Past Cyber Security Speaking Events & Presentations

HALOCK cyber security presentations at industry conferences and events.

2024


ISSA February Cyber Executive Forum 2024

February 22, 2024

Speaker: Chris Cronin, ISO 27001 Auditor

CISOs Spearheading Cybersecurity

Embark on a journey into the future of cybersecurity leadership, where we explore the innovative and transformative role of the Chief Information Security Officer. This event will delve into the dynamic and ever-shifting landscape of cyber threats and associated challenges, emphasizing the need for the CISO not only to adapt but to lead and advise on initiatives related to innovative technologies, risk management, and culture. Chris Cronin presented on the Framework for Cyber Risk Management.



Midwest Cyber Security Alliance (MCSA): Managing Cloud Security in a Complex Environment

February 20, 2024

Speakers:

  • Terry Harper, CISSP, CISM, Senior Sales Engineer, Tenable
  • Aaron Tantleff, CIPP/E, Partner, Foley & Lardner, LLP
  • Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner, HALOCK Security Labs

Tenable will provide valuable insights and practical tips for effectively addressing cloud security issues. From understanding the shared responsibility model to implementing robust access controls and staying updated on emerging threats, you will gain a comprehensive understanding of how to protect your cloud assets while maintaining agility and flexibility.

Discussion topics will include:

  • A success story managing cloud security issues
  • Negotiating cloud security agreements
  • Tips for visualizing and remediating access risk by removing excessive privileges, detecting behavioral anomalies, delivering “just-in-time” access to protect your data, and more


ISSA Milwaukee Chapter Meeting: 5 Things You Can Do Now to Survive a Breach

February 13, 2024

Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor

It’s probable. How can you limit the damage from your next breach incident? HALOCK Security Labs’ founder Terry Kurzynski will cover 5 must-haves to save the company. When the breach happens, all eyes are on the security leadership with one question: how did this happen? Your governance process and risk methods tell a story about the organization’s security consciousness.

  1. Were the correct controls prioritized?
  2. Did you think about who could be harmed?
  3. Was the breach incident foreseeable?
  4. What is the organization’s definition of acceptable risk?
  5. Did you have reasonable controls in place?
  6. How long were those vulnerabilities known?
  7. What is your last line of defense?

All that and more in a session you don’t want to miss.



FutureCon Cybersecurity Conference Chicago: Demonstrating Your Cybersecurity Program is Effective

January 25, 2024

Speaker: Glenn A. Stout, PHD
Partner, Reasonable Risk
CISSP, CISM, GSEC, PMP, ISO 27001 Lead Auditor, CMMC (RP)

Is your cybersecurity program effective? Does the C-Suite understand the progress you’ve made? Conveying the state of your security program shouldn’t leave Executives saying, “Why do we need to do these projects?” or “I don’t get it. Do we need to spend this much?”

In this session, Glenn Stout, Ph.D. will provide a way to communicate your security posture and remediation progress by answering straightforward questions such as “Are we ok?” and “How do we get to ok?” by using tools, graphs, and clear business language.


FutureCon Cybersecurity Conference Chicago: CISO Panel

January 25, 2024

Panel Moderator: Chris Cronin, ISO 27001 Auditor



2023


Compliance Week: Almost Everybody is Unprepared for SEC Cybersecurity Disclosures. But You Can Get Through This.

October 23, 2023

Just how, exactly, are you going to describe your company’s cybersecurity strategy, governance, and risk management program in your 10-K? You need to know what governance is, right? And how that’s different from strategy? And how cybersecurity risk management is … something that executives’ roles and … board director sign-off … and reasonable investors too … right? Oh, and materiality, too. Got it. For most companies, 10-Ks will be hard to fill out because U.S. companies generally don’t run cybersecurity through governance, strategy, or risk management programs. At least not in a way that could withstand review by inquiring analysts or investors. Most public companies do, however, provide demonstrable (and prudent) disclosures. So how will your 10-K cybersecurity disclosures be both accurate and not scare away reasonable investors?

In this presentation, Chris Cronin will help you understand what cybersecurity strategy, governance, and risk management are, and will show you how to use an emerging definition for reasonable cybersecurity controls to help you define materiality. Your first 10-K will likely be a light touch among many pretty weird 10-Ks that other companies will file. But your 2024 preparation for your second filing can put you ahead of your competitors.

Speaker: Chris Cronin



Understanding the Impact of the SEC Cybersecurity Rules

October 11, 2023

While the U.S. Securities and Exchange Commission’s (SEC) Cybersecurity Disclosure Rules may appear daunting, compliance is achievable. While the focus of the new Rules is on public companies, the impacts will be felt by nonpublic companies as well.

Join us on Wednesday, October 11, 2023 — in-person or live-streaming — at the next Midwest Cyber Security Alliance (MCSA) meeting, where sponsors HALOCK Security Labs and Foley & Lardner LLP will give you the combined legal and cyber risk management perspective. Know the dates of compliance. Understand the disclosure obligations. Identify steps to take and existing documents to leverage.

