

Information Security, Privacy & Cybersecurity Tune-Up At #ISSAConf

September 09, 2016


CIOs, CISOs, & CTOs Don’t Go Alone, Take Your People to Dallas!

Twitter’s CISO, Michael Coates, will share a few “must-hear” words of wisdom for survival in the cyber world.

I’ll mount the stage speaking on the privacy attitude security leaders must adopt to thrive in the cyber world. There’s more to expect when you get there. It’s not all work – Shhh! There’ll be a “Party In The Sky”! Seriously, hope to bump into you!


Here are the details. Scroll down for more exciting topics you won’t want to miss.

Keynote Address: To the Cloud: Ready or Not! 11/2/2016, 8:15 am – 9:45 am, Landmark B/C Track: General Session Audience Level: All Audience Levels

As the global cyber threat environment continues to evolve, organizations need to begin thinking differently about information security and the protection of their infrastructure.  The evolution from perimeter-centric, hardware-based environments to virtualized data centers and the cloud is underway and many organizations are late to the game.

As CIOs and CISOs are driven to transition their CapEx investments to OpEx spending, the economic efficiencies of the cloud provide a rational path to those goals.  From a security perspective, however, security models that don’t sufficiently address workload and application-aware segmentation, lateral traffic visibility, and network-based threat detection of on-premises data center and public cloud-based environments leave a huge gap in the overall security posture. This talk will provide CIOs and CISOs struggling with decisions about migration to the cloud with some thoughts about how the cloud can be the catalyst that improves security while also reducing costs and technology footprint. Mark Weatherford: Senior Vice President and Chief Cybersecurity Strategist, vArmour.


ISSA Career Central: Secure Your Future Open 11/2/2016, 9:45 am – 4:00 pm, Landmark A


Sponsored Session: Self-Learning Defense – Identifying Early-Stage Threats with an Enterprise Immune System 11/2/2016, 10:30 am – 11:15 am, Cumberland A/B Track: Incident Response

Unsupervised Machine Learning: A New Approach to Cyber Defense From insiders to sophisticated external attackers, the reality of cyber security today is that the threat is already inside. Legacy approaches to cyber security, which rely on knowledge of past attacks, are simply not sufficient to combat new, evolving attacks, and no human cyber analyst can watch so much or react quickly enough. A fundamentally new approach to cyber defense is needed to detect and investigate these threats that are already inside the network – before they turn into a full-blown crisis. Self-learning systems represent a fundamental step-change in automated cyber defense, are relied upon by organizations around the world, and can cover up to millions of devices. Based on unsupervised machine learning and probabilistic mathematics, these new approaches to security can establish a highly accurate understanding of normal behavior by learning an organization’s ‘pattern of life’.  Molly Slocum: Cyber Security Account Executive, Darktrace.


Cyber Security and the Need for a Root of Trust 11/2/2016, 10:30 am – 11:15 am, Cumberland G/H Track: Application Security Audience Level: Mid Career

Cyber security strategies increasingly use cryptographic applications to ensure the protection of critical data and other sensitive resources. As organizations deploy more devices and sensors connected to enterprise networks and to the Internet, their identification, authentication, and the integrity of the code they run become critically important. Counterfeit devices and devices running malware can pose significant cyber security risks with potentially catastrophic consequences. Since cryptography is only as good as the level of protection afforded to the cryptographic keys, a robust root of trust using isolated hardware security modules (HSMs) is recommended to safeguard and manage underpinning application keys, including those used for device identity management and code signing. Juan Asenjo: Director of Cryptographic Integrations for Partner Solutions, Thales e-Security, Inc. @asenjoJuan


“Architecting” Your Cybersecurity Organization for Big Data, Mobile, Cloud, and Digital Innovation 11/2/2016, 10:30 am – 11:15 am, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Mid Career, Senior, Security Leader

The role of technology as an engine of enterprise, innovation, and competitiveness has caught many IT leaders unprepared: For years they’ve been slow to address persistent human capital problems such as tech skill deficits, hiring/retention issues, pay inequalities, and murky career paths. This is hitting cyber/info security organizations particularly hard as cybersecurity threats continue to stun the industry regularly and as Big Data, Cloud, Mobile, and Digital Innovation popularity explodes. Bottom line is the pressure to fix longstanding “people problems” associated with securing the enterprise has never been greater. Coming to the rescue: applying traditional architecture practices to cyber/info security human capital and workforce management. Known as “People Architecture,” it is proving to be the most effective solution for executing mission-critical IT-business initiatives such as cyber/info security effectively and predictably. In this session industry analyst David Foote will define the pillars of people architecture for security, describe people architecture components, and reveal who’s doing it and how they’re doing it. David Foote: Chief Analyst and Chief Research Officer, Foote Partners, LLC.


Cyber Fraud Hunt Operations—Case Study Analysis 11/2/2016, 10:30 am – 11:15 am, Cumberland K Track: Incident Response Audience Level: Security Leader

The audience will be exposed to host-based and network incident response/digital forensics tactics utilized during several cases outlined during the presentation.  The presentation will discuss the process of collecting & analyzing several disparate evidentiary elements within a Fusion Cell methodology that the audience can utilize at their own corporation.  Leveraging these critical lessons learned from real-world case studies can be the key element that helps build a more successful defensive strategy. Jarrett W. Kolthoff: President & CEO, SpearTip LLC. @SpearTipCyberCI


Champagne Protection on a Beer Budget 11/2/2016, 10:30 am – 11:15 am, Cumberland L Track: Infrastructure Audience Level: Security Leader

Are you getting the most out of your information security dollar? Find out how to protect an enterprise while dealing with budget constraints with a little out of the box thinking, charm, and FUD. If all else fails this talk finishes with best practices for career development and temper tantrum throwing in today’s business environment. Justin Bumpus: Information Security Manager, Ozburn-Hessey Logistics. @justinbumpIS


Business Email Compromise – Your Company’s Greatest Uninsured Financial Risk 11/2/2016, 10:30 am – 11:15 am, Cumberland E/F Track: Laws and Regulations Audience Level: Senior

Every day business finance or HR professionals are duped into sending money or spreadsheets containing SSNs and other PII to cyber thieves. Fraudsters bypass all the security devices, firewalls, perimeter defenses, and even APT defenses and merely ask the people with the keys to the kingdom to hand over the goods . . . and they do so. Employees miss the fact the email is not from the CEO or CFO and the display name says the right name, but the email address does not! This presentation will focus on the social hack of BEC (Business Email Compromise/CEO Fraud) Fraud focusing on several areas: (1) how this attack happens, (2) controls to implement to reduce the effectiveness of these attacks, (3) how to train your employees, and (4) the legal aspects of whether or not you are protected and can get your money back. We will spend time discussing the case law on BEC cases, the role that insurance does or does not play, tactics to mitigate this harm, controls you can request from your bank, and how to shift some of this burden to others. BEC Fraud is on the rise and you will not want to miss this security and legal talk! Dr. Christopher Pierson: CSO and General Counsel, Viewpost. @DrChrisPierson James T. Shreve: Attorney, BuckleySandler, LLP.


