At Financial Information Security Decisions, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to New York City for this year's event, worry not. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Financial Information Security Decisions presentations can be submitted via SearchFinancialSecurity.com.
A thinking information security professionals guide to career management
While information security leadership positions are in high demand, the competition for these opportunities are increasing. In this presentation, Lee Kushner, president of LJ Kushner and Associates provides guidelines on how to maximize your current information security role and build the necessary skill sets to take your career toward your desired result. It will enable, you, to manage your own career, guide you in developing your "personal brand", and successfully compete in the quickly evolving CISO marketplace.
Are you paid what you are worth?
Foote Partner's most recent survey of 78,000 IT workers reveals that pay for security practitioners is outperforming most other categories of IT jobs and, despite gloomy economic conditions in North America, premium pay for infosec certifications has been rising. Security pros are benefiting from growing consumer concerns, regulation, the popularity of mobile computing and hot technologies requiring protection, and trends in business risk management and IT employment. Will this change as the economy worsens? In this session, David Foote discusses what all this means for the financial services industry and present his firm's 2008 infosec compensation benchmark data and projections drawn from Foote Partners' rigorous benchmark research involving 1,900 public and private sector employers in US and Canada.
Managing security in difficult market conditions
As information security continues to mature as a discipline, it will increasingly be measured in the same way as other technologies are, and security managers will be asked to apply additional financial rigor to their programs. Therefore, striking the right balance between efficiency and controls becomes a necessary part of every organization's security program. In this keynote, JPMorgan Chase's Anish Bhimani discusses how to: Strike the right balance between productivity, quality, and controls; prioritize investments, and self-funding investments through production efficiency; and leverage security investments that can yield additional non-security efficiencies.
Owning the enterprise
It is not a surprise or a new discovery that the level of security on internal enterprise networks is significantly less than on the same organization's external-facing networks. Even with draconian patching policies and operating system security settings, the vast scale and heterogeneity of internal networks forces significant security compromises. While an exploit may open the door, especially via a client-side web browser or application vulnerability, compromising enterprise networks rarely requires exploits. In this session, security researcher Dino Dai Zovi evaluates the current and future state of client-side application security and describea attacks that defeat or bypass current enterprise security defenses, such as 802.1x/NAC, Active Directory authentication, and Vista's Protected-Mode Internet Explorer.
Your strategic security metrics program
At the operational level, there are many metrics to pick from with varying levels of return to the enterprise. At the strategic level, we remain very much in red-yellow-green, thumbs-up, thumbs-down land when the CIO asks "are we secure?" In this session, Burton Group Senior Analyst Pete Lindstrom will explain how to bridge the gap to provide evidence-based, objective metrics at a strategic level. This session aims to set the bar high for security programs -- to drive away the ad hoc, management by exception environment that exists today and replace it with a program that is measurable and defensible, even in the face of varied levels of risk tolerance. Along the way, we will define a set of alternative paths that can be followed to achieve these objectives.
How effective is your network neighborhood watch?
The Internet is a rough neighborhood and how well are you policing your part of the Internet? Online fraud is pervasive, hackers continue to use sophisticated techniques to target financial and personal information. In this talk, Jerry Dixon, director of analysis for Team Cymru, provides an overview of the current trends affecting organizations, including, what enables online fraud, what the main barriers are, and what you should be doing to combat the problem.
Best practices in managing privileged access
Privileged user and password management (PUPM), also known as password vaulting, has recently become a topic of great interest for financial services organizations due to inefficiencies in privileged user and password management processes today. With an increased number of audit findings and internal security threats, security pros are finding holes and need to more effectively automate the process. Andras Cser, senior analyst, Forrester Research, provides an overview of the problems, processes, and products for meeting regulatory and security requirements in the area of PUPM.
The evolving value proposition and impact of identity management
For years now businesses have understood the value of adopting an identity management approach to securing data access. But for a variety of reasons they have chosen not to adopt it. In 2008, that seems to be changing. Driven by advances in the technology, and in response to regulatory requirements, many organizations are redefining their business cases to adopt an identity management solution. Building on a multi-year case study, David Sherry, vice president of enterprise identity and access management at Citizen's Financial Group, explores how you make and sell the business case for identity management, regulatory and business impacts, and some suggestions of important areas to consider in an overall solution.
