sessions

Click on a session title to be taken to the corresponding session description. To see a complete listing of Session Dates & Times, click here.

Preconference sessions | May 7

Morning
Cloud Computing Risk Assessment and Assurance | Sailesh Gadia
IT Risk Assessment: Why You Need to Know What You Don’t Know | Michael Stead and Tim Payne

Afternoon
IT Consumerization – iPad’ing the Enterprise or BYOMalware? | Barry Caplin
World Tour of Privacy Legislation | Jay Cline

Keynotes

May 8
The Failure of Risk Management | Douglas Hubbard

May 9
Mobile & Social: A Transformation | Jon Gordon

Conference sessions | May 8

Morning

Authenticating mobile devices to the Cloud | Patrick Harding
Cloud Computing in Healthcare: Key Security and Privacy Issues | Rebecca Herold
Darts, Dice, and Monte Carlo | Miles Edmundson
Exercising Response Plans as Part of Continuity Planning | Lillian McDonald & Barret Lane
From American Frontlines to Assembly Lines: U.S. Innovation & Competition in a Global Robotics Revolution | Andrew Borene
Grafting PCI into Healthcare Compliance | Chris Secrest
Job: Security – Lessons from the Front Lines | Robert Edinger, MSIA, CISSP
Lean Security: A Practical Approach to Security Projects | Josh More
New School Risk Management: Theory Driven Practice | Alex Hutton and Jay Jacobs
Risk Management – Beyond the Smoke & Mirrors | Evan Wheeler
Security Beyond the Operating System | Dan Larson
See What, Say it to Whom? | Lizabeth Lehrkamp
Solving Data Breach Points of Egress with Analysis | Chris Andrews
Software Security Goes Mobile | Jacob West
The Ethics of Engagement and Trust | Chad Weinstein
The Genie’s Out of the Bottle: BYOD Policies That Work | Jeff Schmidt

Afternoon

2012 Data Breach Investigations Report (DBIR) | Jay Jacobs
Are We There Yet? Information Security Grows Up | Christopher Veltsos
Assessing Your Mobile Applications | Stephen Kerns
Behavioral Security Modeling | John Benninghoff and Karl Brophey
Benchmark Analysis: The State of Vulnerability Management | Tim Erlin
Can We Build Successful Vulnerability Management Programs? Yes! | Michael Kelly
Digital Identities | Chris Buse & Jim Steinwand
Discussing Security with (Non-Security) Management | Tom Cocchiarella
Fearing the Auditor More Than the Hacker | Al Kirkpatrick and David Flora
Free & Open Source Software (FOSS) in the Enterprise | Lynn Estes
Future-Proof Your Network Against Advancing Cyberthreats | Jason Wright
Impostors, Insiders and Intruders: Mitigating the Threat from Within | Dr. Jarret Brachman
Make the Leaderboard: Tactics to Achieve Security Performance Measures | Chris Rowland & Eng-Wee Yeo
Millennials at Work: New Risks or Strong Assets? | Rodnie Williams
Myths, Mistakes and Outright Lies (when it comes to your IT Security) | Kellman Meghu
PCI Myths and Mistakes | Brian Serra
Physical Security on the Front Lines | Deviant Ollam
Practical Measures for Measuring Security | Chris Mullins
Pragmatic Cloud Security | David Mortman
Process Not Outcomes – Architecture Risk Management Capturing the Upside and Avoiding the Downside | Gunnar Peterson
Terrible Things in Network Security | HD Moore
The Downfall of the BC Professional: Setting Up a Personal Plan to Quit Bad Habits and Shine at Your Organization | Frank Perlmutter
There is no Bigger Data Than Your Big Security Data | Marc Maiffret
What to Do When Your Management Doesn’t Want to Complete a BIA | Fred Klapetzky

Sponsor Sessions

Update Your Software or Die | Wolfgang Kandek (Qualys)
Mitigating Risk in the Era of APTs and Mobile Computing | Joe Rogalski (Symantec)
Secure Cloud-Based Identities and Transactions | Ron Stamboly (Safenet)
Securing Enterprise Data & Best Practices for Secure Mobility | Scott Ashdown (Imation)

Conference sessions | May 9

Morning

500 days in the Cloud | Ryan English
Back to Basics: Pragmatic Risk Management For the 99% | Ben Tomhave
Cyber Crime: They Will Not Stop for Lunch | Robert Cameron
Enough on Mobile Problems, What About Solutions? | Yan Kravchenko
Holistic and Flexible Risk Management | Kevin Thompson
IT Sourcing and Procurement – Cradle to Grave IT Asset Security | Deb Mogenson
New More Relevant Examinations to Former SAS 70 Audits | Jeffrey Locketz
Order from Chaos: Building a Crisis Management Program | Bryan Strawser
Reverse engineer the flag – Taking hacking to the classroom | Aaron Wampach
Scenario Analysis: Moving Beyond Penetration Testing | Matt Hynes and Steve Currie
Security Issues With an International Perspective | Al Kirkpatrick and David Flora
Security: Don’t forget the people! | Ron Woerner
Seeing through the Clouds: Tactics to Deal with Limited Cloud Visibility | Mike Rothman
Stopping Next-Generation Threat Protection | Dan Walters
The TL:DR Guide to Cloud Computing | Kevin Riggins
Why Mobile Device Management (MDM) needs mobile security | Stacey Garcia
Winning Presence for Make-or-Break Moments | Dean Hyers and Pete Machalek

Afternoon

#*%! my CISO Says | Barry Caplin
10 Information Security Principles to Live (or die) By | Evan Francen
Cloud Computing 101 | Kevin Riggins
Beyond The Breach – Lessons Learned from the RSA Attack | Kevin Flanagan
Developing a Global Business Continuity Strategy | Lenny Sharpe and Matt Blanco
Enterprise Vulnerability Management: Trends and Guidance | Ryan Wakeham and Seth Peter
Examining the Chinese Cyber Warfare Threat | William Hagestad II
Is Cloud Identity Management right for you? | Arun Kothanath and Brian Baird
Mindsets and Toolkits: Thinking Positively About Security | Michael Brady
New Federal Business Continuity Guidelines | Erik Pakieser, MnCEM, CBCP
People Online: Security, Privacy and Reputation @the Office and @Home | Meghan Wilker and Nancy Lyons
Principles of Patrolling for Information Security | Patrick Tatro
The Internals of Identity-theft Attacks | Tim Armstrong
Unbelievable, Now I Need to Secure the Application? | Robert Sullivan
Update on HITRUST: Are we there yet? | Yan Kravchenko
What’s Hot & What’s Not: Screening & Security | Mary Poquette
Where’s the beef: Educating an organization on risk and decisions | Aaron Wampach

Sponsor Sessions

Centralizing Identity, Policy and Privilege to Strengthen Security | Louise Popyk
Data Mining a Mountain of Zero Day Vulnerabilities | Chris Wysopal (Veracode)
Securing Your Physical, Virtual, Cloud Infrastructure | Matt Hubbard


#*%! my CISO Says | Barry Caplin

Many CISOs come from more of a technical, rather than a business, background. However, we need to be able to communicate with senior management, business-area leaders and users who may often not be technologists. In this talk we will look at some of the common topics CISOs need to cover and discuss how to rephrase the messages to better reach a business-oriented audience. We will discuss: how to think about security risks in the way business personnel do; how to translate technical security topics into more business-friendly language; and how to reach a broader audience with the information security message. Barry Caplin’s bio.