Featured Speaker: App Sec: Start, Scale, Sustain 11/2/2016, 11:45 am – 12:30 pm, Landmark B/C Track: Application Security Audience Level: All Audience Levels

New research into application security practices at over 75 companies will be discussed, covering software security strategies and tactics as they are practiced “in the wild.” Statistics will be balanced with case studies from the field to illustrate foundational principles of starting, scaling, and sustaining programs, as well as “what not to do” gotchas that can kill an initiative in its tracks. Joel Scambray: Principal, Cigital. @joelscam


Game of Hacks – Play, Hack, and Track 11/2/2016, 11:45 am – 12:30 pm, Cumberland G/H Track: Application Security Audience Level: All Audience Levels

We created “Game of Hacks”—a viral web app marketed as a tool to train developers on secure coding—with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne. Within 24 hours we had 35K players test their hacking skills…we weren’t surprised when users started breaking the rules. Join us to:

• Play GoH against the audience in real time and get your claim to fame.
• Understand how vulnerabilities were planted within Game of Hacks.
• See real attack techniques (some caught us off guard) and how we handled them.
• Learn how to avoid vulnerabilities in your code and how to go about designing a secure application.
• Hear what to watch out for on the ultra-popular node.js framework.

Itai Heller: Senior Sales Engineer, Checkmarx.


Privacy Attitude of Security Leaders Who Survive the Cyber World 11/2/2016, 11:45 am – 12:30 pm, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Security Leader

Since there is no industry certification for a positive well-informed survival attitude, nobody demands, requires, or regulates it. But attitude has an effect on how well you are able to put a successful privacy program in place and survive the cyber world. Is your attitude fit?  The right attitude with sound strategies will propel you through today’s less structured and non-traditional data protection measures.  Having the wrong attitude can get you much closer to experiencing a devastating data breach today than you were before. Consumer data is the new critical asset that you must preserve with all you’ve got or can get. You need privacy in your cybersecurity strategies. And it takes the right attitude and diligence to do it successfully. Security and privacy require distinct tools and attitudes to accomplish a corporate mandate of data protection. Studies show the average cost of data breach on a global scale is $3.6 million. Consider your stakes, such as $500+ in incident expenses per record exposed, negative news media attention, public mistrust, loss of customers, liabilities, hours in court, and more. A data breach is inevitable. But how fast can your attitude help you fight back and bounce back with little financial damage? And save face? Master the attitude that will make the difference between a successful privacy implementation and a helpless scramble to survive a major attack.  THE PRIVACY ADVOCATE, @grace4privacy


Improving Incident Response Plan with Advanced Exercises 11/2/2016, 11:45 am – 12:30 pm, Cumberland K Track: Incident Response Audience Level: Mid Career

How mature is your cyber security exercise program? Are you evolving or checking the box?  Cyber security exercises present a plausible, relevant, and high impact scenario and offer opportunities to drill processes, evaluate personnel effectiveness, and observe gaps in people, processes, and technology in response to that scenario.  This session discusses how cyber exercises can be matured into integrated, multi-year strategic programs, leveraging different types of cyber security exercises, as evolved from the HSEEP (Homeland Security Exercise and Evaluation Program) framework.  Advanced concepts, addressing evolving threats and topics of scenario design, planning, execution, and the differences that make cyber security exercises relevant will be highlighted.  Leveraging the latest techniques based on proven frameworks, a strategic cyber security exercise program can provide realistic opportunities to train the way we need to defend and allow people, processes, and technology to train together and be evaluated jointly rather than individually.  Participants will discuss how to create an organic exercise program capability through capacity building, with emphasis on exercise capability as a central component of a broader cyber security preparedness program. Several case studies from both government and the commercial sector highlighting the benefits and key observations from cyber exercises are provided, adding a tangible outcome dimension to the session. Stephanie Ewing-Ottmers: Cyber Exercise Consultant, Delta Risk LLC.  Chris Evans: Vice President for Advanced Cyber Defense, Delta Risk LLC.


Forging Your Identity: Credibility Beyond Words 11/2/2016, 11:45 am – 12:30 pm, Cumberland L Track: Securing the End User Audience Level: Entry Level, Mid Career, Senior

Pretending to be an employee is one thing, but owning layers of identities is what has led to owning the data centers, PBX rooms, Security Control Centers and more. If a discerning employee is not buying into your backstory, your credibility can sometimes make or break an assessment. In this presentation, we will discuss how to help add that credibility through document and badge forgery, setting up and forwarding local phone numbers, fake employee web search results and other tactics. You will listen to real world scenarios that led to an armed security guard handing over the building keys, facilities opening two-factor authentication restricted areas and more! Tim Roberts: Security Consultant, Solutionary, Inc. @ZanshinH4X Brent White: Security Consultant, Solutionary, Inc. @brentwdesign


Featured Speaker: Protect to Enable 11/2/2016, 1:45 pm – 2:30 pm, Landmark B/C Track: Business Skills for the Information Security Professional Audience Level: All Audience Levels

Why does the information security team exist? How should we frame the context for computing to connect and enrich lives while also ensuring the obligations to do it right are appropriately addressed? Malcolm Harkins: Chief Security and Trust Officer, Cylance. @ProtectToEnable


Sponsored Session: The Eight Imperatives for Agile and Scalable Cloud Security 11/2/2016, 1:45 pm – 2:30 pm, Cumberland A/B Track: Application Security Audience Level: Mid Career, Senior Level, Security Leader

The momentum of cloud computing is continuing to build, but security of workloads in the cloud continues to be a key concern. There are many myths as well as real challenges. This presentation will explore the reasons why traditional security tools do not work well in cloud environments. Then we will discuss eight key imperatives for securing cloud-based infrastructure and application delivery, based on real-world results at large enterprise environments. Sami Laine: Principal Technologist, CloudPassage


