InfoSec & Risk Management Track

The threat of cyber security breaches and compromises has become one of business’ greatest – and most unpredictable – risk factors. Understanding your attackers – their motivations, their methods of operation, and the exploits they create – is crucial to developing the right defenses and to measuring the risk that your organization faces.

The InfoSec and Risk Management Track offers a comprehensive look at the current threats posed by cyber attackers, the security vulnerabilities they exploit, and the potential impact of these attacks on your organization. Attendees will get firsthand descriptions of the latest exploits targeted at the enterprise, and recommendations on how to mitigate them. Attendees will also receive some common-sense guidance on how to quantify and measure the cyber risks they face, and how to use that risk measurement to build an IT security strategy that is both effective and affordable for the business. They will also get a look at potential vulnerabilities and security issues created by today’s newest technologies, including mobile, cloud, and the Internet of Things, as well as a peek at next-generation security solutions.

Featured InfoSec & Risk Management Sessions
A CISO's Perspective
Details to Come

Debate: Where Are The Weakest Links In Cyber Security?
Security experts and vendors often spur fear and concern by stating that a particular vulnerability is the “weakest link” in enterprise security defense. The problem is that the “weakest link” differs depending on who’s talking. This makes life confusing for enterprise security professionals, who must prioritize their activities and seek to build comprehensive defenses. In this debate, a panel of experts will discuss the most troublesome vulnerabilities among enterprise defenses and choose the “weakest links,” aiding attendees to prioritize their upcoming security projects. Potential arguments could be made for: Insider threats, end users, applications, cloud vulnerabilities, mobile/endpoint devices, targeted/sophisticated attacks, next-generation malware, or other threats/vulnerabilities. Which should be the enterprise’s greatest concerns? You will hear the argument.

Ending The Tyranny of Expensive Security Tools: A New Hope
A long time ago, in a galaxy far far away, AV was invented. Then firewalls and IDS and SIEM and NAC and DLP and on and on. With all these products, it seems like a career in information security is really more about managing tools than defeating a galactic empire of hackers and miscreants. But like the Rebel Alliance, you can take back your enterprise, because many of our existing monitoring systems and network devices also have security functionality. Moreover, there are many excellent open source applications that work just as well as commercial ones.

Friend or Foe: Risk and Security in the Information Supply Chain
The modern enterprise is often both a client and a supplier to many other organizations. The use of third-party vendors, service providers, and partners is a normal and growing part of many businesses' operations today, and a growing concern for information risk and security professionals. An organization’s security posture is only as strong as its weakest link. While many information risk and security organizations effectively manage the information risk they directly control, third parties pose a challenge because of the limited governance and oversight an organization has over them. This session will focus on how to navigate and execute supply chain security effectively from both the customer and the provider perspective. The speaker will explore industry-leading methods and practices for risk-based supply chain security, supported by case studies and real-world examples.

Joining the Intelligence-Led Revolution
The market for cyber threat intelligence may be young, but the work of intelligence collection, analysis and dissemination is not: it dates back to the earliest days of human conflict. Recognizing that we are in the midst of a cyber conflict, this session's model applies those long-established approaches to cyber. Forward-leaning security practitioners realize that their adversaries gather intelligence on them on a daily basis, and they are turning to cyber threat intelligence in order to turn the tables. This discussion will focus on the core fundamentals of building the business case for implementing and sustaining a successful cyber threat intelligence program, following the model executed by some of the largest and most sophisticated programs in the world.

Managing Insider Risks and Building a Culture of Security
Although media coverage of data breach incidents tends to focus on external malicious actors carrying out "hacking" attacks, it is insider-related vulnerabilities and threats that create the most serious risks for many organizations. Whether it is a trusted insider abusing authorized access for personal gain, or a well-intended but unaware employee falling victim to a social engineering attack such as spear phishing, insider risks cannot be overlooked. This session will detail some recent statistics that emphasize the role of insiders in creating cyber security risk and will provide practical guidance on how to transform your biggest potential liability into a key asset of your information security program. Achieving a true shift in attitudes and awareness and fostering a culture of security is not easy – but it can be done if there is commitment from the top.

Pull Up Your SOCs: Best Practices for Building and Operating a Security Operations Center
Today’s cyber security threats come from a wide variety of actors using an even wider variety of exploits. Identifying new attacks and launching a defense means having an effective command and control center that not only seeks out and manages information about potential attackers, but also ensures that end users are maintaining secure access to all essential corporate data and applications. In this session, experts will walk attendees through the process of building and managing an effective security operations center (SOC), including the tools and systems required to monitor and benchmark enterprise security posture. The speakers will also discuss the ways that the SOC can be linked to IT and network operations centers and help desks to create a more comprehensive and effective IT operations environment.

Social Engineering: Lessons From the Real World
Most of the major security breaches in the last few years have begun with a simple phishing email or social engineering attack. In general, people are easier to fool than computers and security systems. What are the methods that cyber criminals and other attackers are using today to trick users into clicking on an attachment or giving up their logon credentials? What do these attacks look like, and how can end users be trained to avoid them? In this unique session, social engineering experts will offer real-life demonstrations of these attacks and show you, step by step, how end users are fooled into downloading malware or giving away sensitive information. There will also be a discussion of how to defend against these attacks through both training and technology.