10 Information Security Principles to Live (or die) By | Evan Francen

As information security professionals we sometimes lose focus on the basic “rules of the game”. In our zeal to protect information we tend to forget that we operate within constraints, and when we fail to operate within these constraints we end up doing more harm than good. We will explain the ten information security principles that all information security professionals must live (or die) by: 1. We don’t work well in a bubble; 2. Information security isn’t an IT issue; 3. People are the most significant risk; 4. “Compliant” doesn’t mean “secure”; 5. Businesses are in business to make money; 6. There’s no common sense in information security; 7. “Secure” is relative; 8. Information security doesn’t always have to be a cost center; 9. Information security isn’t a one-size-fits-all solution; 10. There’s no “easy button.” Evan Francen’s bio.

500 Days in the Cloud | Ryan English

We’ve spent the past 500 days running a cloud service that tests applications for security vulnerabilities. This ranged from government applications used by our troops overseas to ecommerce applications, from software that runs manufacturing plants or energy facilities to software that helps access health records. During this time, we’ve learned a lot about setting up and managing a cloud service to scan applications, and about the threats that exist in the software that surrounds us. In the process, we’ve also generated a wealth of metrics on the security of real-world applications, and gained unique insights into how to use these metrics. As a result, we know which vulnerabilities are the most prevalent. We know which industries tend to have the most secure software. We can rate the security of the most common open source packages. We can predict, based on the type of application (Java, externally facing, finance application), how many vulnerabilities per line of code there will be. We can compare the effectiveness of different testing techniques (static versus dynamic analysis). We can see which threats are most prevalent in mobile applications. Ryan English’s bio.

2012 Data Breach Investigations Report (DBIR) | Jay Jacobs

Join Verizon and our globally recognized security experts to hear what we’ve learned by analyzing the data breaches that continue to plague organizations worldwide. Our findings are contained in the 2012 Data Breach Investigations Report, which includes contributions, in data and expertise, of the United States Secret Service (USSS) and the Dutch National High Tech Crime Unit (NHTCU). Together, we had the privilege and challenge of examining over 850 new data compromise incidents since our last report.


Are We There Yet? Information Security Grows Up | Christopher Veltsos

Information Security has finally been granted a seat at the table, so now what? Why did infosec get such visibility? How do we earn the attention given to us? What does the current state of threats look like and how can we appropriately convey the importance of those threats to best manage risks? If 2011 was the year of the breach, what can we learn from the major breaches to keep our organizations safe? Information security has definitely matured in the past decade, but are we catching up or falling behind? Christopher Veltsos’s bio.

Assessing Your Mobile Applications | Stephen Kerns

Mobile applications have become more prevalent in the business world and are being introduced with security issues similar to those of other applications. Businesses are purchasing and developing these applications without any method to test or validate that best practices have been followed. In this presentation we will review a process for conducting security testing of mobile applications for commonly found vulnerabilities: broken authentication, injection flaws, improper error handling, information leakage, insecure communications, insecure cryptographic storage, backdoor identification and failure to apply server-side controls. Stephen Kerns’ bio.

Authenticating mobile devices to the Cloud | Patrick Harding

Enterprise users are no longer bound to one device for access to cloud-based applications and services. Mobile devices such as smart phones and tablets are becoming an integral part of most corporate networks and need to adhere to the same corporate security policies as other devices. Knowing what it takes for these smart devices to access distributed services and data in the cloud and operate securely is critical to maintaining identity management and access control. This presentation demonstrates how mobile devices can evolve to become secure participants in the cloud through the use of protocols that allow the workforce to access cloud applications and data based on their existing enterprise identities and roles. Patrick Harding’s bio.

Back to Basics: Pragmatic Risk Management For the 99% | Ben Tomhave

If you’ve spent any time investigating how to build or mature a risk management program, then you’ve likely had at least one moment where your eyes have crossed and you’ve thought “who would ever do this?” Much of the current literature comes to us from the financial services sector, but very little of it seems to translate well to other industries; especially not to the more than 99% of U.S. employer firms who qualify as small businesses. This situation begs the question: Just what can and should organizations be doing? This presentation will demonstrate how to make pragmatic use of risk analysis in any business and discuss how to scale risk management practices while still having a positive impact. Ben Tomhave’s bio.

Behavioral Security Modeling | John Benninghoff and Karl Brophey

This will be an updated version of the AppSec USA 2011 presentation. John will release the BSM white paper at Secure360. Behavioral Security Modeling (BSM) describes interactions between information and people in terms of socially defined roles and expected or desired outcomes. Differences between the desired outcomes and the actual outcomes of the information systems that implement the interactions introduce security vulnerabilities. BSM allows these vulnerabilities to be anticipated and managed by comparing expected outcomes to the actual outcomes of proposed information systems, allowing for more predictable systems and better decisions about security design. A practical example will be demonstrated by applying the approach to the tokenization of credit card numbers. John Benninghoff’s bio. Karl Brophey’s bio.

Benchmark Analysis: The State of Vulnerability Management | Tim Erlin

For more than a year, nCircle Benchmark has been collecting metrics from organizations. The data collected simply can’t be found anywhere else. At the time of this abstract, metrics are being collected for more than 180,000 assets across more than 50 organizations and most common vulnerability management products. This session will present an overview of the collection method and the metrics analysis, including average risk score, average scan frequency, most commonly found vulnerabilities, and vulnerability distribution across operating systems. While the conclusions won’t be clear until the analysis is complete, we’ll examine the composition of the data used to determine the relevance of any conclusions. We’ll also look at how these metrics trend, to identify patterns and answer questions such as “How do vendor patch cycles affect trends in discovered vulnerabilities?” Tim Erlin’s bio.

Beyond The Breach – Lessons Learned from the RSA Attack | Kevin Flanagan

In 2011, RSA publicly disclosed that it had detected a very sophisticated cyber-attack on its systems, and that certain information related to the RSA SecurID® product had been extracted. During this presentation, Kevin Flanagan, from RSA, will share specifics of the attack including the details on the initial infiltration, exfiltration of data, and how RSA identified the attack in progress. This session will also cover Tactics, Techniques, and Procedures (TTPs) identified in similar attacks that have been recently uncovered. Finally, this session will cover lessons learned from the RSA breach and other breaches that many organizations can use to manage these types of targeted attacks.

Can We Build Successful Vulnerability Management Programs? Yes! | Michael Kelly

This discussion leads the audience through real-life examples of various methods and processes used to operationally manage threats – and ultimately vulnerabilities – all with varying degrees of investment and value returned. Different experiences across diverse industry sectors are brought together to detail the successes and the failures that were encountered when designing and running vulnerability management programs for large and small companies. Case studies highlight: the results of incomplete or untested processes, the pitfalls of inconsistent assessment methodologies, the successes of simple execution, how tools, processes and people all come together, and the importance of executive-level partnering and acceptance. Michael Kelly’s bio.

Centralizing Identity, Policy and Privilege to Strengthen Security | Louise Popyk (Centrify)

Find out how to prevent insider attacks, simplify internal and external audits in mixed data centers comprised of Windows, UNIX and Linux systems, and control access and policy on Macs, iOS and Android devices. Learn how to protect systems and applications, manage user access and privileges, and audit and report on rights and privileges using an IT asset you already own – Active Directory.