Companies should think about this new rulemaking as being akin to Sarbanes-Oxley in that they will need to implement measurable cybersecurity risk management practices and controls from bottom-to-top-and-back to support new disclosure requirements. As a result, the risk of not meeting certain cybersecurity standards may come from the street, as well as regulators. The rules require that companies disclose their cybersecurity practices and incidents, not that they meet a specific standard of care, such as NIST 800-53 or CIS Controls.

At a high level, the new rules require the following:

  1. Disclosure in annual reports about your processes to assess, identify, and manage cybersecurity threats.
  2. New Form 8-K disclosure around material cybersecurity incidents.
  3. Disclosure of how your board of directors and executives identify and manage cybersecurity risks.
  4. Consideration of cybersecurity threats in terms of materiality — qualitative and quantitative — both to the organization and to others who might be harmed.

Speakers: Chris Cronin and Terry Kurzynski



The New SEC Cyber Security Rule – What EVERY Company Needs to Do Now!

October 3, 2023

Think of the New SEC Cyber Security Rule as Sarbanes-Oxley (SOX) for Cybersecurity. It applies to public companies and goes into effect December 15 of 2023. If any of your customers or vendors are publicly traded companies, it’s just a matter of time before they expect these capabilities from you, as part of their 3rd Party Security Assessments. Because of this, we will all need to comply with the major components of the SEC Cybersecurity rule. So what are these major components and how can you build the capability to address all of them quickly? This CAMP IT: Enterprise Risk session will cover how you can gain the following five capabilities:

  1. Ensure your security program is legally defensible and compliant with the new SEC Cybersecurity Rule, published July 26, 2023.
  2. Define a “clear line of acceptable risk” below which you accept risks and above which you remediate. This “clear line” allows you to define your “materiality” as required by the SEC Cyber Security rule.
  3. Understand the “known risk” to your organization (i.e., your risk FICO score).
  4. Provide the Board of Directors a roadmap for your cybersecurity program that reduces risk to an acceptable level.
  5. Communicate risks and justify expenditure requests in business terms.

Speaker: Jim Mirochnik



SGS Certification Solutions: Meeting New Regulations Adopted by the SEC in 2023

September 28, 2023

In late July, the Securities and Exchange Commission (SEC) adopted rules that require registered companies to annually report on their cybersecurity risk management, strategy and governance.

As a result of this change, companies will need Form S-K language that describes their cybersecurity risk management and governance programs. That language must describe the components of the risk management program and the Duty of Care Risk Analysis (DoCRA) process for evaluating cybersecurity risks.

In addition, there is a new requirement that companies must disclose a cybersecurity incident within four days of the determination that it is material.

There is limited time to meet these new requirements as they must be reported in 2023’s financial Form 10-K and Form 20-F disclosures.

SPEAKERS:

  • Willy Fabritius, Global Head of Strategy & Business Development Information Security, SGS
  • Chris Cronin, Partner, HALOCK Security Labs
  • Cindy Haight, Inside Sales Representative, Industrial & Medical Device, SGS North America, Inc.



ISACA Chicago Chapter’s Annual Conference: Convergence 2023

September 26-27, 2023

ISACA CONVERGENCE Conference 2023 is the annual conference that brings together Chicagoland professionals from the fields of IT Audit/Assurance, Governance, Risk, Compliance, Cybersecurity, and Infosecurity.

Complying with the new SEC Cybersecurity Rule – Five Deliverables Every Cybersecurity Team Needs to Survive, Thrive

Review tools and templates that help Information Security Teams justify technical investments by translating cybersecurity risks into the language of the C-Suite. Information security is speaking the language of threats, vulnerabilities, and impacts to technical assets. The C-suite is speaking the language of impacts to customers, business goals, and third-party obligations. By providing a “universal translator” between information security terminology and the language of the C-suite, you can:

  • Ensure your security program is legally defensible and compliant with the new SEC Cybersecurity Rule, published July 26, 2023.
  • Define a “clear line of acceptable risk” below which you accept risks and above which you remediate.
  • Understand the “total risk” (i.e., your risk FICO score) to your organization.
  • Provide C-suite a roadmap for your program that reduces risk to an acceptable level (answering the C-suite question of, “Are we where we need to be? If not, when will we get there?”)
  • Communicate risks and justify expenditure requests in business terms.

Speaker: Terry Kurzynski


ISACA: The Duty of Care Risk Analysis

August 24, 2023

Sometimes your risk assessment is the smoking gun.

If you’ve suffered a data breach and attorneys get involved, they will ask for your risk assessment: a document you must create according to regulations and cybersecurity standards. But if your risk assessment only evaluates risks to your company and not risks to those you may harm, you may have created a document that admits negligence. You may have admitted that your cybersecurity investments are to protect your profits despite the harms that others may suffer.

During this talk, Viviana Wesley – a career QSA and expert witness in data breach cases – will use legal cases and popular films to demonstrate what regulators and litigators look for as evidence of due care or negligence after a data breach. Audience members will be entertained and will learn how to make sure their company is uninteresting to lawyers when their data breach occurs.

