Thursday, May 25, 2006
Boston Marriott Long Wharf Hotel
Boston, MA
2:30 PM - 4:30 PM
Global Topic for Executive Forum:
Led by:
Marc S. Sokol
CISM, CHS-III, Chief Security Officer
The Guardian Life Insurance Company of America
ISE Tri-State Award Finalist and People's Choice Award Winner 2005
Bridging the Gap Between Technical and Business Leaders
Today's security executive succeeds by articulating the business need for security and managing risk for security endeavors across the enterprise.
As the Internet grows more sophisticated and the business more dependent on it, security executives must lead protection and privacy initiatives on many fronts: communications, business continuity, financial transactions, e-business and compliance, to name a few. They need to wear many hats: technology expert, law professor, auditor and business executive.
Discuss the challenges and what it takes to be a successful information security executive.
Guest Table Host Moderators
Susan Bates
Vice President and Manager, Information Systems Security and Compliance Solutions
BJ's Wholesale Club
Tim Callahan
CISSP, CPM, Group Vice President and Manager, Access Control and Support Services
SunTrust Banks, Inc.
ISE Southeast Award Finalist and People's Choice Award Winner 2006
Denise DeAmore
Senior Vice President, Senior Director Information Technology
State Street Corporation
ISE New England Award Winner 2005 and People's Choice Winner 2005
Jeff Huegel
Chief Security Officer
USinternetworking
Annapolis, MD
Breakout Executive Roundtable Topics
Thought Leadership Topic One:
Instituting and Sharing Best Practices for Complying with the PCI Data Security Standard
When customers offer their bankcard at the point of sale (POS), over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That's why Visa USA has instituted the Cardholder Information Security Program (CISP).
Mandated since June 2001, the program is intended to protect Visa cardholder data, wherever it resides, by ensuring that members, merchants, and service providers maintain the highest information security standard.
The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with CISP, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.
This standard is a result of collaboration between Visa and MasterCard and is designed to create common industry security requirements, incorporating the CISP requirements. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.
Discuss in this Executive Roundtable the business challenges, and the methods and technologies you are planning or have already deployed, to meet this industry standard.
Thought Leadership Topic Two:
Preserving Privacy without Forsaking Security: Complying with Breach Notification Laws
The publicity surrounding breaches of sensitive personal information has been unprecedented. Much of this publicity can be traced to California's groundbreaking breach notification law, which requires notification to California residents whose sensitive personal information has been compromised, and which brought disclosures affecting several hundred thousand individuals into public view.
To date, 21 additional states have passed some form of breach notification law. The California law and its state counterparts require companies to notify state residents whenever their unencrypted personal information is reasonably believed to have been acquired by an unauthorized person.
This covers circumstances as simple as the theft of a laptop or BlackBerry, or as troubling as penetration by a hacker. These laws apply to any person or business that conducts business within a U.S. state and maintains computerized data about that state's residents, such as customer information or employee records.
Moreover, the security breach need not occur within the state for that state's statute to apply; all that matters is that the personal data of a resident of that state is compromised. Like California's, several of the new state laws also require notification whenever a breach occurs, even if no harm would likely result. Discuss in this Executive Roundtable the strategies for compliance, which include:
- Identify and classify the systems that contain personal information, and enhance mechanisms to detect unauthorized activity on networks
- Select the best methods of encrypting personal information
- Create and maintain an incident response plan that ensures key decision-makers are alerted immediately when breaches are detected
- Deploy a corporate incident response policy that provides step-by-step procedures for notification
- Ensure that third-party contracts involving the transfer of personal data include appropriate information security provisions
Thought Leadership Topic Three:
How to Talk Information Security to Your Board of Directors and Be Heard
Many of today's security executives never stand before their boards of directors. In this Executive Roundtable you will discuss how to gain that access and make the most of the visibility for your career.
For example, if you are asked to submit preliminary paperwork, how long should it be? How do you convey a concise and precise message that demonstrates value to the business without excessive technical jargon?
Discuss how to communicate effectively with the board and how to reinforce your image as the head of information security so that directors see you as an important player in the business. Show that you belong in the board room.
Thought Leadership Topic Four:
Eyes Wide Open - Selling the Importance of a Security Program to Your CFO
Security is a fundamental element of core business processes, and security executives are enablers who allow the enterprise to meet business risk with its eyes wide open. So how do you sell your security program to your CFO?
Do you start with scare tactics such as the Corporate Sentencing Guidelines, or the high-level resignations caused by phony experience credentials? Depending on your business, do you play the homeland security card and point to international, and now domestic, terrorism threats? If your organization creates products or innovative services, do you leverage fears about intellectual property theft and product diversion?
What about high-level internal misconduct and criminal activity, and the daily reality of cybercrime and business interruption? Look at any one of those areas and you have a good case for the bean counters.
Discuss how to overcome the view that any activity unable to demonstrate a direct contribution to revenue and profit margin is an albatross around the neck of the company, and share tips on how to convey the importance of your security program's mission and its relationship to the protection of the enterprise.
Thought Leadership Topic Five:
Leading Security in an Everchanging Enterprise
New systems are installed faster than the enterprise infrastructure was designed to handle, and organizations lack the IT staff to process security logs, integrate legacy architecture, and act on other sources of threat intelligence.
Add company mergers and acquisitions to the mix, and security executives become far less confident that they are catching every threat, or even that they are aware of every system on the network.
Do you rip everything out and start again? Or do you leverage what you have and blend in a best-of-breed approach? Can these two opposing ideas be reconciled?
Discuss in this Executive Roundtable how to assess the changing landscape and lead your information security program in a dynamic environment.