Ireland Chapter www.isaca.ie | @isacaireland Friday 23rd October

2015 Conference Brochure - Trust Security Agility



CONTENTS

Page 1 Agenda
Page 2 Welcome
Page 3 Thought Leadership Corner
Page 14 Keynote Abstracts
Page 15 Assurance Abstracts
Page 16 Cybersecurity Abstracts
Page 17 Risk Abstracts
Page 18 Privacy Abstracts
Page 19 Enterprise Governance Abstracts
Page 20 Application Security/DevOps Abstracts
Page 21 Keynote Speakers Bios
Page 23 Track Speakers Bios
Page 27 Personal Notes
Page 29 Conference Sponsors

VENUE MAP

Rooms and areas shown on the map: Hogan Mezz I, Hogan Mezz II, Nally Foyer, Mezz I Foyer, Mezz II Foyer, Canal Foyer, Exhibition Pavilion, bar, lunch area, pitch window, kitchen stairs, escalators, WCs and the two entrance/exit points.

Map legend: Assurance, Enterprise Governance, Cybersecurity, Privacy, Keynotes, Risk, Application Security/DevOps, Exhibition Pavilion, Lunch.


AGENDA

08:00 - 09:30 Registration & Networking Breakfast

09:30 Morning Keynotes (Location: Hogan Mezz II)

Shannon Lietz, Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit: Embracing DevSecOps To Support Rugged Innovation At Speed And Scale

Dr. Jyn Schultze-Melling, Director for Privacy Policy, Europe at Facebook: Move Fast... And Safeguard User Trust - How Facebook Handles Privacy And Data Protection While Growing A Social Network For 1.5 Billion People

10:55 - 11:20 Tea Break

11:20, 11:55 and 12:30 Morning Tracks

13:00 - 13:45 Lunch

13:45, 14:20 and 14:55 Afternoon Tracks

15:25 - 15:45 Tea Break And Stands

15:45 Afternoon Keynotes (Location: Hogan Mezz II)

Randy Shoup, CTO at Randy Shoup Consulting, Former Engineering Director DevOps at Google and Chief Architect at eBay: Leading A Successful DevOps Transition: Lessons From The Trenches

Theresa Payton, CEO and President at Fortalice Solutions LLC, Former White House CIO: Failsafe The Human Psyche To Advance Security And Privacy

17:30 Conference Closing

17:30 - 19:00 Networking & Drinks

Track Locations

Assurance - Canal Foyer
Cybersecurity - Hogan Mezz II
Risk - Nally Foyer
Privacy - Hogan Mezz II
Enterprise Governance - Canal Foyer
Application Security/DevOps - Nally Foyer

Track Sessions

What We Missed At The Data Centre Audit. Robert Findlay, Global Head of IT Audit at Glanbia Ireland

My Data My Responsibility. Jenai Nissim, Data Protection Manager at Capital One (Europe) Plc

Entertainment Event Après Breach - Are You Ready? The Hitchhiker’s Guide To The Integration Of Privacy And Security. Gerard Smits, Founder at NedPrivacy

Legal Solutions To Technical Privacy Problems. David Fagan, Commercial Lawyer at Business Legal

Role Of Information Security Professional In Tackling Terror. Dr. Vishnu Kanhere, Consultant at V. K. KANHERE & CO / KCPL

Shadow IT Risk - Empirical Evidence From Multiple Case Studies. Christopher Rentrop, Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)

Getting Started With GEIT. Peter Tessin, Technical Research Manager at ISACA

How To Talk About IT Governance With Your Boss In The Elevator? Bruno Horta Soares, Founder & Senior Advisor at GOVaaS - Governance Advisors as a Service

Is Protecting The Balance Sheet Really Enough? Joseph Mayo, President at J. W. Mayo Consulting, LLC

Understanding Today’s Mobile App Store Ecosystem And Why You’re At Risk. Jeff Lenton, Solutions Architect at RiskIQ EMEA

Threat Modeling: Finding Security Threats Before They Happen. Jeff Kalwerisky, VP & Director of Technical Training at CPE Interactive, Inc

A Case Study: Standard Bank’s Journey Into Security And DevOps. Jock Forrester, Head of IT Cyber Security at Standard Bank

Making Friends With Internal Audit! Andrea Simmons, Managing Consultant at i3GRC

Increasing Your Audit Relevance Using COBIT 5. Barry Lewis, President at Cerberus ISC Inc

New Cyber Defense Management Regulation For Banks In Israel - Lessons Learned From Implementing One Of The World’s First Cyber Defense Management Regulations. Ophir Zilbiger, CEO at SECOZ

8 Security Lessons From 8bit Gaming. Gavin Millard, EMEA Technical Director at Tenable Network Security

How To Make Rubbish Risk Decisions. Michael Barwise, CEO at Integrated InfoSec

A Question Of Trust. Wendy Goucher, Information Security Specialist at Goucher Consulting Ltd.


Welcome to the ISACA Ireland 2015 Conference “TRUST, SECURITY, AGILITY: Businesses Better Prepared For Tomorrow, Today”

Dear Conference Delegate

Thank you for joining us at this year’s conference. A lot of exciting activities will be going on today, as we share knowledge on the most critical IT and business issues facing our organisations. We hope that discussions held here will help us better understand the challenges today and the solutions needed for tomorrow.

Themed “TRUST, SECURITY, AGILITY: Businesses Better Prepared For Tomorrow, Today”, the conference features sessions providing insights into the latest thinking in the fields of Assurance, Cybersecurity, Risk Management, Privacy Management, Application Security/DevOps and Enterprise Governance. The conference this year will focus on how we can help our business partners to be dynamic and faster in meeting their goals in a well-managed way, against the backdrop of ever evolving risks and positive disruptive technology challenges.

We would like to take this opportunity to thank our conference sponsors and supporting organisations for their continued support and we invite our delegates to make the most of the literature provided by them at the exhibitor stands over the duration of the conference.

Our appreciation goes out to all our conference speakers who have given up their time to speak at the conference. We wish to thank the conference committee for their significant contribution and continued hard work towards making the conference a success.

Your feedback is very important to us. If you have any further comments, please do not hesitate to contact any ISACA Ireland Committee Member. We encourage you to become an active part of the sessions and thank you for taking time out of your busy schedule to attend the conference.

Neil Barlow CISA, CISM, CRISC
2015 Conference Chair

Neil Curran CISA, CISM, CGEIT, CRISC
Chapter President of ISACA Ireland

Gold Sponsors

Silver Sponsors

Bronze Sponsor

Supporting Organisations

BCS IRMA, CSA Ireland, IAPP, ICS, ICTFF, IIA, IISF, IRISS, ISC2 Ireland, ISF, MTUG Ireland & OWASP Ireland


THOUGHT LEADERSHIP CORNER

Break All The (Security) Rules If You Want To Protect Your Company’s Digital Assets

Theresa Payton is CEO and President at Fortalice Solutions LLC & Former White House CIO

Everyone from elected officials, to your grandma, to Oscar winners, and major corporations has become a high value target for cyber criminals. Your company and your customers are no exception.

The one constant we can all depend on with cyber security is that it is constantly changing. Our tactics change quickly because the threats are always imminent. As your industry evolves, how does the consumer evolve? How do they adapt to the roadblocks we must design to keep out the bad guys?

Warnings of security threats are almost overwhelming, aren’t they? They inspire movies, books, and TV series. But the warnings are just that—warnings. Companies are not responding fast enough because the warnings are not actionable. If the news says, “Crime is going up!” but does not say the type of crime, the geography, and what you can do about it, will you act differently? Other than being afraid and looking over your shoulder more, a warning alone is not helpful. The media needs to ask more follow-up questions, asking: “Thanks for that warning. Now what can we do about it? Do we crawl under our desks, or do you have a remedy for us?”

The security industry is designed to build a fortress, a defense. The highest priority for consumers is easy access to transact business with you while protecting their identity and information.

As a cyber security expert for over two decades, a former White House Chief Information Officer, and an advocate for consumers, I have examined how these universes have evolved into today’s new reality. The key question: are companies really responding to today’s headlines, or will meaningful change be enacted?

If spending money on cybersecurity is one metric, the answer is yes. According to accounting and consulting firm PricewaterhouseCoopers, the financial services industry alone plans to spend an additional $2 billion across the next two years on top of what they already spend.(1) What will the investment mean for the consumer? Candidly, not much if things do not change across the flow of money and how we design security for the user.

The pivotal moment for me that shifted how I design a security strategy started my first day on the job at the White House. It came down to the people who served at 1600 Pennsylvania. We knew we had to address the hearts and minds of the staff if we wanted to protect their privacy and security.

After all, if solving cyber security and privacy issues were as simple as following security best practices, we would all be safe. It’s not that simple. Two key questions came to me in the first 90 days at the White House and I had to answer them or we would have had a major calamity:

Why, in spite of talented security teams and investments in security, do breaches still happen? Why is it that, despite hours and hours of boring computer based training and security campaigns, we still make mistakes and click on links?

Incremental steps by businesses large and small mean our overall privacy and security will be doomed to failure! All security teams, across all businesses, need to see the problem not just as a technical or economic issue - we need to also see it as a human psyche issue. To make evolutionary change we need to incorporate the following scenarios: understand and educate the knowledge of human nature and psyche into the cyber security profession; incorporate that knowledge into the design and implementation of all our systems; innovate cyber security technologies and policies that account for insecure human behaviors and incentives; and unless we do so, our privacy and security will perish.

We must critically re-examine how we assess our security technology, procedures, and methodology to fully understand the full scope of risk we bear daily and to determine the best course of action to mitigate this risk.

Studies show that human error leads to a breach and that 78% of advanced and targeted attacks tricked their way into a company’s network using spear-phishing scams with infected attachments.(2)(3) We all would like to think it’s someone else and not us personally that would be tricked.

Keep in mind that everyone is a target and someone will make a mistake; from the front desk clerk to the CEO, mistakes have been made. Security teams and executives alike keep asking: “Why do we click on links or attachments?” The better question is: “Why do we design the security assuming our users will follow all the rules?”

The way we design security, we have zero empathy. If businesses around the globe want to win the war against cybercrime, we must move to a high empathy system. It’s all about design! We need to design all applications to assume that users will do everything wrong, according to the cybersecurity playbook - they will share passwords, they will forget them, and they will do unsafe things to get their jobs done, such as use free, unsecured WiFi.

Some companies are leading the way with human centered design and asking systems to conform to the human and not the other way around. For starters, many banks will use your social security number to check your credit but not as your customer identifier. If a hacker breaks in and steals your data on many of the back office banking systems, they will not steal your social security number.

At the White House, we knew breaches and incidents were inevitable. Our best strategy was to segment data to save it. Instead of storing something, such as the President’s schedule, in one place, we would segment the ownership across multiple teams, multiple systems, and disconnected networks. This practice requires a high level of collaboration and finely tuned synchronization but the risk vs. reward was worth it.


Businesses have been improving their defenses yet cybercriminals continue to add capabilities to their arsenal while we discuss the rules we should play by for meeting regulatory requirements and enabling information sharing. Is anyone else also fatigued by the talk, talk, talk? Cybercriminals really have one rule: pay for performance. They pay when their syndicated members perform. It’s pretty simple for cybercriminals to operate. In most cases, they share the spoils they take and they share techniques for hacking into organizations, and they often don’t require certifications, college degrees, or showing up at an office.

Boards should take note of the dynamic qualities that the cybercrime underground deploys and ask what the counterbalance is within their own organization. This is not to say you should hire criminals or tell people they don’t have to show up, but if you want to beat the enemy, you have to study them and have a counterattack that takes advantage of your strengths.

Businesses need to ask themselves what the critical data elements are that are worth protecting and design for the human element. If you segment it to save it and have high empathy for the human that needs it, we will start winning this war against cybercrime.

At the end of the day, our economy works because we can trust each other. I trust my money is in the bank even though I cannot see it. The bank trusts other banks and businesses that they transact with.

If we keep doing the same security programs but just try to speed them up with more money and resources, we are doomed to failure. Customer trust will completely erode. In the words of American Express’ Chenault, “Trust is really what holds us together and that’s what holds our society together and what we are really talking about is trust.”

Sources:

(1) “Financial Firms Bolster Cybersecurity Budgets: Survey Finds Companies Plan to Increase Spending by $2 Billion Over Next 2 Years”, Daniel Huang, Emily Glazer, Danny Yadron, Wall Street Journal, November 17, 2014

(2) “Changing the Cyber Security Playing Field in 2015”, Paul Ferrillo, Weil, Gotshal & Manges LLP, January 20, 2015

(3) Verizon and US Secret Service, Data Breach Investigations Report 2014. See: http://www.verizonenterprise.com/DBIR



Sysnet is a true global market leader in cyber security risk and assurance, providing a comprehensive range of information security consultancy and assurance services in over 44 countries.

To find out more about what we can do

for your organisation contact Sysnet today.

Call: +353 (0)1 495 1300 or

Email: [email protected]


Making Friends With Internal Audit

Andrea Simmons is Managing Consultant at i3GRC

Trust...but verify!

And sure why wouldn’t you – want to make friends, right?! From the perspective of an information security professional, we’re notoriously “the department of no”, sadly – and often erroneously. We lack “friends” and rarely receive Christmas cards.... So when you take up a senior security role, you need to work out where your allies are going to be and reach out, forging relationships and ensuring that there is an open dialogue being generated. For many security professionals, an accusation thrown is that we are prone to FUD – Fear, Uncertainty and Doubt – and yet we have to have mechanisms with which to share the results of our findings, through various avenues, be they the results of Risk Assessments, Penetration Tests, Vulnerability Assessments, Internal Audit reports and/or External Audit Reports. The results of these activities invariably produce stark results which require contextual explanation but ultimately the data doesn’t lie and there has to be a point of organisational acceptance of reality. The hope is that Internal Audit are “in your corner” to help with sharing the messages with the Board and ensuring that the understanding is there, the appreciation of the implications and therefore the support for the required change.

Security

However, what does this – security – mean, to whom, in what context? We need to be careful about throwing around the term! If we start as below for a high level, it will help us keep our bearings. At minimum, we have the following stages:

1. Physical Security
2. Communications Security (COMSEC) [40s]
3. Operational Security (OPSEC) [50s]
4. Automated Data Processing Security [60s]
5. Computer Security (COMPUSEC) [90s]
6. IT Security (ITSEC) [90s]
7. Information Systems Security (INFOSEC) [90s] - merged COMSEC and COMPUSEC following rapid change in technology; combined in a new paradigm to become INFOSEC, internationally recognised in Common Criteria
8. Information Assurance [00s] (but “Cyber” threats being investigated in the background)
9. “Cyber” in the media….. [10s]
10. Internet of things / Information Society [10s]

I have no doubt many of you would articulate that differently, add a few more in, shuffle them about a bit – but you get the idea! During a period of PhD study undertaken by the author into the origins of Information Assurance, its usage and adoption, one survey respondent articulated it thusly:

Security > IT Security > Information Security > Information Assurance > GRC : It’s an evolution. In this dynamic world, we learn, unlearn and relearn [Respondent X, APJ]

In a similar vein, another IA scholar identified and articulated “Security epochs”1:

1) Revolutionary War to the mid 1820s, Mid 1830s to the 19th century ended with WW1
2) WW1 and Soviet Union emerging
3) 1920 to 1946 global recession, rise of international communism as Europe collapsed – leading to American democracy crisis
4) Cold War
5) Information age – technological developments, chemical and biological weapons etc
6) Cyber Security through to the Internet of Things

If you take number 3) above – it is clear that as humans our ability to repeat patterns of behaviour indicates an inability to learn lessons from history, in spite of all the perception of progress.

This has recently been the focus of a McKinsey report – identifying the following:

Pre-2007: Cybersecurity not a priority*
2007-2013: Cybersecurity as a control function
2014-2020: Digital resilience**

* Not entirely true, given the available material and those for whom it has been a priority for a long time.

** This corroborates my findings and conclusions that “cybersecurity” is ‘not long for this world’ in terms of focus and will be replaced – but ultimately all of this still represents a need to ensure good information security controls are in place and that an information assurance framework is in operation to provide oversight and governance. Internal Audit spend a great deal of time assessing the effectiveness of the implementation of these controls....

Agility in the Information Society

As a security professional, living in the information age, the job writes itself on a regular basis (Blue Cross Shield in the US is the latest casualty hot off the press at the time of writing)! The Web has provided undeniable connectivity and information exchange opportunities, much of which are to be welcomed. But regularly one wonders as to the sanity of decisions made when, for instance, there are Data Centres and military installations available on the Web, under the guise of public relations, signposting their buildings and facility locations. Just because you can, doesn’t mean you should – as the meme goes.

As in life, most things have an evolutionary cycle, a maturity path. The information space is no different. The value of information and the need to adequately protect it have been important societal tenets for centuries. We are living in an interconnected Information Age where there has never been greater access to information nor adoption of technology. The Information Society has progressed apace, significantly enhanced as a result of the speed of technological developments and the reach of the internet to parts of the world previously unconnected.

The speed of development(s) in many industries, in and of itself, leads to skills crises. Legislative, regulatory, industry standards and political changes can be shown to have had a significant impact on the understanding of requirements for information protection within the information society. Industry experts have been articulating the subject of Information Assurance (IA), the reasons and need for it, for several decades and yet progress to successful adoption still lacks corresponding speed in alignment with the pace of the Information Society - as evidenced by the increased volume of data lost or stolen and the number of systems breached. Information assets are the oil of the 21st century and the “internet of things” (IoT) is providing the landscape within which to really understand the synthesis and synergy required across all sectors to understand the systems that need to be in place in order to provide that effective protection. This is the landscape of proper Information Governance - which crosses over a number of other inter-related disciplines which the audience will be peripherally aware of.

Knowledge, Leadership and Communication are at the core of our success in the future. I know that we all know this. However, multiple attempts to engage with Boards and Directors do not appear to have created the kind of enlightenment required to provide embedded security. There is a level of middle management still blocking necessary actions being taken.

The single biggest problem in communication is the illusion that it has taken place. (George Bernard Shaw)

The conclusions of my doctoral research are:

• Enough of the right people do not know the ontology of Information Security (InfoSec).
• Enough of the right people do not know the ontology of Information Assurance (IA).
• Therefore, enough of the right people will not know nor be able to see the relationships between InfoSec, IA and Information Governance (IG). Much work has already been done in this area and plenty of resources exist. The author has provided a reference link to some of the outputs available below. Whilst the CIO role goes through ongoing transformation and the CISO role continues to be a poisoned chalice for many (a subject for another article in itself!), the near term future will see more CIGO roles – Chief Information Governance Officers – for those who can see the bigger picture and can holistically bring all the strands together.

The above lead to the potential that we are at a cross roads where IA either needs to combine with another complex system – the author would suggest this to be Information Governance – or it will be lost forever to the realm of “cyber” and, as a result, a dilution of intent and ongoing breaches and bad security implementations will continue to be the experience for the remainder of the 21st century. As a result of the language used, there is a contingent impact on the culture of an organisation in terms of its willingness to adopt the messages provided and embed the best practice advice.

Internal Audit (the other IA) see largely the same risks and issues that Information Security and Assurance professionals see (I continue to struggle with the level of duplication of activities – assessments, reviews etc....) so there is a real need to work closely together to achieve appropriate outcomes for the businesses/organisations both groups are serving – i.e. the same desired outcome, reduced (mitigated) risks and improved security. 100% risk free, 100% security – they don’t exist. So we need to be agile enough to be realistic in our endeavours – collectively. Here’s to outstretched hands of friendship!


ISACA Ireland Chapter Certification “Top Three” Roll of Honour

ISACA certifications are recognized globally as an industry standard and in many cases as a job pre-requisite for IT audit, assurance, control, governance, risk, compliance and cybersecurity related positions. Our certifications can help you as a professional demonstrate your expertise and abilities to both your company and peers.

ISACA Ireland is delighted to continue to recognize chapter members who have achieved a “Top Three” exam score while taking one of our CISA, CISM, CGEIT or CRISC certification exams over the last twelve months (December 2014 & June 2015 exam sittings).

For further information on this initiative, please email certifi [email protected]

Lucy Bofi n

Jason Finnerty

Andy Peter Hartland

Dina Koehler

John McGinley

Tomas O Ceallaigh

Brian O’Reilly

Louise O´Sullivan

Jan Tilo Otterbach

Courtney Renee Rothe

Ivica Stipovic

Carl James Wainwright

John Bolger

Mark McDermott

Eoin Leonard

Theodoros Nikolakopoulos

Gary McPartland

Tomas O Ceallaigh

Patricia O’Gara

Shane Phelan

Slawomir Edward Prokop

John James Burns

Anthony John Clarke

Andrew Cooke

Naomi Mary Hegarty

Adam Kowal

Petr Profous, Jr.

Anthony John Clarke

Niall Clarke

Martin Cullen

Information Security | Managed Services | Cloud Security | Consulting | Forensics, eDiscovery & Incident Response | Application Development & Integration | Audit & Testing

Dublin [email protected] 6420100 www.ward.ie

Belfast [email protected] +44 (0) 2890 823688 www.wardinfosec.co.uk

We take complexity out of information security


At ICON, innovation means embracing change and finding better ways of working. Our integrated information platform, ICONIK, enables our clients to make faster more informed decisions and supports monitoring solutions that significantly reduce development time and cost by optimising monitoring time on-site.

That’s excellence delivered.

ICONplc.com

Innovation hears a different story


The State Of InfoSec

Michael Barwise is CEO at Integrated InfoSec

“The signifi cant problems we face cannot be solved by the same level of

thinking that created them” Albert Einstein

Every time I hear of the latest ‘sophisticated attack’, I groan inwardly

and await the almost inevitable investigation fi nding that it was actually

rather a push over, even if it exploited a ‘zero day’. ‘Zero days’ are held

by many to represent a special high level of threat, but they are merely

exploitable mistakes in software that the bad guys found before we did.

Given the prevalence of such mistakes in all mainstream software it’s a

mere lottery who fi nds one fi rst, but whoever does, success in exploiting

it is commonly facilitated by inadequate general security.

The key factor in most of these incidents is not the ‘zero day’ that fi nally

broke in. It’s the slackness of the overall defence posture that left the

vulnerable entity exposed, and I contend that the root cause of this is

not technological failures, but the mindset with which we approach

defence at the conceptual level. Narrow specialisation is accompanied

by an overriding emphasis on technical facts rather than principles. As

such facts are frequently technology specifi c or even vendor specifi c, this

leads to a brand badged ‘how to’ approach to problem solving relying

on ‘dashboard knowledge’, defi ned by Owen Barfi eld as far back as the

1920s as manipulative skill unsupported by understanding. This type

of ‘knowledge’ directly triggered the Chernobyl nuclear explosion, so I

submit that it may not be suffi cient for controlling exposure to hazard.

But when we InfoSec practitioners possess neither the knowledge of

principles nor the facts, we frequently do worse. Instead of taking a deep

breath and investigating, we instantly fall back, not even on dashboard

knowledge, but on mantras: rote learned snippets of unexplained

received wisdom that we make no effort to validate before applying.

Let’s look at a couple of superfi cially disparate examples.

‘Everyone knows’ that passwords have to be ‘complex’: containing every

conceivable symbol including, according to Dilbert’s Pointy Haired Boss,

squirrel noises. This makes them ‘strong’, although nobody seems to be

able to explain on demand how it contributes to ‘strength’, or indeed

what ‘strength’ is. With my engineering hat on, the moment I hear the

word ‘complex’ I immediately look for an imaginary part, and in this case

it’s easy to fi nd. It’s the supposed relationship between typical password

rules and the effective control of attacks against passwords. Consider

the real problem. It’s actually twofold and not technological.

Whether or not they conceptualise it explicitly, the rule setter is interested in ensuring that passwords are not obvious by applying restrictions to their format and content. We’ll skip for the moment whether such rules intrinsically deliver this objective, simply noting that the mantra that defines a certain set of rules is believed in, so attention is focused not on the rightness of the rules but merely on implementing them; and that there is usually plenty of time to perform this relatively undemanding task.

The password user who is restricted by these rules is interested in the work for which they get paid. Periodically they are faced at short notice with changing a password. This is generally under pressure as ‘real’ work is waiting to be done. They must think up an apparently arbitrary string of characters that complies with a set of rules they hardly ever refer to, and enter this string from short term memory into a field on screen without being able to see what they are typing. They must then remember this apparently arbitrary string that they have never seen until (most likely) the following day before using it again. To paraphrase Edmund Blackadder, there’s just one tiny problem with that approach: it’s easy for the rule setter and damned difficult for the user. The user therefore, far from being ‘stupid’ as most password admins believe, is extremely ingenious in finding ways to solve their own problem, not yours: “Pa55w0rd!, which fulfils all your silly rules Sunshine.”
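The ‘Pa55w0rd!’ case above, as an added Python example (not part of the article): a typical complexity rule accepts it, while a check that simply undoes the predictable substitutions maps it straight back to a dictionary word. The word list and substitution table are constructed for illustration; a real deployment would check against a large breached-password list.

```python
"""Complexity-rule compliance versus what the user actually did with the rules.

Added example, not code from the brochure or its authors.
"""
import string

# Constructed, illustrative set of common base words. In practice this would be
# a large list of breached or dictionary passwords, not five entries.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Substitutions users typically make to satisfy a 'must contain a digit/symbol'
# rule without having to remember anything new.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def passes_complexity_policy(pw: str) -> bool:
    """The mantra: at least 8 characters with upper, lower, digit and symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalise(pw: str) -> str:
    """Undo the predictable tricks: case, appended digits/punctuation, leet letters.

    Trailing digits and symbols are stripped first ('Welcome2015!' -> 'welcome'),
    then in-word substitutions are reversed ('pa55w0rd' -> 'password').
    """
    s = pw.lower().rstrip(string.digits + string.punctuation)
    return s.translate(LEET_MAP)


def is_derived_from_common_word(pw: str) -> bool:
    """True when the password is a dressed-up common word, however 'complex' it looks."""
    return normalise(pw) in COMMON_BASE_WORDS


def assess(pw: str) -> dict:
    """Report both views side by side so the gap between them is visible."""
    return {
        "complexity_rule": passes_complexity_policy(pw),
        "derived_from_common_word": is_derived_from_common_word(pw),
    }


if __name__ == "__main__":
    # Rule-compliant but trivially derived, versus rule-violating but unrelated to any word.
    for candidate in ("Pa55w0rd!", "Welcome2015!", "correct horse battery staple"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The complexity rule is satisfied by exactly the passwords the normaliser catches, and rejects the long passphrase it cannot map to anything: the rule measures format, not resistance to guessing.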

Risk assessment is another area where infosec practitioners perform spectacularly. International standards require ‘risk based’ security management, but almost everyone (including those setting the standards) seems hazy about what the parameters of ‘risk’ actually are. ‘Qualitative’ risk assessment is advocated as being easier than ‘quantitative’, but they are both solely defined in primitive operant terms: “’quantitative’ uses numbers, whereas ‘qualitative’ uses labels.” This is no more valid than assuming that the right to left directionality of Ishikawa diagrams is fundamental to root cause analysis.

Reliance on such mantras has led to several flaws in qualitative risk assessment that completely undermine its effectiveness. These include a plethora of mutually incompatible ‘risk equations’ based on pseudomath, meaningless naive arithmetic on category labels, ‘risk matrices’ with arbitrary and inconsistent transfer functions, and, in one notable case, chaining of multiple successive matrix driven approximations suffering from all these faults. The net result is that qualitative infosec risk assessment as currently practiced is about as trustworthy as fairground crystal gazing.

Furthermore, the output of such risk assessments (typically ‘high’, ‘medium’ or ‘low’) is so crude as to be useless for assigning treatment options, even were the assessment to be trustworthy. It serves merely to set coarse priorities for project planning and to satisfy auditors. The greatest potential utility of risk assessment: discovery of the nature and likelihood of causes and consequences to assist in implementing controls; is completely lost in the fog, leaving decisions about the critical matters we should be most interested in for defence to be made using little more than unverified received wisdom and guesswork. Since nobody is entirely clear about what problem they are really trying to solve, security theatre and ‘compliance’ take precedence over security and most organisations are complete pushovers for the adversary.

MANDATORY FOOTNOTE: Abridged from ‘The State of InfoSec’, IISP Pulse Issue 19, Summer 2015

THOUGHT LEADERSHIP CORNER


Building Human Defences In A Cyber World

Wendy Goucher is Information Security Specialist at Goucher Consulting Ltd

My husband has a ‘T’ shirt bearing the slogan “your computer is broken and it’s my problem?” In his case it’s ironic; he is a computing and security professional of long standing. In my case it’s a cry of fear: my approach to information security is focused on people, how they operate and how to influence their behaviour. So if your computer’s broken I can’t fix it, but I can help you come to terms with its loss. My human-centric perspective of information security leads me to be even more concerned about the growing use of the term ‘Cyber’. I often find myself discussing the design of effective security policies, and effective implementation throughout organisations. Frustratingly often people will comment on the ‘valuable’ insight an approach such as mine can bring. In this case ‘valuable’ is ironic because, as often as not, as soon as it comes to discussing paying for that knowledge some potential customers pull back so fast you can practically smell the burning clutch. The reason for this, so I’m told, is that we are all people and therefore knowledge about the way people behave, or can be encouraged to behave, is seen as ‘Common Sense’, and thereby available to all for free. So why pay?

Anyone who has ever had their Saturday evening television scheduling wrapped around ‘Dr Who’ will know the ‘Cybermen’ are one of the scariest of the Dr’s long-term foes, not least because they look like humans. In fact they are machines built around humans, with the human element suppressed so that they are, in effect, machines responding to orders from the central power. It strikes me that just when the importance of a humanistic approach was beginning to become accepted in some of the more enlightened organisations, this seedling is being crushed under the boot of ‘cyber’ and its technical focus.

Peter Woods, a well known and respected member of the information security community, said that staff are a “Human Firewall” in that well trained and informed staff can significantly improve the security both from technical and social engineering attack.

However, it should be remembered that cyber attacks have their genesis with humans because they have to be devised and implemented somewhere. However, they also depend on the quality of the attack and ineffectiveness of the people manning the defensive perimeter. The users. Just because the vector is called ‘cyber’ that doesn’t take out the human element, in fact, if anything it means people need to be better informed and enabled. So how do we do that?

Let’s think how we train our children to be safe. This is something that causes parents plenty of challenges, not least because getting it wrong can lead to all sorts of bad outcomes, including that the child may be hurt unnecessarily. So how do we approach the vital challenge of training children to protect themselves?

1. Developing understanding - Dealing with young children we can’t assume that being safe is common sense, we need to show them the dangers, the possible outcomes and the ways of avoiding them. There is no point in putting up a poster with this information, it can only re-enforce existing understanding.

2. Technical solutions - Some of the solutions we can use are, in the broadest sense, technical; electric socket covers, child locks for kitchen cupboards and fire-guards. We don’t expect the children to be able to apply them themselves, but they need to understand that circumventing them is a bad idea.

3. Behavioural solutions - Some risks need appropriate behaviour to be learnt and encouraged e.g. not climbing on kitchen steps, not spilling water all over the dining table and not leaving the house and garden on their own.

4. Skills training - There are also some risks that need the development of skills to protect against them. These include riding a bike or learning to swim.

Nobody can reasonably expect all the risks to be prevented, or mitigated through technical solutions. While it can be argued that staff are not infants, they may have little understanding of the risk from operating in a cyber environment. In fact I am willing to bet that most non-technical staff, if asked, would struggle to explain any cyber risks, or know what to do about them.

If we take these approaches to training, and apply them to the cyber world, staff training can potentially be more efficient and more effective.

1. Develop understanding – Have conversations with staff, pass on stories that demonstrate the risks; people love stories, especially ‘real life’ ones. Look at how many magazines rely on such communication for readership, and not all rely on celebrities’ stories either. ‘Real Life’ stories are popular too.

2. Technical solutions – Do staff have easy access to encrypted USB or other secure storage methods? Do they know how to use them? Just consider what the alternative approach might be if they can’t use the safer methods. I have been involved in design work for several organisations recently, all of whom have the problem that staff are using personal, insecure clouds for storage because they don’t know how to use safer methods, or they believe they are too complicated.

3. Behaviour solutions – With adults this is actually easier than with children because in many cases behaviours can be compared with safe behaviour in a non-work environment, such as internet communication at home. This can help to get attention.

4. Skills training – A common problem with cyber security for staff is it is often designed, and possibly delivered, by IT staff. Skills required will be part of their normal tool-box so they may find it frustrating when general staff find it confusing.

Cyber threat to business is real, and growing. Raising awareness of staff must start now and must make use of an appropriate mix of skills, technology and behavioural and skills training. Design your approach intelligently and it will help to mould your staff into a flexible, informed defence line. Who wouldn’t want that?

THOUGHT LEADERSHIP CORNER


Preventing The Lethal Breach - Supporting Charities In Cyberspace

Recently, a charity, the British Pregnancy Advisory Service (BPAS), was fined a significant amount by the UK’s Information Commissioner’s Office, or ICO.

A summary of what happened: An opportunist hacker, who had anti-abortion views, tried and succeeded. He found an unlocked door to an information treasure trove. The advisory service was unaware that they were retaining information collected from the public and storing it, for several years. Fortunately the data was not leaked as the police got to him in time.

Regardless, the ICO decided to penalise the charity and served it a £200,000 monetary penalty notice. The primary reason: A serious contravention of the Seventh Data Protection Principle. Part of the ruling included the following: “In particular, BPAS failed to take appropriate technical and organisational measures against the unauthorised processing of personal data stored on the BPAS website”

The Custodians

Charities are custodians of not only personal information but, as I call it, super private and extremely sensitive information. This may not be true in some cases but in many cases charities support the vulnerable, the needy and those who are unable to fend for themselves. To offer this help charities understandably must collect and process information that a regular organisation selling a fizzy drink, for example, would not need to.

Let’s take one example of a medical charity: a charity offering advice on cancer would need and would probably want to collect as much personal medical information about the subject and possibly the subject’s relatives to offer help, advice and guidance. All of this information has to be stored, processed, protected and importantly it has to be available to those who need it so that they may offer the necessary services to the members.

Charities and Cyberspace

Given the amount of information and the dependency on the information it is totally understandable and completely natural that charities are embracing cyberspace as much as other organisations. They are rightfully seeking the benefits that cyberspace and technology have to offer and that includes embracing the services in the cloud and embracing cyberspace in general. But there is a problem.

The benefit of adopting the Internet leads to the same consequences that a commercial organisation would have to face up to. That of being exposed to the hostilities of cyberspace, the hostilities of the opportunist hackers who often don’t think of consequences and who wander aimlessly in cyberspace looking for the next attack, the next victim; and in the case of the British Pregnancy Advisory Service, mentioned in the introduction, this is exactly what happened.

No Distinctions between a charity and a regular firm.

In an article in 2013, titled “Public won’t cut charities slack on data protection issues, warns ICO” published by http://www.civilsociety.co.uk/, the ICO makes it very clear that, for example, when it came to complaining about misuse of call data, in their opinion “..the people pushing that button (reporting a possible misuse of their data) on our website are not drawing distinctions about who has contacted them – they just see this as nuisance marketing”

The number one priority, after survival, for charities is cost effective operations. Information security, data protection, IT optimisation etc. are all good to have; however, they are not often a priority for most. In fact most charities probably don’t have complicated and structured IT organisations. Several job titles are awarded to one individual to save costs and focus on their primary objective of giving back to the community.

The Time is Now!

The GiveADay platform allows Charities to tap into High Calibre Professionals to combat cybercrime. Up to 100 high calibre IT & Data security professionals, including CISOs, VPs and CTOs from different UK organisations have signed up and committed to give a day to help charities in all aspects of IT, Security & Data Privacy. Charities including Great Ormond Street Hospital, Future First and Cancer Research have already signed up to the GiveADay scheme prior to its official launch on October 9th 2014.

Trust is Vital

In the end, charities, or the third sector as they are often referred to, rely on the trust of their sponsors, donors and beneficiaries to function. A cyber breach that compromises personal and sensitive information could severely impact the delicate fabric of trust that all parties place in charities. It is time for the skilled and experienced amongst us to step up and share our knowledge and support them.

GiveADay is a non-profit organisation. www.GiveADay.co.uk

THOUGHT LEADERSHIP CORNER


YOU ARE A TRUSTED ACADEMIC LEADER. BECOME A TRUSTED ACADEMIC ADVOCATE. PARTNERING WITH ISACA® ENABLES YOU TO SUPPORT YOUR STUDENTS, THE ACADEMIC COMMUNITY AND THE PROFESSION.

YOU HAVE THE TALENT. WE MAKE YOU AN ASSET. DISCOVER HOW AN ISACA® MEMBERSHIP CAN HELP YOU ADVANCE YOUR CAREER.

BE MORE

CYBER SECURITY SOLUTIONS THAT PERFORM AT SCALE

Threatscape are proven experts at securing business-critical IT assets at network endpoints, perimeters, data-centres and in the cloud. We’ve completed projects protecting up to a million users, a billion transactions and even a trillion dollars in daily global financial trades.


Failsafe The Human Psyche To Advance Security And Privacy
Theresa Payton - CEO and President at Fortalice Solutions LLC & Former White House CIO

We are now in an era of the “loss of innocence and privacy.” Everyone from grandma, to Oscar winners, and major corporations are targets for cyber criminals; everyone is a target, because of who they are, whom they know, what they do, or even the fact that they are connected to the Internet. The internet of things just adds more points of presence to this ever evolving problem set. If we want to solve today’s and tomorrow’s privacy and security problems we have to rethink how we deliver security. In other words, break ALL the old rules if you want to win.

Leading A Successful DevOps Transition: Lessons From The Trenches
Randy Shoup - CTO at Randy Shoup Consulting & Former Engineering Director DevOps at Google and Chief Architect at eBay

DevOps is no longer just for Internet unicorns any more. Today many large enterprises are transitioning from the slow and siloed traditional IT approach to modern DevOps practices, and getting substantial improvements in agility, velocity, scalability, and efficiency. But this transition is not without its challenges and pitfalls, and those of us who have led this journey have the scar tissue to prove it.

A successful transition to DevOps practices ultimately involves changes to organization, to culture, and to architecture. Organizationally, we want to create multi-skilled teams with end-to-end ownership and shared production responsibilities. Culturally, we want to prioritize solving problems and improving the product over closing tickets. Architecturally, we want to move to an infrastructure with independently testable and deployable components.

This keynote synthesizes the speaker’s experiences leading engineering teams at eBay, Google, and KIXEYE, as well as from his current consulting practice, and offers practical suggestions that can help organizations be more successful in their DevOps journey.

Move Fast...And Safeguard User Trust - How Facebook Handles Privacy And Data Protection While Growing A Social Network For 1.5 Billion People
Dr. Jyn Schultze-Melling - Director for Privacy Policy, Europe at Facebook

Founded in 2004, Facebook’s mission is to give people the power to share and make the world more open and connected. People use Facebook to stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them. While doing so, they entrust Facebook with a lot of very personal information and the company knows that this trust is the basis for its continuous success around the world. But moving fast and being bold brings challenges in regard to many complex topics, amongst them such sensitive ones as privacy and data protection. Remaining successful requires finding answers to a lot of fundamental questions: how to keep a promise such as “users first”, how to professionally set up privacy by design and how to quickly react to changes and challenges are just some from the top of the list. And given the upcoming changes in the European legal privacy frameworks, preparing for tomorrow has become one of the most daunting tasks of today.

Embracing DevSecOps To Support Rugged Innovation At Speed And Scale
Shannon Lietz - Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit

Never has there been more demand for innovation at speed and scale from today’s business environment. Agile, DevOps, and the Public Cloud are bringing to life the ideas that help transform business and make customers’ lives better. To accomplish this growing demand for customer focused solutions, security has become the final frontier and a friction that needs to become a weapon in the evolving business landscape. DevSecOps is fast becoming part of the answer because of the shared nature of innovation at scale. Come join us as we discuss how security can become a secret ingredient in the race to meet customer needs.

KEYNOTE ABSTRACTS


What We Missed At The Data Centre Audit
Robert Findlay - Global Head of IT Audit at Glanbia Ireland

This session is based on practical experience of running data centres and being on the receiving end and carrying out data centre audits. Too many key risks are being overlooked and auditors are not targeting the issues that actually matter and the risks that actually bring down data centres.

Making Friends With Internal Audit!
Andrea Simmons - Managing Consultant at i3GRC

The aims of the Security team and the Internal Audit team are not diametrically opposed; rather they are entirely aligned when it comes to Enterprise Risk Management. Every effort should go into ensuring much closer working relationships that are positive for your environment and your clients, customers or stakeholders, rather than behaving in an abrasive, negative or counter-productive manner. It’s not a battle ground between the two disciplines! This session will discuss the overlap and articulate ways in which to improve the dynamic for better results for all. The easy extrapolation is then from achieving harmony with internal audit to maintaining successful external audit ratings too - nirvana is only 25 mins away!

Increasing Your Audit Relevance Using COBIT 5
Barry Lewis, CISSP, CISM, CRISC, CGEIT - President at Cerberus ISC Inc

Auditors need the skills and techniques that will help them perform effective and efficient audits. This seminar will show that even new auditors can provide detailed governance audits by optimising their use of the various details that COBIT 5 offers. From high level gap analysis to detailed, fairly technical audits, COBIT provides the auditor with the details they need. Using processes, practices and activities the new auditor has a number of detail levels to choose from. Add in some experience and audits begin to shine.

ASSURANCE ABSTRACTS


Role Of Information Security Professional In Tackling Terror
Dr. Vishnu Kanhere - Consultant at V. K. KANHERE & CO / KCPL

Anatomy of terror and crime:

1. Information systems – enabler, medium, technology for cyber crime, cyber war and cyber terror – the challenge of the cyber criminal and cyber terrorist
2. Role of Information Security in tackling terror
3. Framework for anti terror initiatives – early warning systems, Key Terrorism Indicators and Signatures, Tools & Techniques, Monitoring, reporting and Response
4. Road Map and shape of things to come

Terrorism is on the rise the world over. The reach, effectiveness and scale of terrorist attacks, cyber-warfare and cyber crime have acquired a new dimension with the advent of Information technology as a medium, enabler and tool in the world of terrorism.

A comprehensive Information security framework as a state initiative with private partnership will prove effective in dealing with this menace. The emerging threats to public networks, SCADA systems, energy, water, transport and communication infrastructure can be effectively neutralized by deploying an information security framework with appropriate people, processes and technology. The author had occasion to study the Mumbai terror attacks and will share insights with the participants. The author suggests a strategy and outlines a solution based on early warning systems, monitoring, and response teams.

New Cyber Defense Management Regulation For Banks In Israel - Lessons Learned From Implementing One Of The World’s First Cyber Defense Management Regulations
Ophir Zilbiger - CEO at SECOZ

“It is clear to every professional dealing with the management of cyber related risks that there’s a need for change. Classic information security methods just don’t do the job. The Supervisor of Banks at the Bank of Israel is one of the first financial sector regulators to realize this by issuing “Directive 361”, Cyber Defense Management aimed at banks and credit card companies. The directive is divided into two complementing parts – Cyber Defense Management and Cyber Risk Management (note the Israeli banking system has adopted Basel II as the risk management foundation). Two very important aspects of the directive are the appointment of a Chief Cyber Defense Officer (CCDO – as referred to in the directive) and clearly defining the responsibilities of the board of directors in the cyber realm.

This session focuses on the actual, real world experience gained from the implementation of directive 361 in some of Israel’s leading banks. The challenges of defining the difference between Cyber Defense and Information Security and the difference between the CISO role and the newly defined role of the CCDO. Directive 361 and its implementation carry important lessons that professionals responsible with managing cyber risks need to know in order to prepare for upcoming cyber defense regulations that would be issued by regulators in different countries and across various industries.”

8 Security Lessons From 8bit Gaming
Gavin Millard - EMEA Technical Director at Tenable Network Security

“What can Space Invaders teach us about attack path analysis? Mario about defending your users that are the weakest link? Even Pac Man about focusing on the right goals? Join Gavin Millard, EMEA Technical Director of Tenable, who will explore the lessons to be learned from the games many of us played years ago that are still valid in the reduction of security risks within all of our infrastructures. Key takeaways from the workshop will include: How to game the system to get a high score in security. How to gain insight into the attack path used by hackers to gain access to your data. What cheats can be used to reduce the risk of data loss.”

CYBERSECURITY ABSTRACTS


Is Protecting The Balance Sheet Really Enough?
Joseph Mayo - President at J. W. Mayo Consulting, LLC

“This session examines 4 recent ERM lapses (defective GM sensor, defective Toyota speed control, Anthem data breach, Healthcare.gov) to show how safety and reputation risks can impact an organization. Organizational culture was a large contributing factor in these ERM lapses and compounded the risk impact. Mr. Mayo will discuss the role of the Enterprise Risk Management Organization (ERM), the effect of organizational culture on ERM, and the need for a holistic approach to Enterprise risks. This session will explore High Reliability Organizations (HRO) and how HRO characteristics can be introduced into the organizational culture to achieve a high performing ERM organization that can more effectively identify and manage lapses in the risk management process. Mr. Mayo will demonstrate how to use risk scenarios from the COBIT Governance framework to enhance existing ERM processes. Risk scenarios help drive an ERM organization to a more holistic risk management approach. Risk scenarios combined with HRO characteristics will yield a highly effective ERM organization that can more effectively manage mission, safety, and reputation risk in addition to conventional financial risks.

Attendees will learn how safety risks costing pennies to treat can result in billions of dollars in exposure if left untreated. Attendees will learn how to enhance ERM processes to include mission, safety and reputation risks in addition to conventional financial risks. Finally, attendees will learn how to develop risk scenarios and integrate them with existing ERM processes.”

How To Make Rubbish Risk Decisions
Michael Barwise - CEO at Integrated InfoSec

The influence of psychology on decision making is hardly ever considered in the infosec risk space, despite its powerful influence on the quality and consistency of judgement. However there is a small but influential set of mental heuristics that bias judgement, largely regardless of the issue being assessed. The speaker will take a practical look at these heuristics and the biases they contribute to, with examples from real world events, and suggest ways of reducing their influence.

A Question Of Trust
Wendy Goucher - Information Security Specialist at Goucher Consulting Ltd.

When a device attempts to connect to a network that network needs to establish if that device is a trusted device. If it is then it can proceed to check if the user is trusted by means of identification and authentication. If all is ok then, in most cases, access is gained. Humans are different. Take your neighbours. You may trust them to come to a party, but would you lend them your new car/house or smartphone? Possibly, “maybe”, or “it depends” are the most likely answers. Trust in the technical world is binary. They trust or they don’t. In the biological world trust is much more granulated. One of the hardest lessons for teenagers to learn is that most people are trustworthy in some situations, but maybe not in others. Finding the boundaries of that trust is often painful trial and error until experience powers judgement.

When we issue a directive or policy that says “do not use public WiFi for working on sensitive business documents”, that may seem straightforward. We know what is sensitive and we understand enough of the threats from public WiFi. But the user might say “but what about if the boss rings and demands I send this email before I get on my flight in 15 minutes?” or any of a thousand other “What if?”s. They are probably not being difficult, they simply see trust in a less straightforward way.

This presentation aims to make you consider how some of our ‘common sense’ messages may not lead to secure action – and considers some solutions.

RISK ABSTRACTS


My Data My Responsibility
Jenai Nissim - Data Protection Manager at Capital One (Europe) Plc

Whilst we all know what’s happening to data within our organisation, the minute it is passed to third parties we start to lose control. This session is to talk about the practical controls and monitoring arrangements you can put in place to ensure that your data is safe once it is passed or shared with a third party.

Are You Ready? The Hitchhiker’s Guide To The Integration Of Privacy And Security
Gerard Smits - Founder at NedPrivacy

Risk assessments regarding security risks are a quite common practice. With the General Data Protection Regulation (GDPR) on the horizon privacy risks are entering the board room. The financial consequences are getting higher if you are not in control. But there is more…

• What about the reputational damage, potential liability?
• Have you done your due diligence when looking at privacy risk assessments?
• Are you in control and prepared?
• Is your executive aware of the potential risks?

During this presentation, you will be taken onboard for a journey in building trust, integrating security and the understanding of potential harm for staying ahead of the game. In other words: see what you can do by using privacy risk assessments to be and stay competitive and regain your agility. Time for acting is now, be prepared!

Takeaways:
• How to determine privacy related risks
• Integration of security and privacy (not so different after all)
• Steps to prepare your organization
• How to communicate privacy and security risks in the boardroom

Legal Solutions To Technical Privacy Problems
David Fagan - Commercial Lawyer at Business Legal

For almost all personal data privacy issues, including security issues, there are legal solutions as well as technical ones. The best results are often found with a mix of technical solutions and legal solutions. In this session David will take you through common legal solutions for privacy issues: solutions which can reduce technical spend and require less concentration of scarce technical resources. Ultimately, data privacy is an issue arising almost entirely from the need for statutory compliance. From this session, you will have a grasp of the various tools available to you to navigate the privacy and data security area in a practical, cost-effective way.

PRIVACY ABSTRACTS


Shadow IT Risk - Empirical Evidence From Multiple Case Studies
Christopher Rentrop - Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)

In many organizations, business departments and users autonomously implement Information Technology (IT) without integrating these systems into formal IT service management. Shadow IT, which partly evolved from non-transparent and unapproved end-user computing (EUC), is the term used to refer to this phenomenon. It challenges IT controllability and can compromise business goals. Therefore it is becoming a major topic in the field of IT governance, risk and compliance. Based on multiple case studies, our research group has undertaken an in-depth analysis of the role of Shadow IT in companies.

In these studies, Shadow IT instances were surveyed by interviews. In a next step, the quality of the solutions found was assessed. Furthermore, necessary measures were derived for each single Shadow IT system. The presentation gives a detailed insight into the usage patterns, related risks and typical measures. For example, we found between 6 and 52 Shadow IT systems in every department, of which 40% were used to make operational or strategic decisions. Across all industries, more than 60% of the instances needed management attention. As a result of the analysis, implications for the design of a company’s internal control system will be derived.

Getting Started With GEIT
Peter Tessin - Technical Research Manager at ISACA

Getting access to frameworks and standards to assist with governance is easy; applying those materials to everyday business problems isn’t always! Join us for a discussion on the practical application of governance and COBIT to real-world business problems. Learn how to work through identification of an issue to documentation of its resolution. We will focus on a specific business issue and work through:

• How to communicate to upper management what approach we’re going to take

• How to identify the key requirements to resolve the issue

• Applying a systematic approach to ensuring all necessary resources are identified

• Designing a solution

• Documenting the entire effort

How To Talk About IT Governance With Your Boss In The Elevator?
Bruno Horta Soares - Founder & Senior Advisor at GOVaaS - Governance Advisors as a Service

Before you do things right, you have to do the right things. This session looks at why good communication between business and IT areas is so important in helping organizations deliver value, and at how to get everyone speaking the same language using COBIT 5 related materials. It includes a reality check and lessons learned from projects and initiatives developed to improve IT savviness at small and medium enterprises in a “small medium country” like Portugal.

ENTERPRISE GOVERNANCE ABSTRACTS


Understanding Today’s Mobile App Store Ecosystem And Why You’re At Risk
Jeff Lenton - Solutions Architect at RiskIQ EMEA

The ongoing creation of mobile apps and the rapid proliferation of mobile app stores make it difficult, if not impossible, to keep tabs on all the apps created by you or created in your name. As secondary app stores step in and grab apps from official stores and re-deploy them to their sites without your knowledge, the threat of your apps being exploited, attacked or copied becomes even greater. In this session we will explore the complexities of the worldwide app store ecosystem and examine recent examples of malware, app re-packaging, data leakage and intellectual property violations presented by fraudulent and unauthorised apps. We’ll show how you can take a proactive stance against malicious and rogue apps to take them down before they compromise your organisation or your customers.

Threat Modeling: Finding Security Threats Before They Happen
Jeff Kalwerisky - VP & Director of Technical Training at CPE Interactive, Inc

Threat Modeling is a formal methodology to identify risks and vulnerabilities as early as possible in the lifecycle of complex technology processes, including software and hardware systems and even financial systems. This approach helps the auditor, information security, internal control, or risk professional to identify, classify, rank, and mitigate enterprise threats in complex systems, without “getting down in the weeds.”

The documentation in a Threat Model forms an important component of an Enterprise Risk Management System (ERMS). The model is also an excellent communication tool to describe risk in a common format for different audiences: software developers, hardware engineers, business users, auditors, security practitioners, IT staff, and senior management.

All of this information can be stored in a database which forms an electronic trail, over the entire lifecycle of the application or system, of the vulnerabilities and control weaknesses inherent in the system and the corresponding resolution or corrective action. Review of the database records can then be mapped to continuous monitoring and continuous auditing processes. This session provides an overview of building a Threat Model, using data flow diagrams, a standard taxonomy of threats and vulnerabilities (“STRIDE”), and a more objective way to rank threats and vulnerabilities for remedial action (“DREAD”).
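The STRIDE classification and DREAD ranking described in this abstract, worked through as an added example that is not the session's or the speaker's own material: a few constructed threats against a hypothetical web application's data flow diagram are classified by STRIDE category, scored on the five DREAD axes, ranked for remedial action and turned into the kind of record the abstract's threat database would hold. The 1-to-10 axis scale, the High/Medium/Low cut-offs and the record layout are assumptions of this example.

```python
from dataclasses import dataclass

# The six STRIDE categories with a one-line description of each.
STRIDE = {
    "Spoofing": "pretending to be another principal",
    "Tampering": "modifying data or code without authorisation",
    "Repudiation": "denying an action that was taken",
    "Information disclosure": "exposing data to someone not entitled to it",
    "Denial of service": "making a resource unavailable",
    "Elevation of privilege": "gaining capabilities beyond those granted",
}

# The five DREAD axes; each is scored 1 (low) to 10 (high) in this example.
DREAD_AXES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    threat_id: str
    dfd_element: str      # the DFD process, store or flow the threat applies to
    category: str         # one of the STRIDE keys above
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    mitigation: str = ""  # resolution / corrective action, recorded with the threat

    def __post_init__(self):
        # Reject anything outside the taxonomy or the scoring scale up front,
        # so the trail never contains an unclassified or unscorable entry.
        if self.category not in STRIDE:
            raise ValueError(f"{self.threat_id}: unknown STRIDE category {self.category!r}")
        for axis in DREAD_AXES:
            value = getattr(self, axis)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.threat_id}: {axis} must be 1..10, got {value}")

    def dread_score(self) -> float:
        """DREAD score: the mean of the five axes."""
        return sum(getattr(self, axis) for axis in DREAD_AXES) / len(DREAD_AXES)


def priority(threat: Threat) -> str:
    """Assumed remediation bands over the DREAD score (not part of DREAD itself)."""
    score = threat.dread_score()
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Highest DREAD score first; ties broken by threat id for a stable ordering."""
    return sorted(threats, key=lambda t: (-t.dread_score(), t.threat_id))


def to_record(threat: Threat) -> dict:
    """Flatten a threat into the row an audit-trail database would store."""
    return {
        "id": threat.threat_id,
        "element": threat.dfd_element,
        "stride": threat.category,
        "dread": round(threat.dread_score(), 2),
        "priority": priority(threat),
        "mitigation": threat.mitigation,
        "status": "mitigation proposed" if threat.mitigation else "open",
    }


# Constructed threats for a hypothetical customer web portal (not from the page).
SAMPLE_THREATS = [
    Threat("T-1", "Browser -> Web API (session flow)", "Spoofing",
           "Stolen session cookie replayed to act as an administrator",
           damage=8, reproducibility=9, exploitability=7, affected_users=6, discoverability=8,
           mitigation="Short session lifetime, rotate session id on privilege change"),
    Threat("T-2", "Backup store", "Information disclosure",
           "Database backups readable from a world-listable storage bucket",
           damage=10, reproducibility=10, exploitability=9, affected_users=10, discoverability=6,
           mitigation="Private bucket policy, encrypt backups at rest, access logging"),
    Threat("T-3", "Upload handler (process)", "Denial of service",
           "Unbounded upload size exhausts disk on the application host",
           damage=5, reproducibility=8, exploitability=6, affected_users=7, discoverability=7),
    Threat("T-4", "Admin console (process)", "Repudiation",
           "Administrative changes are not logged with the acting user",
           damage=4, reproducibility=10, exploitability=3, affected_users=3, discoverability=2),
]

if __name__ == "__main__":
    for threat in rank_threats(SAMPLE_THREATS):
        print(to_record(threat))
```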

A Case Study: Standard Bank’s Journey Into Security And DevOps
Jock Forrester - Head of IT Cyber Security at Standard Bank

Ever read the Phoenix Project and wondered if John the security guy was “you”? You know, the guy who always says no, is seen to be driving an agenda against the flow of the business and holds everyone back. Then everyone wants to use “Agile” as the silver bullet to respond to customer demands faster and put features straight into production, and as that guy, are you being bypassed? “Agile is not an excuse to be stupid!” How does one change the approach to security in the SDLC to not only support but encourage a continuous delivery pipeline and therefore an Agile methodology?

The answer is:

• Get more involved further left in the SDLC

• Expand and automate your security testing capabilities

• Embrace and exploit the velocity that a DevOps train brings

APPLICATION SECURITY/DEVOPS ABSTRACTS


Theresa Payton
CEO and President at Fortalice Solutions LLC & Former White House CIO
United States

In the wake of recent, debilitating cyberattacks hitting organizations large and small, Theresa Payton remains the cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures and understand the impact of the Internet of Things and the importance of securing Big Data. Named one of the top 25 Most Influential People in Security by Security Magazine, she is one of America’s most respected authorities on Internet security, data breaches and fraud mitigation.

The first female to serve as White House Chief Information Officer, Payton oversaw IT operations for the President and his staff from 2006 to 2008. Previously, she held executive roles in banking technology at Bank of America and Wells Fargo, facilitating her broad knowledge of cybersecurity risks and measures in the financial services industry. Currently, as the founder, president and CEO of market-leading security consulting company Fortalice Solutions, LLC, she remains the expert that organizations go to for help understanding and improving their IT systems.

Payton collaborated with IT expert and attorney Ted Claypoole to author two books focused on helping others learn how to protect their privacy online, after receiving a number of pleas from friends and strangers regarding account hacking. Hailed as ‘must-reads,’ Privacy in the Age of Big Data and Protecting Your Internet Identity outline people’s rights, as well as tips and strategies for building and maintaining a positive online image.

Recognized as a 2015 William J. Clinton distinguished lecturer by the Clinton School of Public Service, Payton will provide ISACA attendees with a fascinating narrative on the world of cybersecurity, including insight and methods critical to protecting organizations and information from rapidly evolving cyberattacks.

Theresa has been on The Daily Show with Jon Stewart and is the go-to cybersecurity and privacy expert on various news TV and radio shows such as the Today Show, Good Morning America, CBS News, MSNBC, Fox Business, Fox News and nationally syndicated radio programs on Sirius XM and AM radio stations.

From the White House to your company, Theresa will provide you with tips to break all the rules to win the cybersecurity war with criminals.

Randy Shoup
CTO at Randy Shoup Consulting & Former Engineering Director DevOps at Google and Chief Architect at eBay
United States

Randy Shoup has worked as a senior technology leader and executive in Silicon Valley for the past 25 years at companies ranging from small startups, to mid-sized places, to eBay and Google.

In his consulting practice, he applies this experience to scaling the technology infrastructures and engineering organizations of his client companies. He was Director of Engineering in Google’s cloud computing group, leading several teams building Google App Engine, the world’s largest Platform as a Service. He spent 6 1/2 years as Chief Engineer at eBay, and served as CTO of KIXEYE.

Randy is a frequent keynote speaker and consultant in areas from scalability and cloud computing, to analytics and data science, to engineering culture and DevOps. He is particularly interested in the nexus of people, culture, and technology.

KEYNOTE SPEAKERS BIOS


Dr. Jyn Schultze-Melling
Director for Privacy Policy, Europe at Facebook
Ireland

Jyn is Facebook’s Director for European privacy policy. Operating out of the company’s international headquarters in Dublin, he serves as a point of contact and a reliable source of information for policymakers and other stakeholders who have questions about Facebook’s privacy efforts.

With a background as a former information technology lawyer in a major law firm, during his 15-year career as an international data protection and privacy professional he has held both operational and leadership responsibilities in various corporations, most recently as Chief Privacy Officer of the Allianz Group, one of the world’s biggest providers of insurance and financial services.

Jyn also regularly speaks and publishes on privacy issues and serves on the International Association of Privacy Professionals (IAPP) European Advisory Board. Founded in 2000 as a not-for-profit organisation, the IAPP is the largest and most comprehensive global information privacy community and resource that helps define, support and improve the privacy profession globally.

Shannon Lietz
Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit
United States

Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. Previous to joining Intuit, Ms. Lietz worked for ServiceNow, where she was responsible for the cloud security engineering efforts. Prior to this, Ms. Lietz worked for Sony, where she drove the implementation of a new secure data center and led crisis management for a large-scale security breach. She has founded a metrics company, led major initiatives for hosting organizations as a Master Security Architect, developed security software and consulted for many Fortune 500 organizations. Ms. Lietz holds a Bachelor of Science degree in Biological Sciences from Mount St. Mary’s College.

KEYNOTE SPEAKERS BIOS


Andrea Simmons
Managing Consultant at i3GRC
United Kingdom

Andrea is an experienced information security/assurance/GRC evangelist with more than 17 years of direct information security, assurance and governance experience (20+ years in the IT industry), helping clients establish appropriate controls and achieve and maintain security certifications. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence, addressing Security Policy and Risk Governance and seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work has included development of a patentable enterprise governance, risk and compliance (eGRC) approach to transforming and meeting information governance needs.

Andrea has always allowed time for volunteer involvement in various professional bodies – being a member of the BCS Chartered Institute for IT Security Community of Expertise, Director of the Institute of Information Security Professionals, Senior Member of the ISSA, ISACA member, volunteer delivering Safe and Secure Online programs to UK schools for ISC2, and has been involved with the management committee of the Information Assurance Advisory Council (IAAC) for many years. The endeavour is always to shape the information security landscape and develop the Information Assurance profession for the future.

Barry Lewis CISSP, CISM, CGEIT, CRISC
President at Cerberus ISC Inc
Canada

Barry Lewis is President of Cerberus and has over 45 years of experience in information technology, specializing in Information Security and IT Governance for more than 35 years. He began work in the consulting field in 1987 and worked for two major audit firms before starting his own company in 1991 and joining Cerberus in 1993.

He was awarded the John Kuyers Best Speaker/Conference Contributor Award in 2008. Mr. Lewis is co-author of numerous books, including Computer Security for Dummies, Teach Yourself Windows 2000 Server in 21 Days and Wireless Networks for Dummies. His books have been translated into numerous languages around the world. He is co-developer of the COBIT 5 PAM and Assessor Guides and is Foundation accredited. Barry lectures and consults world-wide.

Bruno Horta Soares
Founder and Senior Advisor at GOVaaS - Governance Advisors as a Service
Portugal

Bruno has more than 15 years of Information Systems professional services experience, particularly in areas related to Governance, Risk, Control, IS Audit, Information Security and Privacy, and Project Management. He started his career at Deloitte Consulting, then worked in the Information Risk Management area at KPMG and in the Enterprise Risk Services area at Deloitte Portugal. In 2012 he founded GOVaaS - Governance Advisors as-a-service, where he is currently Senior Advisor, and since then he has been enthusiastically devoted to advising, teaching and training on subject matters related to governance and management of enterprise IT and digital transformation, working with public and private organizations in Portugal, Angola, Brazil and Mozambique.

He has a 5-year degree in Management and Computer Science from ISCTE and a post-degree in Project Management from ISLA Campus Lisboa. He is certified as a Project Management Professional (PMP) by the Project Management Institute (PMI), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) and COBIT 5 Foundation from ISACA, ITIL® version 3 Foundation, ISO/IEC 27001 Lead Auditor and Training for Trainers Certification (CAP). He’s also an APMG individual accredited trainer for COBIT 5. He’s advisor and visiting professor at ISCAC - Coimbra Business School, Instituto Superior Técnico (IST), Universidade Portucalense (UPT), Universidade Europeia | Laureate International Universities, Universidade Católica Portuguesa (UCP) and Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil. He’s the founding President of the ISACA Lisbon Chapter, a member of several professional associations in the areas of Auditing (IIA), IT Governance (ISACA, IPCG) and Project Management (PMI), and a keynote speaker at various conferences and seminars.

TRACK SPEAKERS BIOS


Christopher Rentrop
Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)
Switzerland

Christopher Rentrop started his career as a Group Controller and later a CFO for a distribution company and an elevator group. Since 2007 he has been working as a professor for Business Information Systems at the Konstanz University of Applied Sciences. In this position he has specialized in Strategic IT Management, IT Governance and Shadow IT.

David Fagan
Director at Business Legal
Ireland

David Fagan is a commercial lawyer. Until recently he was a partner in the largest international commercial law firm in Ireland, with offices in 47 locations around the globe, and with 200 staff in Ireland. Recently, he has set up his own consultancy practice, Business Legal, in conjunction with a number of other equally experienced lawyers and professionals. David has been involved in:

• Managing and leading multi-jurisdictional legal privacy projects across Europe, Africa, Asia and the Middle East.

• Dealing with Privacy issues in Courts, and with Regulators.

• Advising on practical matters such as transferring data to non EU servers, marketing restrictions etc.

Gavin Millard
EMEA Technical Director at Tenable Network Security
United Kingdom

15 years ago, when he could make decisions on how to do his hair in the morning, he was told by his employer that he could put in a leased line for internet access as long as it was “secure”. After playing with firewalls, IDS, content filtering and anti virus, he realised securing stuff was a hell of a lot more interesting than dealing with support tickets from people who had no business touching a keyboard.

He quickly discerned that to be able to secure an infrastructure he had to understand how to break into it, which led to spending way too much time on ethical hacking courses and Astalavista. He made the move to working with security vendors 11 years ago, firstly at Tripwire and then more recently at Tenable Network Security.

Today, with the hair mostly absent or grey, he spends his time helping other companies understand their security issues and talking about how to effectively implement critical controls to protect the ever increasing data that they collect and store.

Gerard Smits CRISC, CISSP, CIPP/E, ISO 27001 LA
Founder at NedPrivacy
Netherlands

Gerard Smits is an international manager and has worked in senior management positions for multinationals, before starting to work as an independent consultant with an emphasis on privacy, IT security and cloud technology. His pragmatic view and creativity provide him with the tools to look at problems from different perspectives. He has an IT background supplemented with executive education in finance, legal and strategy. He divides his time between consultancy, research and building tools which help his clients to be more effective.

Jeff Kalwerisky
VP and Director of Technical Training at CPE Interactive, Inc.
United States

Jeff Kalwerisky is director of technical training for CPE Interactive. He speaks frequently to ISACA chapters in North America where he has delivered sessions to hundreds of ISACA members on leading-edge information security topics, including data privacy, threat modeling, information security strategy, Cloud computing, and Big Data security. He was recently keynote speaker at the IIA’s “Evolve” international conference in Johannesburg, South Africa.

As an executive at Accenture, Jeff focused on healthcare security. He acted as security architect for the UK’s National Health Service, on the world’s largest EMR (electronic medical records) project, with over 1,500 developers. As global security manager for VeriSign, he designed and deployed military-grade secure data centres around the world.

TRACK SPEAKERS BIOS


Jeff Lenton
Solutions Architect at RiskIQ EMEA
United Kingdom

Jeff is a highly experienced technical consultant with over 15 years’ experience in a variety of senior pre- and post-sales positions in the IT Security sector, architecting and supporting a wide range of threat intelligence, threat prevention, compliance and audit products. He has extensive experience in supporting and guiding enterprise customers through large scale projects from initial solution architecting through to production deployment. More recently Jeff has specialized in cloud based, software-as-a-service solutions for Google, Symantec and currently as a solutions architect with RiskIQ. Jeff holds a BA(Hons) in Political Science from the University of East Anglia.

Jenai Nissim
Data Protection Manager at Capital One (Europe) Plc
United Kingdom

Jenai Nissim heads up the Data Protection Legal and Compliance Programme for Capital One (Europe) Plc. Prior to undertaking this role Jenai was responsible for negotiating and advising on data protection contracts and third party outsourcing agreements.

Jock Forrester
Head of IT Cyber Security at Standard Bank
South Africa

Jock Forrester is responsible for the IT cyber security prevention, detection and response capabilities at Standard Bank. He is also responsible for the bank’s penetration testing, where the greatest challenge is adding velocity to its assessments in order to support its drive towards DevOps.

He recently completed his MSc in Computer Science specialising in Information Security, at Rhodes University. His thesis was entitled: “An Exploration into the Use of Webinjects by Financial Malware”, and was a deep dive into how financial malware is used to target organisations.

Joseph Mayo
President at J. W. Mayo Consulting, LLC
United States

Joseph W. Mayo is an Information Technology professional with over 20 years of experience. Mr. Mayo is a PMI certified Project Management Professional (PMP), Risk Management Professional (RMP), and a Certified Risk and Information Systems Control (CRISC) professional. Mr. Mayo has worked for a variety of professional services companies including Computer Sciences Corporation, Keane Incorporated, ManTech International, and NTT DATA.

He is an author, frequent speaker and conference presenter on topics that include risk management, project management, and quality assurance. Mr. Mayo is the author of Chaos to Clarity: The Tao of Risk Management. Mr. Mayo was Program Manager for project #7 of the top 100 IT Projects of 2006 by InfoWorld. Mr. Mayo developed a risk management maturity roadmap for a U.S. Government Agency.

Michael Barwise
CEO at Integrated InfoSec
United Kingdom

Michael Barwise has consulted in systems engineering and business risk for over 30 years, concentrating for the last fifteen on the strategic management of information security. He is a fellow of the RSA, a member of both the BCS and the IISP and a Chartered Engineer. He has been a member of the DPA (EURIM) e-crime and cyber security panels since 2003, and has contributed to national cyber security strategy and e-crime legislation. Michael has made an extensive study of the psychology of decision-making, with the aim of improving the performance of a critical function on which the whole edifice of risk management is founded and can founder.

TRACK SPEAKERS BIOS


Ophir Zilbiger
CEO at SECOZ
Israel

Ophir Zilbiger, CRISC, CISSP, is the CEO of SECOZ, a leading information security and cyber defense consulting group based out of Israel. He is a seasoned expert with approximately 20 years in Information Security. He is the chairman of the ISACA Israel Cyber Security sub-committee. In his previous role, Ophir managed the Global Risk Management Services practice for PwC in Israel and was the PwC global SME for network security. Ophir is a veteran speaker at various Israeli and international conferences such as the Check Point global conference, CA World, Microsoft and BMC partner and customer events and more. Ophir is the chairman of the Israeli Info-sec conference and trade show.

Peter Tessin CISA, CRISC, MSA, PMP
Technical Research Manager at ISACA
United States

In his role at ISACA, Tessin has been project manager for COBIT 5 and led the development of other COBIT 5-related publications, white papers and articles. Tessin also played a central role in the design of COBIT online, ISACA’s latest web site that offers convenient access to the COBIT 5 product family and includes interactive digital tools to assist in the use of COBIT. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm, where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK and Australia. With more than 20 years of global business and IT experience, Tessin is able to address topical issues in business leadership.

Robert Findlay
Global Head of IT Audit at Glanbia
Ireland

Bob is an experienced IT professional having worked in most areas of IT including operations, software development, project management, Information Security, IT Auditing and as a CIO. He has 30 years in the IT industry working across a range of industries in multiple countries including significant periods in the banking, airline, manufacturing, retail and internet sectors in the UK, Ireland, Australia, India, Canada and the USA in addition to smaller IT and audit assignments across Africa, Europe, North America and Asia.

Dr. Vishnu Kanhere
Consultant at V. K. KANHERE and CO / KCPL
India

Dr Vishnu Kanhere is a practicing Chartered Accountant, a qualified Cost Accountant and a Certified Fraud Examiner with a brilliant academic record, having won several gold medals and awards. Certified in the Governance of Enterprise IT, Systems Audit, Risk Management and Information Security, he has over 30 years of experience in IS Audit and security, consulting, assurance and taxation for listed companies, leading players from industry and authorities, multinational and private organizations. His academic achievements and “hands on” working experience reflect the wide canvas on which he operates. A renowned faculty at several institutions, Dr Kanhere has been a key speaker at national and international conferences and seminars on a wide range of topics and has several books and publications to his credit.

Wendy Goucher
Information Security Specialist at Goucher Consulting Ltd
United Kingdom

Wendy is an Information Security Specialist at Goucher Consulting and based in Scotland. Her proudest achievement so far is helping to devise a school curriculum for security awareness for the UAE. She mostly works with organisations to develop usable security guidelines, training materials and improve understanding of the potential risks of mobile working. Wendy is researching at the University of Glasgow, focusing on mobile computing and the threats from increasing use of a virtual office. As an author she contributed to ‘Creating a Culture of Security’ in 2011 and the 2012 revision of the Information Security Management Handbook. Her book ‘Information Security Auditor’ for the British Computer Society is in pre-publication and she is co-authoring a book on Incident Management.

TRACK SPEAKERS BIOS


NOTES


EUROCACS 2016

DUBLIN, IRELAND 30 MAY – 1 JUNE 2016

Watch for information at www.isaca.org/conferences


CONFERENCE SPONSORS

Edgescan is a Managed Security Service delivered by BCC Risk Advisory. It is a highly accurate cloud-based SaaS (Security-as-a-Service) solution which helps companies to discover and manage vulnerabilities on a continuous or on-demand basis. With thousands of assets under vulnerability management, Edgescan is a listed “Notable Vendor” in Gartner’s Magic Quadrant for Managed Security Services and a “Sample Vendor” in the Gartner Security Hypecycle.

Edgescan is unique, being the only hybrid full-stack solution of its kind in Europe, Middle East and Africa (“EMEA”) as it covers both network and application security. Our solution offers virtually false positive free results due to expert manual verification and risk rating.

Espion - Managing and Securing your Business Information

We provide expertise to our clients on Identification, Protection, Compliance and Management of their Information.

We work with clients across all industry sectors and business functions. We solve their Information challenges through a combination of Consultancy, Technology, Research and Training. We provide these innovative solutions so that our clients feel protected, assured and empowered, confident in the knowledge that their challenges have been met.

Headquartered in Dublin, and operating in Ireland, the UK, continental Europe and the US, we are unrivalled experts in managing the complexities of corporate information, giving your people maximum access to and control of your company’s information.

ICON plc is a global provider of drug development solutions and services to the pharmaceutical, biotechnology and medical device industries. The company specialises in the strategic development, management and analysis of programs that support clinical development - from compound selection to Phase I-IV clinical studies. With headquarters in Dublin, Ireland, ICON currently operates from 81 locations in 37 countries and has approximately 11,300 employees.

Citi, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, transaction services, and wealth management.

Our name ‘Threatscape’ is derived from our mission of ‘securing the digital threat landscape’ – in other words, ensuring the security of our clients’ business critical IT systems. We provide business critical IT security solutions & services to large corporate, multinational and state organisations in the UK, Ireland and elsewhere.

Ward Solutions is Ireland’s largest Information Security provider. As Ireland’s leading provider of Information security and risk management solutions, we provide a comprehensive range of information security services centred on assessment and assurance, strategy and architecture, through to systems integration and deployment, all wrapped in enterprise managed services from a single source.

GOLD SPONSORS

BRONZE SPONSORS

SILVER SPONSORS

Thank you to our Sponsors for their support in making the ISACA Ireland 2015 Conference a great success!


YOU BUILT YOUR REPUTATION. LET OUR CERTIFICATIONS ELEVATE YOUR CAREER. GET AHEAD WITH CERTIFICATIONS THAT VALIDATE AND SHOWCASE YOUR EXPERIENCE.

MORE EMPOWERED

ISACA CERTIFICATIONS 2015
