to get an understanding of how this large state agency took a proactive approach to enablement that ultimately put it ahead of the security challenges, rather than behind them.
10:00 am - 10:20 am | Why Your Supply Chain May Be Your Biggest Threat, and What to Do About It | Vijay Viswanathan, CISO, HD Supply | Unauthorized intrusion into your supply chain poses one of the most significant threats to the environment you’re trying to secure, but many organizations are unaware of the risks and how to mitigate them. Join us for this session to get an understanding of what to do to avoid a surprise.
10:20 am - 10:40 am | The Future State is Mobile and Supply Chain Threats, But Are We Prepared?: A Panel Discussion | Barry Caplin, CISO, Department of Human Services, State of Minnesota; Vijay Viswanathan, CISO, HD Supply; Bob Bragdon, Publisher, CSO magazine | Join us as our panel of experts takes your questions.
10:40 am - 11:10 am | Networking Break in the Security Showcase | Visit the Security Showcase to find valuable solutions to your most pressing challenges. Or, discover what's new, as select sponsors each have a 6-minute open forum to educate attendees on current technologies and future solutions in the Security Showcase Classroom.
  | Using Metrics to Measure Security Performance and Effectiveness | Today’s enterprises continue to struggle with the best ways to measure performance of their security tools and processes. At the same time, other disciplines in the organization — like finance and sales — use a common set of metrics that are well understood and require little explanation at the executive and board level. Join us as we explore methodologies, examples and tools that enterprises are using to effectively measure, process and communicate security metrics -- along with best practices on how to implement an effective performance management program. | Presented by nCircle
  | A recent Aberdeen research study found a steady increase in the enterprise use of tokenization as an alternative to encryption for protecting sensitive data. The study also revealed that tokenization has 50% fewer security-related incidents. Join us as we review key findings of the research and share a case study of exemplary tokenization use. | Presented by Protegrity
  | Information security in today’s hyper-connected world is all about risk management. When determining security requirements, organizations must conduct risk assessment and measure its impact. There are different models available today that focus either on qualitative or quantitative risk analysis. In this session, TruOps (from SDG) will address these risk assessment models and their relative strengths and weaknesses. The session will also provide insight into how best practices in risk management can help stakeholders establish a robust risk management framework for their organizations. | Presented by SDG Corporation
  | Connecting Security to the Business: The CISO’s Challenge Translating Technical Risk Into Business Risk | CISOs face the challenge of communicating technical risks to the business in a manner that non-technical executives can understand. Tripwire solutions provide the ability to present security data up, down and across the organization in the way each audience will find informative and actionable. | Presented by Tripwire
11:10 am - 11:30 am | Intelligent Threat Management, and Why It’s Critical Going Forward | John Masserini, CSO, Miami International Holdings | Today’s business intelligence and analytics tools are more capable and available than ever. If you’re not already applying them to how you manage threats, you’ll need to understand what you’re missing. Join us for this session where you’ll learn from a key champion of this vital approach.
11:30 am - 11:50 am | Application Security Threats: Blocking the Silent Intruder | Ken Pfeil, Global Security Officer, Pioneer Investments | With the vast expanse of applications and their newfound exposure on mobile devices, a host of challenges arises throughout the application lifecycle – design, development, deployment, upgrade, and maintenance. Join us for this session to hear the latest advice on creating secure applications.
11:50 am - 12:10 pm | Stand Your Ground | Jerry Archer, CISSP, Senior VP and CSO of a major financial institution and founding board member for the Cloud Security Alliance | At this moment in time, there is no sane, no rational, no informed person who doesn’t recognize that protection from the risks of Internet use comes down to a choice: blind faith or self-defense. All versions of “trust us, and you'll be okay” are probabilistic falsities. At this point, you have no choice but to properly arm yourself — just as nation states do. Remember, in no other arena of warfare than cyberwarfare is collateral damage so assured yet so unpredictable. Join us to hear about this and more from one of the industry’s top thought leaders.