The CISO’s Guide to Incident Response 11/2/2016, 1:45 pm – 2:30 pm, Cumberland K Track: Incident Response Audience Level: Mid Career

Security and IT practitioners often find themselves in an uphill battle to convince the C-Suite executives of the importance of a formal incident response (IR) program. One of the most common rebuttals from the business is the age old “It hasn’t happened to us” or “Nobody cares about attacking our organization.” This is simply not the case. We, as a security industry, finally have ample data from which to draw—without having to resort to fear, uncertainty, and doubt (FUD)—to justify the investment in tools, processes, and training to protect our respective organizations. This session aims to teach in-the-trenches practitioners how to communicate the need for a formal IR program in a way that resonates with your senior leadership team. Learn tips and tools for justifying the expense of training, personnel, and equipment in the face of common business objections. Andrew Hay: CISO, DataGravity. @andrewsmhay


Cyber Law Update 11/2/2016, 1:45 pm – 2:30 pm, Cumberland E/F Track: Laws and Regulations Audience Level: Mid Career

Data breach, cybersecurity and Internet of Things, including drone legislation and litigation will be the focus of this session. Topics will include pending federal legislative proposals, implementation of the CISA, the recent (at the time of proposal pending) SCOTUS decision in Spokeo, Inc v Robins and pending legislative proposals regarding drones. Monique Ferraro: Counsel, Cyber Practice, Munich Re US.


A Practitioner’s Guide to a Secure Agile Transition 11/2/2016, 1:45pm – 2:30pm, Cumberland G/H Track: Application Security Audience Level: Mid Career, Senior, Security Leader

Agile SDLC methodologies have a bad reputation when it comes to security because the fast pace of development cycles often leaves little room for extensive security validation and frequent changes in requirements make it harder to foresee potential security issues. Although the dynamic nature of agile is indeed a challenge, agility does not necessarily mean insecure software. This session will overview the lessons we, as a mid-size network appliance and software vendor, learned during our transition from a traditional top-down SDLC methodology to a fast-paced agile/scrum environment. There are many challenges in transitioning to an agile methodology even when security is not a major concern. From the viewpoint of a security practitioner, the challenges are bigger as it is not always easy to convince product owners that security is not an impediment but a vital part of the business. Short development cycles combined with frequent changes in requirements make the software even harder to secure against threats. There is no silver bullet, but with a lot of experimentation and research we were able to create a process where security is an integral part of our entire agile SDLC process with great results. This presentation will go over practical aspects of what we have tried to ensure that our agile process is secure; what worked well and what did not. We will present a list of actionable items, both managerial and technical, along with exactly how we implemented them, so that they can be used as guidelines. Cuneyt Karul: Chief Security Architect, BlueCat Networks.


The Architecture of a Secure IoT Gateway: A Technical Deep Dive 11/2/2016, 1:45pm – 2:30pm, Cumberland L Track: Infrastructure Audience Level: Senior

The pervasive spread of Internet connected devices into Operational Technology Ecosystems has spurred the growth of purpose built IoT Gateways that aggregate data from disparate IoT devices in an attempt to secure this data for transport via the Internet. Manufacturers are now forced to not only work in the confines of their specific technology but to also become experts in Cyber Security to ensure their devices meet the security needs of their clients. These teams must quickly become familiar with Cyber Security technologies found in traditional network appliances such as Deep Packet Inspection (DPI), SSL Decryption, Threat Intelligence and others, and then best determine how to implement these technologies in their gateways. The purpose of this presentation will be to walk through, in detail, the varying technologies available to device and appliance manufacturers and explain how these technologies interrelate to one another. The session will begin with an overview of a basic IoT Gateway and the components required to build such an appliance. It will then lead into a description of how SSL Decryption works, why it is relevant for traffic monitoring and considerations for the analysis of traffic encrypted using proprietary techniques. This will lead into a deeper discussion around the need for Deep Packet Inspection, how to effectively implement and build open source packet inspection tools for prototyping and considerations needed for moving from a prototype phase to production. The discussion around IoT Gateway functionality, packet inspection and decryption techniques will set the stage for implementing security technologies on the Gateway itself. David Dufour: Head of Security Architecture, IoT, Webroot, Inc. @davidmdufour


Featured Speaker: Posture Makes Perfect – Cyber Residual Risk Scoring 11/2/2016, 2:45 pm – 3:30 pm, Landmark B/C Track: Incident Response Audience Level: Mid Career

Survival in today’s Cyber World requires an answer to the question: “Why, with all the compliance mandates, certifications, tools, and training, are hackers so successful?” The answer, “Our Cyber-Risk posture is too fluid to define, measure, and adapt; thus we are never as protected as we think we are” is a cop out. We should be able to describe our Cyber-Risk posture today, even if it will be totally different tomorrow. In other words, Cyber-Risk processes must adapt as we move forward. This session provides a strategy for re-evaluation and assessment using adaptive Cyber-Risk analysis and Cyber Residual Risk scoring. Michael F. Angelo: Chief Security Architect, Micro Focus | NetIQ Corporation. @mfa0007


Sponsored Session: Protecting Sensitive Data in the Cloud 11/2/2016, 2:45 pm – 3:30 pm, Cumberland A/B Track: Application Security Audience Level: Pre-Professional, Entry Level, Mid-Career, Senior Level, Security Leader/Executive

As mentioned in the keynote, you’re moving to the cloud, ready or not. Both business unit agility requirements and shadow IT are driving your organization to public and private cloud service providers for business-critical workloads. Meanwhile, nearly every business function in your organization leverages a software as a service solution, be it, Marketo, or Workday, among many others. You have an imperative to ensure your sensitive data remains protected and secure across cloud providers. How do you get the most out of your cloud environments while maintaining control and protection of your sensitive data? In this breakout session, learn

• What your peers are thinking about regarding cloud security, and what they are doing about it.
• Questions to ask your cloud service provider regarding data security.
• What IaaS and SaaS providers are doing, and should be doing, about securing your data.

Eric Wolff: Senior Product Marketing Manager, Vormetric – A Thales company.


