ISE® Southeast Schedule of Events 2011

March 16, 2011

11:00am : Registration

Location: Buckhead Prefunction (Lobby level)

11:30 AM : ISE Southeast Nominee Welcome Luncheon & Presentation   *Invitation Only

Location: Buckhead Ballroom 1

Sponsored by

  Core Security

Dr. Eric Cole, PhD

Dr. Eric Cole, PhD
Faculty Fellow & Course Author
SANS
Biography

Fighting Off an Advanced Persistent Threat and Defending Infrastructure and Data
Today's cybercrime industry is thriving and has transformed itself to improve efficiency, scalability and profitability through the introduction of Advanced Persistent Threats (APTs). The latest in cyber-risk, APTs are a broad pallet of attack possibilities that enabling attackers to break into systems, avoid detection, and maintain long-term access to compromised networks. Confronting the threat does not always require the implementation of new technologies but it does require rethinking some of the strategies that companies may be adopting to protecting data.

1:00 PM : Welcoming Remarks and Introductions

Location:Woodruff Room
Marci McCarthy

Marci McCarthy
CEO and President
T.E.N.
Biography

1:15 PM : Keynote Address

Location: Woodruff Room
name

Mark Leary
Chief Information Security Officer
TASC
ISE® Southeast Executive Award Winner 2010

Keynote Address: The Era of Outsourcing  > Download Presentation
Fears associated with outsourcing are bound to arise, which is only natural, and understanding the factors that are associated with outsourcing need to be carefully considered before any decision is made.  The security of critical data, of employee privacy and of business transactions tends to keep information security executives awake at night.  Mark will relate a CISO’s journey as a company moves from previously hosting it’s own business IT functions to one that embraces an IT outsourcing strategy.

2:15 PM : Interactive Executive Roundtables

Location:Woodruff Room

The Interactive Executive Roundtables brings together ISE® Nominees, industry leaders, invited guests, and sponsor delegates to meet each other and join in interactive discussions on key industry issues as well as share best practices.  The interactive roundtable discussions are hosted by our ISE® Judges and Nominees.

Advanced Persistent Threat: It Pays to be Paranoid

Tim Callahan

Tim Callahan
Group Vice President, Manager Business Continuity and Information Assurance
Sun Trust
ISE® Northeast People's Choice Award Winner 2009, ISE® North America Executive Award Finalist 2009, ISE® Northeast Executive Award Finalist 2009, ISE® Northeast Executive Award Finalist 2007, ISE® Southeast People's Choice Award Winner 2006, ISE® Southeast Executive Award Finalist 2006

Insider threat. Social engineering. Spear phishing. Pervasive botnet infections. Legitimate websites hosting malware. Polymorphic malware. Blended threats. Multiple infection vectors. Command & control servers. Some of the biggest and best companies in the world are being targeted by criminal and nation-sponsored groups seeking to obtain information on intellectual property, legal activities, trade negotiations, customers, employees, credit card numbers and other financials, production information and schematics – and more.

Theft of information and electronic data at global companies has overtaken physical theft for the first time, with losses rising from $1.4m to $1.7m per billion dollars of sales, according to the 2010/2011 Kroll Annual Global Fraud Report. A study conducted by the Ponemon Institute reveals that 83% of respondents believe their organization was the target of advanced attacks, with 44% believing they were victims of frequent targets.

Data Like Digital Water: Plugging the Leaks

John B. Sapp Jr.

John B. Sapp Jr.
Director, Product Development Standards - Security, Risk & Compliance
McKesson Corporation
ISE® West Executive Award Finalist 2010

It seems that everywhere we turn, organizations are leaking data. Headlines expose losses of data in industries across the board and now WikiLeaks, with its publication of leaked cables, has organizations wondering if such an event could happen to them.

Data leakage is virtually impossible to stop, but the problem often isn't technology. It's people. The WikiLeaks incident underscores the risks inherent in failing to compartmentalize and in granting employees inappropriate levels of access to data and IT resources. Disgruntled staff, tech-savvy contractors and dismissed employees may misuse privileged access, or gain unauthorized access, and exploit the data. On the other end of the spectrum, naïve employees and well-intentioned users inadvertently leak data through improper and insecure handling of sensitive data.

Cloud Computing: Security and Privacy and Contracts, Oh My!