12:10 pm - 12:30 pm | Effectively Managing the Threat Landscape: A Panel Discussion | Jerry Archer, CISSP, Senior VP and CSO of a major financial institution and founding board member for the Cloud Security Alliance; John Masserini, CSO, Miami International Holdings; Ken Pfeil, Global Security Officer, Pioneer Investments; Bob Bragdon, Publisher, CSO magazine | Join us as our panel of experts takes your questions.
12:30 pm - 1:30 pm | Networking Lunch with Discussion Topics | Join one of these moderated discussion tables to share strategies and connect with your peers to hear how they're resolving the same issues with which you grapple every day.
  | Join us for this interactive discussion where we’ll listen as you and your peers explore the application threat landscape and describe the protective measures you need. | Sponsored by AsTech Consulting
  | How to Integrate Self-Service and Automation into Your Identity and Access Management Strategy | You can avoid the pitfalls of IT-dependent IAM implementations by empowering business users with self-service capabilities that simultaneously improve security and increase adoption rates. Join us as we discuss how. | Sponsored by Avatier Corporation
  | Risky Business: Identifying and Managing Access Risk in Today’s Open Environment | In today’s mobile, always-on, cloud-based environment, open is not a choice. It’s a requirement. Join Courion and your peers for a discussion on the importance of automating secure access to critical business information. | Sponsored by Courion Corporation
  | How to Use Spear Phishing to Change Employee Behavior | Join us as we discuss how you can leverage phishing awareness training to turn on and fine-tune the human sensors in organizations. | Sponsored by PhishMe
  | The Convergence of Identity and Data Governance in a BYOD World | New security challenges plague CSOs as end-users proliferate their environments with their personal devices. Should your solution focus on the device, or the data? Join us for this discussion with your peers. | Sponsored by Quest Software
  | Does your company transfer mission-critical information using insecure, ungoverned and inadequate file transfer technologies like email, FTP, YouSendIt or Dropbox? Join us as we discuss ways to secure and govern the exchange of sensitive information and how to minimize the risk of data leakage. | Sponsored by SEEBURGER, Inc.
  | Does Your Current Data Security Strategy Leave You at Risk? | How can you best protect the value of your corporate data across your extended enterprise? Join us as we discuss and explore a new paradigm on data-centric security. | Sponsored by Voltage Security, Inc.
  | Reducing Total Cost of Ownership for Full Disk Encryption | Today’s organizations need encryption to prevent data breaches, meet compliance and regulatory objectives, protect customer information and preserve corporate reputation. Join us as we discuss how the benefits of full disk encryption can far outweigh the perceived costs. | Sponsored by Winmagic, Inc.
  | Is Security Awareness Training a Waste of Time and Money? | If security awareness training doesn’t remove all the risk of end users falling for an attack, is it worth doing? Join us as we discuss this with you and your peers. | Sponsored by Wombat Security Technologies
1:30 pm - 2:35 pm | Mobile Security Track | Cloud Security Track
1:30 pm - 2:00 pm | Mobile Security Track | The Hidden Threats of Bring Your Own Device Programs | Lee Parrish, VP & CISO, Parsons Corporation | For organizations considering bring your own device programs, they first need to make sure it’s the right move for their organization. Should employee-owned devices be used in the workplace? What happens when you police information on employee-owned devices? And what are the hidden threats? In this session, learn about the important technical, policy and legal considerations with BYOD.
1:30 pm - 2:00 pm | Cloud Security Track | Developing a Smart and Adaptable Social Media Policy | Roy Post, CISO, AXA Equitable | With social media sitting in widely accessible clouds, and employees using them on a widespread basis, you need to create a social media policy that is not only effective today, but adaptable to changing social venues and employee habits. What are the basic elements of an acceptable use policy? What good habits does it engender to protect the organization? What can you control with social media, and what can you only control through awareness? Join us for this session to learn the key best practices in establishing and maintaining social media policies.