ISSA Healthcare SIG Sponsored Session: Ransomware & Health Information Exchanges – Is your data safe? 11/2/2016, 2:45 pm – 3:30 pm, Cumberland E/F Track: Securing the End User Audience Level: All Audience Levels

The moderated panel will inform participants about the latest in ransomware attacks and how healthcare organizations who use health information exchanges (HIE) may be vulnerable to attack by other HIE participating organizations not implementing needed security controls. The panel will also focus on steps HIE participating organizations can take to prevent ransomware attacks and how to respond in the event of a ransomware attack. The panel will discuss:

• The current risks associated with ransomware
• The risks to healthcare organizations who participate in a HIE
• Steps participants can take in their own organizations to protect against a ransomware infection
• Steps participants can take to mitigate risk in the event of a ransomware attack
• Current views on whether or not to pay the ransom

Chris Apgar: CISSP, CEO and President, Apgar & Associates. @apgarandassoc Panelists: Kyle Miller: CISSP, Senior Consultant, CSG Government Solutions. @CSGGovSolutions. Marty Edwards: MS, CHC, CHPC, HCLS Compliance Officer, Dell Services Healthcare and Life Sciences. Stephen Fitton: Information Security Officer, Clinicient.


CISO Success Strategies: On Becoming a Security Business Leader 11/2/2016, 2:45 pm – 3:30 pm, Cumberland L Track: Business Skills for the Information Security Professional Audience Level: Entry Level, Mid Career, Senior

Learn three things that CISOs and security professionals can do to go beyond technical skills and make information security relevant and understandable to key stakeholders across your organization. The increased importance and visibility of cyber security as a vital component of business growth make it critical that security leaders understand how to connect with senior executives and business leaders. This session is a unique opportunity to hear from Frank Kim, seasoned security leader and CISO, as he explains three things that will make you a more effective security business leader. Frank Kim: CISO, SANS Institute.


Propel Your Career with Personal Strategic Planning 11/2/2016, 2:45 pm – 3:30 pm, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Security Leader

Your success as a cybersecurity, audit, and risk professional depends on your ability to communicate effectively and influence people who may not report to you. You also have to stay up to speed with the latest regulations, threats, and technology. The challenge to inspire busy colleagues to cooperate and participate in the process to secure the organization is difficult. In fact, you are often accused of slowing down business workflows or holding up critical projects. The challenge is compounded with the outdated stereotypes and preconceptions that come with your technical title. Solution: When you invest in yourself and utilize a practical, personal strategic planning framework, you can develop your leadership, influence, and communication skills to find more success in your current position and future career. Christa Pusateri: Team Lead, CISO Coalition. @cmpusateri Bobby Dominguez: Chief Security & Strategy, CISSP, PMP, CPP, CRISC, GSLC, ITIL, C|CISO, Lynx Technology Partners. @Moonraker069


Digital Investigations: Leveraging the Multitude of Records 11/2/2016, 2:45 pm – 3:30 pm, Cumberland K Track: Laws and Regulations Audience Level: Mid Career

Owing to advancing technologies like cloud, smartphones and the Internet of Things, the quantity of records relevant to any official investigation is expanding beyond imagination. There are SO MANY records in SO MANY places . . . email, text, photos, metadata, backups, social media, travel histories, deleted stuff . . . that traditional assumptions on how to advance an investigation or resolve a dispute have become obsolete. Today smart investigation teams are able to leverage the massive volume of records in new and surprising ways. The team does not necessarily need access to records in order to take advantage of their existence. This presentation teaches tips and strategies and tells war stories that simply were not applicable 10 years ago. These lessons help investigators and their employers reach more favorable outcomes in HR disputes, potential lawsuits, forensic audits, regulatory inquiries, criminal proceedings and corporate espionage cases. Benjamin Wright: Attorney and Senior Instructor, SANS Institute. @benjaminwright


The Man Behind the Curtain: Revealing the Truth of Overhyped Security Solutions 11/2/2016, 2:45 pm – 3:30 pm, Cumberland G/H Track: Securing the End User Audience Level: Senior

With all of the hype around the potential of artificial intelligence (AI), machine learning (ML) and deep learning, it’s not surprising that security companies have gotten their feet wet, declaring each new hype the fuel to their “next-gen” solution. It certainly sounds useful to leverage new math and machines to detect new threats, but what does all of this really mean? AI and ML unfortunately leave us with two challenges: vast amounts of data of unknown value that we don’t know when to discard, and nagging worries that the security team might have missed a needle in the haystack. Deep learning, on the other hand, is just a new term for an old technique, already proven unsuccessful. In this session, Bromium CTO and co-founder Simon Crosby will debunk the myth of “next-gen,” deep learning, and the AI/ML security solutions and discuss the benefits of investing in security experts, as well as tools which offer security by design, instead of banking on unproven and uncontextualized techniques. Simon Crosby: Co-founder and CTO, Bromium. @simoncrosby


Featured Speaker: Automotive Security: Challenges and Perspectives 11/2/2016, 4:00 pm – 4:45 pm, Landmark B/C Track: Application Security Audience Level: Pre-Professional, Entry Level, Mid Career, Senior

In recent years, there has been a sharp increase in the discussion of Automotive Security. Vehicle systems, which were once static and air-gapped, are now becoming connected devices. At the same time, automotive systems are becoming more automated, with computers in control of many aspects of vehicle operations. In this talk, we will discuss the current state of automotive security, and look at some of the recent attacks that have been performed. We will then talk about the systems in vehicles and why they are vulnerable, and the challenges of securing these systems. An overview of how you can get your feet wet with car hacking will be presented, and finally we will provide some insights into how the industry is moving forward, and how they can improve. Eric Evenchick: Director, Linklayer Labs. @ericevenchick


Sponsored Panel: How Effective are Incident Response Plans? 11/2/2016, 4:00 pm – 4:45 pm, Cumberland A/B Track: Incident Response Audience Level: Pre-Professional, Entry Level, Mid Career, Senior

Every day we see a new story about a sophisticated new attack or big breach. The attackers are no longer just stealing data, they are holding it for ransom. In 2015 an Experian study said 81% of organizations had an incident response plan, which was an 8% increase from 2014. All these breaches point to an inevitable fact: we all need an effective Incident Response Plan. It has been said that the ultimate measure of a security team’s capabilities is their ability to respond to a breach. As such, let’s explore what makes up an effective IRP, and how we can optimize them to go beyond reaction, to truly build a sustainable defense against attack. Moderator: Jim Robison: Director of Sales and Marketing, Anitian. Panelists: Andy Thompson: Strategic Advisor, Southwest Region, CyberArk. @r41nm4kr Bil Harmer: CISSP, CISM, CIPP – Strategist, Office of the CISO, Zscaler. @wilharm3