Phil Agcaoili

Phil Agcaoili
Chief Information Security Officer
Cox Communications
ISE® Central Executive Award Winner 2009

Platform-as-a-Service. Infrastructure-as-a-Service. Software-as-a-Service. Dedicated private. Open public. Hybrid. While there is no single term that describes a cloud environment, the fact remains that more and more data is moving to the cloud. Forrester predicts that cloud computing PaaS will be $15.2B by 2016 and Gartner claims the cloud computing IaaS market will reach $23.5B by 2013.

Benefits of cloud computing include reduced operating costs, savings on hardware, simplified licensing arrangements, streamlined infrastructure environments, consolidated facilities, increased functionality and flexibility, ability to scale and speed of access.  But is it secure? As more information on individuals and companies is placed in the cloud, attention must be turned to how safe an environment it is and how we assess security and perceive risk.

The Consumerization of IT: Plague or Progress?

Tammy Moskites

Tammy Moskites
Chief Information Security Officer
The Home Depot
ISE® North America People's Choice Award Winner 2010
ISE® North America Executive Award Finalist 2010
ISE® Southeast Executive Award Finalist 2010
ISE® Central Executive Award Finalist 2009

Smartphones and tablets are washing across the enterprise like a tsunami. Whether driven by an executive push or because employees are simply just using them, consumer technology's momentum has reached a dizzying pace and keeping them off the network can be akin to whack-a-mole.

Boundaries between work and personal technologies are diminishing. Boomers and Gen-Xers are bringing personal devices to work. Millennials and the Gen-Zs grew up using PCs, laptops, mobile phones, iPhones, iPods – and now iPads; and are making the provision of mobile tools a condition of employment. Technologies originally aimed at consumers, such as thumb drives, instant messaging and handheld audio and video players, are now ubiquitous in the business world.

Outsourced or Outsmarted: How to Avoid the "Gotchas" in Outsourcing

Paul Huesken

Paul Huesken
Director of Information Assurance
The Coca-Cola Company
ISE® Southeast & North America Judge

Whether it’s driven by a desire to reduce costs, tap into deep expertise, streamline internal operations or gain the flexibility afforded by cloud services, organizations are increasingly outsourcing a wide range of functions. On the menu are non-critical commodity-type activities, network operations, application development, customer service and even infrastructure and security monitoring. Yet, deciding to outsource is difficult. The promised benefits are so attractive – but the stakes are so high. It’s not surprising that hesitancy is a common reaction when deciding to outsource.

Security challenges surface whenever business processes are moved outside of the confines of the firewall. Whether it be legal liability, compliance issues, brand risk or customer concern, the more eyes and hands you have on your data, the greater the risk of something going wrong. This problem is magnified by the fact that your data may be stored on many different computers and the people accessing your data may well be on the other side of the world.

Not Your Father’s Identity and Access Management: Moving from IAM to IAI

Kyle Duke

Kyle Duke
Information Security Officer
HealthSpring
ISE® Southeast People's Choice Award Winner 2010

The internal corporate network is now a connected web of people and devices as more employees work remotely; and partners, customers and vendors are given access to corporate systems and sensitive data. This connected business model many times means managing access for users the company knows little about, and accommodating SSO and less intrusive authentication. To complicate matters, cloud-based applications are on the rISE®, bringing more challenges to managing user security. Layered on top of these business considerations is the requirement to meet industry-specific standards and comply with regulations such as HIPAA, SOX and PCI. Businesses must prove accountability around data access and management.

Vendor Consolidation: A Tale of Two Meanings

Ed Sarama

Ed Sarama
Chief Security Officer and Senior Vice President, Enterprise Risk & Resilience
Fiserv
ISE Southeast Award Winner 2006

Within the industry, best of breed products offered by niche players and small vendors often fulfill our technology needs perfectly, whereas a larger vendor may not measure up. Smaller companies, whose success depends on your success, typically provide better customer service and are strongly motivated to help you succeed. To many a user’s chagrin, the security technology industry is consolidating due to mergers and acquisitions, resulting in fewer, larger players. What may happen to the acquired vendor and its technology is often an open question. Vendor consolidation impacts vendor relationships, technology direction and customer support; elevates concerns about the safety of existing and new investments; and adds uncertainty and risk that is best to be avoided.