2:05 pm - 2:35 pm | Mobile Security Track | Balancing Innovative Mobile User Experiences and Data Protection and Privacy | Tim Choi, Senior Director of Product Marketing and Strategy, WatchDox; Jay Leek, Chief Information Security Officer, Information Technology, The Blackstone Group; Bob Bragdon, Publisher, CSO magazine | For some organizations, smaller form factors like handhelds and tablets create significant productivity enhancements across large sectors of the workforce. And while striking a balance between the best possible user experience and ensuring that sensitive data is protected can be a challenge, there are proven ways to find the optimum service delivery. In this session, see how one organization has embraced mobility and addressed cutting-edge use cases for its inherently mobile workforce.
2:05 pm - 2:35 pm | Cloud Security Track | How to Properly Assess Risks and Providers of Cloud Services | David N. Kroening, CISO, New York State Insurance Fund | When organizations make a commitment to leveraging cloud services, they’re often also committing to housing sensitive data offsite, and the need for extensive vetting of processes, procedures and agreements designed to protect the organization. Join us for this session as we explore the critical importance of developing adequate non-disclosure and breach notification agreements when venturing into the cloud.
2:35 pm - 3:05 pm | Networking Break in the Security Showcase | Visit the Security Showcase to find valuable solutions to your most pressing challenges. Or, discover what's new, as select sponsors each have a 6-minute open forum to educate attendees on current technologies and future solutions in the Security Showcase Classroom.
3:05 pm - 4:10 pm | Mobile Security Track | Cloud Security Track
3:05 pm - 3:35 pm | Mobile Security Track | There’s No Way to Avoid Widespread iPad Use, So Just Embrace It | Eric Cowperthwaite, System Director of Enterprise Security and CSO, Providence Health & Services | For Providence Health & Services, there’s no way to avoid incoming, 30-year-old, extremely intelligent doctors who’ve grown up on technology and plan to use their iPads (or all sorts of other devices) for their clinician work. And when you’re securing an enterprise of 50,000 professional employees plus 15,000 doctors, this culture helps you quickly understand the need to adapt. Providence has 20,000 mobile devices under active management plus all the other BYOD from their doctors and clinicians. Join us for this session to hear why the CSO of a $12.5 billion healthcare system has adopted widespread mobility and BYOD practices — along with the lessons they learned along the way.
3:05 pm - 3:35 pm | Cloud Security Track | Why Your Security Policies May be Woefully Out of Date | Nick Akerman, Partner, Dorsey & Whitney LLP | If your company falls victim to an insider threat or security breach, have you considered all of the new laws on the books that could help your company pursue criminal prosecution, and thereby inhibit future threats? Do your security policies reflect measures that would take advantage of these new laws? Find out what you may be missing in this session.
3:40 pm - 4:10 pm | Mobile Security Track | Mobile Device Security: One Size Doesn’t Fit All | Stephen Sparkes, CIO, Head of Technology and Information Risk, Morgan Stanley | IT and risk managers know their mobile security strategies must balance employee productivity, costs and protection of their firms’ assets. In a diverse, global company, however, they must perform this three-way balancing act over and over again. The tradeoffs vary widely depending on employees’ roles, the devices and platforms they use, and even the regulatory regimes in the countries where they work and travel. Join us in this session to learn how one large bank formulated a nuanced global strategy for mobile device security that considers each factor.
3:40 pm - 4:10 pm | Cloud Security Track | Is It Possible to Transition to Secure Clouds Without Spending a Fortune? | Roland Cloutier, Vice President and Chief Security Officer, ADP | Moving to clouds has its hidden security costs. How do you leverage existing security investments to avoid a lot of additional net expense? Find out from someone who secures one of the world’s largest SaaS platforms, and learn about the technologies they are considering for tomorrow.