Prevent Ransomware with the Right Architecture 11/2/2016, 4:00 pm – 4:45 pm, Cumberland K Track: Application Security Audience Level: Senior

Thanks to advances in attack distribution, anonymous payments, and the ability to reliably encrypt and decrypt data, ransomware is on a tear. To protect your organization from having to pay attackers to free your data, you need to evolve beyond a layered security approach to a prevention-oriented architecture—or face threats of Jurassic proportions. Key takeaways include:

• Common ransomware attack vectors and how they get into the network, endpoint, or through SaaS applications
• How to disrupt the attack lifecycle by reducing the attack surface, preventing known threats, and blocking unknown threats
• Architectural requirements for providing the visibility, intelligence and enforcement to prevent sophisticated threats, like ransomware

Scott Simkin: Sr. Manager, Threat Intelligence, Palo Alto Networks. @scottsimkin

Modernize Your Security for Critical Applications 11/2/2016, 4:00 pm – 4:45 pm, Cumberland G/H Track: Application Security Audience Level: Senior

A handful of critical applications power the IT infrastructure and control access to everything — applications, data, computers, storage, and the network. That’s why 70-90% of breaches involve compromising these applications, all too easy to do with current tools and techniques. To regain control of your environment, you need a modern approach that keeps malware out, valid administrators and trusted systems in, provides microsegmentation per application, doesn’t require instant patching of new vulnerabilities, and provides a reliable forensic trail. The good news is this is achievable — proven recommendations, tools and assistance exist so you can close the gap. This session will arm you with: Why the bad guys win so easily; Recommended guidelines to secure critical applications and why they work; A method to assess your current approach to application security; 5 key steps to follow for a secure environment  Russell Rice: Senior Director of Product Management, Skyport Systems.  Pete Fox: VP Cybersecurity, Ascent Solutions.


Building a Mature Cyber Intelligence Program 11/2/2016, 4:00 pm – 4:45 pm, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Senior

Many organizations claim to be creating intelligence for their corporate stakeholders. Most believe technology solutions provide the same. Tools, techniques, and protocols/procedures of adversaries are nothing more than data and information unless properly collected, produced, organized, analyzed and disseminated. This discussion covers how to establish the proper strategy using proven intelligence tradecraft methods. We will cover areas of vision, mission, goals and initiative. The discussion guides the attendees through the process of developing methods of collection, outlines areas for producing intelligence using structured analytic techniques while extracting the required issues from leadership for focused delivery. Jeff Bardin: Chief Intelligence Officer, Treadstone 71. @treadstone71llc


Integrating Business Case Skills into GRC Regulatory Compliance Initiatives 11/2/2016, 4:00 pm – 4:45 pm, Cumberland L Track: Laws and Regulations Audience Level: Mid Career, Senior

This session uses examples of Laws and Regulations as they relate to business planning and business case decision-making to demonstrate the importance of a holistic GRC program and a strong enterprise approach to the use of GRC tools to survive in the face of Cyber challenges. Ken Lobenstein: Cyber Risk Specialist, Deloitte. Neethu Thomas: Senior Consultant, Deloitte.

Protecting Data Everywhere it is Used, Shared and Stored 11/2/2016, 4:00 pm – 4:45 pm, Cumberland E/F Track: Securing the End User Audience Level: Mid Career

Too many CEOs and IT leaders address data security in broad strokes, as if everything inside the company (every email, every document, every system) must be protected with the same level of tenacity. While that is a noble effort, the defend-everything-at-all-costs approach can be as costly as it is ineffective. That’s because how one defends networks, servers, desktop and mobile devices is not suited to defend email, files, shares and sensitive information stored on popular services like OneDrive and Dropbox. When it comes to data security, the uncomfortable truth is that security professionals will never prevent every breach. That’s why leaders need to take inventory and assess where their company is most vulnerable. In this presentation, Joe Sturonas, CTO of PKWARE, will bring attendees up to speed about how to develop a holistic data security strategy to protect information everywhere it is used, shared and stored. Joe will help attendees answer: Where is your data located? Who has access to it? What protects it? Joe Sturonas: Chief Technology Officer, PKWARE. @jsturonas


ISSA Career Central: Secure Your Future Open 11/3/2016, 8:00 am – 4:00 pm, Landmark A

Keynote Address: Building a Security Program that Succeeds – Scale, Efficacy and Executive Support 11/3/2016, 9:00 am – 10:00 am, Landmark B/C Track: General Session Audience Level: All Audience Levels

How does an organization build a security program that is effective, elevates security to business level decisions but also doesn’t slow down productivity? It seems there is a never-ending list of adversaries including organized crime, hacktivists, adversarial governments, rampant malware and more. An insecure business won’t succeed; a business crippled by security overhead won’t succeed either. We’ll discuss strategies for building security programs, mitigating top risks and building an internal structure that elevates security visibility and decision-making across the business. Michael Coates: CISO, Twitter. @_mwc


Sponsored Session: Best Practices from the World’s Top Security Awareness Programs 11/3/2016, 10:15 am – 11:00 am, Cumberland A/B Track: Securing the End User Audience Level: All Audience Levels

The world’s most risk-aware companies know that enlisting their employees in the fight against cyberthreats takes a continuous program of training, reinforcement, communication, and analysis.  Steve and Tom have worked with hundreds of companies to create award-winning programs, and they’ll share the best practices from these companies—and ask you to brainstorm new ideas to improve your program. Steven Conrad: Managing Director, MediaPro. Tom Pendergast: Chief Strategist, MediaPro. @tommediapro.


Cyber Security Professional Career Study Findings 11/3/2016, 10:15 am – 11:00 am, Cumberland E/F Track: Business Skills for the Information Security Professional Audience Level: All Audience Levels

This session will provide an open collaborative discussion about the inaugural ESG/ISSA research detailing cyber security professional development, training, career management, and opinions. Jon Oltsik: Senior Principal Analyst, ESG. @JOltsik. Candy Alexander: Chair, Cyber Security Career Lifecycle, ISSA. @NH_Candy.