Cloud Computing 101 | Kevin Riggins

This session is geared towards an audience that has heard of cloud computing, but doesn’t have a good understanding of exactly what that means. It will focus on providing a very clear and understandable base of knowledge around cloud computing, the different models of delivery and service, security issues that should be considered and how they might impact your business. It will draw on industry accepted sources like NIST documents, Jericho Forum concepts and Cloud Security Alliance guidelines. Kevin Riggins’s bio.

Cloud Computing in Healthcare: Key Security and Privacy Issues | Rebecca Herold

Cloud computing has drawn a great deal of attention as a way to reduce IT costs in healthcare. But are the companies that offer cloud computing well-prepared to meet the HIPAA privacy and security requirements? Join Rebecca for this session, where you’ll gain an in-depth understanding of issues relevant to all healthcare organizations, including: working with cloud vendors to address key information security and privacy compliance issues; strategies for satisfying HIPAA privacy and security legal requirements “in the cloud”; and the impact of the pending modifications to the HIPAA privacy and security rules, in addition to the HITECH Act rules. Rebecca Herold’s bio.

Cloud Computing Risk Assessment and Assurance – Using a Case Study Approach | Sailesh Gadia

Cloud Computing is one of the key emerging technologies. One of the biggest values that IT audit, security, risk and/or governance practitioners can provide to clients is an understanding of cloud-related risks. Being better at managing emerging technologies and their corresponding risks can be crucial in gaining strategic competitive advantage. So, is there an efficient way to gain comfort around internal control at a cloud service provider? This session will provide an understanding of the key risks and exposures in a cloud computing environment, provide tools and techniques for conducting a SOC attestation of cloud computing environments, and summarize the findings. Sailesh Gadia’s bio.

Cyber Crime: They Will Not Stop for Lunch | Robert Cameron

The challenges of disrupting the money trail and thwarting affiliate networks: how our ISPs, credit card companies, and money mules make the world go around. Plus: evolving attack methodologies, and the mixed motivations of the CIO. Robert Cameron’s bio.

Darts, Dice, and Monte Carlo | Miles Edmundson

An examination of the flaws inherent in the current risk analysis process and of a statistically valid alternative (Monte Carlo simulations). In short, the common and accepted methodology is based upon personal or “expert” opinion with no measurement of success. Several studies show that people regularly overestimate their abilities and underestimate risks. If this is true, the current, accepted methodology has inherent biases which corrupt any meaningful risk analysis. In short, the existing methodology is little better than throwing darts or rolling dice. Miles Edmundson’s bio.

Data Mining a Mountain of Zero Day Vulnerabilities | Chris Wysopal (Veracode)

Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. Which industries have the most secure and least secure code? What types of mistakes do developers make most often? Which languages and platforms have the apps with the most vulnerabilities? Should you be most worried about internally built apps, open source, commercial software, or outsourcers? These questions and many more will be answered as we tunnel through zero day mountain.


Developing a Global Business Continuity Strategy | Lenny Sharpe and Matt Blanco

This session will be an in-depth discussion around how the business and technology teams at Target worked together to develop an enterprise strategy for business continuity that is integrated, aligned, resourced, and supported throughout the organization. Lenny Sharpe’s bio. Matt Blanco’s bio.

Digital Identities | Chris Buse and Jim Steinwand

Digital Identities: What are they and why do I need one? Recent activity by the Federal Government, state governments, the National Association of State Chief Information Officers and the President of the United States has driven this question to the forefront, especially identities that pertain to accessing information across borders. We will explain how these disparate organizations are linking together on a national scale with programs such as FICAM, SICAM and NSTIC. And yes, we’ll explain these acronyms, too. The State of Minnesota is working with other states and the Federal Government to become an ID provider of choice for citizens, business partners and employees. We’ll tell you how we are progressing toward that goal, and what we expect will be the outcome. Chris Buse’s bio. Jim Steinwand’s bio.

Discussing Security with (Non-Security) Management | Tom Cocchiarella

Firewalls, A/V, proxy servers, policy, content filtering, IDS, IPS, SIEM... what does it all mean to non-IT business management? They may have asked: Why do we spend so much money on all of this technology? Do we really need all these different technologies? Do you ever get these types of questions? Have you developed techniques to help explain why you need so many products and FTEs to support them? Come to this interactive session and add some “tools to your tool box” that can help you develop better ways to communicate with non-IT management about security! Tom Cocchiarella’s bio.

Enough on Mobile Problems, What About Solutions? | Yan Kravchenko

Mobile remains one of the most talked-about problems with regard to security. While better and less expensive Mobile Device Management (MDM) tools are still being developed, organizations are facing a very real risk that remains largely unaddressed. Some organizations choose to pretend that wireless does not exist, while others add policies that prohibit the use of wireless technologies. This presentation will side-step the typical rhetoric about the size of the problem that wireless devices pose, and focus on real-world, meaningful solutions that organizations can implement today. This session will provide a deconstructed view of the mobile dilemma, and introduce different techniques by which organizations can stop ignoring mobile and embrace its usefulness, along with the risks, in a more constructive manner. Yan Kravchenko’s bio.

Enterprise Vulnerability Management: Trends and Guidance | Ryan Wakeham and Seth Peter

Defending organizations against Internet-borne malware, advanced persistent threats and application exposures is a complex and increasingly important job within corporate IT environments. In this presentation, NetSPI will review current vulnerability identification and management issues and update the audience on programs and approaches to enhance your information security program. In particular, the following topics will be addressed: why vulnerability management is important; a formal approach to vulnerability management; and tips on how to ensure your approach to vulnerability management is successful. Security and IT leaders who are responsible for providing the business with a stable and secure IT environment will benefit from this session. Ryan Wakeham’s bio.

Examining the Chinese Cyber Warfare Threat | William Hagestad II

This session will include: the origins, history and composition of the 21st Century Chinese Cyber Warfare threat (culture, history, linguistics); the hegemonic economic, military, nationalistic and political threads which contribute to ‘war without limits’ – ‘informization’; an in-depth review of cyber incursion case studies such as Ghost Net, Titan Rain, Night Dragon, Operations Aurora and Shady Rat; and a statement of the Rules of Engagement (ROE), short- and long-term recommendations, and conclusions about the 21st Century Chinese Cyber Warfare threat to energy, gas and water utility companies. William Hagestad’s bio.

Exercising Response Plans as Part of Continuity Planning | Lillian McDonald and Barret Lane

Exercising business continuity plans is a critical part of emergency preparedness activities so that public, private and non-profit organizations can respond to staff and stakeholders during a crisis that can impact operations. Including a robust exercise around response plans helps employees and clients know what to expect in order to carry out business continuity and emergency response efforts. This session will highlight the elements of exercising response plans using a case study from a small organization providing public information in multiple languages, supporting public, private and non-profit messaging needs. Participants will gain ideas on the design and execution methods of exercising business continuity plans as illustrated by an actual exercise. Specific objectives: recognize activities to support a robust exercise to test business continuity planning; knowledge of exercise design, execution and after-action reporting; case study demonstration of lessons learned following a functional exercise. Lillian McDonald’s bio. Barret Lane’s bio.

