Conferences that solve current IT challenges

Enterprise Risk / Security Management

Strategies for adopting a comprehensive IT GRC (Governance/Risk Management/Compliance) approach to managing information adhering to business needs

February 7, 2013

7 CPE / 0.7 CEU / CISSP / 7 PDU Credits Awarded

Conference location: Donald E. Stephens Convention Center Rosemont (O'Hare) Illinois

In today’s highly regulated environment it is essential that you have a clear understanding of risk across the enterprise. A risk management framework can bring visibility to key business and compliance risks and enable a company to decide where to prioritize its limited resources. It is through a risk management framework that real value to the business can be achieved.

With all of these challenges, how do you make this happen?

In this one day conference, attendees will be provided with examples of approaches to managing information and compliance risk through a risk management framework.

What You Will Learn

In this one day conference attendees will learn:

  • IT Risk & Social Engineering: Establishing Metrics to Manage the Human Layer

  • How to Design an Effective Risk Assessment

  • How Security and the CSO Can Provide Business Value

  • How to Reduce the Risk of Data Loss and Audit Failures: Implementing a Response Plan

  • Mobile Technology in the Enterprise: How to Manage Security Risks of BYOD

  • Big Data - Didn't We Used to Call it SEIM?

Conference Program

8:00am - 9:00am - Registration and Continental Breakfast

IT Risk & Social Engineering: Establishing Metrics to Manage the Human Layer

Mark T. Chapman, CFE CISSP CISM CRISC, President and Founder,

The most damaging information security attacks often use low-tech social-engineering methods to trick users into sharing sensitive information. In spite of the significant money spent on email and web content filtering technologies, organizations ultimately must rely on the generally unreliable “human firewall” to thwart phishing attempts. For such an important class of critical security controls, it is surprisingly rare to formally configure and manage the human layer beyond ad hoc techniques based on anecdotal, incomplete and inaccurate information.

There are now ways to safely use some of the methods employed by attackers to provide objective, understandable and actionable metrics to proactively measure, manage and improve the effectiveness of the last line of defense.

  • Take a real-world look at “configuring” the human firewall in the enterprise beyond generic security awareness training.
  • Define objective, understandable and actionable metrics around social engineering.
  • Discuss stories-from-the-trenches with examples that measured and improved the effectiveness of people, process and technology controls.
  • Help establish an “Information Security Awareness Operational Plan”, where employees thwart unauthorized attempts to obtain sensitive information.

10:00am -10:30am - Refreshment Break


Risk, Security and Compliance: Notes from the Field

Chris Cronin, Governance & Strategy Consultant, ISO 27001 Auditor, HALOCK Security Labs

Laws and regulations are telling us to manage our information security by identifying our risks and reducing them to a reasonable level, and for good reason. Risk management makes information security and compliance more attainable and more meaningful than when we use a compliance checklist. So why has American business been so slow to adopt risk management?

This talk will present case histories of organizations that initially avoided risk management but who eventually found a surprising payoff: Managing information security and compliance through risk management coordinated the interests of the executive team, operations, IT, legal, sales, compliance and audit. As a result, information security became easier to implement and maintain.

As well, we will present the basics of implementing risk management to achieve the successes of these organizations.


How Security and the CSO Can Provide Business Value (Panel)

Bill Amedeo, BDM, Column Technologies
John Germain, Chief Information Security Officer, Xylem
Neil Witek, VP, Information Security Governance, AIM Specialty Health (subsidiary of WellPoint)
Jim Huddleston, Director, Global IT Risk Management, US Resources
Paul Kunas, Director, Information Security, Sidley Austin
and other CISOs/Security Directors from Enterprise IT Departments

In this session, attendees will learn from a panel of IT security executives about the strategies they are using to ensure their efforts are in sync with business priorities.

Topics covered:

  • How to identify and leverage the following areas of value for continued investment and security spending: reputation, regulation, revenue, resilience, and recession
  • How to assess, understand and define security’s current and future roles in the extended enterprise
  • Where security investments are being made in personnel, processes, and technologies
  • What security specifically needs to achieve for the enterprise in terms of protecting current business processes and enhancing future revenue growth

12:30pm - 1:30pm Luncheon


How to Reduce the Risk of Data Loss and Audit Failures: Implementing a Response Plan

Joe Skehan, Sr. Director, Product Management, Venafi

In today's fast-paced, high tech ‘cloud’ and ‘BYOD’ world, encryption keys and digital certificates serve as the primary security mechanisms (authentication & encryption) for protecting usernames, passwords, and other sensitive data transferred in and out of corporate networks and between computers.

Most organizations today are unprepared to handle the day-to-day security, operational and compliance risks related to managing their encryption keys and certificates. What will happen to your company or government agency when (NOT IF) your Certificate Authority is compromised?

In 2011, for the first publicly recorded time in history, 4 public CAs were compromised, forcing public and private sector organizations to immediately and manually locate, revoke and replace the compromised certificates.

Notably, the Dutch government was crippled by the DigiNotar CA compromise, which disabled all secure online operations for a prolonged period of time. This incident forced the Dutch government to take the expensive and embarrassing step of informing its citizens to “only use pen and paper, or fax” as a means of secure communication.

This session provides a risk overview, security best practices and lessons learned from recent CA compromises on a global scale. The session will also provide guidance to organizations looking to implement a CA compromise response plan.

2:30pm - 3:00pm - Refreshment Break


Mobile Technology in the Enterprise: How to Manage Security Risks of BYOD (Panel)

Mic McCully, Senior Mobile Architect, WatchDox
Speakers will include:
Greg Bee, CISO, Country Financial
Mark Guth, Director of Security, AGL Resources/Nicor
Michael Corn, CISO, University of Illinois
Chris Merkel, Director IS Security, Brunswick
and other CISOs/security leaders sharing their experiences and lessons learned

As employees become increasingly mobile through consumer technologies, IT systems and information become more vulnerable to security risks and breaches. The major challenge becomes how to effectively manage these risks while maximizing employee productivity.

In this session, attendees will learn from a group of seasoned IT security executives as to how they are handling these challenges.


Big Data - Didn't We Used to Call it SEIM?

Derek Milroy, Senior IS Security Engineer, U.S. Cellular

This presentation will examine what Big Data is, or may be, as it relates to Information Security. Often there is a great deal of existing data that must be optimized and put to use before implementing Big Data. The presentation will then focus on the steps to reaching a point where Big Data analytics may be possible. A structured approach will be presented so that organizations can optimize and use existing data while preparing for a Big Data initiative or implementation.

Conference Price: $269.00 per person

Each attendee will receive a certificate awarding 7 CPE credits for CISSP continuing education, in addition to 0.7 CEUs and 7 PDUs. CISSP is a registered certification mark of (ISC)², Inc.

As is always the case at CAMP IT Conferences events, the talks will not include product presentations. During the continental breakfast, coffee breaks, and the luncheon break you will have the opportunity to informally meet representatives from the following sponsoring companies, who have solutions in the area of the conference.