Artificial Intelligence: The Foundation for a Secure Cyber Future 11/3/2016, 10:15 am – 11:00 am, Cumberland G/H Track: Application Security Audience Level: Security Leader

Artificial Intelligence can identify emerging attacks the same way a human would by using a suite of machine-learning algorithms. These algorithms look at log data, such as firewall, proxy, or web logs, and aggregate threat intelligence from the web, view the DNA of downloaded files, and analyze user behaviors to find compromise within a system. This session will cover how to combine this intelligence with a massive, machine-generated, curated database of security events to provide context, experience, and constant learning in your security ecosystem. Keith Moore: Senior Product Manager, SparkCognition.


Advances in Security Risk Assessment 11/3/2016, 10:15 am – 11:00 am, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Mid Career

Security risk assessments are required under most information security regulations (e.g., HIPAA, PCI, FISMA), yet few information security professionals are comfortable performing them. Mr. Landoll will guide attendees through tried and true methods for performing risk assessments and recent advances in the industry, based on decades of experience and lessons learned as documented in the best selling risk assessment book “The Security Risk Assessment Handbook.” Doug Landoll: CEO, Lantego LLC. @douglandoll

The Visible Attack Surface – What It Is and Why It Matters 11/3/2016, 10:15 am – 11:00 am, Cumberland K Track: Incident Response Audience Level: Security Leader

What are Indicators of Exposure and why pairing them with Indicators of Compromise makes for a more holistic and effective security strategy. For 20 years, security leaders have struggled to gain a satisfactory level of visibility over their attack surface, all the ways in which their IT systems are vulnerable to threats, including potential attack vectors. Conventional security approaches—such as vulnerability scanners, endpoint protection products, patch management solutions and network security configuration analysis—often fall short because they only give fleeting glimpses into an enterprise’s current state of security. When operational teams have partial, sporadic, and inconsistent information, they cannot analyze data in context, limiting their ability to make timely and effective decisions. To build a mature, proactive security management program, security leaders need a more holistic and continuous view of the attack surface with a consistent taxonomy of its various weaknesses and vulnerabilities. This includes Indicators of Exposure (IOEs), such as exploitable attack vectors, hot spots of vulnerabilities, network security misconfigurations, and noncompliant firewalls. While Indicators of Compromise (IOCs) provide incident response teams with important traces of an incident, Indicators of Exposure (IOEs) give insight into potential exploitable attack vectors before the incident happens. Indicators of Exposure are also useful in the event of an ongoing attack, as they reveal potential hot spots so security teams can prioritize operational activities for quick and effective containment. By combining IOEs and IOCs, security leaders gain greater visibility over the attack surface, which gives them the insight they need to develop a more effective strategy for shrinking it and detecting and containing security breaches. Gidi Cohen: CEO, Skybox Security. @gidicohen


Balancing Mobile Security with Privacy: A Prescription for Closing the Trust Gap 11/3/2016, 10:15 am – 11:00 am, Cumberland L Track: Securing the End User Audience Level: Security Leader

In a 2015 survey of 3,500 employees conducted by Harris Poll, MobileIron found that a whopping 30% would leave their jobs if their employer could see personal information on their mobile devices. And while most CIOs really do not want access to employees’ personal content, those surveyed still worry about the privacy of personal emails, texts or photos, browsing history, etc. on smartphones and tablets they use for both business and personal tasks. Part of the problem is a lack of clearly defined policies. Another part is that employees are confused about what employers can and cannot see, the actions employers can take on their mobile devices, and the reasons employers may have for viewing or taking action on the information they can access. The speaker will discuss establishing privacy-centric mobile device policies for preventing the loss or compromise of corporate information, best practices for communicating with employees, and leveraging new, mobile OS level controls. Every device today is a mixed-use device, which means IT must remember to protect employee privacy as fiercely as it protects corporate data. James Plouffe: Lead Security Architect, MobileIron.

Sponsored Panel: Culture Changes, Communicating Cyber Risk in Business Terms 11/3/2016, 11:30 am – 12:15 pm, Cumberland A/B Track: Business Skills for the Information Security Professional Audience Level: Mid Career, Senior, Security Leader

Cyber Security is gaining the required attention of business executives worldwide. One of the ongoing challenges is communicating what cyber security initiatives take precedence over other business unit priorities. From a business perspective, cyber security projects should align with the overall business strategy and allow the business to run more efficiently while reducing risk to the organization overall. Cyber security and risk management should be part of the business culture. The CIO and CISO should have a strong relationship with other business units to identify key processes, personnel and IT resource requirements so risk can be properly assessed and cyber related solutions can be planned, funded and implemented. It is vital that the CIO & CISO be able to communicate justification in business terms, how they address risk and bring value to the organization. This panel will discuss the requirement for CIOs, CISOs and IT leaders to have the ability to confidently justify and articulate risk related to IT and cyber security projects in a language that is understood by everyone. We will also discuss strategies on how to ensure executives back these initiatives as part of the organizational culture as well. Moderator: Dr. Shawn Murray: Principal Scientist, United States Missile Defense Agency. Panelists:   Mark Sanders: Senior Sales Engineer, Venafi.    Sam Elliott: Culture Changes, Communicating Cyber Risk in Business Terms, Bomgar. @samelliott


Scraping Together a Security Program 11/3/2016, 11:30 am – 12:15 pm, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Mid Career, Senior

Building a Security Program looks pretty easy on a one page graphic, but is a little more challenging to implement in reality. Join us as we describe building a security program from the ground up—going from a seemingly random set of individual activities to an integrated approach. The presentation is based on our experience doing this at a local higher education institution. Rob will describe how we pulled together governance, frameworks, policy, and requirements. David will describe how he was able to implement operational security activities designed to meet the requirements (and how to manage the unreasonable requirements). Politics, managing across organizational boundaries, influencing people who were uninterested and under-engaged, and of course balancing people, process, and technology in a resource-limited environment all played a part in the effort. More important than our story, we put together a structured approach you can use in your organization to start with whatever you have and build towards a functioning security program. While every environment is unique, we believe anyone faced with starting a security program from scratch can use our approach to accelerate their progress towards a functioning security program. Robert Rudloff: Partner, Cyber Security Advisory Services, RubinBrown LLP. @hfhrudloff David Hendrickson: Senior Cyber Security Specialist, RubinBrown LLP.

Digital Forensics – First Responders & Incident Management 11/3/2016, 11:30 am – 12:15 pm, Cumberland K Track: Incident Response Audience Level: Senior

The Digital Forensics market is anticipated to grow by 125% before the year 2020—and this, associated with the mass of successful digital and cyber-attacks becoming more frequent, drives the need to evolve skills and associated capabilities into both public and private organisations with a coordinated lifecycle which will support them to operationally: Engage > Contain > Respond > Acquire > Mitigate > Report. Based on 5 years of delivering Digital Forensics, First Responder Capabilities, and CSIRT Frameworks, and Expert Witness engagements in the UK High Courts supporting International cases, this session will present pragmatic solutions which may be exploited to engage any internal miscreant user, or external cyberattack, and seek to expand on the future role of digital investigations across private laboratories, government agencies, commercials, and international police forces. The session will focus on how the organisation can build in their own internal robust capabilities, and will introduce the importance of processes, security artifacts [both physically and logically], intentional legislations, ranging from the implications of the Patriot Act, State Bills such as 1386, through the UK and EU Data Protection Acts, and the ITA 2000 [Indian technology Act 2000], and the associated implications when engaging as a First Responder. We will also examine the complexities of dealing with Child Abuse Images, the COPINE and SAP scale, and qualify how such incidents should be legally dealt with. We will also investigate the value of virtualised follow-the-sun CSIRT Incident Management Teams, and the value of coordinated capabilities driven by Run-Books to support the operational, in-flight incident engagement lifecycle. Prof John Walker: Visiting Professor School of Science and Technology NTU; Assessor Society for Forensic Sciences, HEXFORENSICS LTD. @hexforensics


Transform from Surviving to Thriving by Preparing for the Next Wave of Cyber-Attacks and Information Borne Threats 11/3/2016, 11:30 am – 12:15 pm, Cumberland L Track: Infrastructure Audience Level: Security Leader

Cybersecurity leaders that play a vital role in protecting their organization’s critical resources and enabling new business outcomes in this accelerating cyber world need to rethink how they can pro-actively defend against the next wave of cyber-attacks and information borne threats, two of today’s most pressing and employee centered security challenges. Dr. Bunker will analyze the latest attack techniques and information risks while discussing how new adaptive detection technology and non-disruptive protection methods influence employee collaboration and take the organization’s security culture from surviving to thriving. Dr. Guy Bunker: SVP, Products, Clearswift. @guybunker


Secure User Application Access in a Hurry 11/3/2016, 11:30 am – 12:15 pm, Cumberland G/H Track: Securing the End User Audience Level: Mid Career, Senior, Security Leader

Too often there are information technology applications stood up to support first responders only to require those first responders to create and remember yet another username and password to use the application. The problem continues as more applications are activated. Furthermore, each application has to keep track of these users and provision users with the right permissions within the application. Leveraging grant funds, and on behalf of the National Capital Region, Fairfax County sponsored and manages a service called the Identity and Access Management Service (IAMS) which has successfully overcome these challenges. IAMS is a self-contained authentication service which enables personnel to use his/her locality credential to access regional applications when properly authorized. It does this by communicating, via the NCRNet, with properly authorized end user directories within each participating locality. IAMS merely works to query those directories to validate the user for the purposes of accessing the application. IAMS can also perform certain provisioning and workflow functions to easily and properly authorize access for the end user (including those who do not possess a locality identity) to applications and application entitlements. Scott Scheurich: Program Manager, Ashburn Consulting, LLC.  Marc Boorshtein: CTO, Tremolo Security, Inc.  Michael Dent: Chief Information Security Officer, Fairfax County, VA.

Featured Speaker: Weaponizing Your Words For Talent Retention 11/3/2016, 2:30 pm – 3:15 pm, Landmark B/C Track: Business Skills for the Information Security Professional Audience Level: All Audience Levels

Our words are powerful. With CISO attrition at an all-time high and practitioners leaving technical careers more than any other field, it’s clear our industry is experiencing breakdown. People are leaving information security, especially women. Talent retention is more than competitive salaries; it’s about having an empowered vocabulary and eliminating limiting words. Positive communication weaponizes our words, creating measurable agreements and clear responsibilities. Communication skills can be tactical or destructive, and it’s up to us to choose and use them wisely. Let’s discuss our talent retention challenge and learn the five words that must be eliminated from our vernacular. Deidre Diamond: Founder and CEO, CyberSN. @deidrediamond


Sponsored Session: Stepwise Security – A Planned Path to Reducing Risk 11/3/2016, 2:30 pm – 3:15 pm, Cumberland A/B Track: Securing the End User Audience Level: Mid Career

Attackers are making major headway into our businesses with simple tactics that exploit our weakest points. It’s clear that we need to bolster our defenses, but prioritization can seem daunting. Join Wade Tongen, Western Area System Engineering Director from Centrify, as he walks through some proven practices for prioritizing a risk mitigation strategy, starting with the easy gaps that most often lead to data breach, and moving to sophisticated and comprehensive control.  Wade Tongen: Western Area System Engineering Director, Centrify. @Centrify


ISSA WIS SIG Sponsored Session: Get the Right People in the Right Places to Maximize Your Cyber Team Performance (Two Part Workshop) 11/3/2016, 2:30 pm – 4:15 pm, Cumberland E/F Track: Business Skills for the Information Security Professional Audience Level: Senior Level

Understanding the significance of team roles and incorporating that into your cyber portfolio allows your team to more quickly and efficiently respond to any cyber-related incident or organizational inquiry. This session clarifies the necessity for a balanced approach and explains how the different team role behaviors impact and provide greater value to the overall team. A FREE personal Team Role Assessment (a strong people-oriented tool that helps increase your cyber team effectiveness) with analysis is included. Exercises prepare you for application of the principles learned. This workshop will make a huge difference in how your team operates, interacts, and performs! DeeDee Smartt Lynch: President/ Chief Resource Investigator, Smartt Strategies LLC. @ddsmarttlynch

What Happens in the Cloud Stays in the Cloud: Data Protection of Public Cloud Storage 11/3/2016, 2:30 pm – 3:15 pm, Cumberland G/H Track: Application Security Audience Level: Pre-Professional, Entry Level, Mid Career

Many cloud service providers are now offering encryption of object stores through a Java or other API. Amazon S3 and Azure Blob Storage are examples. Developers may use these services in one of two ways: allow the cloud provider to store the encryption keys or retain keys on-premises and “loan” them to the cloud provider during encrypting and decrypting API calls. This session will demonstrate Java code that implements the latter approach: generating and storing keys via KMIP interface while providing keys only when necessary to a cloud storage API. Jason Paul Kazarian: Senior Architect, Hewlett Packard Enterprise.