Speaker: Viviana Wesley, PCI Practice Lead, HALOCK Security Labs

Viviana Wesley is one of the few experts on the intersection of payment card security and cybersecurity risk management. Viviana helps organizations prepare for PCI DSS compliance so that they can demonstrate reasonable security as the law defines it and serves regulators to help them evaluate the reasonableness of controls in breached organizations.

Viviana has over 23 years of practical experience within information technology, with a focus on information security for the past 13+ years. Viviana has been the PCI Subject Matter Expert for HALOCK since 2012. Viviana has also been involved in developing HALOCK’s GDPR, CMMC, Privacy and Risk Management offerings for clients.


Compliance Week Webinar: Five Deliverables Every Security Team Needs to Survive and Thrive

August 15, 2023

In today’s fast-paced business world, firms must adapt to the ever-changing mobile compliance and technology landscape to stay competitive. While many organizations have fully embraced hybrid and work-from-home policies, most have not yet adjusted to the compliance issues a distributed workforce creates.

THIS SPECIFICALLY APPLIES TO COMPLIANCE WITH THE NEW SEC CYBERSECURITY RULE, PUBLISHED JULY 26, 2023

The information security team has a very difficult job. They have to protect their company by justifying technical investments to business professionals; yet, information security and the C-suite are speaking different languages.

Information security is speaking the language of threats, vulnerabilities, and impacts to technical assets. The C-suite is speaking the language of impacts to customers, business goals, and third-party obligations.

So, how do we solve the problem of speaking different languages? By providing a “universal translator” between information security terminology and the language of the C-suite.

Join this webinar to review tools and templates for the five deliverables to:

  1. Ensure your security program is legally defensible and compliant with the new SEC Cybersecurity Rule, published July 26, 2023.
  2. Define a “clear line of acceptable risk” below which you accept risks and above which you remediate.
  3. Understand the “total risk” (i.e., your risk FICO score) to your organization.
  4. Communicate risks and justify expenditure requests in business terms.
  5. Provide C-suite a roadmap for your program that reduces risk to an acceptable level (answering the C-suite question of, “Are we where we need to be? If not, when will we get there?”)




The Payments Academy 2023

May 8, 2023

Speakers:

  • Justin Evans, MBA, PCIP, CPC, CPC-I, COC, Senior IT Security Analyst, University of Iowa Information Security and Policy Office
  • Viviana Wesley, CISM, PCI QSA, Principal Consultant, Governance and Compliance Services, HALOCK Security Labs

Learn how the University of Iowa is using P2PE and fully outsourced eCommerce solutions to reduce compliance risk, scope, and validation efforts. Hear about our strategic reasoning, the positive impact it’s had on our compliance program, and the benefits we’ve found with this approach. Also, hear how schools that use this approach can quickly address common point of purchase inquiries.


Cleveland State University College of Law

April 20, 2023

Cybersecurity regulations and industry standards generally incorporate a “reasonableness” standard but defining reasonableness is notoriously challenging. This panel will discuss an emerging set of best practices for developing a defensible cybersecurity program, including: (1) Prove You are Ready: Using the test Pre- & Post-Breach; (2) Good Test results: Why it is a Valuable Tool!; and (3) How Test Documentation Prevails in Standing Up to Litigation & Claims.

Panelists:

  • Chris Cronin, Partner, HALOCK Security Labs
  • Timothy Murphy, Senior Assistant Attorney General, Pennsylvania
  • R. Jason Straight, Senior Managing Director, Ankura
  • Karen Worstell, Senior Cybersecurity Strategist, VMware

NetDiligence Cyber Risk Summit

February 21, 2023

Understanding the Reasonable Security Test

  • Prove You are Ready: Using the test Pre- & Post-Breach
  • Good Test results: Why it is a Valuable Tool!
  • How Test Documentation Prevails in Standing Up to Litigation & Claims

Panelists:

  • Chris Cronin, HALOCK Security Labs
  • Doug Meal, Orrick LLP
  • Timothy Murphy, Pennsylvania Office of the Attorney General

2022

A Proven Methodology to Secure the Budget You Need

October 6, 2022

CAMP IT: Enterprise Risk & Security Management

Speaker: Jim Mirochnik


CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop

June 21, 2022

The Center for Internet Security (CIS)

Speaker: Chris Cronin



Cyber Insurance Readiness: Preparing For Your Next Renewal

June 14, 2022

Midwest Cyber Security Alliance (MCSA)

Speaker: Terry Kurzynski



RSA 2022: A Proven Methodology to Secure the Budget You Need

June 7, 2022

RSA 2022

A Proven Methodology to Secure the Budget You Need

Speaker: Jim Mirochnik



CISO of the Year Mixer

May 31, 2022

Gibson’s at Rosemont



Cleveland-Marshall College of Law

May 19-20, 2022

2022 Cybersecurity and Privacy Protection Conference

Keynote Panel: Defining “Reasonable” Security

Panelist: Chris Cronin



Wisconsin Health Information Management Association (WHIMA)

May 12, 2022

TAKE CYBERCARE – PRACTICING DUTY OF CARE TO PROTECT PATIENT DATA AND MANAGE RISK

What is your Duty of Care? How do you define “reasonable” security safeguards? When do I know that I have done enough? Organizations need a method to establish acceptable risk for the business, regulators, and all interested parties – a method that considers harm outside the company, defines acceptable risk, and examines the burden of proposed safeguards. Duty of Care Risk Analysis, leveraged by the Center for Internet Security’s Risk Assessment Methods (CIS RAM), translates these requirements into business terms to develop reasonable security controls.

Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor



MER Conference

May 11, 2022

Defining “Reasonable Security Measures” When it Comes to Data Protection

No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.

Key Issues This Presentation Will Address

  • How to define reasonable security for your organization
  • Using “reasonable” to manage risk and compliance
  • Using “reasonable” to defend your security when things go wrong

Key Takeaways from this Presentation

For two decades U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard, they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.

Speaker: Chris Cronin



RIMS 2022

April 11, 2022

RiskWorld: The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach.

Speaker: Chris Cronin



Center for Internet Security, Inc. (CIS®)

February 8, 2022

CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. The workshop will enable attendees to learn:

  • An overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2
  • A step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1

Speaker: Chris Cronin


2021

Center for Internet Security, Inc. (CIS®)

November 17, 2021

CIS Risk Assessment Method (RAM) v2.0 Webinar

CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of the CIS Critical Security Controls (CIS Controls). Learn about the CIS RAM family of documents, a free tool providing step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.

“The CIS RAM is a powerful tool to guide the prioritization and implementation of the CIS Controls, and complements their technical credibility with a sound business risk-decision process,” said Tony Sager, Senior Vice President and Chief Evangelist at CIS. “We see the CIS RAM as a method that enterprises of all maturity levels can use.”

Through an ongoing partnership, CIS RAM v2.0 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What you will learn:

  • How CIS RAM was updated to a family of documents starting with Core and Implementation Group 1 (IG1)
  • How CIS RAM automates risk analysis by using the VERIS Community Database
  • Why regulators are referencing CIS RAM to demonstrate reasonable security
  • How CIS RAM helps technology executives make business decisions
  • The basic steps IG1 organizations will take to conduct risk assessments using CIS RAM 2.0

Host

Valecia Stocchetti, Sr. Cybersecurity Engineer, CIS

Moderator

Chris Cronin, Partner, HALOCK Security Labs, and Chair, DoCRA Council

Panelists

  • Conal Gallagher, CIO and CISO, Flexera
  • Phil Langlois, Data Breach Investigations Report (DBIR) Author, Verizon
  • Tim Murphy, Deputy Attorney General, Commonwealth of Pennsylvania


Midwest Cyber Security Alliance (MCSA)

November 9, 2021

You’re Expected to Know and Disclose the Foreseeable Cybersecurity Threats that Face Your Organization and Reasonably Defend Against Them: How Do You Do This?

Organizations are expected to perform their duty of care by protecting the organization, its clients, suppliers, and the general public from foreseeable harm. Until recently, the Chief Information Security Officer, Risk Officer, and Compliance Officer have found it challenging to determine what is foreseeable.

Fortunately, the data is available to predict the likeliest threat vectors — paths cybercriminals use to gain access and take advantage of vulnerabilities in networks or devices — for particular industry types. Join us at the next Midwest Cyber Security Alliance virtual meeting on Tuesday, November 16, 2021 where fellow sponsor HALOCK Security Labs will demonstrate how you can use publicly available breach data to forecast the most likely ways your organization will be attacked. See how the data that feeds Verizon’s Data Breach Investigations Report predicts your weaknesses in surprising detail.

Discussion topics include:

  • Incorporating likely threat vectors into your organization’s existing risk analysis (Risk = Impact x Likelihood)
  • Learn how Likelihood fits with Duty of Care Risk Analysis impact criteria (missions, objective, and obligations)
  • Use the risk calculus as a guide to help your organization prioritize risks based on foreseeable threats that could harm the company itself or others outside the organization, including customers, vendors, and more

In addition, Bryan House, Foley partner and member of the firm’s Securities Enforcement & Litigation and Government Enforcement Defense & Investigations Practices, will provide an update on SEC guidelines on cyber risk reporting, including:

  • Recent enforcement actions
  • The SEC’s proposed rules regarding cyber disclosures (expected by the end of October 2021)

This presentation is intended for legal, compliance, risk, and technical roles. While some content is technical in nature, all staff responsible for your cybersecurity program will gain key insights to help protect your organization from cyber attacks.

