Conferences that solve current IT challenges

Enterprise Risk / Security Management

Strategies for adopting a comprehensive IT GRC (Governance, Risk Management and Compliance) approach to managing information risk in line with business needs.

February 5, 2014


7 CPE / 0.7 CEU / CISSP / 7 PDU Credits Awarded


Conference location: Donald E. Stephens Convention Center Rosemont (O'Hare) Illinois


In today's highly regulated environment it is essential that you have a clear understanding of risk across the enterprise. A risk management framework can bring visibility to key business and compliance risks and enable a company to decide where to prioritize its limited resources. It is through a risk management framework that real value to the business can be achieved.

With all of these challenges, how do you make this happen?

In this one day conference, attendees will be provided with examples of approaches to managing information and compliance risk through a risk management framework.

What You Will Learn

In this one day conference attendees will learn:

  • Leveraging Behaviors to Make Better Security Decisions

  • The Kaizen of Information Risk and Security

  • How Security and the CSO Can Provide Business Value (Panel)

  • Malware and APTs; How Do We Defend Against These Modern Threats?

  • Cloud Risk Reduction: How to Keep Your Data Safe in the Cloud (Panel)

  • Big Data - Didn't We Used to Call it SIEM?

Conference Program

8:00am - 9:00am - Registration and Continental Breakfast



Leveraging Behaviors to Make Better Security Decisions

Tom Bain, Sr. Director, Security Strategy, CounterTack

Many of today's attacks on enterprise systems use social-engineering methods to help attackers achieve their objectives. This often involves tricking users into sharing sensitive information, or applying a new twist on tried-and-true methods to exfiltrate data.

Behavior is a fundamental element that is often overlooked in the wake of attacks. Understanding how your employees behave is just as important as knowing the behavioral characteristics of your attackers.
Security models need to evolve into more proactive and measurable programs that use intelligence to make better security decisions across the entire organization, from IT to Security, all the way through general employees.

In spite of the significant money spent on email and web content filtering technologies, organizations ultimately must rely on the generally unreliable "human firewall" to thwart phishing attempts.
For such an important class of critical security controls, it is surprisingly rare to formally configure and manage the human layer, let alone integrate it with other areas of security.

It's time to start looking at security from a different perspective. Leveraging best practices in technology and the methodologies that attackers employ, and integrating them with practical training programs, can help organizations establish an innovative set of objectives to reduce damage caused by employee error and motivated attackers alike.


  • Take a behavioral assessment across the board to evaluate the impact of those behaviors
  • Devise an innovative approach to addressing undesirable behavior to decrease its negative impact
  • Real-world examples of how you can configure the human firewall in the enterprise beyond generic security awareness training
  • Define objective, understandable and actionable metrics around security that cover data protection, social engineering and training
  • Help establish an "Information Security Awareness Operational Plan", in which employees thwart unauthorized attempts to obtain sensitive information
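The metrics bullet above is where a phishing-simulation program usually gets stuck: the vendor console reports a click rate and little else. The following script is an added example, not part of the conference program or any speaker's material. It takes per-recipient records from a simulated phishing campaign (the record layout and the sample rows are constructed for illustration) and computes click rate, report rate and median time-to-report overall and per department, and flags users who clicked in more than one campaign as candidates for targeted training.

```python
"""Phishing-simulation metrics from per-recipient campaign records.

Added example; the record fields (campaign, user, dept, sent_at,
clicked_at, reported_at) and the sample rows are constructed and do
not match any particular vendor's export format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: one row per simulated phishing email delivered.
# Timestamps are ISO 8601 strings; None means the action never happened.
SAMPLE_EVENTS = [
    {"campaign": "c1", "user": "a.lee",   "dept": "finance", "sent_at": "2014-01-20T09:00:00", "clicked_at": "2014-01-20T09:04:00", "reported_at": None},
    {"campaign": "c1", "user": "b.ng",    "dept": "finance", "sent_at": "2014-01-20T09:00:00", "clicked_at": None, "reported_at": "2014-01-20T09:10:00"},
    {"campaign": "c1", "user": "c.ortiz", "dept": "finance", "sent_at": "2014-01-20T09:00:00", "clicked_at": None, "reported_at": None},
    {"campaign": "c1", "user": "d.park",  "dept": "it",      "sent_at": "2014-01-20T09:00:00", "clicked_at": None, "reported_at": "2014-01-20T09:02:00"},
    {"campaign": "c1", "user": "e.quinn", "dept": "it",      "sent_at": "2014-01-20T09:00:00", "clicked_at": None, "reported_at": None},
    {"campaign": "c2", "user": "a.lee",   "dept": "finance", "sent_at": "2014-02-03T09:00:00", "clicked_at": "2014-02-03T09:03:00", "reported_at": None},
    {"campaign": "c2", "user": "b.ng",    "dept": "finance", "sent_at": "2014-02-03T09:00:00", "clicked_at": None, "reported_at": "2014-02-03T09:30:00"},
    {"campaign": "c2", "user": "d.park",  "dept": "it",      "sent_at": "2014-02-03T09:00:00", "clicked_at": "2014-02-03T09:01:00", "reported_at": "2014-02-03T09:05:00"},
    {"campaign": "c2", "user": "e.quinn", "dept": "it",      "sent_at": "2014-02-03T09:00:00", "clicked_at": None, "reported_at": None},
]


def _minutes_between(start, end):
    """Minutes elapsed from one ISO 8601 timestamp to another."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def _new_bucket():
    return {"sent": 0, "clicked": 0, "reported": 0, "report_minutes": []}


def _tally(bucket, event):
    bucket["sent"] += 1
    if event["clicked_at"]:
        bucket["clicked"] += 1
    # A recipient who clicks and then reports still counts as a report: the
    # report is what lets the SOC act, and the click is tracked separately.
    if event["reported_at"]:
        bucket["reported"] += 1
        bucket["report_minutes"].append(_minutes_between(event["sent_at"], event["reported_at"]))


def _finish(bucket):
    return {
        "sent": bucket["sent"],
        "click_rate": round(bucket["clicked"] / bucket["sent"], 3),
        "report_rate": round(bucket["reported"] / bucket["sent"], 3),
        "median_minutes_to_report": median(bucket["report_minutes"]) if bucket["report_minutes"] else None,
    }


def summarize(events):
    """Overall and per-department click/report metrics plus repeat clickers."""
    if not events:
        return {"overall": None, "by_dept": {}, "repeat_clickers": []}
    overall = _new_bucket()
    by_dept = defaultdict(_new_bucket)
    clicks_by_user = defaultdict(set)  # user -> campaigns in which they clicked
    for e in events:
        _tally(overall, e)
        _tally(by_dept[e["dept"]], e)
        if e["clicked_at"]:
            clicks_by_user[e["user"]].add(e["campaign"])
    # Users who clicked in two or more campaigns get targeted follow-up rather
    # than another round of generic awareness training.
    repeat_clickers = sorted(u for u, c in clicks_by_user.items() if len(c) >= 2)
    return {
        "overall": _finish(overall),
        "by_dept": {d: _finish(b) for d, b in sorted(by_dept.items())},
        "repeat_clickers": repeat_clickers,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

Report rate and time-to-report are the numbers worth trending month over month: a falling click rate with a flat report rate means users are ignoring the lure, not catching it, and the SOC still gets no signal from the real campaign that follows.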

10:00am -10:30am - Refreshment Break



The Kaizen of Information Risk

Chris Cronin, Principal Consultant, Halock

The days of blaming hackers for our data breaches are long behind us. If we get breached, it is our fault. The reason we can no longer solely blame the bad guys - or fate - for our breaches is that many organizations have long since figured out how to reduce their security risks to a defensibly reasonable level. If your organization has not figured out how to secure information reasonably, your liability will be high when you do get breached.

Luckily, the processes for reducing information security risk are well established. Chris will describe the processes that organizations use to continually improve their security risk posture, using the same "kaizen" processes of continual improvement that have created some of the most reliable brands in the world.

Chris will describe and illustrate a set of practical, measurable steps that are currently being used in thousands of organizations globally to reduce their information security risks and to demonstrate information security compliance with laws, regulations and contracts.

How Security and the CSO Can Provide Business Value (Panel)

Mike Skurko, Director, Utimaco
Chris Merkel, Director IS Security, Brunswick Corporation
Sarah Buerger, Sr. Director, IT Risk Management, US Foods
Edward Marchewka, Information Security Manager, Chicago Public Schools
Victor Hsiang, CISO, GATX
Larry Lidz, Director, Information Security, Risk Management & Compliance, CNA Insurance
and other Security Executives sharing their experiences and lessons learned

In this session, attendees will learn from a panel of IT security executives about the strategies they are leveraging to ensure their efforts are in sync with business priorities.

Topics covered:

  • How to identify and leverage the following areas of value: reputation, regulation, revenue, resilience, and recession, to sustain investment and security spending
  • How to assess, understand and define security's current and future roles in the extended enterprise
  • Where security investments are being made: personnel, processes, and technologies

12:30pm - 1:30pm Luncheon



Malware and APTs; How Do We Defend Against These Modern Threats?

David Serafine, Technical Marketing Engineer, Hexis Cyber Solutions

The online world is becoming more troubling every day. Attackers may be motivated by profit, ideology or nationalism. Beyond the reasons, what can you do to understand these threats and mitigate them before they cause significant damage to your enterprise?

In this session, attendees will learn:

  • Who the attackers are and why they attack
  • What the most common threats are
  • Steps you can take to mitigate their actions
  • How to refine your security risk framework to plan for advanced persistent threats

2:30pm - 3:00pm - Refreshment Break
Cloud Risk Reduction: How to Keep Your Data Safe in the Cloud (Panel)

Ric Centracco, Regional Manager, Fox-T
Jeff Lossau, Information Governance and Business Risk, Motorola Solutions
Fred Kwong, Senior Security Manager, US Cellular
Paul Niser, Vice President, Information Technology, Grosvenor Capital Management
and other Security Executives sharing their experiences and lessons learned

Many users are leveraging the cloud independently of IT, which continues to be a huge risk. How do you embrace the benefits of cloud while maintaining security controls over your enterprise's assets? When using a third-party cloud provider, how can you maintain confidence that your data is secure? How do you manage reporting, compliance and regulatory mandates?

In this session, attendees will learn from a panel of security executives about how they are mitigating cloud risk.



Big Data - Didn't We Used to Call it SIEM?

Derek Milroy, Senior IS Security Engineer, US Cellular

This presentation will examine what Big Data is, or may be, as it relates to Information Security. In many cases there is a lot of existing data that must be cleaned up and put to use before any Big Data effort can succeed. The presentation will then focus on the steps needed to reach a point where Big Data analytics become possible. A structured approach will be presented so that organizations can optimize and use existing data while preparing for a Big Data initiative or implementation.

Conference Price: $279.00 per person

Each attendee will receive a certificate awarding 7 CPE credits for CISSP continuing education, in addition to 0.7 CEUs and 7 PDUs. CISSP is a registered certification mark of (ISC)², Inc.


As is always the case at CAMP IT Conferences events, the talks will not include product presentations. During the continental breakfast, coffee breaks, and the luncheon break you will have the opportunity to informally meet representatives from the following sponsoring companies, who have solutions in the area of the conference.