Ireland Chapterwww.isaca.ie | @isacaireland
Friday 23rd October
CYBERSECURITY NEXUS™
PAGE 1 AGENDA
PAGE 2 WELCOME
PAGE 3 THOUGHT LEADERSHIP CORNER
PAGE 14 KEYNOTE ABSTRACTS
PAGE 15 ASSURANCE ABSTRACTS
PAGE 16 CYBERSECURITY ABSTRACTS
PAGE 17 RISK ABSTRACTS
PAGE 18 PRIVACY ABSTRACTS
PAGE 19 ENTERPRISE GOVERNANCE ABSTRACTS
PAGE 20 APPLICATION SECURITY/DEVOPS ABSTRACTS
PAGE 21 KEYNOTE SPEAKERS BIOS
PAGE 23 TRACK SPEAKERS BIOS
PAGE 27 PERSONAL NOTES
PAGE 29 CONFERENCE SPONSORS
VENUE MAP (floor plan; labels as printed): Pitch, Window, Hogan Mezz I, Hogan Mezz II, Kitchen, Stairs, Escalators, Bar, WC, Nally Foyer, Mezz II Foyer, Mezz I Foyer, Canal Foyer, Entrance/Exit.
Map key: Assurance, Enterprise Governance, Cybersecurity, Privacy, Keynotes, Risk, Application Security/DevOps, Exhibition Pavilion, Lunch.
AGENDA

08:00 - 09:30 - REGISTRATION & NETWORKING BREAKFAST
10:55 - 11:20 - TEA BREAK
13:00 - 13:45 - LUNCH
15:25 - 15:45 - TEA BREAK AND STANDS
17:30 - CONFERENCE CLOSING
17:30 - 19:00 - NETWORKING & DRINKS
Session start times on the programme grid: 09:30, 11:20, 11:55, 12:30, 13:45, 14:20, 14:55, 15:45

MORNING KEYNOTES - Location: Hogan Mezz II
Shannon Lietz, Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit: Embracing DevSecOps To Support Rugged Innovation At Speed And Scale
Dr. Jyn Schultze-Melling, Director for Privacy Policy, Europe at Facebook: Move Fast...And Safeguard User Trust - How Facebook Handles Privacy And Data Protection While Growing A Social Network For 1.5 Billion People.

AFTERNOON KEYNOTES - Location: Hogan Mezz II
Randy Shoup, CTO at Randy Shoup Consulting, Former Engineering Director DevOps at Google and Chief Architect at eBay: Leading A Successful DevOps Transition: Lessons From The Trenches
Theresa Payton, CEO and President at Fortalice Solutions LLC, Former Whitehouse CIO: Failsafe The Human Psyche To Advance Security And Privacy

MORNING TRACKS
Assurance - Location: Canal Foyer
Cybersecurity - Location: Hogan Mezz II
Risk - Location: Nally Foyer

AFTERNOON TRACKS
Privacy - Location: Hogan Mezz II
Enterprise Governance - Location: Canal Foyer
Application Security/DevOps - Location: Nally Foyer

TRACK SESSIONS (listed as printed; see the abstract pages for track and time allocation)
What We Missed At The Data Centre Audit. - Robert Findlay, Global Head of IT Audit at Glanbia Ireland
My Data My Responsibility. - Jenai Nissim, Data Protection Manager at Capital One (Europe) Plc
Entertainment Event Après Breach
Are You Ready? The Hitchhiker’s Guide To The Integration Of Privacy And Security. - Gerard Smits, Founder at NedPrivacy
Legal Solutions To Technical Privacy Problems. - David Fagan, Commercial Lawyer at Business Legal
Role Of Information Security Professional In Tackling Terror. - Dr. Vishnu Kanhere, Consultant at V. K. KANHERE & CO / KCPL
Shadow IT Risk - Empirical Evidence From Multiple Case Studies. - Christopher Rentrop, Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)
Getting Started With GEIT. - Peter Tessin, Technical Research Manager at ISACA
How To Talk About IT Governance With Your Boss In The Elevator? - Bruno Horta Soares, Founder & Senior Advisor at GOVaaS - Governance Advisors as a Service
Is Protecting The Balance Sheet Really Enough? - Joseph Mayo, President at J. W. Mayo Consulting, LLC
Understanding Today’s Mobile App Store Ecosystem And Why You’re At Risk. - Jeff Lenton, Solutions Architect at RiskIQ EMEA
Threat Modeling: Finding Security Threats Before They Happen. - Jeff Kalwerisky, VP & Director of Technical Training at CPE Interactive, Inc
A Case Study: Standard Bank’s Journey Into Security And DevOps. - Jock Forrester, Head of IT Cyber Security at Standard Bank
Making Friends With Internal Audit! - Andrea Simmons, Managing Consultant at i3GRC
Increasing Your Audit Relevance Using COBIT 5. - Barry Lewis, President at Cerberus ISC Inc
New Cyber Defense Management Regulation For Banks In Israel - Lessons Learned From Implementing One Of The World’s First Cyber Defense Management Regulations. - Ophir Zilbiger, CEO at SECOZ
8 Security Lessons From 8bit Gaming. - Gavin Millard, EMEA Technical Director at Tenable Network Security
How To Make Rubbish Risk Decisions. - Michael Barwise, CEO at Integrated InfoSec
A Question Of Trust. - Wendy Goucher, Information Security Specialist at Goucher Consulting Ltd.
Welcome to the ISACA Ireland 2015 Conference “TRUST, SECURITY, AGILITY: Businesses Better Prepared For Tomorrow, Today”
Dear Conference Delegate
Thank you for joining us at this year’s conference. A lot of exciting activities will be going on today, as we share knowledge on the most critical
IT and business issues facing our organisations. We hope that discussions held here will help us better understand the challenges today and the
solutions needed for tomorrow.
Themed “TRUST, SECURITY, AGILITY: Businesses Better Prepared For Tomorrow, Today”, the conference features sessions providing insights into
the latest thinking in the fields of Assurance, Cybersecurity, Risk Management, Privacy Management, Application Security/DevOps and Enterprise
Governance. The conference this year will focus on how we can help our business partners to be dynamic and faster in meeting their goals in a
well-managed way; against the backdrop of ever evolving risks and positive disruptive technology challenges.
We would like to take this opportunity to thank our conference sponsors and supporting organisations for their continued support and we invite our
delegates to make the most of the literature provided by them at the exhibitor stands over the duration of the conference.
Our appreciation goes out to all our conference speakers who have given up their time to speak at the conference. We wish to thank the conference
committee for their significant contribution and continued hard work towards making the conference a success.
Your feedback is very important to us. If you have any further comments, please do not hesitate to contact any ISACA Ireland Committee Member.
We encourage you to become an active part of the sessions and thank you for taking time out of your busy schedule to attend the conference.
Neil Barlow CISA, CISM, CRISC - 2015 Conference Chair
Neil Curran CISA, CISM, CGEIT, CRISC - Chapter President of ISACA Ireland
Gold Sponsors
Silver Sponsors
Bronze Sponsor
Supporting Organisations
BCS IRMA, CSA Ireland, IAPP, ICS, ICTFF, IIA, IISF, IRISS, ISC2 Ireland, ISF, MTUG Ireland & OWASP Ireland
Break All The (Security) Rules If You Want To Protect Your Company’s Digital Assets
Theresa Payton is CEO and President at Fortalice Solutions LLC & Former Whitehouse CIO
Everyone from elected officials, to your grandma, to Oscar winners, and
major corporations have become high value targets for cyber criminals.
Your company and your customers are no exception.
The one constant we can all depend on with cyber security is it is
constantly changing. Our tactics change quickly because the threats
are always imminent. As your industry evolves, how does the consumer
evolve? How do they adapt to the roadblocks we must design to keep
out the bad guys?
Warnings of security threats are almost overwhelming, aren’t they?
They inspire movies, books, and TV series. But the warnings are just
that—warnings. Companies are not responding fast enough because
the warnings are not actionable. If the news says, “Crime is going up!”
but does not say the type of crime, the geography, and what you can do
about it, will you act differently? Other than being afraid and looking
over your shoulder more, a warning alone is not helpful. The media
needs to ask more follow-up questions. Asking, “Thanks for that warning.
Now what can we do about it? Do we crawl under our desks, or do you
have a remedy for us?”
The security industry is designed to build a fortress, a defense. The
highest priority for consumers is easy access to transact business with
you while protecting their identity and information.
As a cyber security expert for over two decades, a former White House
Chief Information Officer, and an advocate for consumers, I have
examined how these universes have evolved into today’s new reality.
The key question: Are companies really responding to today’s headlines
or will meaningful change be enacted?
If spending money on cybersecurity is one metric, the answer is yes.
According to accounting and consulting firm PricewaterhouseCoopers,
the financial services industry alone plans to spend an additional $2
billion across the next two years on top of what they already spend.(1)
What will the investment mean for the consumer? Candidly, not much
if things do not change across the flow of money and how we design
security for the user.
The pivotal moment for me that shifted how I design a security strategy
started my first day on the job at the White House. It came down to the
people who served at 1600 Pennsylvania. We knew we had to address
the hearts and minds of the staff if we wanted to protect their privacy
and security.
After all, if solving cyber security and privacy issues were as simple
as following security best practices, we would all be safe. It’s not
that simple. Two key questions came to me the first 90 days at the
White House and I had to answer them or we would have had a major
calamity:
Why, in spite of talented security teams and investments on security, do
breaches still happen? Why is it, that despite hours and hours of boring
computer based training and security campaigns, we still make mistakes
and click on links?
Incremental steps by businesses large and small mean our overall
privacy and security will be doomed to failure! All security teams,
across all businesses, need to see the problem not just as a technical
or economic issue - we need to also see it as a human psyche issue.
To make evolutionary change we need to incorporate the following
scenarios: Understand and educate the knowledge of human nature and
psyche into the cyber security profession; Incorporate that knowledge
into the design and implementation of all our systems; Innovate cyber
security technologies and policies that account for insecure human
behaviors and incentives; and unless we do so, our privacy and security
will perish.
We must critically re-examine how we assess our security technology,
procedures, and methodology to fully understand the full scope of risk
we bear daily and to determine the best course of action to mitigate this
risk.
Studies show that human error leads to a breach and that 78% of
advanced and targeted attacks tricked their way into a company’s
network using spear-phishing scams with infected attachments. (2)(3)
We all would like to think it’s someone else and not us personally that
would be tricked.
Keep in mind that everyone is a target and someone will make a
mistake; from the front desk clerk to the CEO, mistakes have been made.
Security teams and executives alike keep asking: “Why do we click on
links or attachments?” The better question is: “Why do we design the
security assuming our users will follow all the rules?”
The way we design security, we have zero empathy. If businesses around
the globe want to win the war against cybercrime, we must move to
a high empathy system. It’s all about design! We need to design all
applications to assume that users will do everything wrong, according to
the cybersecurity playbook - they will share passwords, they will forget
them, and they will do unsafe things to get their jobs done, such as use
free, unsecure WiFi.
Some companies are leading the way with human centered design and
asking systems to conform to the human and not the other way around.
For starters, many banks will use your social security number to check
your credit but not as your customer identifier. If a hacker breaks in and
steals your data, on many of the back office banking systems, they will
not steal your social security number.
At the White House, we knew breaches and incidents were inevitable.
Our best strategy was to segment data to save it. Instead of storing
something, such as the President’s schedule, in one place, we would
segment the ownership across multiple teams, multiple systems,
and disconnected networks. This practice requires a high level of
collaboration and finely tuned synchronization but the risk vs. reward
was worth it.
THOUGHT LEADERSHIP CORNER
Businesses have been improving their defenses yet cybercriminals
continue to add capabilities to their arsenal while we discuss the rules
we should play by for meeting regulatory requirements and enabling
information sharing. Is anyone else also fatigued by the talk, talk,
talk? Cybercriminals really have one rule: pay for performance. They
pay when their syndicated members perform. It’s pretty simple for
cybercriminals to operate. In most cases, they share the spoils they take
and they share techniques for hacking into organizations and they often
don’t require certifications, college degrees, or showing up at an office.
Boards should take note of the dynamic qualities that the cybercrime
underground deploys and ask what the counterbalance is within their
own organization. This is not to say you should hire criminals or tell
people they don’t have to show up, but if you want to beat the enemy,
you have to study them and have a counterattack that takes advantage
of your strengths.
Businesses need to ask themselves what the critical data elements are
that are worth protecting and design for the human element. If you
segment it to save it and have high empathy for the human that needs
it, we will start winning this war against cybercrime.
At the end of the day, our economy works because we can trust each
other. I trust my money is in the bank even though I cannot see it.
The bank trusts other banks and businesses that they transact with.
If we keep doing the same security programs but just try to speed them
up with more money and resources, we are doomed to failure.
Customer trust will completely erode. In the words of American Express’
Chenault, “Trust is really what holds us together and that’s what holds
our society together and what we are really talking about is trust.”
Sources:
(1) “Financial Firms Bolster Cybersecurity Budgets Survey Finds Companies Plan to Increase Spending by $2 Billion Over Next 2 Years”, Daniel Huang, Emily Glazer, Danny Yadron, Wall Street Journal, November 17, 2014
(2) “Changing the Cyber Security Playing Field in 2015”, Paul Ferrillo, Weil, Gotshal & Manges LLP, January 20, 2015
(3) Verizon and US Secret Service Data Breach 2014 report. See: http://www.verizonenterprise.com/DBIR
CONFIDENCE | ASSURANCE | CERTAINTY
Sysnet - Cyber Security Risk & Assurance: Audit and Assurance; Information Systems Risk Management; Standards Advisory; Outsourcing; Testing Services. Changing standard thinking.
Sysnet is a true global market leader in cyber security risk and assurance, providing a comprehensive range of information security consultancy and assurance services in over 44 countries.
To find out more about what we can do for your organisation contact Sysnet today.
Call: +353 (0)1 495 1300 or
Email: [email protected]
Making Friends With Internal Audit
Andrea Simmons is Managing Consultant at i3GRC
Trust...but verify!
And sure why wouldn’t you – want to make friends, right?! From the
perspective of an information security professional, we’re notoriously
“the department of no”, sadly – and often erroneously. We lack
“friends” and rarely receive Christmas cards.... So when you take up a
senior security role, you need to work out where your allies are going
to be and reach out, forging relationships and ensuring that there is an
open dialogue being generated. For many security professionals, an
accusation thrown is that we are prone to FUD – Fear, Uncertainty and
Doubt – and yet we have to have mechanisms with which to share the
results of our findings, through various avenues, be they the results
of Risk Assessments, Penetration Tests, Vulnerability Assessments,
Internal Audit reports and/or External Audit Reports. The results of
these activities invariably produce stark results which require contextual
explanation but ultimately the data doesn’t lie and there has to be a
point of organisational acceptance of reality. The hope is that Internal
Audit are “in your corner” to help with sharing the messages with the
Board and ensuring that the understanding is there, the appreciation of
the implications and therefore the support for the required change.
Security
However, what does this – security - mean, to whom, in what context?
We need to be careful about throwing around the term! If we start as
below for a high level, it will help us keep our bearings. At minimum, we
have the following stages:
1. Physical Security
2. Communications Security (COMSEC) [40s]
3. Operational Security (OPSEC) [50s]
4. Automated Data Processing Security [60s]
5. Computer Security (COMPUSEC) [90s]
6. IT Security (ITSEC) [90s]
7. Information Systems Security (INFOSEC) [90s] - merged COMSEC and
COMPUSEC following rapid change in technology; combined in a
new paradigm to become INFOSEC, internationally recognised in
Common Criteria
8. Information Assurance [00s] (but “Cyber” threats being investigated
in the background)
9. “Cyber” in the media….. [10s]
10. Internet of things / Information Society [10s]
I have no doubt many of you would articulate that differently, add a few
more in, shuffle them about a bit – but you get the idea! During a period
of PhD study undertaken by the author into the origins of Information
Assurance, its usage and adoption, one survey respondent articulated it
thusly:
Security > IT Security > Information Security > Information
Assurance > GRC : It’s an evolution.
In this dynamic world, we learn, unlearn and relearn [Respondent X, APJ]
In a similar vein, another IA scholar identified and articulated “Security
epochs”1:
1) Revolutionary War to the mid 1820s, Mid 1830s to the 19th century
ended with WW1
2) WW1 and Soviet Union emerging
3) 1920 to 1946 global recession, rise of international communism as
Europe collapsed – leading to American democracy crisis
4) Cold War
5) Information age – technological developments, chemical and biological
weapons etc
6) Cyber Security through to the Internet of Things
If you take number 3) above – it is clear that as humans our ability to
repeat patterns of behaviour indicates an inability to learn lessons from
history, in spite of all the perception of progress.
This has recently been the focus of a McKinsey report – identifying the
following:
Pre-2007 Cybersecurity not a priority*
2007-2013 Cybersecurity as a control function
2014-2020 Digital resilience**
* Not entirely true, given the available material and those for whom it
has been a priority for a long time.
** This corroborates my findings and conclusions that “cybersecurity”
is ‘not long for this world’ in terms of focus and will be replaced – but
ultimately all of this still represents a need to ensure good information
security controls are in place and that an information assurance
framework is in operation to provide oversight and governance. Internal
Audit spend a great deal of time assessing the effectiveness of the
implementation of these controls....
Agility in the Information Society
As a security professional, living in the information age, the job writes
itself on a regular basis (Blue Cross Shield in the US is the latest
casualty hot off the press at the time of writing)! The Web has provided
undeniable connectivity and information exchange opportunities, much
of which are to be welcomed. But regularly one wonders as to the
sanity of decisions made when, for instance, there are Data Centres and
military installations available on the Web, under the guise of public
relations, signposting their buildings and facility locations. Just because
you can, doesn’t mean you should – as the meme goes.
As in life, most things have an evolutionary cycle, a maturity path. The
information space is no different. The value of information and the
need to adequately protect it have been important societal tenets for
centuries. We are living in an interconnected Information Age where
there has never been greater access to information nor adoption of
technology. The Information Society has progressed apace, significantly
enhanced as a result of the speed of technological developments and
the reach of the internet to parts of the world previously unconnected.
The speed of development(s) in many industries, in and of itself,
leads to skills crises. Legislative, regulatory, industry standards and
political changes can be shown to have had a significant impact on
the understanding of requirements for information protection within
the information society. Industry experts have been articulating the
subject of Information Assurance (IA), the reasons and need for it for
several decades and yet progress to successful adoption still lacks
corresponding speed in alignment with the pace of the Information
Society - as evidenced by the increased volume of data lost or stolen and
the number of systems breached. Information assets are the oil of the
21st century and the “internet of things” (IoT) is providing the landscape
within which to really understand the synthesis and synergy required
across all sectors to understand the systems that need to be in place in
order to provide that effective protection. This is the landscape of proper
Information Governance - which crosses over a number of other inter-
related disciplines which the audience will be peripherally aware of.
Knowledge, Leadership and Communication are at the core of our
success in the future. I know that we all know this. However, multiple
attempts to engage with Boards and Directors does not appear to
have created the kind of enlightenment required to provide embedded
security. There is a level of middle management still blocking necessary
actions being taken.
The single biggest problem in communication is the illusion that it has
taken place. (George Bernard Shaw)
The conclusions of my doctoral research are:
• Enough of the right people do not know the ontology of Information
Security (InfoSec).
• Enough of the right people do not know the ontology of Information
Assurance (IA).
• Therefore, enough of the right people will not know nor be able to
see the relationships between InfoSec, IA and Information
Governance (IG). Much work has already been done in this area and
plenty of resources exist. The author has provided a reference link to
some of the outputs available below. Whilst the CIO role goes
through ongoing transformation and the CISO role continues to
be a poisoned chalice for many (a subject for another article in
itself!), the near term future will see more CIGO roles – Chief
Information Governance Officers – for those who can see the bigger
picture and can holistically bring all the strands together.
The above lead to the potential that we are at a cross roads where IA
either needs to combine with another complex system – the author
would suggest this to be Information Governance – or it will be lost
forever to the realm of “cyber” and, as a result, a dilution of intent and
ongoing breaches and bad security implementations will continue to
be the experience for the remainder of the 21st century. As a result of
the language used, there is a contingent impact on the culture of an
organisation in terms of its willingness to adopt the messages provided
and embed the best practice advice.
Internal Audit (the other IA) see largely the same risks and issues
that Information Security and Assurance professionals see (I continue
to struggle with the level of duplication of activities – assessments,
reviews etc....) so there is a real need to work closely together to achieve
appropriate outcomes for the businesses/organisations both groups
are serving – i.e. the same desired outcome, reduced (mitigated) risks
and improved security. 100% risk free, 100% security – they don’t
exist. So we need to be agile enough to be realistic in our endeavours –
collectively. Here’s to outstretched hands of friendship!
FROM YOUR BACK OFFICE TO THE FOREFRONT OF THE MARKETS.
Wherever you work to secure your next business opportunity, we are there to help make it real. Across your network. And around the world.
ISACA Ireland Chapter Certification “Top Three” Roll of Honour
ISACA certifications are recognized globally as an industry standard and in many cases as a job
pre-requisite for IT audit, assurance, control, governance, risk, compliance and cybersecurity
related positions. Our certifications can help you as a professional demonstrate your expertise and
abilities to both your company and peers.
ISACA Ireland is delighted to continue to recognize chapter members who have achieved a “Top Three” exam score while taking one of our
CISA, CISM, CGEIT or CRISC certification exams over the last twelve months (December 2014 & June 2015 exam sittings).
For further information on this initiative, please email certifi [email protected]
Lucy Bofin
Jason Finnerty
Andy Peter Hartland
Dina Koehler
John McGinley
Tomas O Ceallaigh
Brian O’Reilly
Louise O’Sullivan
Jan Tilo Otterbach
Courtney Renee Rothe
Ivica Stipovic
Carl James Wainwright
John Bolger
Mark McDermott
Eoin Leonard
Theodoros Nikolakopoulos
Gary McPartland
Tomas O Ceallaigh
Patricia O’Gara
Shane Phelan
Slawomir Edward Prokop
John James Burns
Anthony John Clarke
Andrew Cooke
Naomi Mary Hegarty
Adam Kowal
Petr Profous, Jr.
Anthony John Clarke
Niall Clarke
Martin Cullen
Information Security | Managed Services | Cloud Security | Consulting | Forensics, eDiscovery & Incident Response | Application Development & Integration | Audit & Testing
Dublin: [email protected] 6420100 www.ward.ie
Belfast: [email protected] +44 (0) 2890 823688 www.wardinfosec.co.uk
We take complexity out of information security
At ICON, innovation means embracing change and finding better ways of working. Our integrated information platform, ICONIK, enables our clients to make faster more informed decisions and supports monitoring solutions that significantly reduce development time and cost by optimising monitoring time on-site.
That’s excellence delivered.
ICONplc.com
Innovation hears a different story
The State Of InfoSec
Michael Barwise is CEO at Integrated InfoSec
“The significant problems we face cannot be solved by the same level of
thinking that created them” Albert Einstein
Every time I hear of the latest ‘sophisticated attack’, I groan inwardly
and await the almost inevitable investigation finding that it was actually
rather a push over, even if it exploited a ‘zero day’. ‘Zero days’ are held
by many to represent a special high level of threat, but they are merely
exploitable mistakes in software that the bad guys found before we did.
Given the prevalence of such mistakes in all mainstream software it’s a
mere lottery who finds one first, but whoever does, success in exploiting
it is commonly facilitated by inadequate general security.
The key factor in most of these incidents is not the ‘zero day’ that finally
broke in. It’s the slackness of the overall defence posture that left the
vulnerable entity exposed, and I contend that the root cause of this is
not technological failures, but the mindset with which we approach
defence at the conceptual level. Narrow specialisation is accompanied
by an overriding emphasis on technical facts rather than principles. As
such facts are frequently technology specific or even vendor specific, this
leads to a brand badged ‘how to’ approach to problem solving relying
on ‘dashboard knowledge’, defined by Owen Barfield as far back as the
1920s as manipulative skill unsupported by understanding. This type
of ‘knowledge’ directly triggered the Chernobyl nuclear explosion, so I
submit that it may not be sufficient for controlling exposure to hazard.
But when we InfoSec practitioners possess neither the knowledge of
principles nor the facts, we frequently do worse. Instead of taking a deep
breath and investigating, we instantly fall back, not even on dashboard
knowledge, but on mantras: rote learned snippets of unexplained
received wisdom that we make no effort to validate before applying.
Let’s look at a couple of superficially disparate examples.
‘Everyone knows’ that passwords have to be ‘complex’: containing every
conceivable symbol including, according to Dilbert’s Pointy Haired Boss,
squirrel noises. This makes them ‘strong’, although nobody seems to be
able to explain on demand how it contributes to ‘strength’, or indeed
what ‘strength’ is. With my engineering hat on, the moment I hear the
word ‘complex’ I immediately look for an imaginary part, and in this case
it’s easy to find. It’s the supposed relationship between typical password
rules and the effective control of attacks against passwords. Consider
the real problem. It’s actually twofold and not technological.
Whether or not they conceptualise it explicitly, the rule setter is
interested in ensuring that passwords are not obvious by applying
restrictions to their format and content. We’ll skip for the moment
whether such rules intrinsically deliver this objective, simply noting that
the mantra that defines a certain set of rules is believed in, so attention
is focused not on the rightness of the rules but merely on implementing
them; and that there is usually plenty of time to perform this relatively
undemanding task.
The password user who is restricted by these rules is interested in the
work for which they get paid. Periodically they are faced at short notice
with changing a password. This is generally under pressure as ‘real’
work is waiting to be done. They must think up an apparently arbitrary
string of characters that complies with a set of rules they hardly ever
refer to, and enter this string from short term memory into a field on
screen without being able to see what they are typing. They must then
remember this apparently arbitrary string that they have never seen
until (most likely) the following day before using it again. To paraphrase
Edmund Blackadder, there’s just one tiny problem with that approach:
it’s easy for the rule setter and damned difficult for the user. The user
therefore, far from being ‘stupid’ as most password admins believe, is
extremely ingenious in finding ways to solve their own problem, not
yours: “Pa55w0rd!, which fulfils all your silly rules Sunshine.”
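The mismatch described above, shown as an added example that is not from the article: a typical complexity rule set ("8 or more characters with upper, lower, digit and symbol") accepts Pa55w0rd!, while a small guessability screen (strip the decoration, undo leet substitutions, look the core up in a common-word list) flags it; the same rules reject a long lower-case passphrase that the screen does not flag. The word list, the substitution table, the rule set and the candidate passwords are constructed for this illustration; a production screen would check against a breached-password list rather than a hand-written set.

```python
"""Constructed example: a 'complexity' rule set versus a guessability screen."""
import math
import re

# Constructed stand-in for a common-password / dictionary list.
COMMON_WORDS = {"password", "welcome", "letmein", "sunshine", "qwerty", "monkey"}

# Constructed table of the usual cosmetic substitutions ('1' is read as 'i').
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def meets_complexity_rules(pw: str) -> bool:
    """The classic rule set: at least 8 chars with upper, lower, digit and symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Strip leading symbols and trailing digits/symbols, then undo leet-speak and case."""
    core = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def looks_like_dictionary_word(pw: str) -> bool:
    """True when the decorated password collapses to a known common word."""
    return normalize(pw) in COMMON_WORDS


def naive_strength_bits(pw: str) -> float:
    """The 'strength' a rule setter tends to quote: log2(alphabet_size ** length)."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def screen(pw: str) -> dict:
    """Put the rule-setter's view and the guessability view side by side."""
    return {
        "rules_accept": meets_complexity_rules(pw),
        "guessable": looks_like_dictionary_word(pw),
        "naive_bits": round(naive_strength_bits(pw), 1),
    }


if __name__ == "__main__":
    # Constructed candidates: a leet dictionary word, a year-suffixed one, a passphrase.
    for candidate in ("Pa55w0rd!", "Sunsh1ne2015", "correct horse battery staple"):
        print(f"{candidate!r}: {screen(candidate)}")
```

The naive bit count is what makes Pa55w0rd! look respectable (nine characters drawn from a 95-symbol alphabet); the screen shows why that figure is fiction for a password built by decorating a dictionary word.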
Risk assessment is another area where infosec practitioners perform
spectacularly. International standards require ‘risk based’ security
management, but almost everyone (including those setting the
standards) seems hazy about what the parameters of ‘risk’ actually are.
‘Qualitative’ risk assessment is advocated as being easier than
‘quantitative’, but they are both solely defined in primitive operant
terms: “’quantitative’ uses numbers, whereas ‘qualitative’ uses labels.”
This is no more valid than assuming that the right to left directionality
of Ishikawa diagrams is fundamental to root cause analysis.
Reliance on such mantras has led to several flaws in qualitative
risk assessment that completely undermine its effectiveness. These
include a plethora of mutually incompatible ‘risk equations’ based
on pseudomath, meaningless naive arithmetic on category labels,
‘risk matrices’ with arbitrary and inconsistent transfer functions, and,
in one notable case, chaining of multiple successive matrix driven
approximations suffering from all these faults. The net result is that
qualitative infosec risk assessment as currently practiced is about as
trustworthy as fairground crystal gazing.
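The “naive arithmetic on category labels” can be demonstrated with a few lines. This is an added example, not code from the article or from ISACA: it scores a constructed two-entry risk register with the usual likelihood times impact product under two equally defensible label-to-number mappings and shows that the priority order reverses. The register and both scales are assumptions for illustration.

```python
"""Added example (not from the article): rank reversal from label arithmetic.

Qualitative risk assessment commonly multiplies a likelihood label by an impact
label after mapping each label to a number.  The numbers are arbitrary, and the
example shows that two plausible mappings produce opposite priority orders for
the same constructed risk register.  The register and both scales are
assumptions for illustration.
"""

# Two common ways practitioners turn ordinal labels into numbers (assumed).
LINEAR_SCALE = {"low": 1, "medium": 2, "high": 3}
SKEWED_SCALE = {"low": 1, "medium": 2, "high": 5}

# Constructed risk register: (identifier, likelihood label, impact label).
RISK_REGISTER = [
    ("A", "high", "low"),       # likely but minor
    ("B", "medium", "medium"),  # moderately likely, moderate impact
]


def risk_score(likelihood: str, impact: str, scale: dict) -> int:
    """The naive 'risk = likelihood x impact' arithmetic applied to label numbers."""
    return scale[likelihood] * scale[impact]


def rank(register, scale) -> list:
    """Return risk identifiers ordered from highest to lowest score under a scale."""
    scored = [(risk_score(lik, imp, scale), rid) for rid, lik, imp in register]
    # Highest score first; ties broken by identifier so the result is deterministic.
    return [rid for _, rid in sorted(scored, key=lambda t: (-t[0], t[1]))]


def ranking_is_stable(register, scales) -> bool:
    """True only if every scale yields the same priority order for the register."""
    orders = {tuple(rank(register, scale)) for scale in scales}
    return len(orders) == 1


if __name__ == "__main__":
    for name, scale in (("linear", LINEAR_SCALE), ("skewed", SKEWED_SCALE)):
        print(name, rank(RISK_REGISTER, scale))
    print("stable:", ranking_is_stable(RISK_REGISTER, [LINEAR_SCALE, SKEWED_SCALE]))
```

Under the linear scale B outranks A (4 against 3); under the skewed scale A outranks B (5 against 4). Nothing about the two risks changed, only the numbers someone chose to attach to the words, which is the arbitrariness of the transfer function the text describes.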
Furthermore, the output of such risk assessments (typically ‘high’,
‘medium’ or ‘low’) is so crude as to be useless for assigning treatment
options, even were the assessment to be trustworthy. It serves merely
to set coarse priorities for project planning and to satisfy auditors. The
greatest potential utility of risk assessment: discovery of the nature
and likelihood of causes and consequences to assist in implementing
controls; is completely lost in the fog, leaving decisions about the
critical matters we should be most interested in for defence to be made
using little more than unverified received wisdom and guesswork. Since
nobody is entirely clear about what problem they are really trying to
solve, security theatre and ‘compliance’ take precedence over security
and most organisations are complete pushovers for the adversary.
MANDATORY FOOTNOTE:
Abridged from ‘The State of InfoSec’, IISP Pulse Issue 19, Summer 2015
THOUGHT LEADERSHIP CORNER
Building Human Defences In A Cyber World
Wendy Goucher is Information Security Specialist at Goucher Consulting Ltd
My husband has a T-shirt bearing the slogan “your computer is broken and it’s my problem?” In his case it’s ironic: he is a computing and security professional of long standing. In my case it’s a cry of fear: my approach to information security is focused on people, how they operate and how to influence their behaviour. So if your computer’s broken I can’t fix it, but I can help you come to terms with its loss. My human-centric perspective of information security leads me to be even more concerned about the growing use of the term ‘Cyber’. I often find myself discussing the design of effective security policies, and effective implementation throughout organisations. Frustratingly often people will comment on the ‘valuable’ insight an approach such as mine can bring. In this case ‘valuable’ is ironic because often, as soon as it comes to discussing paying for that knowledge, some potential customers pull back so fast you can practically smell the burning clutch. The reason for this, so I’m told, is that we are all people and therefore knowledge about the way people behave, or can be encouraged to behave, is seen as ‘Common Sense’, and thereby available to all for free. So why pay?
Anyone who has ever had their Saturday evening television scheduling wrapped around ‘Dr Who’ will know the ‘Cybermen’ are one of the scariest of the Dr’s long-term foes, not least because they look like humans. In fact they are machines built around humans, with the human element suppressed so that they are, in effect, machines responding to orders from the central power. It strikes me that just when the importance of a humanistic approach was beginning to become accepted in some of the more enlightened organisations, this seedling is being crushed under the boot of ‘cyber’ and its technical focus.
Peter Woods, a well known and respected member of the information security community, said that staff are a “Human Firewall” in that well trained and informed staff can significantly improve security against both technical and social engineering attacks.
However, it should be remembered that cyber attacks have their genesis with humans, because they have to be devised and implemented somewhere. They also depend on the quality of the attack and the ineffectiveness of the people manning the defensive perimeter: the users. Just because the vector is called ‘cyber’ doesn’t take out the human element; if anything it means people need to be better informed and enabled. So how do we do that?
Let’s think about how we train our children to be safe. This is something that causes parents plenty of challenges, not least because getting it wrong can lead to all sorts of bad outcomes, including that the child may be hurt unnecessarily. So how do we approach the vital challenge of training children to protect themselves?
1. Developing understanding - Dealing with young children we can’t assume that being safe is common sense; we need to show them the dangers, the possible outcomes and the ways of avoiding them. There is no point in putting up a poster with this information; it can only reinforce existing understanding.
2. Technical solutions - Some of the solutions we can use are, in the broadest sense, technical: electric socket covers, child locks for kitchen cupboards and fire-guards. We don’t expect the children to be able to apply them themselves, but they need to understand that circumventing them is a bad idea.
3. Behavioural solutions - Some risks need appropriate behaviour to be learnt and encouraged, e.g. not climbing on kitchen steps, not spilling water all over the dining table and not leaving the house and garden on their own.
4. Skills training - There are also some risks that need the development of skills to protect against them. These include riding a bike or learning to swim.
Nobody can reasonably expect all the risks to be prevented, or mitigated through technical solutions. While it can be argued that staff are not infants, they may have little understanding of the risk from operating in a cyber environment. In fact I am willing to bet that most non-technical staff, if asked, would struggle to explain any cyber risks, or know what to do about them.
If we take these approaches to training, and apply them to the cyber world, staff training can potentially be more efficient and more effective.
1. Develop understanding – Have conversations with staff; pass on stories that demonstrate the risks. People love stories, especially ‘real life’ ones. Look at how many magazines rely on such communication for readership, and not all rely on celebrity stories either; ‘Real Life’ stories are popular too.
2. Technical solutions – Do staff have easy access to encrypted USB or other secure storage methods? Do they know how to use them? Just consider what the alternative approach might be if they can’t use the safer methods. I have been involved in design work for several organisations recently, all of which have the problem that staff are using personal, insecure clouds for storage because they don’t know how to use safer methods, or they believe they are too complicated.
3. Behavioural solutions – With adults this is actually easier than with children, because in many cases behaviours can be compared with safe behaviour in a non-work environment, such as internet communication at home. This can help to get attention.
4. Skills training – A common problem with cyber security for staff is that it is often designed, and possibly delivered, by IT staff. The skills required will be part of their normal tool-box, so they may find it frustrating when general staff find it confusing.
The cyber threat to business is real, and growing. Raising the awareness of staff must start now and must make use of an appropriate mix of skills, technology and behavioural and skills training. Design your approach intelligently and it will help to mould your staff into a flexible, informed defence line. Who wouldn’t want that?
Preventing The Lethal Breach - Supporting
Charities In Cyberspace
Recently, a charity, the British Pregnancy Advisory Service (BPAS), was fined a significant amount by the UK’s Information Commissioner’s Office (ICO).
A summary of what happened: an opportunist hacker, who had anti-abortion views, tried and succeeded. He found an unlocked door to an information treasure trove. The advisory service was unaware that they were retaining information collected from the public and storing it for several years. Fortunately the data was not leaked, as the police got to him in time.
Regardless, the ICO decided to penalise the charity and served it a
£200,000 monetary penalty notice. The primary reason: A serious
contravention of the Seventh Data Protection Principle. Part of the
ruling included the following: “In particular, BPAS failed to take
appropriate technical and organisational measures against the
unauthorised processing of personal data stored on the BPAS website”
The Custodians
Charities are custodians not only of personal information but of what I call super-private and extremely sensitive information. This may not be true in some cases, but in many cases charities support the vulnerable, the needy and those who are unable to fend for themselves. To offer this help, charities understandably must collect and process information that a regular organisation selling a fizzy drink, for example, would not need to.
Let’s take one example of a medical charity: a charity offering advice on cancer would need, and would probably want, to collect as much personal medical information about the subject, and possibly the subject’s relatives, as it can to offer help, advice and guidance. All of this information has to be stored, processed and protected and, importantly, it has to be available to those who need it so that they may offer the necessary services to the members.
Charities and Cyberspace
Given the amount of information and the dependency on that information, it is totally understandable and completely natural that charities are embracing cyberspace as much as other organisations. They are rightfully seeking the benefits that cyberspace and technology have to offer, and that includes embracing services in the cloud and embracing cyberspace in general. But there is a problem.
The benefit of adopting the Internet leads to the same consequences that a commercial organisation would have to face up to: that of being exposed to the hostilities of cyberspace, the hostilities of opportunist hackers who often don’t think of consequences and who wander aimlessly in cyberspace looking for the next attack, the next victim. In the case of the British Pregnancy Advisory Service, mentioned in the introduction, this is exactly what happened.
No Distinctions between a charity and a regular firm.
In an article in 2013, titled “Public won’t cut charities slack
on data protection issues, warns ICO” published by the
http://www.civilsociety.co.uk/ the ICO makes it very clear
that, for example, when it came to complaining about
misuse of call data, in their opinion “..the people pushing
that button (reporting a possible misuse of their data) on
our website are not drawing distinctions about who has
contacted them – they just see this as nuisance marketing”
The number one priority, after survival, for charities is cost effective operations. Information security, data protection, IT optimisation etc. are all good to have; however, they are not often a priority for most. In fact most charities probably don’t have complicated and structured IT organisations. Several job titles are awarded to one individual to save costs and focus on their primary objective of giving back to the community.
The Time is Now!
The GiveADay platform allows Charities to tap into High
Calibre Professionals to combat cybercrime. Up to 100
high calibre IT & Data security professionals, including
CISOs, VPs and CTOs from different UK organisations
have signed up and committed to give a day to help
charities in all aspects of IT, Security & Data Privacy.
Charities including Great Ormond Street Hospital, Future
First and Cancer Research have already signed up to the
GiveADay scheme prior to its official launch on October
9th 2014.
Trust is Vital
In the end, charities, or the third sector as they are often
referred to, rely on the trust of their sponsors, donors and
beneficiaries to function. A cyber breach that compromises
personal and sensitive information could severely
impact the delicate fabric of trust that all parties place in
charities. It is time for the skilled and experienced
amongst us to step up and share our knowledge and
support them.
GiveADay is a non-profit organisation.
www.GiveADay.co.uk.
YOU ARE A TRUSTED ACADEMIC LEADER. BECOME A TRUSTED ACADEMIC ADVOCATE. PARTNERING WITH ISACA® ENABLES YOU TO SUPPORT YOUR STUDENTS, THE ACADEMIC COMMUNITY AND THE PROFESSION.
YOU HAVE THE TALENT. WE MAKE YOU AN ASSET. DISCOVER HOW AN ISACA® MEMBERSHIP CAN HELP YOU ADVANCE YOUR CAREER.
BE MORE
CYBER SECURITY SOLUTIONS THAT PERFORM AT SCALE
Threatscape are proven experts at securing business-critical IT assets
at network endpoints, perimeters, data-centres and in the cloud.
We’ve completed projects protecting up to a million users, a billion transactions and even a trillion dollars in daily global financial trades.
Failsafe The Human Psyche To Advance Security And Privacy
Theresa Payton - CEO and President at Fortalice Solutions LLC & Former White House CIO
We are now in an era of the “loss of innocence and privacy.” Everyone from grandma, to Oscar winners, and major corporations are targets for cyber criminals; everyone is a target, because of who they are, whom they know, what they do, or even the fact that they are connected to the Internet. The internet of things just adds more points of presence to this ever evolving problem set. If we want to solve today and tomorrow’s privacy and security problems we have to rethink how we deliver security. In other words, break ALL the old rules if you want to win.
Leading A Successful DevOps Transition: Lessons From The Trenches
Randy Shoup - CTO at Randy Shoup Consulting & Former Engineering Director DevOps at Google and Chief Architect at eBay
DevOps is no longer just for Internet unicorns any more. Today many large enterprises are transitioning from the slow and siloed traditional IT approach to modern DevOps practices, and getting substantial improvements in agility, velocity, scalability, and efficiency. But this transition is not without its challenges and pitfalls, and those of us who have led this journey have the scar tissue to prove it.
A successful transition to DevOps practices ultimately involves changes to organization, to culture, and to architecture. Organizationally, we want
to create multi-skilled teams with end-to-end ownership and shared production responsibilities. Culturally, we want to prioritize solving problems
and improving the product over closing tickets. Architecturally, we want to move to an infrastructure with independently testable and deployable
components.
This keynote synthesizes the speaker’s experiences leading engineering teams at eBay, Google, and KIXEYE, as well as from his current consulting
practice, and offers practical suggestions that can help organizations be more successful in their DevOps journey.
Move Fast...And Safeguard User Trust - How Facebook Handles Privacy And Data Protection While Growing
A Social Network For 1.5 Billion People
Dr. Jyn Schultze-Melling - Director for Privacy Policy, Europe at Facebook
Founded in 2004, Facebook’s mission is to give people the power to share and make the world more open and connected. People use Facebook to
stay connected with friends and family, to discover what’s going on in the world, and to share and express what matters to them. While doing so,
they entrust Facebook with a lot of very personal information and the company knows that this trust is the basis for its continuous success around
the world. But moving fast and being bold brings challenges in regard to many complex topics, amongst them such sensitive ones as privacy and
data protection. Remaining successful requires finding answers to a lot of fundamental questions: how to keep a promise such as “users first”, how
to professionally set up privacy by design and how to quickly react to changes and challenges are just some from the top of the list. And given the
upcoming changes in the European legal privacy frameworks, preparing for tomorrow has become one of the most daunting tasks of today.
Embracing DevSecOps To Support Rugged Innovation At Speed And Scale
Shannon Lietz - Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit
Never has there been more demand for innovation at speed and scale from today’s business environment. Agile, DevOps, and the Public Cloud are bringing to life the ideas that help transform business and make customers’ lives better. To accomplish this growing demand for customer focused solutions, security has become the final frontier and a friction that needs to become a weapon in the evolving business landscape. DevSecOps is fast becoming part of the answer because of the shared nature of innovation at scale. Come join us as we discuss how security can become a secret ingredient in the race to meet customer needs.
KEYNOTE ABSTRACTS
What We Missed At The Data Centre Audit
Robert Findlay - Global Head of IT Audit at Glanbia Ireland
This session is based on practical experience of running data centres and being on the receiving end and carrying out data centre audits. Too many
key risks are being overlooked and auditors are not targeting the issues that actually matter and the risks that actually bring down data centres.
Making Friends With Internal Audit!
Andrea Simmons - Managing Consultant at i3GRC
The aims of the Security team and the Internal Audit team are not diametrically opposed; rather they are entirely aligned when it comes to Enterprise
Risk Management. Every effort should go into ensuring much closer working relationships that are positive for your environment and your clients,
customers or stakeholders, rather than behaving in an abrasive, negative or counter-productive manner. It’s not a battle ground between the two
disciplines! This session will discuss the overlap and articulate ways in which to improve the dynamic for better results for all. The easy extrapolation
is then from achieving harmony with internal audit to maintaining successful external audit ratings too - nirvana is only 25 mins away!
Increasing Your Audit Relevance Using COBIT 5
Barry Lewis, CISSP, CISM, CRISC, CGEIT - President at Cerberus ISC Inc
Auditors need the skills and techniques that will help them perform effective and efficient audits. This seminar will show that even new auditors can provide detailed governance audits by optimising their use of the various details that COBIT 5 offers. From high-level gap analysis to detailed, fairly technical audits, COBIT provides the auditor with the details they need. Using processes, practices and activities the new auditor has a number of detail levels to choose from. Add in some experience and audits begin to shine.
ASSURANCE ABSTRACTS
Role Of Information Security Professional In Tackling Terror
Dr. Vishnu Kanhere - Consultant at V. K. KANHERE & CO / KCPL
Anatomy of terror and crime:
1. Information systems – enabler, medium, technology for cyber crime, cyber war and cyber terror – the challenge of the cyber criminal and cyber terrorist
2. Role of Information Security in tackling terror
3. Framework for anti terror initiatives – early warning systems, Key Terrorism Indicators and Signatures, Tools & Techniques, Monitoring, reporting and Response
4. Road Map and shape of things to come
Terrorism is on the rise the world over. The reach, effectiveness and scale of terrorist attacks, cyber-warfare and cyber crime have acquired a new dimension with the advent of Information technology as a medium, enabler and tool in the world of terrorism.
A comprehensive Information security framework as a state initiative with private partnership will prove effective in dealing with this menace. The
emerging threats to public networks, SCADA systems, energy, water, transport and communication infrastructure can be effectively neutralized
by deploying information security framework with appropriate people, processes and technology. The author had occasion to study the Mumbai
terror attacks and will share insights with the participants. The author suggests a strategy and outlines a solution based on early warning systems,
monitoring, and response teams.
New Cyber Defense Management Regulation For Banks In Israel - Lessons Learned From Implementing
One Of The World’s First Cyber Defense Management Regulations
Ophir Zilbiger - CEO at SECOZ
“It is clear to every professional dealing with the management of cyber related risks that there’s a need for change. Classic information security methods just don’t do the job. The Supervisor of Banks at the Bank of Israel is one of the first financial sector regulators to realize this by issuing “Directive 361”, Cyber Defense Management, aimed at banks and credit card companies. The directive is divided into two complementing parts – Cyber Defense Management and Cyber Risk Management (note the Israeli banking system has adopted Basel II as the risk management foundation). Two very important aspects of the directive are the appointment of a Chief Cyber Defense Officer (CCDO – as referred to in the directive) and clearly defining the responsibilities of the board of directors in the cyber realm.
This session focuses on the actual, real world experience gained from the implementation of directive 361 in some of Israel’s leading banks: the challenges of defining the difference between Cyber Defense and Information Security and the difference between the CISO role and the newly defined role of the CCDO. Directive 361 and its implementation carry important lessons that professionals responsible for managing cyber risks need to know in order to prepare for upcoming cyber defense regulations that would be issued by regulators in different countries and across various industries.”
8 Security Lessons From 8bit Gaming
Gavin Millard - EMEA Technical Director at Tenable Network Security
“What can Space Invaders teach us about attack path analysis? Mario about defending your users that are the weakest link? Even Pac Man about
focusing on the right goals? Join Gavin Millard, EMEA Technical Director of Tenable, who will explore the lessons to be learned from the games many
of us played years ago that are still valid in the reduction of security risks within all of our infrastructures. Key takeaways from the workshop will
include: How to game the system to get a high score in security. How to gain insight into the attack path used by hackers to gain access to your data.
What cheats can be used to reduce the risk of data loss.”
CYBERSECURITY ABSTRACTS
Is Protecting The Balance Sheet Really Enough?
Joseph Mayo - President at J. W. Mayo Consulting, LLC
“This session examines 4 recent ERM lapses (defective GM sensor, defective Toyota speed control, Anthem data breach, Heathcare.gov) to show how safety and reputation risks can impact an organization. Organizational culture was a large contributing factor in these ERM lapses and compounded the risk impact. Mr. Mayo will discuss the role of the Enterprise Risk Management Organization (ERM), the effect of organizational culture on ERM, and the need for a holistic approach to Enterprise risks. This session will explore High Reliability Organizations (HRO) and how HRO characteristics can be introduced into the organizational culture to achieve a high performing ERM organization that can more effectively identify and manage lapses in the risk management process. Mr. Mayo will demonstrate how to use risk scenarios from the COBIT Governance framework to enhance existing ERM processes. Risk scenarios help drive an ERM organization to a more holistic risk management approach. Risk scenarios combined with HRO characteristics will yield a highly effective ERM organization that can more effectively manage mission, safety, and reputation risk in addition to conventional financial risks.
Attendees will learn how safety risks costing pennies to treat can result in billions of dollars in exposure if left untreated. Attendees will learn how to enhance ERM processes to include mission, safety and reputation risks in addition to conventional financial risks. Finally, attendees will learn how to develop risk scenarios and integrate them with existing ERM processes.”
How To Make Rubbish Risk Decisions
Michael Barwise - CEO at Integrated InfoSec
The influence of psychology on decision making is hardly ever considered in the infosec risk space, despite its powerful influence on the quality and consistency of judgement. However there is a small but influential set of mental heuristics that bias judgement, largely regardless of the issue being assessed. The speaker will take a practical look at these heuristics and the biases they contribute to, with examples from real world events, and suggest ways of reducing their influence.
A Question Of Trust
Wendy Goucher - Information Security Specialist at Goucher Consulting Ltd.
When a device attempts to connect to a network, that network needs to establish if that device is a trusted device. If it is, then it can proceed to check if the user is trusted by means of identification and authentication. If all is ok then, in most cases, access is gained. Humans are different. Take your neighbours. You may trust them to come to a party, but would you lend them your new car, house or smartphone? “Possibly”, “maybe”, or “it depends” are the most likely answers. Trust in the technical world is binary: they trust or they don’t. In the biological world trust is much more granular. One of the hardest lessons for teenagers to learn is that most people are trustworthy in some situations, but maybe not in others. Finding the boundaries of that trust is often painful trial and error until experience powers judgement.
When we issue a directive or policy that says “do not use public WiFi for working on sensitive business documents”, that may seem straightforward. We know what is sensitive and we understand enough of the threats from public WiFi. But the user might say “but what about if the boss rings and demands I send this email before I get on my flight in 15 minutes?” or any of a thousand other “What if?”s. They are probably not being difficult; they simply see trust in a less straightforward way.
This presentation aims to make you consider how some of our ‘common sense’ messages may not lead to secure action – and considers some solutions.
RISK ABSTRACTS
My Data My Responsibility
Jenai Nissim - Data Protection Manager at Capital One (Europe) Plc
Whilst we all know what’s happening to data within our organisation, the minute it is passed to third parties we start to lose control. This session
is to talk about the practical controls and monitoring arrangements you can put in place to ensure that your data is safe once it is passed or shared
with a third party.
Are You Ready? The Hitchhiker’s Guide To The Integration Of Privacy And Security
Gerard Smits - Founder at NedPrivacy
Risk assessments regarding security risks are a quite common practice. With the General Data Protection Regulation (GDPR) on the horizon, privacy risks are entering the board room. The financial consequences are getting higher if you are not in control. But there is more…
• What about the reputational damage, potential liability?
• Have you done your due diligence when looking at privacy risk assessments?
• Are you in control and prepared?
• Is your executive aware of the potential risks?
During this presentation, you will be taken onboard for a journey in building trust, integrating security and the understanding of potential harm for
staying ahead of the game. In other words: see what you can do by using privacy risk assessments to be and stay competitive and regain your agility.
Time for acting is now, be prepared!
Takeaways:
• How to determine privacy related risks
• Integration of security and privacy (not so different after all)
• Steps to prepare your organization
• How to communicate privacy and security risks in the boardroom
Legal Solutions To Technical Privacy Problems
David Fagan - Commercial Lawyer at Business Legal
For almost all personal data Privacy issues, including Security issues, there are Legal Solutions as well as technical ones. The best results are often found with a mix of technical solutions and legal solutions. In this session David will take you through common legal solutions for Privacy issues: solutions which can reduce technical spend, and require less concentration of scarce technical resources. Ultimately, data privacy is an issue arising almost entirely from the need for statutory compliance. From this session, you will have a grasp of the various tools available to you to navigate through the privacy and data security area, in a practical, cost effective way.
PRIVACY ABSTRACTS
Shadow IT Risk - Empirical Evidence From Multiple Case Studies
Christopher Rentrop - Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)
In many organizations, business departments and users autonomously implement Information Technology (IT) without integrating these systems in the formal IT service management. Shadow IT, which partly evolved from non-transparent and unapproved end-user computing (EUC), is a term used to refer to the phenomenon. It challenges IT controllability and can compromise business goals. Therefore it is becoming a major topic in the field of IT Governance, risk and compliance. Based on multiple case studies our research group has undertaken an in-depth analysis of the role of Shadow IT in companies.
In these studies Shadow IT instances were surveyed by interviews. In a next step the quality of the solutions found has been assessed. Furthermore
necessary measures were derived for each single Shadow IT system. In the presentation a detailed insight to the usage patterns, related risks and
typical measures will be given. For example we found between 6 and 52 Shadow IT systems in every department, whereof 40% were used to make
operational or strategic decisions. Across all industries more than 60% of the instances needed management attention. As a result of the analysis
implications for the design of a company’s internal control system will be derived.
Getting Started With GEIT
Peter Tessin - Technical Research Manager at ISACA
Getting access to frameworks and standards to assist with governance is easy; applying those materials to everyday business problems isn’t always!
Join us for a discussion on the practical application of governance and COBIT to real-world business problems. Learn how to work through
identification of an issue to documentation of its resolution. We will focus on a specific business issue and work through:
• How to communicate to upper management what approach we’re going to take
• How to identify the key requirements to resolve the issue
• Applying a systematic approach to ensuring all necessary resources are identified
• Designing a solution
• Documenting the entire effort
How To Talk About IT Governance With Your Boss In The Elevator?
Bruno Horta Soares - Founder & Senior Advisor at GOVaaS - Governance Advisors as a Service
Before you do things right, you have to do the right things. This session explains why good communication between business and IT areas is so important in helping
organizations deliver value, and how to get everyone speaking the same language using COBIT 5 related materials. It includes a reality check and lessons
learned from projects and initiatives developed to improve IT savviness at small and medium enterprises in a “small medium country” like Portugal.
ENTERPRISE GOVERNANCE ABSTRACTS
Understanding Today’s Mobile App Store Ecosystem And Why You’re At Risk
Jeff Lenton - Solutions Architect at RiskIQ EMEA
The ongoing creation of mobile apps and the rapid proliferation of mobile app stores make it difficult, if not impossible, to keep tabs on all the apps
created by you or created in your name. As secondary app stores step in and grab apps from official stores and re-deploy them to their sites without
your knowledge, the threat of your apps being exploited, attacked or copied becomes even greater. In this session we will explore the complexities of
the worldwide app store ecosystem and examine recent examples of malware, app re-packaging, data leakage and intellectual property violations
presented by fraudulent and unauthorised apps. We’ll show how you can take a proactive stance against malicious and rogue apps and take them
down before they compromise your organisation or your customers.
Threat Modeling: Finding Security Threats Before They Happen
Jeff Kalwerisky - VP & Director of Technical Training at CPE Interactive, Inc
Threat Modeling is a formal methodology to identify risks and vulnerabilities as early as possible in the lifecycle of complex technology processes,
including software and hardware systems and even financial systems. This approach helps the auditor, information security, internal control, or risk
professional to identify, classify, rank, and mitigate enterprise threats in complex systems, without “getting down in the weeds.”
The documentation in a Threat Model forms an important component of an Enterprise Risk Management System (ERMS). The model is also an
excellent communication tool to describe risk in a common format for different audiences: software developers, hardware engineers, business users,
auditors, security practitioners, IT staff, and senior management.
All of this information can be stored in a database which forms an electronic trail, over the entire lifecycle of the application or system, of the
vulnerabilities and control weaknesses inherent in the system and the corresponding resolution or corrective action. Review of the database records
can then be mapped to continuous monitoring and continuous auditing processes. This session provides an overview of building a Threat Model,
using data flow diagrams, a standard taxonomy of threats and vulnerabilities (“STRIDE”), and a more objective way to rank threats and vulnerabilities
for remedial action (“DREAD”).
A Case Study: Standard Bank’s Journey Into Security And DevOps
Jock Forrester - Head of IT Cyber Security at Standard Bank
Ever read The Phoenix Project and wondered if John the security guy was “you”? You know, the guy who always says no, is seen to be driving an
agenda against the flow of the business and holds everyone back. Then everyone wants to use “Agile” as the silver bullet to respond to customer
demands faster and put features straight into production, and as that guy, are you being bypassed? “Agile is not an excuse to be stupid!” How
does one change the approach to security in the SDLC to not only support but encourage a continuous delivery pipeline and therefore an Agile
methodology?
The answer is:
• Get more involved further left in the SDLC
• Expand and automate your security testing capabilities
• Embrace and exploit the velocity that a DevOps train brings
APPLICATION SECURITY/DEVOPS ABSTRACTS
Theresa Payton
CEO and President at Fortalice Solutions LLC & Former White House CIO
United States
In the wake of recent, debilitating cyberattacks hitting organizations large and small, Theresa Payton remains the
cybersecurity expert companies turn to regarding efforts to strengthen cybersecurity measures and understand the
impact of the Internet of Things and the importance of securing Big Data. Named one of the top 25 Most Influential
People in Security by Security Magazine, she is one of America’s most respected authorities on Internet security, data
breaches and fraud mitigation.
The first female to serve as White House Chief Information Officer, Payton oversaw IT operations for the President
and his staff from 2006 to 2008. Previously, she held executive roles in banking technology at Bank of America and
Wells Fargo, facilitating her broad knowledge of cybersecurity risks and measures in the financial services industry.
Currently, as the founder, president and CEO of market-leading security consulting company Fortalice Solutions, LLC,
she remains the expert that organizations go to for help understanding and improving their IT systems.
Payton collaborated with IT expert and attorney Ted Claypoole to author two books focused on helping others learn
how to protect their privacy online, after receiving a number of pleas from friends and strangers regarding account
hacking. Hailed as ‘must-reads,’ Privacy in the Age of Big Data and Protecting Your Internet Identity outline people’s
rights, as well as tips and strategies for building and maintaining a positive online image.
Recognized as a 2015 William J. Clinton distinguished lecturer by the Clinton School of Public Service, Payton will
provide ISACA attendees with a fascinating narrative on the world of cybersecurity, including insight and methods
critical to protecting organizations and information from rapidly evolving cyberattacks.
Theresa has been on The Daily Show with Jon Stewart and is the go-to cybersecurity and privacy expert on various
news TV and radio shows such as the Today Show, Good Morning America, CBS News, MSNBC, Fox Business, Fox News
and nationally syndicated radio programs on Sirius FM and AM radio stations.
From the White House to your company, Theresa will provide you with tips to break all the rules to win the
cybersecurity war with criminals.
Randy Shoup
CTO at Randy Shoup Consulting & Former Engineering Director DevOps at Google and Chief Architect at eBay
United States
Randy Shoup has worked as a senior technology leader and executive in Silicon Valley for the past 25 years at
companies ranging from small startups, to mid-sized places, to eBay and Google.
In his consulting practice, he applies this experience to scaling the technology infrastructures and engineering
organizations of his client companies. He was Director of Engineering in Google’s cloud computing group, leading
several teams building Google App Engine, the world’s largest Platform as a Service. He spent 6 1/2 years as Chief
Engineer at eBay, and served as CTO of KIXEYE.
Randy is a frequent keynote speaker and consultant in areas from scalability and cloud computing, to analytics and
data science, to engineering culture and DevOps. He is particularly interested in the nexus of people, culture, and
technology.
KEYNOTE SPEAKERS BIOS
Dr. Jyn Schultze-Melling
Director for Privacy Policy, Europe at Facebook
Ireland
Jyn is Facebook’s Director for European privacy policy. Operating out of the company’s international headquarters in
Dublin, he serves as a point of contact and a reliable source of information for policymakers and other stakeholders
who have questions about Facebook’s privacy efforts.
With a background as a former information technology lawyer in a major law firm, during his 15-year career as an
international data protection and privacy professional he held both operational and leadership responsibilities in
various corporations, most recently as Chief Privacy Officer of the Allianz Group, one of the world’s biggest providers of
insurance and financial services.
Jyn also regularly speaks and publishes on privacy issues and serves on the International Association of Privacy
Professionals (IAPP) European Advisory board. Founded in 2000 as a not-for-profit organisation, the IAPP is the
largest and most comprehensive global information privacy community and resource that helps define, support and
improve the privacy profession globally.
Shannon Lietz
Senior Manager, Cloud Security Engineering (DevSecOps) at Intuit
United States
Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security
defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is
responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support
of corporate innovation. Previous to joining Intuit, Ms. Lietz worked for ServiceNow, where she was responsible for
the cloud security engineering efforts. Prior to this, Ms. Lietz worked for Sony, where she drove the implementation
of a new secure data center and led crisis management for a large-scale security breach. She has founded a metrics
company, led major initiatives for hosting organizations as a Master Security Architect, developed security software
and consulted for many Fortune 500 organizations. Ms. Lietz holds a Bachelor of Science degree in Biological
Sciences from Mount St. Mary’s College.
KEYNOTE SPEAKERS BIOS
Andrea Simmons
Managing Consultant at i3GRC
United Kingdom
Andrea is an experienced information security/assurance/GRC evangelist with more than 17 years’ direct information
security, assurance and governance experience (20+ years in the IT industry), helping clients establish appropriate
controls and achieve and maintain security certifications. Andrea’s most recent role as Chief Information Security
Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance, seeking
to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work
has included development of a patentable enterprise governance, risk and compliance (eGRC) approach to transforming
and meeting information governance needs.
Andrea has always allowed time for volunteer involvement in various professional bodies – being a member of the BCS
Chartered Institute for IT Security Community of Expertise, Director of the Institute of Information Security Professionals,
Senior Member of the ISSA, ISACA member, volunteer delivering Safe and Secure Online programs to UK schools for ISC2
– and has been involved with the management committee of the Information Assurance Advisory Council (IAAC) for many
years. The endeavour is always to shape the information security landscape and develop the Information Assurance
Profession for the future.
Barry Lewis CISSP, CISM, CGEIT, CRISC
President at Cerberus ISC Inc
Canada
Barry Lewis is President of Cerberus and has over 45 years of experience in information technology, specializing in
Information Security and IT Governance for more than 35 years. He began work in the consulting field in 1987 and
worked for two major audit firms before starting his own company in 1991 and joining Cerberus in 1993.
He was awarded the John Kuyers Best Speaker/Conference Contributor Award in 2008. Mr. Lewis is co-author of numerous
books, including Computer Security for Dummies, Teach Yourself Windows 2000 Server in 21 Days and Wireless Networks
for Dummies. His books have been translated into numerous languages around the world. He is co-developer of the
COBIT 5 PAM and Assessor Guides and is Foundation accredited. Barry lectures and consults world-wide.
Bruno Horta Soares
Founder and Senior Advisor at GOVaaS - Governance Advisors as a Service
Portugal
Bruno has more than 15 years of Information Systems professional services experience, particularly in areas related to
Governance, Risk, Control, IS Audit, Information Security and Privacy and Project Management. He started his career at
Deloitte Consulting, worked for the Information Risk Management area at KPMG and for the Enterprise Risk Services area at
Deloitte Portugal. In 2012 he founded GOVaaS - Governance Advisors as-a-service, where he is currently Senior Advisor,
and since then he has devoted himself enthusiastically to advising, teaching and training on subject matters related to governance
and management of enterprise IT and digital transformation, working with public and private organizations in Portugal,
Angola, Brazil and Mozambique.
He has a 5-year degree in Management and Computer Science from ISCTE and a post-degree in Project Management
from ISLA Campus Lisboa. He is certified as a Project Management Professional (PMP) by the Project Management Institute
(PMI), Certified Information Systems Auditor (CISA), Certified in the Governance of Enterprise IT (CGEIT) and Certified in
Risk and Information Systems Control (CRISC) and COBIT 5 Foundation from ISACA, ITIL® version 3 Foundation, ISO/IEC
27001 Lead Auditor and Training for Trainers Certification (CAP). He’s also an APMG individual accredited trainer for COBIT
5. He’s advisor and visiting professor at ISCAC - Coimbra Business School, Instituto Superior Técnico (IST), Universidade
Portucalense (UPT), Universidade Europeia | Laureate International Universities, Universidade Católica Portuguesa (UCP)
and Unipê - Centro Universitário de João Pessoa - Paraíba, Brasil. He’s the founding President of the ISACA Lisbon Chapter,
member of several professional associations in the areas of Auditing (IIA), IT Governance (ISACA, IPCG) and Project
Management (PMI), and keynote speaker at various conferences and seminars.
TRACK SPEAKERS BIOS
Christopher Rentrop
Professor for Business Information Systems at HTWG Konstanz (University of Applied Sciences)
Switzerland
Christopher Rentrop started his career as a Group Controller and later a CFO for a distribution company and an elevator
group. Since 2007 he has been working as a professor for Business Information Systems at the Konstanz University of Applied
Sciences. In this position he has specialized in Strategic IT Management, IT Governance and Shadow IT.
David Fagan
Director at Business Legal
Ireland
David Fagan is a commercial lawyer. Until recently he was a partner in the largest international commercial law firm
in Ireland, with offices in 47 locations around the globe and 200 staff in Ireland. Recently, he has set up his own
consultancy practice, Business Legal, in conjunction with a number of other equally experienced lawyers and professionals.
David has been involved in:
• Managing and leading multi-jurisdictional legal privacy projects across Europe, Africa, Asia and the Middle East.
• Dealing with Privacy issues in Courts, and with Regulators.
• Advising on practical matters such as transferring data to non EU servers, marketing restrictions etc.
Gavin Millard
EMEA Technical Director at Tenable Network Security
United Kingdom
15 years ago, when he could make decisions on how to do his hair in the morning, he was told by his employer that he
could put in a leased line for internet access as long as it was “secure”. After playing with firewalls, IDS, content filtering
and anti-virus, he realised securing stuff was a hell of a lot more interesting than dealing with support tickets from
people who had no business touching a keyboard.
He quickly discerned that to be able to secure an infrastructure he had to understand how to break into it, which led to
spending way too much time on ethical hacking courses and Astalavista. He made the move to working with security
vendors 11 years ago, firstly at Tripwire and then more recently at Tenable Network Security.
Today, with the hair mostly absent or grey, he spends his time helping other companies understand their security issues
and talking about how to effectively implement critical controls to protect the ever-increasing data that they collect and
store.
Gerard Smits CRISC, CISSP, CIPP/E, ISO 27001 LA
Founder at NedPrivacy
Netherlands
Gerard Smits is an international manager and has worked in senior management positions for multinationals, before
starting to work as an independent consultant with an emphasis on privacy, IT security and cloud technology. His
pragmatic view and creativity provide him the tools to look at problems from different perspectives. He has an IT
background supplemented with executive education in finance, legal and strategy. He divides his time between consultancy,
research and building tools that help his clients to be more effective.
Jeff Kalwerisky
VP and Director of Technical Training at CPE Interactive, Inc.
United States
Jeff Kalwerisky is director of technical training for CPE Interactive. He speaks frequently to ISACA chapters in North
America where he has delivered sessions to hundreds of ISACA members on leading-edge information security topics,
including data privacy, threat modeling, information security strategy, Cloud computing, and Big Data security. He was
recently keynote speaker at the IIA’s “Evolve” international conference in Johannesburg, South Africa.
As an executive at Accenture, Jeff focused on healthcare security. He acted as security architect for the UK’s National
Health Service, on the world’s largest EMR (electronic medical records) project, with over 1,500 developers. As global
security manager for VeriSign, he designed and deployed military-grade secure data centres around the world.
TRACK SPEAKERS BIOS
Jeff Lenton
Solutions Architect at RiskIQ EMEA
United Kingdom
Jeff is a highly experienced technical consultant with over 15 years’ experience in a variety of senior pre- and post-sales
positions in the IT Security sector, architecting and supporting a wide range of threat intelligence, threat prevention,
compliance and audit products. He has extensive experience in supporting and guiding enterprise customers through
large-scale projects from initial solution architecting through to production deployment. More recently Jeff has
specialized in cloud-based, software-as-a-service solutions for Google, Symantec and currently as a solutions architect
with RiskIQ. Jeff holds a BA (Hons) in Political Science from the University of East Anglia.
Jenai Nissim
Data Protection Manager at Capital One (Europe) Plc
United Kingdom
Jenai Nissim heads up the Data Protection Legal and Compliance Programme for Capital One (Europe) Plc. Prior to
undertaking this role Jenai was responsible for negotiating and advising on data protection contracts and third party
outsourcing agreements.
Jock Forrester
Head of IT Cyber Security at Standard Bank
South Africa
Jock Forrester is responsible for the IT cyber security prevention, detection and response capabilities at Standard Bank. He
is also responsible for the bank’s penetration testing, where the greatest challenge is adding velocity to its assessments
in order to support its drive towards DevOps.
He recently completed his MSc in Computer Science, specialising in Information Security, at Rhodes University. His thesis
was entitled “An Exploration into the Use of Webinjects by Financial Malware”, and was a deep dive into how financial
malware is used to target organisations.
Joseph Mayo
President at J. W. Mayo Consulting, LLC
United States
Joseph W. Mayo is an Information Technology professional with over 20 years of experience. Mr. Mayo is a PMI-certified
Project Management Professional (PMP), Risk Management Professional (RMP), and a Certified Risk and Information
Systems Control (CRISC) professional. Mr. Mayo has worked for a variety of professional services companies including
Computer Sciences Corporation, Keane Incorporated, ManTech International, and NTT DATA.
He is an author, frequent speaker and conference presenter on topics that include risk management, project
management, and quality assurance. Mr. Mayo is the author of Chaos to Clarity: The Tao of Risk Management. Mr.
Mayo was Program Manager for project #7 of the top 100 IT Projects of 2006 by InfoWorld. Mr. Mayo developed a risk
management maturity roadmap for a U.S. Government Agency.
Michael Barwise
CEO at Integrated InfoSec
United Kingdom
Michael Barwise has consulted in systems engineering and business risk for over 30 years, concentrating for the last
fifteen on the strategic management of information security. He is a fellow of the RSA, a member of both the BCS and the
IISP and a Chartered Engineer. He has been a member of the DPA (EURIM) e-crime and cyber security panels since 2003,
and has contributed to national cyber security strategy and e-crime legislation. Michael has made an extensive study of
the psychology of decision-making, with the aim of improving the performance of a critical function on which the whole
edifice of risk management is founded and can founder.
TRACK SPEAKERS BIOS
Ophir Zilbiger
CEO at SECOZ
Israel
Ophir Zilbiger, CRISC, CISSP is the CEO of SECOZ, a leading information security and cyber defense consulting group
based out of Israel. He is a seasoned expert with approximately 20 years in Information security. He is the chairman
of the ISACA Israel Cyber Security sub-committee. In his previous role, Ophir managed the Global Risk Management
Services practice for PwC in Israel and was the PwC global SME for network security. Ophir is a veteran speaker in various
Israeli and international conferences such as Check Point global conference, CA World, Microsoft and BMC partners and
customer events and more. Ophir is the chairman of the Israeli Info-sec conference and trade show.
Peter Tessin CISA, CRISC, MSA, PMP
Technical Research Manager at ISACA
United States
In his role at ISACA, Tessin has been project manager for COBIT 5 and led the development of other COBIT 5-related
publications, white papers and articles. Tessin also played a central role in the design of COBIT Online, ISACA’s latest web
site that offers convenient access to the COBIT 5 product family and includes interactive digital tools to assist in the use
of COBIT. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm, where he led client engagements
and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff
accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and
auditor. He has worked in many countries outside of his native US including Canada, Mexico, Germany, Italy, France, UK
and Australia. With more than 20 years of global business and IT experience, Tessin is able to address topical issues in
business leadership.
Robert Findlay
Global Head of IT Audit at Glanbia
Ireland
Bob is an experienced IT professional, having worked in most areas of IT including operations, software development,
project management, Information Security, IT Auditing and as a CIO. He has 30 years in the IT industry working across
a range of industries in multiple countries, including significant periods in the banking, airline, manufacturing, retail and
internet sectors in the UK, Ireland, Australia, India, Canada and the USA, in addition to smaller IT and audit assignments
across Africa, Europe, North America and Asia.
Dr. Vishnu Kanhere
Consultant at V. K. KANHERE and CO / KCPL
India
Dr Vishnu Kanhere is a practicing Chartered Accountant, a qualified Cost Accountant and a Certified Fraud Examiner with
a brilliant academic record, having won several gold medals and awards. Certified in the Governance of Enterprise IT,
Systems Audit, Risk Management and Information Security, he has over 30 years of experience in IS Audit and security,
consulting, assurance and taxation for listed companies, leading players from industry and authorities, multinational and
private organizations. His academic achievements and “hands on” working experience reflect the wide canvas on which
he operates. A renowned faculty at several institutions, Dr Kanhere has been a key speaker at national and international
conferences and seminars on a wide range of topics and has several books and publications to his credit.
Wendy Goucher
Information Security Specialist at Goucher Consulting Ltd
United Kingdom
Wendy is an Information Security Specialist at Goucher Consulting, based in Scotland. Her proudest achievement
so far is helping to devise a school curriculum for security awareness for the UAE. She mostly works with organisations
to develop usable security guidelines and training materials and to improve understanding of the potential risks of mobile
working. Wendy is researching at the University of Glasgow, focusing on mobile computing and the threats from
increasing use of a virtual office. As an author she contributed to ‘Creating a Culture of Security’ in 2011 and the 2012
revision of the Information Security Management Handbook. Her book ‘Information Security Auditor’ for the British
Computer Society is in pre-publication and she is co-authoring a book on Incident Management.
TRACK SPEAKERS BIOS
NOTES
EUROCACS 2016
DUBLIN, IRELAND 30 MAY – 1 JUNE 2016
Watch for information at www.isaca.org/conferences
CONFERENCE SPONSORS
Edgescan is a Managed Security Service delivered by BCC Risk Advisory. It is a highly accurate
cloud-based SaaS (Security-as-a-Service) solution which helps companies to discover and manage
vulnerabilities on a continuous or on-demand basis. With thousands of assets under vulnerability
management, Edgescan is a listed “Notable Vendor” in Gartner’s Magic Quadrant for Managed
Security Services and a “Sample Vendor” in the Gartner Security Hypecycle.
Edgescan is unique, being the only hybrid full-stack solution of its kind in Europe, the Middle East and
Africa (“EMEA”), as it covers both network and application security. Our solution offers virtually false-
positive-free results due to expert manual verification and risk rating.
Espion - Managing and Securing your Business Information
We provide expertise to our clients on the Identification, Protection, Compliance and Management of
their Information.
We work with clients across all industry sectors and business functions. We solve their Information
challenges through a combination of Consultancy, Technology, Research and Training. We provide
these innovative solutions so that our clients feel protected, assured and empowered, confident in
the knowledge that their challenges have been met.
Headquartered in Dublin, and operating in Ireland, the UK, continental Europe and the US, we
are unrivalled experts in managing the complexities of corporate information, giving your people
maximum access to and control of your company’s information.
ICON plc is a global provider of drug development solutions and services to the pharmaceutical,
biotechnology and medical device industries. The company specialises in the strategic development,
management and analysis of programs that support clinical development - from compound selection
to Phase I-IV clinical studies. With headquarters in Dublin, Ireland, ICON currently operates from 81
locations in 37 countries and has approximately 11,300 employees.
Citi, the leading global bank, has approximately 200 million customer accounts and does business
in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments
and institutions with a broad range of financial products and services, including consumer banking
and credit, corporate and investment banking, securities brokerage, transaction services, and wealth
management.
Our name ‘Threatscape’ is derived from our mission of ‘securing the digital threat landscape’ – in
other words, ensuring the security of our clients’ business critical IT systems. We provide business
critical IT security solutions & services to large corporate, multinational and state organisations in
the UK, Ireland and elsewhere.
Ward Solutions is Ireland’s largest Information Security provider. As Ireland’s leading provider
of Information security and risk management solutions, we provide a comprehensive range of
information security services centred on assessment and assurance, strategy and architecture,
through to systems integration and deployment, all wrapped in enterprise managed services from a
single source.
GOLD SPONSORS
BRONZE SPONSORS
SILVER SPONSORS
Thank you to our Sponsors for their support in making the ISACA Ireland 2015 Conference a great success!
YOU BUILT YOUR REPUTATION. LET OUR CERTIFICATIONS ELEVATE YOUR CAREER.
GET AHEAD WITH CERTIFICATIONS THAT VALIDATE AND SHOWCASE YOUR EXPERIENCE.
ISACA CERTIFICATIONS 2015