Understanding Your Attackers
A few years ago, the primary concerns in cyber security were cyber criminals and a few teen hackers who were out for a joyride. Today, however, the threat has become much more complex. Hacktivists have attacked companies with a political agenda; competitors have been seen launching corporate espionage campaigns to collect information about their rivals. State-sponsored hacking appears to be at an all-time high, as government-backed entities seek out information that might give them an advantage in business or military conflict. Who are your attackers and how are they motivated? What different methods do each of these groups use to attack an organization? How do they define success and how can you build and prioritize your defenses against them? In this session, top experts will discuss the different types of threat actors out on the Internet, the differences in their methods and motivations, and how to tailor a cyber strategy that strengthens your defenses against your most likely adversaries.

What's Next? Emerging Trends in Information Risk Management and Security
Information risk management and security never stay still. Attackers find new ways to exploit software, hardware and people. The security industry rolls out new technology to address the latest threats. Now add to the mix the troubling revelations about government surveillance (breaking SSL, watering down encryption standards, tapping into Web and service provider communications and so on). Where do we go from here? This panel discussion will highlight emerging trends in information risk management and security from a business and technology perspective.

Featured InfoSec & Risk Management Workshops
Go Hack Yourself: Offensive Security Tools for Enterprise Defenders
Offensive security tools aren’t just for penetration testers. Enterprise defenders can take advantage of the same tools and techniques to identify weaknesses in their networks and in the humans who use them. Need to find your exposed vulnerabilities and get them fixed before the bad guys exploit them? Want to clean up the low-hanging fruit before a pen test so you can focus on more realistic, targeted threat scenarios? This class is a hands-on immersion in offensive security tools including nmap, Metasploit, Arachni, recon-ng, and Phishing Frenzy. Participants will be provided a virtual machine pre-loaded with the tools to use throughout the class. The focus will be on imparting practical skills that students will be able to apply immediately upon returning to work.
Instructor: John Sawyer, Senior Security Analyst, InGuardians

Integrating Risk and Security Into Your Organization’s DNA
Risk management practices and security controls are often perceived as burdens or roadblocks by end users and executives. The goal of this workshop is to help you change those attitudes so that individuals don’t just comply with risk and security practices, but instinctively integrate them into everyday business activities. Adapting an organization’s DNA to effectively integrate risk and security requires a fundamental shift from authoritative, consequence-oriented approaches to consultative, benefit-oriented ones. Instead of focusing on protecting the organization and its constituents from themselves, risk and security professionals will learn to empower individuals with the information and insights they need to make business-appropriate decisions. This ultimately makes risk and security a business enabler instead of a roadblock to success. Topics will include information risk profiles, threat and vulnerability analysis, approaches to culture change, and risk and security considerations for the information supply chain. Interactive discussions, examples, and cross-industry case studies will be presented throughout the workshop.
John Pironti, President, IP Architects, LLC

Track Chair

John Pironti

President, IP Architects, LLC

John P. Pironti is the President of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions, information security and risk management strategies and programs, enterprise resiliency capabilities, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, insurance, energy, government, hospitality, aerospace, healthcare, pharmaceuticals, media and entertainment, and information technology, on a global scale. John holds a number of industry certifications, including Certified in the Governance of Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Information Systems Security Architecture Professional (ISSAP), and Information Systems Security Management Professional (ISSMP). John frequently provides briefings and acts as a trusted advisor to senior leaders of numerous organizations on information security, risk management and compliance topics, and is also a member of a number of technical advisory boards for technology and services firms. He is a published author and writer, highly quoted and often interviewed by global media, and an award-winning frequent speaker on electronic business and information security and risk management topics at domestic and international industry conferences.

Tim Wilson

Editor-in-Chief and Co-Founder, Dark Reading

Tim Wilson is editor-in-chief and co-founder of Dark Reading, the IT industry’s most widely read online community for computer security. In this role, Wilson is responsible for managing the site, assigning and editing much of the content, and writing breaking news stories. Wilson also directs the content behind Dark Reading's webcasts, digital issues, and the Dark Reading University program, and is a contributor to UBM’s Black Hat and Interop events. Wilson has been recognized three times as one of the top cybersecurity journalists in the U.S. in voting among his peers held by the SANS Institute. In 2011, Wilson was named one of the 50 Most Powerful Voices in Security in research conducted by SYS-CON Media. Prior to joining Dark Reading, Wilson was the business editor for Network Computing, one of the industry’s leading communities on IT infrastructure and networking. A veteran of the IT industry, Wilson has spent 20 years as a journalist, including eight years as a top editor and reporter for CMP Media’s InternetWeek (originally called Communications Week). As executive editor of DataTrends Publications Inc., a newsletter publisher, Wilson founded four industry newsletters on the subject of data communications, edited several others, and wrote a half-dozen books on the topic. Wilson has also served as an industry analyst with two globally recognized IT consulting firms: Decisys Inc. (now part of Gartner) and Enterprise Management Associates.