SPEAKERS:

  • Jennifer Urban, CIPP/US, Partner, Cybersecurity Practice, Foley & Lardner LLP
  • Bryan House, Partner, Foley & Lardner LLP
  • Chris Cronin, ISO 27001 Auditor, Partner, HALOCK Security Labs
  • Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner, HALOCK Security Labs



(ISC)² Silicon Valley Chapter

November 9, 2021

The 8 Questions a Judge Will Ask You After a Data Breach

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight, and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

SPEAKERS:
Terry Kurzynski (CISSP, CISA, PCI QSA, ISO 27001 Auditor), Senior Partner at HALOCK Security Labs


PCI DSS Virtual Workshop 2021

June 16, 2021

DoCRA for PCI DSS: What you should do to prepare

With PCI DSS 4.0 moving towards a risk-based approach, organizations will have to adapt their frameworks. The Duty of Care Risk Assessment (DoCRA) showcases how you can achieve reasonable security and achieve PCI DSS compliance. By balancing mission, objectives, and obligations, companies can streamline their risk strategies based on their specific work environment. The duty of care approach helps prioritize controls and budget while meeting the needs of all interested parties – card holders, regulators, litigators, business, public. Attendees will learn how to:

  • Conduct your risk assessments so you are ready for PCI DSS 4.0
  • Estimate the likelihood of risks
  • Prepare and respond to regulatory investigations and plaintiffs’ lawsuits

SPEAKERS:
Chris Cronin, Partner – ISO 27001 Auditor
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor


PCI DSS Virtual Workshop 2021

June 15, 2021

What Litigators and Regulators have taught a QSA about PCI Compliance and Reasonable Security

Having a PCI DSS compliant validation does not stop litigators and regulators from suing you after a breach. To reduce the impact of a breach, organizations have to be able to show lawyers that they were using reasonable security. Attendees will learn:

  • What lawyers ask to see after a breach
  • How the checkbox approach hurts you after the breach
  • How to protect yourself and others

SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor

RSA Conference 2021

May 19, 2021

Your Breached Controls May Have Been Reasonable After All

PANELISTS:

  • Bill Sampson, Partner at Shook Hardy & Bacon LLP
  • Phyllis Lee, Senior Director for Controls, The Center for Internet Security, Inc. (CIS®)
  • Chris Cronin, Partner at HALOCK Security Labs
  • Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
  • David Cohen, Counsel at Orrick, Herrington & Sutcliffe


RSA Conference 2021

May 18, 2021

Forecasting Threats is Way Easier Than You Think

Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.

SPEAKER:
Chris Cronin, Partner – ISO 27001 Auditor


2021 NAPCP Commercial Card and Payment Conference

May 10-28, 2021

Using Pandemic Lessons and Risk Assessments to Prepare for PCI DSS 4.0

HALOCK will provide real examples of how scope reduction technologies have helped organizations manage their risk more easily through a pandemic. HALOCK will also explain the anticipated risk-based approach that is coming with PCI DSS 4.0 and how organizations can prepare for the new standard (and many new requirements) by strengthening their risk processes now.

  • Learn how easy some organizations’ remote and on-premise working transitions have been because of Point-to-Point Encryption (P2PE) technology and why.
  • Learn how PCI DSS version 4, to be published in 2021, will introduce a risk-based approach to validating compliance.
  • Learn how to do risk analysis in a way that regulators expect.

SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor


SecureWorld Webinar: Privacy Compliance Hardship?

April 13, 2021

Data Privacy Experts Field the Tough Questions

With evolving compliance requirements and the exponential growth of private data that must be managed, organizations are struggling to balance security, regulations, and corporate business goals. How do you prioritize resources and budget? Most organizations do not know where their data lives and may not want to do the hard work to find it. Or maybe that’s not it; perhaps they simply don’t know how to start.

There is a path forward. Our panel of experts will share how they are achieving data privacy across the U.S. for big and small clients.

Discussion topics include:

  • The biggest challenges in the data privacy compliance process
  • Best methodologies to understand, protect, and govern your data
  • Balancing state-mandated compliance regulations
  • Methods for minimizing and controlling personal data

SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs


MIDWEST CYBER SECURITY ALLIANCE (MCSA)

February 18, 2021

They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA)

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, the next Midwest Cyber Security Alliance virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B2 – B1 < (P x H)1 – (P x H)2.

Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.

SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs

2020


National Foundation for Judicial Excellence (NFJE) 2020 Annual Judicial Symposium

October 15, 2020

Judging Efforts to Protect Personal Information:
What Test Should Apply?

In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty-of-care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.

PANELISTS: Chris Cronin, HALOCK Security Labs, Schaumburg, IL | William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO


BDO Alliance USA BRN

Oct. 15, 2020

Managing Cyber Risk with the Remote Workforce

The BDO Alliance USA Business Resource Network (BRN) Client Focused Conversations (CFC).

Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR


InfraGard Wisconsin’s SuperCon 2020

Oct. 6, 2020

Getting to Reasonable – What regulators and judges want to see from every organization

Speaker: Terry Kurzynski, Senior Partner at HALOCK

When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc, leaving organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand why you did not have that particular control or configuration in place. Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization), and how you were planning on addressing the reduction of impact or probability, is what the interested parties want to see. Are you performing your duty?


Cyber Security Summit: Denver

Sept. 10, 2020

Threat Forecasting: Using Open Source Data to Foresee Your Next Breach

Speaker: Chris Cronin, Partner at HALOCK

We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.