Fearing the Auditor More Than the Hacker | Al Kirkpatrick and David Flora

For too many businesses, the goal of their information security program is to pass related audits. This presentation will address the pitfalls of this approach and then provide a roadmap for creating a risk-conscious and security-aware culture. The session will explain the differences and relationships between information risk management and information security. The session will then provide proven strategies for establishing effective goals and obtaining buy-in from the top down. David Flora’s bio.

Free & Open Source Software (FOSS) in the Enterprise | Lynn Estes

Open Source software has become ubiquitous and has reached critical mass. FOSS components or utilities are present or used in nearly every enterprise, and increasingly vendors are bundling FOSS components with their software. This adoption and implementation has often outpaced corporate policies, standards, and development guidelines. There may also be security concerns that are not addressed. This is indicative of a clear lack of understanding regarding licensing, and of insight into support, responsibilities for modified source, and risk. I will cover many of the common components and bundles and explain the available support options. I will also provide a brief overview of OSS licensing and consumer/provider responsibilities in an effort to remove some of the FUD surrounding FOSS usage in a corporate environment. I will also identify resources and recent litigation in an area of emerging law. Lynn Estes’s bio.

From American Frontlines to Assembly Lines: U.S. Innovation & Competition in a Global Robotics Revolution | Andrew Borene

This topic concerns the dramatic developments taking place in the field of robotics, and their likely impact in the security and defense arenas. Consider the following: It is estimated that the global robotics industry will create more than one million jobs in the next 5 years. Unmanned air and ground systems are expected to be a one-hundred-billion dollar market. U.S. innovation has created significant strategic military advantages in robotics and unmanned systems technology. Robotics technologies that evolve for defense applications provide civilian applications and business growth downstream. This session will center around these topics as well as a discussion around the following questions: Can the U.S. maintain market leadership and create jobs domestically in this rapidly evolving high tech market? Can the Upper Midwest capture a significant share of the robotics growth in security, defense, and civilian applications such as agriculture and medicine? Andrew Borene’s bio.

Future-proof Your Network Against Advancing Cyberthreats | Jason Wright

Cyberthreats are evolving. Networks are evolving. And so are your security requirements. Against a backdrop of cyber opponents who are faster, smarter, more prevalent, more targeted, and more elusive than ever before, how can you protect the growing number and types of operating systems, applications, services and users on your network? Mr. Wright will discuss: the current threatscape in the context of today’s dynamic threats and dynamic networks; security for the real world, protecting against evolving cyberthreats now and into the future; and the future of IT security – developments in next-generation IPS and the power of cloud-based advanced malware protection. Jason Wright’s bio.

Grafting PCI into Healthcare Compliance | Chris Secrest

The healthcare industry has many regulations that it must adhere to, many of which take the entire compliance focus. PCI is another, but it is overshadowed by the others. As a result, PCI catches many off balance and leaves them scrambling. Complicating the process is the continued push for Electronic Medical Records and the convergence of EMR with payment information. By blurring the lines of segmentation, this can lead covered entities down a slippery compliance slope. Knowing the pitfalls and the areas of concern is crucial to surviving a PCI assessment without having to spend a fortune on compliance. Successful merging of EMRs with PCI data is possible as long as it is planned correctly from the start. This presentation will cover the common areas that can lead an organization into non-compliance and how to strike the balance between regulations such as HIPAA/HITECH and PCI. Chris Secrest’s bio.

Holistic and Flexible Risk Management | Kevin Thompson

There are a lot of different approaches to risk management out there, but some of the best tools only address a single area of risk management, such as identifying threats or rating the severity of a single risk scenario. In this session I will present an approach to risk management that combines these techniques to identify risk scenarios, quantify the risk, select controls, report on risk, and keep historical data. This approach is based on developments by Verizon and Intel, and is flexible enough to be very detailed and rigid or abstract and lightweight. Kevin Thompson’s bio.

Impostors, Insiders and Intruders: Mitigating the Threat from Within | Dr. Jarret Brachman

The insider threat is an organization’s worst nightmare. Difficult to detect and prevent, attacks from individuals who obtain authorized access to an organization’s networks, facilities or trust can do far more damage from within than from the outside. This session examines a series of case studies where adversaries attacked from the inside out, either because they had acquired legitimate access or because they dressed the part. Profiled cases include the Oslo shooter/bomber, Anders Breivik, who posed as a police officer before opening fire on the crowd of teenagers he had assembled; attacks by Al-Qaida, who used stolen uniforms/identification and fraudulently painted/decaled vehicles to gain access to sensitive facilities; and a review of high-profile insider cyber fraud, theft and sabotage cases. The session will conclude by presenting a range of potential tools, processes and best practices to help mitigate the risks and damage from future insider and impostor attacks. Jarret Brachman’s bio.

Is Cloud Identity Management right for you? | Arun Kothanath and Brian Baird

Info to come


IT Risk Assessment: Why You Need to Know What You Don’t Know | Michael Stead and Tim Payne

This session will take you through the ins and outs of an IT risk assessment – why you need to be doing it, what the benefits are, and what it even looks like. Through interactive exercises you will be given an opportunity to apply the concepts against a real-life case study. You will learn about methodologies, frameworks and concepts for risk assessment such as those provided by the IT Risk Framework (COBIT), Westerman’s Four A’s, COSO Enterprise Risk Management (ERM), and Factor Analysis of Information Risk (FAIR). You will be taken through the process from selecting a methodology/framework, setting scope, identifying who to involve, and actually getting started, to delivering a final product to management and what is needed to maintain it going forward. Michael Stead’s bio. Tim Payne’s bio.

IT Consumerization – iPad’ing the Enterprise or BYOMalware? | Barry Caplin

According to a recent survey by CIO magazine, companies are increasingly encouraging employees to purchase their own devices, such as smartphones, tablets and laptops, to use at work. The acronyms BYOC and BYOD (Bring Your Own Computer/Device) have become mainstream technology terms. But what does BYOD mean for the enterprise? Can we mix personally owned devices and enterprise workstations/cell phones in our environment? How do we control configuration and data on personal devices? What about malware and other security concerns? What about improper disclosure of private data and intellectual property? And how will staff get work done when they are busy playing Angry Birds? Is BYOD the flavor of the week, or is it the future of end-user hardware? In this interactive session we will discuss: What is IT Consumerization/BYOD? What are the benefits and concerns? Is there a cost savings? What are the security concerns – BYOMalware? How do we protect data? And how can I start BYOD in my organization? And yes, you can Bring Your Own Devices to this session! Barry Caplin’s bio.

IT Sourcing and Procurement – Cradle to Grave IT Asset Security | Deb Mogenson

How does Procurement work with Security and Risk Management to ensure assets are properly tracked, integrated smoothly and safely, and properly disposed of at end of life?  Is there room for a partnership/collaboration?  Join this interactive session to learn ways to address security and risk management concerns from prior to procurement through end of life disposal.  These concerns are unique to IT hardware, software, and outside professional services.  Disposal options of leased and owned assets at end of life will be specifically addressed. Deb Mogenson’s bio.

