Information Security Decisions 2009: Presentation downloads

Did you miss Information Security Decisions 2009, or just want to review your favorite presentations? This is the place to download talking points from Joel Snyder, Eric Holmquist, Rich Mogull and more.


At Information Security Decisions 2009, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to Chicago for this year's event, worry not. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Information Security Decisions 2009 presentations can be submitted via
(Note: All presentations are in PDF format. Some presentations require registration.)


Justifying Security Expenditures in a Tough Economy
Sara Santerelli, Chief Network Security Officer, Verizon Business
Information security managers around the globe are facing the same challenge: how to take gigabytes of information, turn them into an actionable security program, and articulate the plan to executives to secure funding. This session takes a deep dive into creating a strategic security program and provides strategies to gain executive support. Key areas of emphasis include:
  • A 360-degree approach to planning; security is more than a simple operational or tactical function
  • Developing operational metrics for your security environment
  • Aligning your funding plan with the business
  • Ensuring your plans are realistic and represent a sound trade-off between cost and risk

Future-Proof Your Compliance Program
Eric Holmquist, President, Holmquist Advisory
The holy grail of compliance is a streamlined program that can easily accommodate new mandates and the changing regulatory environment. Case in point: Massachusetts and Nevada are in the process of enacting strict data protection regulations that will need to be integrated into your existing compliance program.

While CIOs and CISOs routinely list compliance as one of their top areas of concern and burden, a streamlined and comprehensive compliance program can be achieved. In this case study, Eric Holmquist details how such a program was implemented at one financial services company and offers best practices you can take home to your organization. Key points of emphasis include:

  • The compliance landscape relative to areas such as technology governance, information security and data privacy
  • The current environment and what may be anticipated in the years to come
  • How to address all the various compliance requirements in one comprehensive program
  • How to develop GRC best practices that meet or exceed regulatory requirements
  • Planning for the "next wave" of compliance demand

The State of Computer Security
Marcus Ranum, CSO, Tenable Network Security
Everyone is talking about compliance testing and data leakage. What's really going on that's pushing the industry in that direction? And - will it work? Marcus Ranum, a world-renowned expert on security system design and implementation and recognized as an early innovator in firewall technology, candidly discusses how today's trends are likely to affect the future of security.

Data Protection & Access Control

Pragmatic Data Security
Rich Mogull, Founder, Securosis
While data breaches run rampant and every vendor under the sun claims to offer the most efficient data protection product, there is very little information available to build a practical, effective data security program. This session busts through hype, hyperbole, and complexity and details a pragmatic approach to information-centric security that you can implement in any organization. From tools, to techniques, to process, and even to satisfying those pesky auditors, discover a straightforward, step-by-step process to reduce risks, stay out of the headlines and keep your organization's most valuable information assets safe. Key points of emphasis include:
  • The top 5 actions you can take today for data protection
  • Why traditional data classification doesn't work, and how to fix it
  • A step-by-step process for building a data security program
  • All the major data security tools, and which ones really work
  • Where encryption works, where it doesn't, and how to properly implement it

Identity Management Solutions and Today's Environment
Kelly Manthey, Partner, Solstice Consulting, LLC
Achieving compliance with auditor requirements and maintaining a secure environment remain a top priority in today's economy. Identity management solutions help companies implement sustainable processes that drive efficiency, accuracy, and compliance.

This presentation explores the business challenges exacerbated by today's financial crisis and reveals how identity management solutions can address these challenges. See where your organization fits on the capability maturity continuum and learn practical tips for how you can move further along the continuum. Key points of emphasis include:

  • Common business challenges: downsizing and doing more with less
  • Responding to regulatory requirements
  • Capability maturity model
  • IdM technology landscape
  • Enterprise IdM roadmap best practices
  • Best practices for IdM

Pragmatic Database Security
Rich Mogull, Founder, Securosis
Most days it seems there just aren't enough hours to keep corporate databases secure while meeting compliance requirements. This session explores practical steps to dramatically improve security while meeting compliance requirements and even reducing audit costs. From secure design and configuration, to vulnerability assessment and activity monitoring, Rich Mogull lays out a step-by-step plan for improving your database security. Following his philosophy of "security first", Mogull also discusses leveraging the same investments to meet compliance requirements through documentation, reporting, and continuous controls. Key considerations include:
  • The top 5 steps for database security
  • How to align database security and compliance without additional investment
  • The best tools and techniques for database security and compliance

Emerging Threats

Cloud Computing: Security Risks and Compliance Implications
David Sherry, CISO, Brown University
We've all heard the hype surrounding cloud computing and like all emerging technologies, it has many definitions and solutions, as well as many points to consider from a security perspective.

This discussion explains cloud's many uses, its current advantages and disadvantages, and most importantly, the security questions that must be considered. Key considerations include:

  • Cost considerations when utilizing the cloud
  • Practical uses for piloting and testing the cloud
  • Regulatory implications when moving to cloud computing
  • How cloud computing can be used securely within an organization

Reality Check: Emerging Internet Security Threats That You Need To Worry About Now
Lenny Zeltser, Security Consulting Manager, Savvis
Financial incentives are encouraging attackers to invest significant money and effort into powerful techniques for breaching enterprise defenses. Now that fortune, rather than fame, drives these attacks, it is critical to keep abreast of the latest attack trends.