Cyber Security Summit: Chicago

Sept 1, 2020

CMMC/CCPA: Using Duty of Care Risk to Comply With New Challenges

Speaker: Chris Cronin, Partner at HALOCK

CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.


Podcast: Can DoCRA (Duty of Care Risk Analysis) tell you if your cybersecurity controls are reasonable?

Aug 4, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss DoCRA – Duty of Care Risk Analysis. It’s an approach that helps organizations figure out whether their cybersecurity controls are reasonable. And we’ll do that with the help of our guest, Chris Cronin.


Infragard: Duty of Care Risk Analysis, defining “Reasonable Security”

Aug. 26, 2020

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

SPEAKER: Terry Kurzynski


Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020

The FTC offered an online workshop concerning all of its proposed changes on Monday, July 13 at 9:00 EDT. The event was webcast live on the FTC’s website and could be viewed by anyone who wished to attend. One of the panelists was HALOCK partner Chris Cronin, who took part in the discussion. Some of you may be familiar with Chris’s work with DoCRA, the Center for Internet Security’s risk assessment method (CIS RAM), and through his many public speaking engagements and publications. Chris also serves the Sedona Conference, a legal think tank that develops guidance for regulators and litigators for interpreting and applying complex legal questions, such as the reasonableness of cybersecurity controls.

PANELIST: Chris Cronin


NetDiligence: What is Reasonable Cyber Security?

July 7, 2020

The panel provided an overview of the risk-based analysis process that substantiates the method, and presented the legal, regulatory, and security best-practice history that informs the method. Each participant presented why the method successfully substantiates the term “reasonable” in their work and provided anecdotes that illustrate how it has been used in their experience. Because the panel described a practical method that organizations can use for defining how the term “reasonable” applies to them, all attendees received an immediately applicable and tangible benefit from the session.

PANELIST: Chris Cronin


Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to replicate as closely as possible a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin


RSA Conference 2020:

Securing the Budget You Need! Translating Security Risks to Business Value

February 28, 2020

SPEAKER: Jim Mirochnik

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.


CAMP IT Conference

The Cybersecurity Department: Making Cybersecurity a Business Competency Through Key Risk Indicators February 20, 2020

SPEAKER: Chris Cronin

Executives and Boards manage what they know, and stress about what they don’t know, and they stress over cybersecurity. Most organizations do not have cybersecurity specialists at their helm because their business has not relied on that capability until very recently. Cybersecurity has grown from the bottom-up in the hands of technicians, and from the top-down from regulators and engineers. But few organizations have articulated their cybersecurity objectives and risks in a manner that executives can engage with. This has resulted in alienating the people who approve our priorities, resources, and budgets. Chris Cronin will explain the root causes of the breakdowns between executive leadership and cybersecurity practitioners and will show how DoCRA-based analytics help executives make informed decisions about priorities, resources, and budgets.


CAMP IT Conference

Is There Such a Thing as Reasonable Privacy? February 20, 2020

SPEAKER: Chris Cronin

U.S.-based organizations are finding that new and emerging privacy regulations are difficult to comply with. In many ways those regulations change our relationships with our customers and the public, and make us stewards of information that they own. Many new privacy requirements are straightforward to implement (such as requiring opt-in and opt-out policies, and processes to field consumer inquiries). But some requirements, such as the right to be forgotten, reasonably verifying the identity of consumer requestors, and using reasonable security safeguards, create a potentially expensive and harrowing grey area. During this session Chris Cronin will show a feature common among privacy regulations such as GDPR and CCPA that will help you clearly define what reasonable privacy controls are. By using Duty of Care Risk Analysis (DoCRA) your organization will be able to show that your controls are reasonable when you address your needs and the public’s needs as equally important.


CANCELLED due to pandemic – RIMS 2020 Annual Conference

2020 Annual Conference May 5, 2020

SPEAKER: Chris Cronin

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.



2019

Infosecurity ISACA North America conference: Duty of Care Risk Assessment (DoCRA)

Questions a Judge Will Ask You After A Data Breach November 20, 2019

SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001, Managing Consultant

A discussion of the new Duty of Care Risk Assessment methodology (DoCRA) for infosecurity, also known as the Center for Internet Security Risk Assessment Method (CIS RAM), covering what sets this method apart and why it is an important business tool. After this session you will be able to:
• Understand what sets the Duty of Care Risk Assessment apart from all others.
• Understand what regulators are looking for in a complete and thorough risk assessment and how the Duty of Care Risk Assessment fulfills those regulations and standards.
• Understand what basic questions are asked during litigation after a breach and how the Duty of Care Risk Assessment answers those questions.
• Understand how to complete a Duty of Care Risk Assessment along with where to get the free tools to successfully complete the assessment.


(ISC)² Security Congress

The Questions a Judge Will Ask You After a Data Breach – What is “reasonable” security? October 30, 2019

SPEAKERS: Terry Kurzynski, DoCRA Council and Aaron DeMaster, Rexnord

If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:
• Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
• Model and select threats that are relevant to information assets and controls.
• Estimate the likelihood of risks.