Job: Security – Lessons from the Front Lines | Robert Edinger, MSIA, CISSP

What if you could start your technical information security program again – from scratch?  What would you do differently?  How would you structure it?  What would you leave out and what would you do later?  Where would you start?  How would you ensure that your technical capabilities meet your operational requirements?  Rob Edinger has tackled these questions as a consultant, a CISO, an IT director, and as a vendor; now he wants to share what he has learned with you.  From negotiating your vision, mission, and objectives with the CEO, to architecting and setting up an infrastructure vulnerability service then letting go of your baby and handing it off to the technical specialists, we will take a parachute jump from the edge of space and make a safe landing behind the front lines of information security. Robert Edinger’s bio.

Lean Security: A Practical Approach to Security Projects | Josh More

When you take a lean and practical approach to security projects, you not only improve your overall security, but you save money for the big projects that really matter. The RJS “Lean Security” approach is a process we developed in response to the frustration felt by those who don’t have the time to research the newest security solution for their business and are tired of the standard big-budget, big-timeline approach championed by other security firms and consulting organizations. There is a cost-conscious, less-is-more security strategy that works and Josh More will show you how to achieve this philosophy with great success. This presentation will include real world examples illustrating the advantage of maximizing your security department’s budget by going lean. Josh More’s bio.

Make the Leaderboard: Tactics to Achieve Security Performance Measures | Chris Rowland & Eng-Wee Yeo

Information Security often focuses on the ‘Stick’ versus the ‘Carrot’ tactic of motivating people to ensure compliance.  This forms a culture focused on avoiding the Stick, meeting the minimum requirements to get by, rather than seeking the Carrot, outperforming to achieve recognition.  A different model that promotes recognition is now emerging in enterprises.  The tactic of gamification is being used to create gaming scenarios which recognize achievements in order to motivate organizations to attain their performance objectives.  In a nutshell, gamification can be defined as the application of game design, game thinking, and behavioral economics in non-gaming contexts. This session explores possible scenarios and methods for gamification in the field of Information Security & Risk Management which can be used to acknowledge achievement, encourage organizational change and attain performance measures and metrics. Chris Rowland’s bio. Eng-Wee Yeo’s bio.

Millennials at Work: New Risks or Strong Assets? | Rodnie Williams

The video gaming, Twitter addicted, Facebook focused, ADD characterized, “Millennial generation”… Are these really the kinds of employees that we want to integrate into our industry? Regardless of your opinion of the newest generation to hit the workplace, Millennials are raising important issues amongst employers today. They present unique challenges with regard to recruiting, hiring, training, and integrating into the culture of information risk management and security functions. So what should our response be? Rodnie is continuously engaged in the topic of Millennials in the workforce, and training them through collaborative efforts. Rodnie Williams’ bio.

Mindsets and Toolkits: Thinking Positively About Security | Michael Brady

Security managers have personal, professional, and institutional biases that affect the way we see the world, evaluate hazards, and communicate risk. We’re frequently conservative and hierarchical, and more risk averse than the executives who rely on us to guide their business decisions. Often we’re so focused on making sure bad things don’t happen that we forget we are also responsible for making sure the right things do. This frequently sets us apart from peers in other business disciplines. We’ll examine the means by which we can approach the security process with a sense of corporate responsibility and critical thinking, and resist using fear as a lever. We’ll look behind the headlines for important clues to how our mindset is reflected in the way we approach the services we offer, and look at skills we can add to our personal, professional, and institutional toolkit that make us more effective business partners. Michael Brady’s bio.

Mitigating Risk in the Era of APTs and Mobile Computing | Joe Rogalski (Symantec)

Advanced Persistent Threats are very real, and quite serious.  Even if you’re not a target, you need to understand them to get the full picture of the threat landscape.  In the fast-moving world of cybercrime, today’s APT technique will become tomorrow’s standard practice, so it’s critical to have a defense-in-depth strategy.  In addition, the increasing value of your strategic information means you not only have to keep the bad guys out, but also keep the good stuff in. In the era of mobile computing, more people are accessing more data from more points than ever before.  How do you ensure the right people have the right access, and keep out everyone else?


Mobile & Social: A Transformation | Jon Gordon

Two major trends are driving change across all sectors of the economy: mobile technology and social media. In his presentation, Jon Gordon will examine the explosive growth of mobile computing/communications technology and social networks such as Twitter, Facebook and Google Plus. He’ll explore the impact of these trends on how we live and work, and take a look at how these trends are presenting new security problems. Questions to be addressed include: Where is social media heading? How is it changing the news business and government? How mobile will we go, and is the PC dead? Is “hacktivism” the new activism? Jon Gordon’s bio.

Myths, Mistakes and Outright Lies (when it comes to your IT Security) | Kellman Meghu

A lighthearted look at common pitfalls in building an information security architecture, this presentation does not intend to be all-encompassing, but to encourage people to reconsider and re-evaluate the responsibilities of network security. Open discussion on techniques, tricks and tips is encouraged. Using a subjective threat guide, various policy-based deployments are examined at a high level to measure risk versus cost. Sometimes we spend so much to accomplish so little; other times we get so much with very little cost. Assessing how we manage and deploy our security does not have to be a complex task, but it does need to be done at a regular pace. I invite you to compare your own situation with some real-life scenarios depicted in this presentation. Kellman Meghu’s bio.

New Federal Business Continuity Guidelines | Erik Pakieser, MnCEM, CBCP

A comparison between the recently unveiled FEMA Business Continuity Guidelines and current industry standards, with discussion about compliance strategy. Historically, “guidelines” eventually become “requirements”. Many of these “guidelines” are already required for businesses who want to contract with the government. Erik Pakieser’s bio.

New More Relevant Examinations to Former SAS 70 Audits | Jeffrey Locketz

Service Organization Control (SOC) reports, specifically the SOC 2 and SOC 3 reports, address controls at a service organization that relate to operations and compliance. Specifically, the controls addressed relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy (the Trust Services Principles and Criteria). SOC 2 and 3 reports demonstrate to an organization’s customers its compliance with the Trust Services Principles and Criteria. The session will provide information on how an organization can first comply with the Trust Services Principles and Criteria and second obtain a SOC 2 and/or SOC 3 report for the use of its existing and potential customers. Jeffrey Locketz’ bio.

New School Risk Management:  Theory Driven Practice | Alex Hutton and Jay Jacobs

Interested in how innovative and progressive risk management programs operate? How (and, more importantly, what) forward-thinking risk practitioners do to translate a great idea into a great win for the business? Most security practitioners and even decision makers have an aversion to “theory” and seek out practices, “best” practices. However, establishing a best practice requires an assumption that cause and effect are consistent and the rules never change. The effect of a practice-driven practice is money being wasted in some areas while serious weaknesses go undetected in others. This talk will explore the next generation of risk management in terms of theory-driven practices that will be the future of information security. Alex Hutton’s bio. Jay Jacobs’ bio.

Order from Chaos:  Building a Crisis Management Program | Bryan Strawser

In today’s chaotic world of reputational challenges for corporations, uprisings in the Middle East, and supply chains disrupted around the world by natural and man-made disasters, building a sustainable crisis management program is often a challenge. How do you bring stakeholders, leaders, and senior executives in your company together to build strategies and leaders capable of leading your company through a major disruption?  How do you gain the resources that you need to prepare for and monitor the risks ahead?  Hear perspectives on these challenges along with potential solutions for your company in this session. Bryan Strawser’s bio.