3:30 PM : Break

3:40 PM : Nominee Showcase Presentations

Location: Woodruff Room
Glen Taylor

Glen Taylor
Vice President
The Walt Disney Company

Aligning Security to Deliver Results to the Walt Disney Company > Download Presentation
In this presentation, Glen Taylor will share the three step model Disney used to align their information assurance with the increasing corporate investment and business demands over the last 12 months. With the increased volume of organizational and technical change the risk of new vulnerabilities and threat to Disney’s confidentiality and integrity was significant.  Using this three step model (Information Security Assessment, Vulnerability Scanning and Security Validation) Disney’s Security & Compliance team was able to safeguard against any security issues while delivering an online dining reservation initiative, doubling their cruise capacity, and replacing the Walt Disney World property management system.

Kevin Charest

Kevin Charest
Deputy Director
U.S. Department of Health and Human Services

The HHS CyberSecurity Technology Project > Download Presentation
Daniel Galik and Kevin Charest will discuss how the US Department of Health & Human Services HHS CyberSecurity project provided HHS Operational Divisions with the supporting infrastructure to build secure enclaves to house management components of essential information security technologies. They will share more about the enclaves they secured that are a combination of network taps, firewalls, routers, switches & authentication technologies to allow seamless integration of Intrusion Detection/Prevention Systems, Security Incident & Event Management for event correlation and Network Forensics tool for malware analysis.

Chris Ray

Chris Ray
2nd VP, Information Security and Software Change Management (CISO)
Aflac

The Virtualized Laptop > Download Presentation
Prior to 2010, the only way sales agents could get a laptop supported by Aflac was to purchase it already provisioned with the appropriate software.  Aflac ultimately paid the agents back for the laptop by offering credits for every customer policy written with that laptop until the laptop was paid for.  In addition to the initial burden of expense to the sales agent and the ultimate cost going to Aflac, the model also made it difficult for integrating new business partners who already maintained their own company devices or for those who may have already owned their own laptop.  Chris will share with us how he developed, proposed, and tested an idea which was brought to fruition in 2010.  By creating a self-contained image of the laptop (virtualizing) and putting it on an external hard drive (or even USB drive), the sales agents could spend a minimal amount of money to conduct their business and have the flexibility to use the external hard drive on any desktop/laptop they choose.  All security was maintained on the virtualized hard drive itself – including antivirus, encryption, access controls, and the like.  Join us to learn more!

Brad Sanford

Brad Sanford
Chief Information Security Officer
Emory University

Building Consensus to Achieve Effective Leadership > Download Presentation
Brad Sanford is an information security leader who leverages his knowledge of and passion for information security to persuasively engage executive leadership and obtain direct buy-in for critical information security initiatives. Brad has been successful in obtaining executive level support for his initiatives at Emory, in part because he has striven to ensure that the Information Security program and its initiatives are well aligned with the institution’s mission and strategy. These initiatives are prioritized and Emory’s institutional leadership is directly engaged to validate these priorities and to determine specifically which initiatives to fund, and thereby which risks get addressed and which do not. By leveraging this approach Brad was share how he was able to procure over $1M in funding for new Information Security initiatives (including new staff) at a time when most of the institutional was experiencing reductions in budget and shrinking staff levels.

5:00 PM : VIP Reception (invitation only)

Location: Buckhead Ballroom I

ISE® Nominees, sponsors and special guests will have the opportunity to network in a private setting with beverages and appetizers.

6:00 PM : Sponsor Pavilion and Dinner Buffet

Location: Prefunction Grand Ballroom, 4th floor

Guests enjoy gourmet dinner while networking and meeting the sponsors.  Honoring and celebrating the Canada Award Nominees for 2013, this exciting occasion will bring together top security executives to recognize the individuals who have made significant and positive impact on their organizations through exemplary performance.

7:00 PM : ISE® Southeast Awards Gala

Location: Grand Ballroom AB, 4th floor

Honoring and celebrating the ISE® Southeast Award Nominees, this exciting occasion will bring together top security executives to recognize the individuals and the project teams who have made significant and positive impact on their organizations through exemplary performance.

9:00 PM : Champagne & Dessert Reception

Location: Prefunction Grand Ballroom, 4th floor

Enjoy champagne and dessert while celebrating the winners, nominees and project teams. Don't miss the Passport for Prizes drawing and a chance to win outstanding gifts from our ISE® sponsors.