In this presentation, security expert Lenny Zeltser explores today's emerging Internet security threats to help fine-tune your organization's defenses. Attend and examine attack patterns that have included the use of email as a gateway for fraud, the mighty power of network bots, the fertile ecosystem for web-based attacks, and the increased precision of modern attacks. Get real-world examples of cyber attacks, and explore the financial incentives behind the malicious activities that occur on the Internet. Key considerations include:

  • What is driving modern-day attackers to large-scale and targeted attacks
  • Which recent breaches exemplify threat categories that organizations need to track
  • The various ways Internet criminals trick victims and bypass defenses
  • Whether you should adjust security architecture to match today's threat landscape

Web 2.0 Technologies
David Sherry, CISO, Brown University
LinkedIn, Facebook, Twitter; social networks, blogs, wikis; SAML, XML, AJAX. These terms and solutions are all part of the Web 2.0 revolution, and are (or will soon be) facts of life in the enterprise. While there are many positives to these rapidly emerging technologies, there is also the potential for your employees to disclose confidential corporate information and compromise the security of your environment. Web 2.0 is something to be embraced, but not without consideration of the risks and how to mitigate them. Key highlights include:
  • A holistic view of 2.0 with a goal of raising awareness on industry standards, best practices, and interoperability
  • Strategies for developing, implementing and enforcing a tight policy around Web 2.0 technologies

Governance, Risk & Compliance

How to Evolve Your Compliance Program As Technologies and Mandates Change
Richard Mackey, Vice President, SystemExperts
Compliance questions are always top of mind. As technologies change and audit processes evolve, so does the interpretation of regulatory requirements. For instance, how do you deal with the explosion of virtualized machines when it comes to segregation of function? Further, how do you deal with the responsibilities for administration of the virtual machine versus the administration of the underlying environment in meeting compliance requirements? And, how do you take existing standard regulations and apply them to new and ever-changing technologies?

This session describes how to effectively interpret particular requirements from regulations such as HIPAA and PCI and implications these interpretations have on compliance activities, administration, and auditors. Key areas of emphasis include:

  • How the use of virtualization affects system administration requirements, segregation, and network security
  • How to make decisions about what to encrypt and how those decisions affect key management and archival of information
  • How to test the security of your applications and environment, as required by PCI, among others

Change Management and Compliance: The Challenge of Organizational Culture
Eric Holmquist, President, Holmquist Advisory
All compliance certifications ("yes, we are compliant") rely on one indisputable constant: that nothing material changes. Ironically, nothing could be further from the truth. Every day people, process, technology and external influences change, any one of which can have a dramatic impact on a company's compliance status and program. Creating and maintaining a sound compliance program requires that companies address the implications of change and build dynamic governance mechanisms that are not only proactive, but can react and respond quickly and efficiently. Without these mechanisms in place, companies will constantly be dealing with surprises and an ever-present threat of compliance violations. Key areas of emphasis include:
  • The cultural effect of change
  • Assessing the risk of change relative to compliance risk
  • Attacking change at the root, not the result
  • Building dynamic systems that adapt quickly
  • Creating world-class response systems for unexpected change

New Regulations on the Rise
Richard Mackey, Vice President, SystemExperts
While there is no doubt that new regulations increase the compliance burden on financial institutions, the commonality of requirements between the new and existing regulations offers a possible solution. Key areas of emphasis include:
  • Various aspects of regulations like MA 201 CMR 17 and the Nevada data protection regulations
  • How to structure a compliance program to address both the areas that are common to many and those that are unique to particular regulations and contracts
  • Examples from the Red Flag Rules, the Massachusetts Identity Theft Law, PCI, HIPAA, and GLB

ISD Time Machine: download presentations from Information Security Decisions 2008 and Information Security Decisions 2007.

Network Security

Securing the Application Layer
Joel Snyder, Senior Partner, Opus One
All of today's biggest threats are at the application layer. The complexity of web-based applications and the tenacity of those who wish to break them have combined to form a massive snarl, one that leaves network and security managers wondering what they can do to help secure their Internet-facing web applications. Traditional tools, such as firewalls, are ineffective at blocking application layer attacks. Building a secure application layer requires new knowledge of the attacks, new ways of thinking about security, and new tools. While the final responsibility for application security lies with application developers, network and security managers must provide defense in depth all the way up to the application layer. Key areas of emphasis include:
  • What the main threats are to the application layer
  • How existing tools can be used to help protect the application layer
  • Where you can--and cannot--provide protection
  • New tools and techniques that reduce application layer threats

SaaS Security Checklist: Data, Management and Liability
Diana Kelley, Partner, SecurityCurve
When an enterprise uses a SaaS offering, who owns the data? What is the liability if a loss or outage occurs? How much money will the company really save if a SaaS solution is adopted? Spending a few moments to think through these points before moving to a SaaS vendor can save time and aggravation down the road. Key areas of emphasis include:
  • Who will own the data and transferability issues
  • Understanding "hidden costs" and savings calculation
  • Licensing and support
  • What risks can be transferred, and what can't
  • Quantifying cost of loss for data leakage and downtime

How To Build a Security Dashboard to Streamline Your Data
Joel Snyder, Partner, Opus One
With security tools bolted into all parts of our networks, we're now left with two big questions: first, is all this doing any good, and second, how will I know when something is wrong?

The answers to these can be found by paying close attention to what these devices are telling you, but, unfortunately, security products are too chatty and easily overwhelm us with raw data that can't be easily absorbed. One solution to this problem is the creation of a "Security Dashboard," a set of carefully considered measurements and key performance indicators that help you turn the data coming from your security products into useful, actionable information. Key focuses include:
  • Finding the critical information coming from your security products
  • Understanding the importance of aggregation and summarization
  • Identifying areas where trend graphs give valuable information
  • Correlation rules and policies that identify trouble spots quickly

This was last published in October 2009