4:15 pm - 5:00 pm | New Technology Demonstrations | See lightning-round demonstrations of new security products and services.
  | Using Tokenization to Protect PII Data | Data breaches are all too common in today’s business world, and current studies show that hackers are shifting to PII data as their next target. Join us to learn how tokenization can protect all types of PII data, regardless of where the data is stored. | Presented by Protegrity
  | Combating today’s cyber-based threats requires a more proactive and automated continuous monitoring methodology that can quickly identify and mitigate IT risk. Join us to learn how the RedSeal platform can give you continuous insight into the effectiveness of your security infrastructure, controls and policies, help enforce compliance and improve your governance while strengthening your organization's cyber-defenses. | Presented by RedSeal Networks, Inc.
  | Information security in today’s hyper-connected world is all about risk management, and when determining security requirements, organizations should be prepared to conduct risk assessments and quickly measure the impacts to the business. There are many applications available today that focus either on qualitative or quantitative risk analysis, yet none that do both well. Join us for this session as we discuss risk assessment models and their relative strengths and weaknesses, and explore how best practices in risk management can help stakeholders establish a robust risk management framework for their organizations. | Presented by SDG Corporation
  | IT organizations often need to compete for security project resources and must increasingly appeal to non-technical executives to get them. In this session, we’ll discuss how to communicate the "tactics" of security in a way that matters to the rest of the business. | Presented by Tripwire, Inc.
5:00 pm - 5:30 pm | Achieving Cybersecurity Together | Mark Weatherford, Deputy Under Secretary for Cybersecurity, U.S. Department of Homeland Security | Achieving cybersecurity is a responsibility that we all share – public sector, private sector, and citizens. As the sophistication of cyber threats continues to evolve, so must our approach to combating these threats, which could have virtual and/or physical consequences. Join us for this session to learn how the Department of Homeland Security continues to achieve operational excellence by strengthening partnerships across all sectors in the face of a growing spectrum of threats and actors, and how we can work together to build the cyber workforce that is needed.
5:30 pm - 6:30 pm | Networking Reception in the Security Showcase
September 11, 2012
8:00 am - 9:00 am | Registration and Breakfast | Breakfast Sponsored by RiskIQ
9:00 am - 9:15 am | Opening Remarks | Bob Bragdon, Publisher, CSO magazine
9:15 am - 10:00 am | Government Perspectives on Cybersecurity: The Similarities and Differences at the State and Federal Levels | Michael Locatis III, Assistant Secretary of Cybersecurity and Communications, U.S. Department of Homeland Security | Cybersecurity requires a whole-of-Nation approach, particularly from those responsible for Federal government networks and state government networks. Join us for this session to understand the issues facing governments of all levels and initiatives that have been undertaken to improve their cybersecurity.
10:00 am - 10:20 am | Modern Approaches to Vendor Management | Bruce Jones, CISO, Eastman Kodak Company | Selecting and managing vendors today involves skilled contracting, auditing, monitoring and ongoing analysis of service levels. Join us for this session for some helpful tips on the best ways to tackle these approaches and more.
10:20 am - 10:40 am | Building Meaningful Talent Pipelines | Gene Fredriksen, CISO, Tyco International | The quality of the security team is pivotal to success, and building that team requires significant thought and effort. What are the more effective ways to find the right people? How do intern programs matter? And how can you implement performance programs and accountability through metrics? Join us as we explore proven ideas on building your pool of talent.
10:40 am - 11:00 am | Leveraging the Talent and Vendor Resource: A Panel Discussion | Gene Fredriksen, CISO, Tyco International; Bruce Jones, CISO, Eastman Kodak Company; Bob Bragdon, Publisher, CSO magazine | Join us as our panel of experts takes your questions.
11:00 am - 11:30 am | Networking Break in the Security Showcase | Visit the Security Showcase to find valuable solutions to your most pressing challenges. Or, discover what's new, as select sponsors each have a 6-minute open forum to educate attendees on current technologies and future solutions in the Security Showcase Classroom.
  | Leveraging IP Reputation with Security Information and Event Management | By sharing information related to the source and nature of attacks, we -- as a security community -- can quickly isolate malicious or compromised hosts. In addition, this shared information about attack patterns can help to identify new attack tools that can lead to new defense strategies and technologies. Join us for this session to learn about the AlienVault Open Threat Exchange™ (AV-OTX™), a system for sharing threat intelligence among OSSIM users and AlienVault customers. With AV-OTX™, an attack on any member of the community alerts and arms the entire community with timely intelligence to better manage future attacks. | Sponsored by AlienVault
  | A recent ESG report on Security Management and Operations, surveying over 1,600 large enterprise security executives, reveals that leading organizations have implemented continuous monitoring programs to ensure the effectiveness of their mitigating controls across the enterprise. Join us as we review the report findings and discuss how business leaders are transforming their security effectiveness with more proactive security solutions. | Sponsored by RedSeal Networks
  | Today’s shadow IT run by non-IT employees presents an intellectual property risk to the enterprise. In these scenarios, documents lost to unauthorized parties can create negative and avoidable financial impact. At the same time, organizations that stifle the use of collaboration tools will also impede their organizational effectiveness. Join us for this session as we explore how enterprise users and security practitioners can balance their objectives to create effective document collaboration. | Sponsored by WatchDox
  | Adopting a Trust-based Security Model | The standard approach to security is backward: AV, HIPS, firewalls, etc. try to detect and reject malware. This is fighting a losing battle. The new approach that hundreds of organizations are using and analysts are recommending is to only allow trusted software to run. This session will describe the logic behind this approach and how it worked to stop Flame, the malware behind the RSA breach, and other advanced attacks that bypassed traditional security tools. | Sponsored by Bit9
11:30 am - 11:50 am | Communicating Security Programs to Achieve Buy-In | Steve Fried, CISSP, CISM, CISO, Peoples United Bank | How do you communicate security performance in a way that resonates with business leaders? What frameworks can you use to effectively discuss security performance issues with the board of directors? How do you communicate security direction and strategy to the security workforce to gain internal buy-in? Join us as we explore best practices.
11:50 am - 12:10 pm | How to Brand the Privacy Program for Maximum Effectiveness | Al Raymond, V.P. Privacy & Records Management, ARAMARK Corporation | One of the most effective tools to build multi-directional security awareness across the organization -- from the workforce to the board to the outside world -- is effective privacy program branding. Doing this involves: enhancing privacy as a clear value proposition to clients; implementing a 'privacy by design' model internally to build privacy and protections into core business practices; promoting a strong and mature privacy and security program to boost competitive advantage; and finally, listening to consumer demand as a privacy driver. Join us for this session as we explore how to effectively develop and convey the privacy brand.
12:10 pm - 12:30 pm | Mastering the Art of Security Communication: A Panel Discussion | Steve Fried, CISSP, CISM, CISO, Peoples United Bank; Al Raymond, V.P. Privacy & Records Management, ARAMARK Corporation; Jim Acquaviva, Vice President of Product Strategy, nCircle; Bob Bragdon, Publisher, CSO magazine | Join us as our panel of experts takes your questions.
12:30 pm - 12:35 pm | Morning Wrap-Up and New Technology Demonstration Awards Recognition | Bob Bragdon, Publisher, CSO magazine; Derek Slater, Editor in Chief, CSO magazine and CSOonline.com
12:35 pm - 1:30 pm | Lunch
1:30 pm - 2:00 pm | Dessert Reception in the Security Showcase
2:00 pm - 3:05 pm | Cybersecurity Track | Data Governance and Risk Track
2:00 pm - 2:30 pm | Cybersecurity Track | Don't Be Distracted By Bright Shiny Things | David Escalante, Director of Computer Security, Boston College; Patrick Morley, President & CEO, Bit9; Derek Slater, Editor in Chief, CSO magazine and CSOonline.com | All too often, we see security practitioners chasing the latest audit/compliance issue, or the latest headline about a security threat, or the latest software or hardware to address the previous two items. But in order to stop chasing the latest concern and be prepared for security instead of being reactive, we have to avoid these "bright shiny things" and focus on building out a balanced security program that anticipates threats. Join us for this session as we learn more about this approach.