PCI Myths and Mistakes | Brian Serra

PCI compliance is a tricky topic. The PCI Security Standards Council has revised the Data Security Standard, and the PCI SSC is continuing to clarify guidelines and requirements for credit card merchants to become and remain PCI compliant. Since the initial roll-out of the PCI standard, a number of significant changes have occurred, including an increase in the frequency of fines and penalties, a revamp of validation requirements based on merchant status levels, and in some cases the impact of state legislation requiring additional security controls. As the pressure on organizations to become PCI compliant increases, there are a number of common myths and mistakes around this process. Brian Serra, Accuvant PCI Practice Manager, will identify these myths and mistakes and how to address them. Brian Serra’s bio.

People Online: Security, Privacy and Reputation @the Office and @Home | Meghan Wilker and Nancy Lyons

There’s an increasingly blurry line between ‘at work’ and ‘at home’ and that line becomes that much more poorly defined when social media is in the mix.  These new ways of communicating introduce a whole new set of risks to personal and professional security and privacy.  This session will address those risks and provide a framework for how to think about using social media safely and effectively both personally and professionally. Meghan Wilker’s bio. Nancy Lyons’s bio.

Physical Security on the Front Lines | Deviant Ollam

Last year’s session discussed the nuance and finesse of lockpicking with specialized tools and toward the end, the topic of bypassing techniques was broached, where often no sophisticated or specialized tools are needed! This talk continues where last year’s left off… with a look at some of the more novel ways that people can gain entry using cursory tactics. As always, tactical and military analogies will be employed to make direct connections between INFOSEC and any other engagement where assailants must be kept at bay for as long as possible using the resources you have available. Remember the “Three R’s?” If you don’t, you’ll learn them this time. Deviant Ollam’s bio.

Practical Measures for Measuring Security | Chris Mullins

Security is often a frustrating field for business and IT decision makers. It can be difficult to quantify, difficult to get visibility into, and difficult to know when you have “enough”. Do you really need that latest threat feed subscription or state-of-the-art malware protection device? Do you need to add another security analyst to your team? And if so, how can you understand, in business terms, the value these investments bring to the business? This session will explore practical methods for applying metrics in security to support business decision making, and provide a framework to implement straightforward security metrics, whether inside your walls or at a service provider. Chris Mullins’ bio.

Pragmatic Cloud Security | David Mortman

At last year’s Secure360, I taught about the realities of cloud security as opposed to the hype. This year, I’m going to take things a step further and teach how one can pragmatically deploy to the cloud in a way that takes security, privacy and operational concerns into account without hindering the business. It’s not as hard as it sounds, it just requires leveraging the right people, process and technology and I’ll show you how. David Mortman’s bio.

Principles of Patrolling for Information Security | Patrick Tatro

Army Ranger School is a leading school for developing leaders’ ability to make decisions, adapt to situations, and accomplish the mission. Information Security Professionals face situations that don’t fall under a framework or a standard. I offer a different perspective on how to address the ever-changing business requirements Information Security Professionals face. Security frameworks and standards allow us to implement security programs or become “compliant”, yet they don’t provide the means for making decisions on “grey area” issues, or they trail behind technology. Ranger students are provided with the 5 Principles of Patrolling to assess situations and make decisions. I will present how Planning, Reconnaissance, Security, Control, and Common Sense can be applied to situations Information Security Professionals face. Patrick Tatro’s bio.

Process Not Outcomes – Architecture Risk Management: Capturing the Upside and Avoiding the Downside | Gunnar Peterson

Security architecture is the art and science of tradeoff analysis. Its decisions are based on the fluid timelines of software development and an ever-evolving attack landscape. This talk shows how to enable business goals in software architecture while managing the inherent risk in IT and Web systems. This talk takes the position that the word “risk” must never be used without an adjective – by itself, risk is a meaningless abstraction – and we will explore architecture risk, business risk, technology risk, and operational risk. Gunnar Peterson’s bio.

Reverse engineer the flag – Taking hacking to the classroom | Aaron Wampach

Hacking competitions like capture the flag can be creative and innovative learning opportunities for students. With proper guidance and the constant assurance of ethical well-being, instructors can promote a positive environment that teaches and exposes students to ethical hacking. This presentation will discuss the need for, and the learning objectives required to, successfully integrate hacking principles within a classroom environment. Aaron Wampach’s bio.

Risk Management – Beyond the Smoke & Mirrors | Evan Wheeler

There has been a lot of published work on how to perform risk assessments and various analysis methods, but they never tell you how to actually build a Risk Management Program from scratch and successfully integrate it into your organization. This session will demonstrate how to build out the core components and successfully integrate it into your environment with minimal resistance. We will discuss the basic building blocks for any good Information Security Risk Management Program including several prerequisites. We will also look at approaches to building this program from scratch and where to focus resources initially. By the end of this session, attendees should have a solid understanding of security risk assessment fundamentals and tools to implement a security risk management program in their own organization. This session will present a proven roadmap. Evan Wheeler’s bio.

Secure Cloud-Based Identities and Transactions | Ron Stamboly (Safenet)

Maintaining requisite levels of trust and security in the cloud entails employing cryptographic operations, such as data encryption and digital signatures, to ensure the confidentiality and integrity of data and business processes. During this session, SafeNet will provide direction on how organizations may realize a range of significant benefits: maximize security, reduce administrative costs and overhead and realize long-term scalability and flexibility, by establishing digital ownership and root of trust in virtual environments.


Scenario Analysis: Moving Beyond Penetration Testing | Matt Hynes and Steve Currie

Many companies spend a significant amount of time and expense at conducting vulnerability assessments and misguided penetration tests in search of compliance rather than security. The results are usually exactly what could be expected before the exercise starts. During this session, you’ll learn how “Scenario Analysis” will give you real results that you can take to non-IT management to get them to pay attention to the company’s information security posture. You’ll find that this awareness is the first step to obtaining the funding you need to operate your function in line with the threats presented in today’s ever-evolving world. This session is appropriate for all audiences, from hard core technicians to those with limited IT savvy. Matt Hynes’ bio. Steve Currie’s bio.

Securing Enterprise Data & Best Practices for Secure Mobility | Scott Ashdown (Imation)

A recent Harris Interactive survey of 302 IT decision makers in the U.S. and Canada revealed 91% of companies allow removable storage devices on their corporate networks, but only 34% enforce encryption. Workers are moving mass amounts of data through unsecured devices out of the network every day, making businesses vulnerable to loss or theft of corporate and customer data. Join us to hear the research findings of the Harris Interactive Survey and best practices for secure mobility.

Securing Your Physical, Virtual, Cloud Infrastructure | Matt Hubbard

Protect confidential data, ensure compliance and prevent costly damage, without hindering productivity.  Join Trend Micro and learn how to secure your data at rest or in motion, accessible on servers, desktops/laptops, tablets, smartphones and even removable media.  Let Trend empower you to prevent unauthorized access and data breaches throughout your enterprise, regardless of whether your infrastructure is physical, virtual or in the cloud. Matt Hubbard’s bio.

Security Beyond the Operating System | Dan Larson

Today’s security threat landscape is rapidly evolving. From an explosion of mobile devices and IT consumerization to more advanced and persistent threats, the complexity of IT security is greater than ever before. Hear directly from McAfee on how you can incorporate hardware-based PC security to gain unprecedented protection for your clients and business data. Learn how McAfee is using Intel hardware to increase protection from modern threats and expand the security administrator’s ability to manage security in their environment. Dan Larson’s bio.