Institute of Real Estate Management (IREM) Cybersecurity Webinar

Safekeeping Your Online Accounts – How to stop hackers from taking your money and information | October 22, 2019

Speaker: Glenn Stout

Security professionals get asked all of the time, “What are the top things that I should be doing right now to keep my online accounts safe?” There are many “attack paths” that bad actors take to attempt to get to your money. Knowing what these attacks are, and what to do to protect your online accounts, is the answer to the question asked above. This session will cover how the attacks are planned and carried out, and the keys to protecting your accounts and data. Some topics include the concepts of phishing attacks, spear-phishing attacks, call fraud, scareware, extortion and the ways to protect against them, such as your approach to passwords and protecting email, devices and social media accounts.

After attending this session, participants will be able to:
• Understand the various attack paths that bad actors take to get to user accounts.
• Recognize what users generally do wrong that helps the bad actors win.
• Be aware of the key things to do to protect online accounts.


CAMP IT Leadership Strategies

How to Secure the Budget You Truly Need by Translating Technology Costs to Business Value | October 17, 2019

Speaker: Jim Mirochnik | Strategies and techniques for leading and guiding IT through a business approach during dynamic times.


Health Management Academy

Risk Analysis 2.0, Health Care Data Security in the Age of Risk October 17, 2019

SPEAKERS: Terry Kurzynski and Jen Rathburn

Discussion of HIPAA’s risk analysis and risk mitigation plan requirements

  • How risk assessment frameworks are evolving, including the Duty of Care Risk Analysis (DoCRA)
  • How duty of care risk analysis builds consensus from the board room to the court room
  • How best to prepare and respond to regulatory investigations and plaintiffs’ lawsuits
  • How IT and Compliance can be enablers of the organization’s mission


CISO of the Year Award Breakfast

October 15, 2019

This award has been established to publicly recognize top senior information security leaders through nominations, judges and support from within the local community. The award will be presented on October 15th at a Breakfast Ceremony at the Metropolitan Club of Chicago.


CyberNext Summit 2019 – KuppingerCole Analysts

October 8-10, 2019

Speaker: Chris Cronin

Cybersecurity is shifting toward more distributed and dynamic models. Decentralized security infrastructure brings its challenges and opportunities. CyberNext Summit (#CNS19) will focus on the capabilities needed to achieve security in such a distributed environment, especially in the context of ever-increasing security threats.

PRESENTATION: The Questions a Judge Will Ask You After a Data Breach


The Sedona Conference Working Group 11 Midyear Meeting 2019

September 18, 2019

Panelist: Chris Cronin | A panel of Data Security and Privacy Liability – Working Group 11 (WG11) members led a dialogue with WG11 members at the 2019 midyear meeting – Proactive privacy and security governance: Complying with global data privacy and security regulations


CUNA Technology Council Conference

The Questions a Judge Will Ask You After a Data Breach – A Panel Discussion September 13, 2019

PANELISTS: Jacqueline Connor, Attorney, Federal Trade Commission, Washington, DC | Chris Cronin, Principal, HALOCK Security Labs, Schaumburg, IL | Bill Podborny, CISO, Alliant CU, Chicago, IL

Federal regulators, including NCUA, increasingly urge organizations to use risk analysis to determine whether security controls are reasonable. However, regulators are restrained from describing how risk analysis should work. During this session we will show how organizations can use Duty of Care Risk Analysis (DoCRA) to demonstrate whether security controls and risks are reasonable, and to do so in a way that supports management objectives, regulatory requirements, and information security disciplines.


Cyber Security Summit Chicago

August 27, 2019

SPEAKER: Chris Cronin

The fourth annual Chicago Cyber Security Summit connects C-Suite & Senior Executives responsible for protecting their companies’ critical infrastructures with innovative solution providers and renowned information security experts.

PRESENTATION: If you are breached and your case goes to litigation, you will likely be asked to demonstrate “due care” and that your controls were “reasonable.” Many are surprised to learn that a breach by itself often does not constitute negligence. Judges will ask a set of questions to determine whether your controls were reasonable. These questions bear a close resemblance to information security risk assessments; they both try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked.


MIDWEST CYBER SECURITY ALLIANCE (MCSA) The California Consumer Privacy Act (CCPA)

Applicability, Requirements, and Practical Tips on Compliance September 12, 2019

SPEAKER: Terry Kurzynski

The California Consumer Privacy Act (CCPA) will be effective January 1, 2020, and enforced beginning six months later. Despite the quickly approaching effective date, there are still a number of pending legislative bills seeking to amend CCPA. This has created immense uncertainty for companies trying to bring their business into compliance with CCPA. We address the following types of questions to ensure attendees leave the presentation understanding whether CCPA applies to their business and, if so, the steps they should take to comply:
• Does CCPA apply to my business?
• How does CCPA affect our collection, use, and disclosure of personal information?
• What rights do individuals have under CCPA with regard to their personal information?
• What are the “reasonable security procedures and practices appropriate to the nature of the information” required by CCPA to protect personal information?
• What is the status of the various proposed amendments to CCPA?
• What are the potential penalties and risks of noncompliance, including private rights of action and the likelihood of class action lawsuits?