Best Practices for Responding to a Cyberattack and Working with Law Enforcement in the Aftermath 11/3/2016, 2:30 pm – 3:15 pm, Cumberland K Track: Incident Response Audience Level: Security Leader

Organizations are increasingly operating under the assumption that their network has already been compromised or will be. Cybercriminals are constantly looking for new ways to bypass security measures. As a result, no organization is immune from attack. Forty-three percent of organizations surveyed by the Ponemon Institute in 2014 said they had suffered a data breach. Yet, 27 percent of companies didn’t have a data breach response plan or team in place. The human instinct is to try to find those responsible for an attack. However, companies should resist this course of action. Any attempt to access, damage or impair another system that appears to be involved in an attack without law enforcement involvement is most likely illegal and can result in civil and/or criminal liability. Since many intrusions and attacks are launched from compromised systems, there’s also the danger of damaging an innocent victim’s system. Government agencies have repeatedly stressed the value of working closely with the government to mitigate the damage from attacks and to protect consumers. This year, the FTC stated that it is more likely to view companies that have worked with the agency involved in a cybersecurity investigation favorably than those who have not. In this session, Assistant US Attorney Edward McAndrew and Guidance Software President and CEO Patrick Dennis will discuss best practices for preparing and responding to a cyberattack and working effectively with law enforcement. Edward McAndrew: Assistant United States Attorney, Cybercrime Coordinator, US Attorney’s Office Patrick Dennis: President, CEO, Guidance Software. @_Patrick_Dennis

The 100 Minute MBA for Information Security Professionals (Two Part Workshop) 11/3/2016, 2:30 pm – 4:15 pm, Cumberland I/J Track: Business Skills for the Information Security Professional Audience Level: Pre-Professional, Entry Level, Mid Career

Many security professionals (even most information technology workers) did not go to college to pursue a business degree. Most don’t have an MBA. This isn’t all bad, because we don’t place ourselves in the box of business history. But MBAs do tend to come with some negative connotations (they’re just suits that think they know everything, right?) The reality is that the degree aims to prepare students to manage the details of a business, from finance to ethics, strategy to operations. As a member of the security team, you are a business inside of your business. You are a service to the end goal of the company. You are a cost center. You have an important offering, but it will only be accepted if it meets the needs of the business. Whether you work at a small startup or a large enterprise, learn the skills that will help you make security important to your entire organization. James K. Adamson: Principal Consultant, Urbane Security. @jameskadamson Branden R. Williams: VP, Head of Strategy, FirstData. @brandenwilliams


Is Your Vulnerability Management Program Evolving? Introducing the Vulnerability Management Maturity Model – VM3 11/3/2016, 2:30 pm – 3:15 pm, Cumberland L Track: Infrastructure Audience Level: Senior, Security Leader


The information security landscape has evolved significantly during the last 5 years with the emergence and wider use of new technologies such as Cloud, BYOD, Mobile and the Internet of Things. Alongside this landscape, corporate organizations’ key defense leaders, CIOs, CSOs and CISOs, have evolved in their information security defense strategies, as well as in how they think and approach information security. This different and evolved landscape, combined with defense leaders’ new mindset, has influenced key information security processes and in particular, has resulted in a greater understanding of the process of Vulnerability Management. This session presents a Vulnerability Management Maturity Model, referred to as VM3, which identifies six different levels of vulnerability management maturity within which different organizations operate. Detailed findings and lessons learned from a recent study on vulnerability management maturity are shared. The session covers the six high level activities, as well as a surrounding business environment which characterize an organization’s execution of the vulnerability management process. Key challenges present within each of the six high level activities of vulnerability management, as well as challenges imposed by the organization’s surrounding business environment are identified and described. Attendees will learn and appreciate how these key challenges impede one’s ability to achieve higher levels of maturity, as well as strategies on overcoming these identified challenges. Attendees will learn how they may help their organization evolve to higher levels of vulnerability management maturity, with the goal of achieving lower levels of information security risk. Gordon Mackay: Executive Vice President, Chief Technology Officer, Digital Defense Inc. @gord_mackay


Featured Speaker: Mr. Robot – Can it Really Happen? 11/3/2016, 3:30 pm – 4:15 pm, Landmark B/C Track: Business Skills for the Information Security Professional Audience Level: Pre-Professional, Entry Level

We’ve all seen how hackers are portrayed in movies and television shows. From Mr. Robot to CSI Cyber, this presentation will debunk the Hollywood view of cyber security and make it real. Time to separate the fact from the fiction! Candy Alexander: Director, ISSA Cyber Security Career Lifecycle. @NH_Candy


Business Continuity and Cyber Security – Partners in Crime (Cyber) 11/3/2016, 3:30 pm – 4:15 pm, Cumberland K Track: Incident Response Audience Level: Senior

Crime fighters Laura and Ron will lead you through how to integrate Business Continuity and Cyber Security to ensure a comprehensive Assessment, Plan and Response is in place to protect your organization. So put on your capes and superhero glasses and be prepared to participate in a workshop where you will walk through the basics of business continuity and identify integration points for cyber components. This will be a highly collaborative workshop session. Laura Mosley: Business Continuity Program Manager, Southern Wine & Spirits.  Ron LaPedis: Workforce Continuity Strategist, SunGard Recovery Services.


Compliance in the Cloud 11/3/2016, 3:30 pm – 4:15 pm, Cumberland L Track: Infrastructure Audience Level: Entry Level, Mid Career, Senior

We are all in the cloud. But, are we compliant in the cloud? As organizations move a big part of their infrastructure into the cloud, compliance has to adapt to this changing environment. In some ways, compliance in the cloud is simpler than on-premise. However, there are many misconceptions about compliance in the cloud. Anitian has built a comprehensive library of strategies and reference architectures that can both accelerate and sustain compliance with common standards such as PCI DSS, ISO 27001, and HIPAA. In this presentation, the Anitian team will present some of those strategies. Furthermore, we will discuss how to make compliance efforts more dynamic and agile using risk-based methods. Additionally, we will demonstrate how you can accelerate compliance using cloud services, such as key management and directory services. Andrew Plato: CEO, Anitian. @andrewplato

Yes, you’re done reading. Register now and book your hotel. Looking forward to seeing you!

– Grace