Security Issues With an International Perspective | Al Kirkpatrick and David Flora

As more and more businesses expand their scope to international sales, distribution, supply chain, and processing/servicing, many information risk professionals are caught wondering what they need to know with respect to the related challenges. Based on his more than ten years’ experience working with domestic corporations’ information risk issues with respect to their offshore activities, Mr. Kirkpatrick will share learnings, tips and techniques, along with some humorous stories, that will be helpful to those faced with the new international frontier. David Flora’s bio.

Security: Don’t forget the people! | Ron Woerner

People are and always will be the weakest link in security. If we fail to understand people, we fail to properly implement security controls. Yet it’s an often overlooked topic within security curricula and training. You cannot effectively manage security without understanding people. In this session, we will talk about human weaknesses and the best ways to protect and defend against human threats and vulnerabilities. The presenter will discuss the topics of human factors, social engineering, influence, and leadership. This session will discuss why humans must be a part of the security solution and how that can be effectively accomplished. It will include a short segue on social engineering and how humans can be hacked. Lastly, the presenter will discuss the importance of influence and persuasion and how anyone can learn to be an effective security leader and coach. Ron Woerner’s bio.

See What, Say it to Whom? | Lizabeth Lehrkamp

The Department of Homeland Security has a great program in “See Something, Say Something”. It is a great way to expand national security efforts without expanding the government budget. The problem is that many people want to help but don’t understand what DHS is asking for or how to report it if they see it. FBI Special Agent Lizabeth Lehrkamp will discuss what law enforcement is looking for. For example, what does the insider threat look like, or what type of computer compromise makes the United States (or your company) vulnerable? Once you “see something”, do you report it to local law enforcement, state police or one of the many federal agencies? Is it worth a 911 call? Liz will walk you through the differences, jurisdictions and accessibility of the law enforcement agencies.


Seeing through the Clouds: Tactics to Deal with Limited Cloud Visibility | Mike Rothman

One of the key issues in moving infrastructure into the “cloud” is the lack of visibility. In your own datacenter, you can see from Layer 1 on up. In the cloud, not so much. Thus, the cloud requires a different approach to monitoring. Mike Rothman, President of Securosis, will address how security management changes in the cloud, and will discuss tactics to monitor within the areas of the cloud you can see. Mike will discuss the following topics: the (re)importance of patching and configuration management; monitoring instances (with and without the cloud provider’s help); database activity monitoring in cloud-space; and gaining application-level visibility (and buddying up to your developers). Mike Rothman’s bio.

Software Security Goes Mobile | Jacob West

Mobile devices and the security risks introduced by the software that runs them are proliferating, especially with the open and fragmented Android ecosystem. This talk scrutinizes challenges faced in securing mobile apps, focusing particular attention on the unique challenges of the Android platform, and contrasts them with legacy and more mature software security initiatives. We discuss how consumerization confounds security efforts, how the mobile app lifecycle makes risk a hot potato, and conclude with the top mobile threats and how to avoid them. Jacob West’s bio.

Solving Data Breach Points of Egress with Analysis | Chris Andrews

Data breaches are becoming more and more common. Claims of fraud, financial tampering, computer crime, employee misconduct and other wrongdoing require corporations, law firms and government agencies to follow digital trails to piece together facts that lead to the truth. During the investigation, it’s important to engage forensic experts who can uncover important facts without compromising the integrity and admissibility of electronic evidence. This session will cover basic forensic analysis of workstations, servers and volatile memory for evidence of unauthorized access and exfiltration of data. Special attention during this session will be given to log analysis, timeline analysis and witness interviews. Chris Andrews’ bio.

Stopping Next-Generation Threat Protection | Dan Walters

Advanced malware, zero-day and targeted APT attacks aggressively evade signature-based defenses and compromise the majority of today’s enterprise networks. The primary mission for any organization dealing with advanced malware is integrating defenses to block known malware, stop outbound data exfiltration attempts, and detect zero-day, targeted attacks. Dan Walters will give five guiding principles for integrated, next-generation threat protection, covering:
* Security techniques leading institutions can use to protect themselves from advanced malware
* Understanding and naming the five principles that can be implemented for advanced malware protection
* Discussion around how advanced persistent threats are using advanced malware to further their objectives

Terrible Things in Network Security | HD Moore

This presentation focuses on a series of network security vulnerabilities that many organizations are struggling to protect against and have little chance of solving in today’s technology environment. This session will encompass the high-level risks that information security executives should be aware of, the technical details of how these are exploited, and why they are so difficult to protect against, with examples of existing failed strategies. Understanding these risks and the right way to approach them is critical for anyone responsible for the security of a modern enterprise environment.


The Downfall of the BC Professional: Setting Up a Personal Plan to Quit Bad Habits and Shine at Your Organization | Frank Perlmutter

It’s no secret that BC professionals are losing their jobs every day, while many of our other colleagues continue to wallow in uncertainty. Yes, the economy is partly to blame, but our profession as a whole is extremely susceptible to job loss. And to an extent, we are to blame. Now, more than ever, we must clearly show our value and eliminate the practices that have been plaguing professionals for years. Join this seminar as we discuss expert tips on how to increase your job security by proving your worth to executives and plan users, and eliminate traditional, widespread methods that have led to the downfall of many of our colleagues. Specifically, we will lay out a step-by-step plan to maximize our professional value. Frank Perlmutter’s bio.

The Ethics of Engagement and Trust | Chad Weinstein

Organizational ethics – like security – is too often used only to avoid negative outcomes. And yet, ethical transgressions still make headlines. This presentation will present a more positive view of ethics – ethical leadership – and share how some core concepts and skills can drive real performance gains through improved engagement and trust. Using real-life stories and examples, Chad Weinstein will demonstrate how security professionals can ignite and sustain engagement among team members and play a leading role in building stronger, value-based relationships with customers, vendors, and other stakeholders. This lively presentation will show how ethics and security can go beyond risk management, to become positive investments in the strength of an organization. Participants should come prepared to think, laugh, and learn. Chad Weinstein’s bio.

The Failure of Risk Management | Douglas Hubbard

What is your organization’s greatest risk? Chances are, your biggest risk is that your risk analysis–and therefore your risk management–has some serious flaws and may not be improving decisions at all. Even the most quantitative analysis methods have been found to have systemic–but avoidable–biases and errors. Douglas will review the following problems and how to avoid them. For example:

  • While most quantitative models have at least some subjective estimates, research shows that experts are consistently overconfident in their assessments of their own uncertainty.
  • Empirical analysis is vastly underutilized in quantitative risk assessments and when it is applied, it tends to be applied to the wrong problem.
  • Research shows that there is a strong placebo effect in the use of “structured” methods causing decision makers to feel more confident in their choices, even when the decisions and forecasts were measurably worse.

Douglas will show research collected from a variety of fields that show that 1) quantitative methods work best, 2) but even quantitative methods often have avoidable problems and 3) the growing popularity of “qualitative” methods will make us feel better about decisions without actually improving them (or even making them worse). Douglas Hubbard’s bio.