2:00 pm - 2:30 pm | Data Governance and Risk Track | Here’s How to Help the CEO Intelligently Devote Capital to Operational Risk Management | Joel Tietz, Chief Privacy Officer and Operational Risk Program Leader, AXA Equitable; Dwayne Melancon, Chief Technology Officer, Tripwire, Inc.; Bob Bragdon, Publisher, CSO magazine | Company leadership is worried about what they don’t know and how to balance risk management needs with other competing priorities. They know their Board of Directors will hold them accountable for a corporate blind spot that has catastrophic implications. Moreover, they want to understand an existential threat that’s invisible to the organization in the big picture, but presents itself through clues that could have been pieced together through some preventative, systematic process. And once they know what should keep them up at night, CEOs want to know from security and risk leaders how they can apply capital to appropriate risk mitigation. Learn how to apply the process in this session.
2:35 pm - 3:05 pm | Cybersecurity Track | Using Social Media and Other Tools for Gathering Security Intelligence | Richard Jankowski, Information Security Officer, Memorial Sloan-Kettering Cancer Center | The pervasiveness of social media and its continuously informing nature are creating opportunities to mine it for threat intelligence. Join us for this session and learn how this creates a new opportunity for securing industry and government.
2:35 pm - 3:05 pm | Data Governance and Risk Track | Are You Ready for Big Data Governance? | Mark Clancy, Managing Director, Technology Risk Management, Depository Trust & Clearing Corporation (DTCC); Barmak Meftah, President & CEO, AlienVault; Bob Bragdon, Publisher, CSO magazine | As your company organizes more and larger data sets, do you know if the controls you have in place will scale? Are you able to conduct real-time data analysis with growing volumes of data? And what about data discovery, and establishing where all of the organization’s data resides? Join us for this session to help determine just how ready you are for big data governance.
3:10 pm - 4:15 pm | Cybersecurity Track | Data Governance and Risk Track
3:10 pm - 3:40 pm | Cybersecurity Track | Cybersecurity: Finding Synergy Between Industry and Government | Curtis K. Levinson, CISSP-CAP, MBCP, CCSK, Advisory Subject Matter Expert on Cyber Defense, NATO; Bob Bragdon, Publisher, CSO magazine | When CSOs and CISOs in government compare notes with their counterparts in corporate settings like banks, consumer-facing companies and cloud companies, among others, much can be learned and shared in countering cyber threats. How do we maintain awareness of emerging technologies? What processes do we use to evaluate the efficacy of vendors’ claims? What products will become tomorrow’s standards, and how long will they last? How do we determine when to adopt major new technology platforms or when to sit it out? What are the major cycles that drive security models and their adoption, i.e., budgetary, legal requirements, catastrophic events, etc., that produce sudden and often substantial investments? Join us as top government security experts share what they know about leveraging the best practices from industry and government.
3:10 pm - 3:40 pm | Data Governance and Risk Track | Managing Identity Through Enormous Change | Robert Mazzocchi, VP, Global Information Security, AIG | Few companies have been through the massive change experienced by AIG in recent years. So just what is it like to manage identities through a period of such enormous change and unpredictability? Join us for this session to learn how AIG did it, and the valuable lessons they learned along the way.
3:45 pm - 4:15 pm | Cybersecurity Track | The Future of the Cybersecurity Organization | Derek Benz, CSO, Honeywell – Specialty Materials | As we move further into the 21st century, we’ve seen one-time events become trends, slow growth drive consolidation, and CEOs -- who were once more insulated and less accessible -- call us directly on our mobile devices. We’re in a different world than the highly reactive days of the 1990s and early 2000s -- and we’re still evolving. But what will we become? What should we become? How should we operate? To whom should we report? What should we look like? Where will we be working? Join us for this session as we gaze into the crystal ball, tie together some global trends and their impact upon our industry, and lay out some probable scenarios about how we may look by the end of the decade.
3:45 pm - 4:15 pm | Data Governance and Risk Track | Using Big Data for Information Security | Ravi Devireddy, VP, Security Information Analytics, Visa | The concept of big data can enable enterprises to move away from rule-based monitoring to a security intelligence model that has many advantages. That said, this new and promising way of monitoring security is not for the faint of heart. In this session, understand the huge advantages and the important challenges when considering big data for information security.
4:15 pm | Conference Concludes