Compliance and outsourcing
Financial organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services. Partnering with other organizations brings with it risk, particularly when the information shared with the service provider is sensitive and is subject to regulatory requirements.
Most regulations from those specified by the FFIEC to GLBA to PCI require organizations to ensure that their service providers protect sensitive data according to the requirements of the regulation or contract. This requires a service provider management program and SLAs that clearly state the responsibilities of both parties.
In this presentation, compliance guru Richard Mackey, vice president, SystemExperts, discusses the requirements stated in various regulations and practices designed to help you effectively manage your service providers.
How I learned to stop worrying and love my compliance department
Financial institutions are unique as they are driven by countless regulations and other factors that make it essential to create a framework on which to base corporate and business-unit based risk management. In this session Matthew Todd, CSO and vice president, risk and technical operations at Financial Engines explains how he attacks this problem.
Common missteps when trying to meet PCI compliance
Interpreting and applying technology and controls to PCI can be confusing. In this session, SecurityCurve's Ed Moyle, outlines the six common mistakes organizations make and how to avoid them when you are trying to meet a PCI audit. He also outlines the key areas companies need to focus on when dealing with an assessment.
Meeting the new PCI application security requirements and creating secure code
In this session, SecurityCurve's Diana Kelley, explains Web-application security, PCI requirement 6 and 6.6, and the PA-DSS and why creating secure code is essential to protecting assets. She provides an explanation of how security, more generally, can be woven throughout the software development lifecycle and explain some of the most common web application security vulnerabilities, including the OWASP Top Ten. Finally, she will present an overview of web application penetration testing tools specifically created to help organization test and monitor web applications and how entities can get the most value from the tools and meet the latest PCI requirement.
Five myths of threat management
There are many common misconceptions thrown at you everyday about how to protect your organization. In this dynamic session, Joel Snyder, senior partner at Opus One, helps to demystify these defenses and gives you the straight answers. He reviews: Intrusion defense, malware protection, application layer threats, how to deal with upcoming threats, budget issues, and more.
Bringing operational discipline to network security
Christofer Hoff, chief security strategist for Unisys and former CISO for a $25 billion financial services company explains how to apply operational discipline to network security. He explores real-world examples of transforming the operational discipline of information security and build the foundation for service improvements. This practical case study introduces innovations in network and risk analytics that get to the root of change and risk management - transforming today's labor-intensive efforts of guesswork into predictable, automated, risk-driven business processes.
Understanding and selecting a data loss prevention solution
As networks become more porous and traditional network perimeters crumble, financial institutions are looking for ways to protect customer information from insider threats, accidents, and external attack. This session, Rich Mogull, principal of Securosis, looks at data loss prevention, one of the hottest technologies for limiting information loss. We'll explore the top five features to look for, how to run a selection process, and how to optimize your solution for the needs of financial services organizations.
Case study: Allstate Insurance Company's local data protection project
Protecting data-at-rest, data-in-transit and data-in-use in large information intensive enterprises is a daunting challenge from technological as well as financial perspectives. In this session, Eric Leighninger, chief security architect for Allstate Insurance Company, tells how his company is attacking this problem in general and in particular with regard to data-at-rest on mobile devices and removable media.
Creating successful information security governance
More than ever information security in financial services requires a thorough combination of governance elements, including policies, procedures, technology and, most importantly, training and awareness. In this session, Eric Holmquist, vice president, director of operational risk for Advanta Bank, explores the key elements of sound information security governance and how to successfully manage and coordinate all of the complex and important elements.
Lessons learned from Societe Generale
The events at Societe Generale, that led to an unprecedented $7 billion dollar loss, has been labeled as a failure of IT, process controls, management oversight and even management's crippling of the control program. In this session, Keith White, vice president of information technology risk at Credit Suisse, examines and analyzes the published facts taking into consideration principles of effective governance structures, compliance expectations, and control and monitoring strategies, all of which are critical to an effective information security program.
This was first published in June 2008