Monday Events

8:30 - 9:30 AM Introduction & The Business of Security
SPEAKER: Hugh Thompson, Chief Security Strategist, People Security

9:30 - 10:15 AM Crypto 101/Encryption Basics, SSL & Certificates
SPEAKER: Ben Jun, VP of Technology, Cryptography Research Inc.

10:15 - 10.30 AM Break

10:30 - 11:15 AM Authentication Technologies
SPEAKER: Bill Duane, Distinguished Engineer, Office of the CTO, RSA, The Security Division of EMC

11:15 AM - 12:00 PM Application Security
SPEAKER: Jason Rouse, Principal Consultant, Cigital, Inc.

12 - 1 PM  Break for Lunch

1 - 1:45 PM Viruses, Malware and Threats
SPEAKERS: Dawn Cappelli, Technical Manager, CERT Insider Threat Center, Software Engineering Institute CERT Program; Juan Montelibano, Team Lead, Insider Threat Technical Solutions and Standards at Carnegie Mellon University

1:45 - 2:30 PM Mobile Security
SPEAKER: Alex Stamos, Founding Partner, iSEC Partners

2:30 - 3:15 PM Governance, Risk and Compliance
SPEAKER: Justin Peavey, Chief Information Security Officer, Omgeo (A DTCC I Thomson Reuters Company)

3:15 - 3:30 PM Break

3:30 - 4:15 PM Firewalls and Perimeter Protection
SPEAKER: Christofer Hoff, Senior Director, Juniper Networks

4:15 - 5 PM Professional Development
SPEAKER: Mike Gentile, Founder & CEO, Delphiis

8:30 - 8:40 AM Truth or Fiction: The rise of software vulnerabilities and the impact the vulnerabilities have on organizations
SPEAKER: Kathy Kriese, Principal Product Manager, Symantec Corporation

8:40 - 9:30 AM Security in the Software Development Lifecycle: For each lifecycle stage, what are the activities and responsibilities?
SPEAKER: Brad Arkin, Senior Director, Product Security and Privacy, Adobe

9:30 - 10:15 AM Secure Design Principles: Defense in depth, least privilege, compartmentalization, guest/tenant isolation, reduction of attack surface, fail-secure, no reliance on client-enforced security, secure interoperability, secure-by-default
SPEAKER: Paco Hope, Technical Manager, Cigital, Inc.

10:15 - 10:30 AM Break

10:30 AM- 12 PM Secure Coding: Demonstrate issues and illustrate prevention/remediation techniques.
SPEAKERS: Alexander Hoole, Principal Security Researcher, Fortify, an HP Company; Jacob West, Director of Security Research, Fortify, an HP Company

12 - 1 PM Break for Lunch

1 - 2 PM Secure Coding: Demonstrate issues and illustrate prevention/remediation techniques.
SPEAKERS: Alexander Hoole, Principal Security Researcher, Fortify, an HP Company; Jacob West, Director of Security Research, Fortify, an HP Company

2 - 3:10 PM Security Testing: Fuzzing, threat modeling, benefits/limitations of testing techniques, source code scanning, vulnerability scanners.
SPEAKER: Chris Eng, Vice President of Research, Veracode, Inc.

3:10 - 3:25 PM Break

3:25 - 4:10 PM Vulnerability Response: Representatives for defined roles, third-party tracking, regression testing, root cause analysis, patches - creation and communication.
SPEAKER: Katie Moussouris, Senior Security Strategist Lead, Microsoft Corporation

4:10 - 4:30 PM Security Resources: CERT, NIST, RSA Labs, RSA Share Community, (ISC)² and more.
SPEAKER: Kathy Kriese, Principal Product Manager, Symantec Corporation

8:30 - 9:50 AM Building Blocks of a Security Program

• 20/20 Hindsight
  The morning starts off with a review of various experiences leading a large security program with a focus on key lessons learned along the way. The best way to prepare you to lead a security program is to observe several different approaches to the role, and benefit from successes and failures of others. Learn how to keep the agenda of the security program moving forward while avoiding the common pitfalls that can threaten a new information security officer. Join these long-time security leaders as they share their tips for managing a successful program through the lens of their own experiences.

• Speaker: Dennis Devlin, Assistant Vice President, Information Security and Compliance Services, The George Washington University; Joseph Hammer, Managing Director of Technology and Information Risk, Morgan Stanley

• Assessing the Program’s Maturity
  Building a program from scratch can be difficult, but more often new security leaders will inherit an existing program in various stages of maturity.  Dealing with this baggage of previous decisions and directions that may not align well with the business can be very challenging.  Learn from the experience of successful security leaders how to first assess the various aspects of the existing program, and decide where to focus your resources.  The desire to fix previous directional mistakes needs to be balanced with the turmoil that too many changes can have on an organization.

• Speaker: Mark Clancy, CISO, Depository Trust & Clearing Corporation (DTCC)

• Presenting Metrics to the Executive Team
  Everyone talks about security metrics, but deciding which metrics will be meaningful to senior management can be difficult.  Good metrics can demonstrate the value of a security program through a reduction in risk exposure and cost savings, and the right metrics can also highlight the urgency of certain focus areas or drive process improvements. This session covers how to generate and package meaningful security metrics that are appropriate for executive management or board level presentations.

• Speaker: John Johnson, Global Security Program Manager, John Deere

9:50 - 10:30 AM - Security Program Strategy

• Establishing a Program Roadmap
  Now that you know what not to do, the seminar focuses on a roadmap that will guide you during the first few years of your new program.  Often, security leaders will have two plans: one that they share with the organization in general terms, and one that they keep to themselves with milestones for the program’s growth and success.  In this session attendees will learn how to balance the objectives and strategies that you share with the organization, versus those you should keep close to the chest as you influence and shape the culture of the organization.

• Speaker: Justin Peavey, CISO, Omgeo (A DTCC I Thomson Reuters Company)

• Sneaking Security In
  So often information security is one of the most visible programs in an organization through the various controls, assessments, awareness efforts, and this is intentional.  This session presents several strategies for relieving some of the perceived burden of information security within the organization by leveraging existing business activities to meet security objectives.  Perception is everything, and it is amazing what can be accomplished without ever invoking the dreaded security or compliance mandates.
• Speaker: Evan Wheeler, Director InfoSec, Omgeo (A DTCC I Thomson Reuters Company)

10:30 - 10:40 AM Break  

10:40 - 11:10 AM Leadership Roundtable: Tearing Down the Security Empire
Many security programs get caught up in the mode of ever expanding the security team to take on every aspect of information security across the organization.  Then inevitably it will go through some level of reorganization to better align these activities with similar functions in other teams.  The security team may grow, then be broken up and dispersed, and then sometime reformed.  Join this panel of experienced security leaders as they debate how to balance the growing responsibilities of information security as a function with the desire to manage a lean and mean security team that is focused on oversight and guiding strategy.  The pros and cons of several approaches will be discussed, including outsourcing security functions and decentralizing security responsibilities to better leverage capabilities in other teams.

• Moderator: Evan Wheeler, Director InfoSec, Omgeo (A DTCC I Thomson Reuters Company)
• Panelist: Dennis Devlin, Assistant Vice President, Information Security and Compliance Services, The George Washington University; John Johnson, Global Security Program Manager, John Deere; Justin Peavey, CISO, Omgeo (A DTCC I Thomson Reuters Company); Mark Clancy, CISO, Depository Trust & Clearing Corporation (DTCC); Joseph Hammer, Managing Director of Technology and Information Risk, Morgan Stanley

11:10 - 11:30 AM Questions & Answers