The Genie’s Out of the Bottle: BYOD Policies That Work | Jeff Schmidt

With the proliferation of smartphones and other mobile devices in today’s workplace, organizations continue to wrestle with the security challenges inherent in allowing mobile access to corporate data. While the benefits of the “bring your own device” (BYOD) concept are recognized – increased productivity and responsiveness, communications anywhere and anytime – myriad security issues, including the risk of security leaks, data breaches and loss, noncompliance, and loss of infrastructure control, are keeping countless executives awake at night. The session will outline the security and technical challenges of a BYOD approach and how to determine if a BYOD program is right for your business. It will also highlight proactive BYOD strategies that work, what to include (and pitfalls to avoid) in creating BYOD policies, and how to implement BYOD programs that protect an organization’s assets while enabling employees to benefit in today’s mobile world. Jeff Schmidt’s bio.

The Internals of Identity-theft Attacks | Tim Armstrong

Specialized malware aimed at global businesses is being used to hijack sensitive information, including financial data such as bank accounts and logins for eBay, PayPal and Amazon.com. In this presentation, Tim will provide an in-depth look at the internals of a typical identity-theft attack and identify some basic steps that global corporations can implement to stay protected.

The TL:DR Guide to Cloud Computing | Kevin Riggins

The NIST guide to cloud computing security and privacy is 80 pages long. The CSA guidance is over 170. Numerous books of many, many pages have been published that explain the cloud and what it means to you. All these resources contain good and important information, but there is a lot of it. This talk is the ‘Too long; didn’t read’ version of that same topic. We will explore several key areas of cloud computing with a very pragmatic approach to what we really need to be thinking about when we consider this technology for our organizations. Kevin Riggins’ bio.

There is no Bigger Data Than Your Big Security Data | Marc Maiffret

The idea of “big data” has technology vendors and customers alike scrambling to come up with ways to manage the limitless amounts of data being generated by apps, APIs, databases, web services, etc. For organizations with aggressive security and compliance requirements, the security data driving today’s modern threat and risk intelligence (assessments, compliance reports, attack and mitigation data, etc.) is “big data” in itself. In fact, it might be the biggest data in your organization with regard to its value and impact on operations. It is one thing to collect this data (no small feat, actually), but the real challenge is in making sense of all of this valuable information in an actionable format. This session will discuss the most effective ways that today’s large enterprises are not only managing their big security data, but using it to their advantage in crafting security strategy. Marc Maiffret’s bio.

Unbelievable, Now I Need to Secure the Application? | Robert Sullivan

Your boss just came in and announced your application was compromised, resulting in a data loss incident. The customers have demanded proof that your code is secure! Where do you turn? During this presentation, we will discuss resources to help you understand what secure coding is, what processes can assist you and tools to help move you into the realm of having truly secure code. These are also the same areas that many regulations such as PCI and HIPAA require. By attending this session, you will learn: What secure software development means; What secure development models to follow; What resources are available to continue learning about secure coding; and what needs to be done to secure the code. Robert Sullivan’s bio.

Update on HITRUST: Are we there yet? | Yan Kravchenko

HITRUST is now 3 years old and is gaining more interest every day. In this session, attendees will learn about HITRUST as an organization and some of the changes it has undergone, learn about the framework and its most recent changes, and will finally learn some of the feedback that was gathered from the local HITRUST SIG. Yan Kravchenko’s bio.

Update Your Software or Die | Wolfgang Kandek

Recent highly publicized data breaches beg the questions: why are we so vulnerable, and what can be done to prevent such “advanced” attacks? This session will explore recent threat vectors and show some of the highly publicized malware and zero-day exploits that were used in these attacks. The speakers will then go over the preventative measures that organizations should take to increase their protection and demonstrate the benefits of software hygiene: keeping systems patched and up-to-date with recent software updates. Learning objectives from this session will include: recent threats and 0-day exploits that were used in recent high-profile attacks; live demonstration and examples of tools used to track and detect these attacks; countermeasures that could have prevented these attacks; patching and configuration guidelines for prevention; and research data, based on current statistics, that shows the state of software hygiene within enterprises. Wolfgang Kandek’s bio.

What to Do When Your Management Doesn’t Want to Complete a BIA | Fred Klapetzky

We’ve all heard it before – “We don’t need a BIA,” “We don’t have time to update our plans.” Worst of all, it’s our management team saying it! This session is designed to help us explain, persuade and inform our leadership teams to support the continuity planning process. We’ll take a look at common complaints and equip you with some strategies to counter them and turn the situation around. Bring your issues and complaints – this is an interactive session and everyone should leave better prepared. Fred Klapetzky’s bio.

Where’s the beef: Educating an organization on risk and decisions | Aaron Wampach

People make bad decisions. Organizations make bad decisions, but are these decisions based on bad information, or on a lack of the information needed to make a decision? This presentation will define a simple process that an organization can follow to compile information that can be used for making decisions and determining the level of risk that will be accepted. Aaron Wampach’s bio.

World Tour of Privacy Legislation | Jay Cline

This session will provide an overview of GAPP – the privacy world’s version of the ISO 27001 framework – and use that reference point to detail how various jurisdictions have legislated on privacy since 1974. Other topics to be discussed include: Generally Accepted Privacy Principles; North American privacy legislation: HIPAA/HITECH and GLBA Privacy Rules, CAN-SPAM, COPPA, FCRA/FACTA, the Privacy Act of 1974, FERPA, and state-level laws; the concepts of federal pre-emption and private right of action; Canada’s PIPEDA, provincial laws, and commissioner findings; European privacy legislation: EU directives on data protection, data retention, and electronic communications; Article 29 Working Party key documents; unique member state legislation; U.S.-EU Safe Harbor, model contracts, and binding corporate rules; data-breach notification; and other privacy legislation around the world, outlook, and enforcement. Jay Cline’s bio.

What’s Hot & What’s Not: Screening & Security | Mary Poquette

Background screening generally does not garner much notice on the radar screen of security professionals. It’s not particularly high tech or exciting and is generally assumed to be working. Is it working in your organization? When was it last evaluated? Is it flexible and ready to change given current legislative, regulatory, and societal activity? This session looks at what is new in background screening, what is working, and what is not. It explores new screening tools and trends; examines current legislative, regulatory, and societal activity; presents the practical impact of changing laws and regulations; and provides a 10-point checklist for security professionals to use when examining their programs. Screening employees and contingent workers remains a critical component of any security program. Learn how to maximize your program effectiveness and mitigate risk. Mary Poquette’s bio.

Why Mobile Device Management (MDM) needs mobile security | Stacey Garcia

Mobile threats are constantly changing, and an MDM solution will not address your primary concerns around securing your data. Learn how to safely allow mobile devices in the workplace while protecting against mobile threats and data loss. Stacey Garcia’s bio.

Winning Presence for Make-or-Break Moments | Dean Hyers and Pete Machalek

We all experience them: those “in the spotlight” make-or-break moments where success or failure seems to be entirely on our shoulders. We might be pitching to prospects, up-selling clients, or looking to generate support from our superiors, commitment from our teams, or credibility with an outside group. We feel the pressure of these moments, and don’t know how to consistently handle them with confidence and influence. In this game-changing presentation, we will address this challenge from our unique vantage as filmmakers who specialize in helping performers deliver optimal performance in high-pressure scenarios: a powerful new paradigm for thinking about high-pressure moments, a unique technique for transforming anxiety into excitement, and a process for organizing your thoughts. Dean Hyers’ bio. Pete Machalek’s bio.