4th & Final 2019 Chicago CISO of the Year Social Mixer

Aug. 20, 2019


2019 EXPO.Health Conference

The Questions a Regulator Will Ask You After a Data Breach, Aug. 2, 2019

SPEAKER: Chris Cronin

The 2019 EXPO.Health conference is focused on 5 main topic areas which are of interest to health IT professionals at hospitals, health systems, and ambulatory organizations – Security and Privacy, Analytics, Communication and Patient Engagement, IT Dev Ops, Operational Alignment and Support. HALOCK partner and the DoCRA Council Chair, Chris Cronin, will be speaking at the event.

PRESENTATION: The Questions a Regulator Will Ask You After a Data Breach. If you are breached and are visited by regulators, they will ask you to demonstrate that your safeguards were reasonable. Their questions resemble information security risk assessments. Regulators try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. In this session we will show you how to conduct your risk assessments so you are ready to answer these tough questions.


3rd 2019 Chicago CISO of the Year Social Mixer

July 23, 2019



ITAC: W3 The Cycle of Cybersecurity: Integrating Cyberdefense Into Your Risk Decision-Making Process

July 18, 2019

SPEAKER: Chris Cronin

ITAC is the premier event for IT audit executives and those tasked with ensuring that businesses are governing data in a secure and responsible way, while addressing risks related to information technology. ITAC is produced by MIS Training Institute (MISTI), the international leader in audit, IT audit and information security training, with offices in Boston and London. MISTI’s expertise draws on experience gained in training more than 200,000 delegates across five continents.



2nd CISO of the Year Mixer

June 18, 2019


IREM WEBINAR – Cyber Security: How to Secure Your Devices and Data

July 16, 2019

SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP


American Health Lawyers Association (AHLA) Webinar: Duty of Care Risk Analysis (DoCRA)

“Adopting Duty of Care Risk Analysis to Drive GRC” June 5, 2019

SPEAKERS: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR, Senior Partner; Board Member on The DoCRA Council and Jennifer L. Rathburn, Partner at Foley & Lardner LLP


Techno Security & Digital Forensics Conference

The Questions a Judge Will Ask You After a Data Breach. June 3, 2019

SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001


Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019.

May 30, 2019

PANELIST: Chris Cronin, ISO 27001 Auditor


CAMP IT: Enterprise Risk / Security Management.

Know Where Your Next Attack is Coming From. Attack prediction and resource prioritization using community-sourced data May 30, 2019

SPEAKERS: Todd Becker, PCI QSA, ISO 27001; Steve Lawn, CIPP


1st CISO of the Year Mixer

May 21, 2019


Institute of Real Estate Management (IREM) Cybersecurity Webinar: Phishing, Smishing and Whaling – Oh My!

May 7, 2019

SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP


CAMP IT – Data Breaches: Defending Against and Responding To.
Third Party Assessment Prioritization: “Vendor Tiering and Due Diligence Levels” May 2, 2019

SPEAKER: Ken Squires, CISSP, HCISPP, CISA, CRISC, ISO 27001 AUDITOR


Compliance Week Webinar:

The Questions a Judge Will Ask You After a Data Breach Webcast. March 21, 2019

SPEAKER: Chris Cronin, ISO 27001 Auditor


RSA: Author! Author! Happy Hour.

March 6, 2019

Experts: Todd Fitzgerald, author of CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, and Chris Cronin, principal author of CIS RAM, the CIS® (Center for Internet Security) Risk Assessment Method.

2018

CIS® (Center for Internet Security) – CIS RAM Workshop Dec. 10, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor

Midwest Cyber Security Alliance – How to Develop and Maintain an Effective Security Awareness Training Program  Dec. 5, 2018 SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP

NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method Nov. 9, 2019

SPEAKER: Chris Cronin, ISO 27001 Auditor

The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The proposed panel discussion will feature the authors of CIS RAM who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.

Louisiana Hospital Association Webinar – Acceptable Security Risk and Negligence: It’s a Fine Line Nov. 7, 2018 SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001

UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA Oct. 18, 2018 SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR

CAMP IT: Enterprise Risk / Security Management –
The Industry Risk Assessment Dilemma and the Solution Oct. 3, 2018 SPEAKER: Jim Mirochnik, MBA, PMP, QSA, ISO 27001

Midwest Cyber Security Alliance – Duty of Care Risk Analysis (DoCRA) and CIS RAM Sept. 19, 2018 SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR

Forrester Privacy & Security 2018 Sept. 25, 2018

SecureXII – 12th Annual ISSA and ISACA Chicago Chapters Security Conference June 12, 2018

CISO Executive Summit June 6, 2018

Cyber Security Summit: Chicago – CIS RAM: This Math Will Save You Aug. 29, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor

CIS RAM (Risk Assessment Method) Launch Event April 30, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor