Past Cyber Security Speaking Events & Presentations
HALOCK cyber security presentations at industry conferences and events.
2022
A Proven Methodology to Secure the Budget You Need
October 6, 2022
CAMP IT: Enterprise Risk & Security Management
Speaker: Jim Mirochnik
CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop
June 21, 2022
The Center for Internet Security (CIS)
Speaker: Chris Cronin
Cyber Insurance Readiness: Preparing For Your Next Renewal
June 14, 2022
Midwest Cyber Security Alliance (MCSA)
Speaker: Terry Kurzynski
RSA 2022: A Proven Methodology to Secure the Budget You Need
June 7, 2022
RSA 2022
A Proven Methodology to Secure the Budget You Need
Speaker: Jim Mirochnik
CISO of the Year Mixer
May 31, 2022
Gibson’s at Rosemont
Cleveland-Marshall College of Law
May 19-20, 2022
2022 Cybersecurity and Privacy Protection Conference
Keynote Panel: Defining “Reasonable” Security
Panelist: Chris Cronin
Wisconsin Health Information Management Association (WHIMA)
May 12, 2022
TAKE CYBERCARE – PRACTICING DUTY OF CARE TO PROTECT PATIENT DATA AND MANAGE RISK
What is your Duty of Care? How do you define “reasonable” security safeguards? When do I know that I have done enough? Organizations need a method to establish acceptable risk for the business, regulators, and all interested parties – a method that considers harm outside the company, defines acceptable risk, and examines the burden of proposed safeguards. Duty of Care Risk Analysis, leveraged by the Center for Internet Security’s Risk Assessment Methods (CIS RAM), translates these requirements into business terms to develop reasonable security controls.
Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
MER Conference
May 11, 2022
Defining “Reasonable Security Measures” When it Comes to Data Protection
No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.
Key Issues This Presentation Will Address
- How to define reasonable security for your organization
- Using “reasonable” to manage risk and compliance
- Using “reasonable” to defend your security when things go wrong
Key Takeaways from this Presentation
For two decades U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard, they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.
Speaker: Chris Cronin
RIMS 2022
April 11, 2022
RiskWorld: The Questions a Judge Will Ask You After a Data Breach
In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach.
Speaker: Chris Cronin
Center for Internet Security, Inc. (CIS®)
February 8, 2022
CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop
CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. Attendees will learn: an overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2, and a step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1.
Speaker: Chris Cronin
2021
Center for Internet Security, Inc. (CIS®)
November 17, 2021
CIS Risk Assessment Method (RAM) v2.0 Webinar
CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of the CIS Critical Security Controls (CIS Controls). Learn about the CIS RAM family of documents, a free tool providing step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.
“The CIS RAM is a powerful tool to guide the prioritization and implementation of the CIS Controls, and complements their technical credibility with a sound business risk-decision process,” said Tony Sager, Senior Vice President and Chief Evangelist at CIS. “We see the CIS RAM as a method that enterprises of all maturity levels can use.”
Through an ongoing partnership, CIS RAM v2.0 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.
What you will learn:
- How CIS RAM was updated to a family of documents starting with Core and Implementation Group 1 (IG1)
- How CIS RAM automates risk analysis by using the VERIS Community Database
- Why regulators are referencing CIS RAM to demonstrate reasonable security
- How CIS RAM helps technology executives make business decisions
- The basic steps IG1 organizations will take to conduct risk assessments using CIS RAM 2.0
Host
Valecia Stocchetti, Sr. Cybersecurity Engineer, CIS
Moderator
Chris Cronin, Partner, HALOCK Security Labs, and Chair, DoCRA Council
Panelists
- Conal Gallagher, CIO and CISO, Flexera
- Phil Langlois, Data Breach Investigations Report (DBIR) Author, Verizon
- Tim Murphy, Deputy Attorney General, Commonwealth of Pennsylvania
Midwest Cyber Security Alliance (MCSA)
November 9, 2021
You’re Expected to Know and Disclose the Foreseeable Cybersecurity Threats that Face Your Organization and Reasonably Defend Against Them: How Do You Do This?
Organizations are expected to perform their duty of care by protecting the organization, its clients, suppliers, and the general public from foreseeable harm. Until recently, it has been challenging for the Chief Information Security Officer, Risk Officer, and Compliance Officer to determine what is foreseeable.
Fortunately, the data is available to predict the likeliest threat vectors — paths cybercriminals use to gain access and take advantage of vulnerabilities in networks or devices — for particular industry types. Join us at the next Midwest Cyber Security Alliance virtual meeting on Tuesday, November 16, 2021 where fellow sponsor HALOCK Security Labs will demonstrate how you can use publicly available breach data to forecast the most likely ways your organization will be attacked. See how the data that feeds Verizon’s Data Breach Investigations Report (DBIR) predicts your weaknesses in surprising detail.
Discussion topics include:
- Incorporating likely threat vectors into your organization’s existing risk analysis (Risk = Impact x Likelihood)
- How Likelihood fits with Duty of Care Risk Analysis impact criteria (mission, objectives, and obligations)
- Using the risk calculus as a guide to help your organization prioritize risks based on foreseeable threats that could harm the company itself or others outside the organization, including customers, vendors, and more
In addition, Bryan House, Foley partner and member of the firm’s Securities Enforcement & Litigation and Government Enforcement Defense & Investigations Practices, will provide an update on SEC guidelines on cyber risk reporting, including:
- Recent enforcement actions
- The SEC’s proposed rules regarding cyber disclosures (expected by the end of October 2021)
This presentation is intended for legal, compliance, risk, and technical roles. While some content is technical in nature, all staff responsible for your cybersecurity program will gain key insights to help protect your organization from cyber attacks.
SPEAKERS:
Jennifer Urban, CIPP/US
Partner, Cybersecurity Practice
Foley & Lardner LLP
Bryan House, Partner
Foley & Lardner LLP
Chris Cronin, ISO 27001 Auditor
Partner
HALOCK Security Labs
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Senior Partner
HALOCK Security Labs
(ISC)² Silicon Valley Chapter
November 9, 2021
The 8 Questions a Judge Will Ask You After a Data Breach
What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight, and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.
SPEAKERS:
Terry Kurzynski (CISSP, CISA, PCI QSA, ISO 27001 AUDITOR), Senior Partner at HALOCK Security Labs
PCI DSS Virtual Workshop 2021
June 16, 2021
DoCRA for PCI DSS: What you should do to prepare
With PCI DSS 4.0 moving towards a risk-based approach, organizations will have to adapt their frameworks. The Duty of Care Risk Assessment (DoCRA) showcases how you can achieve reasonable security and achieve PCI DSS compliance. By balancing mission, objectives, and obligations, companies can streamline their risk strategies based on their specific work environment. The duty of care approach helps prioritize controls and budget while meeting the needs of all interested parties – card holders, regulators, litigators, business, public. Attendees will learn how to: Conduct your risk assessments so you are ready for PCI DSS 4.0; Estimate the likelihood of risks; Prepare and respond to regulatory investigations and plaintiffs’ lawsuits.
SPEAKERS:
Chris Cronin, Partner – ISO 27001 Auditor
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor
PCI DSS Virtual Workshop 2021
June 15, 2021
What Litigators and Regulators have taught a QSA about PCI Compliance and Reasonable Security
Having a PCI DSS compliant validation does not stop litigators and regulators from suing you after a breach. To reduce the impact of a breach, organizations have to be able to show lawyers that they were using reasonable security. Attendees will learn: What lawyers ask to see after a breach. How the checkbox approach hurts you after the breach. How to protect yourself and others.
SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor
RSA Conference 2021
May 19, 2021
Your Breached Controls May Have Been Reasonable After All
PANELISTS:
Bill Sampson, Partner at Shook Hardy & Bacon LLP
Phyllis Lee, Senior Director for Controls The Center for Internet Security, Inc. (CIS®)
Chris Cronin, Partner at HALOCK Security Labs
Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
David Cohen, Counsel at Orrick, Herrington & Sutcliffe
RSA Conference 2021
May 18, 2021
Forecasting Threats is Way Easier Than You Think
Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.
SPEAKER:
Chris Cronin, Partner – ISO 27001 Auditor
2021 NAPCP Commercial Card and Payment Conference
May 10-28, 2021
Using Pandemic Lessons and Risk Assessments to Prepare for PCI DSS 4.0
HALOCK will provide real examples of how scope reduction technologies have helped organizations manage their risk more easily through a pandemic. HALOCK will also explain the anticipated risk-based approach that is coming with PCI DSS 4.0 and how organizations can prepare for the new standard (and many new requirements) by strengthening their risk processes now.
- Learn how easy some organizations’ remote and on-premise working transitions have been because of Point-to-Point Encryption (P2PE) technology and why.
- Learn how PCI DSS version 4, to be published in 2021, will introduce a risk-based approach to validating compliance.
- Learn how to do risk analysis in a way that regulators expect.
SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor
SecureWorld Webinar: Privacy Compliance Hardship?
April 13, 2021
Data Privacy Experts Field the Tough Questions
With evolving compliance requirements and the exponential growth of private data that must be managed, organizations are struggling to balance security, regulations, and corporate business goals. How do you prioritize resources and budget? Most organizations do not know where their data lives and may not want to do the hard work to find it. Or maybe that’s not it; perhaps they simply don’t know how to start.
There is a path forward. Our panel of experts will share how they are achieving data privacy across the U.S. for big and small clients.
Discussion topics include:
• The biggest challenges in the data privacy compliance process
• Best methodologies to understand, protect, and govern your data
• Balancing state-mandated compliance regulations
• Methods for minimizing and controlling personal data
SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs
MIDWEST CYBER SECURITY ALLIANCE (MCSA)
February 18, 2021
They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA)
Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.
To address these issues, the next Midwest Cyber Security Alliance (MCSA) virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B2 – B1 < (P x H)1 – (P x H)2.
Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.
SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs
2020
National Foundation for Judicial Excellence (NFJE) 2020 Annual Judicial Symposium
October 15, 2020
Judging Efforts to Protect Personal Information:
What Test Should Apply?
In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty-of-care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.
PANELISTS: Chris Cronin, HALOCK Security Labs, Schaumburg, IL | William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO
BDO Alliance USA BRN
Oct. 15, 2020
Managing Cyber Risk with the Remote Workforce
The BDO Alliance USA Business Resource Network (BRN) Client Focused Conversations (CFC)
Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
InfraGard Wisconsin’s SuperCon 2020
Oct. 6, 2020
Getting to Reasonable – What regulators and judges want to see from every organization
Speaker: Terry Kurzynski, Senior Partner at HALOCK
When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc, leaving organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand why you did not have that particular control or configuration in place. Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization), and how you were planning on addressing the reduction of impact or probability, is what the interested parties want to see. Are you performing your duty?
Cyber Security Summit: Denver
Sept. 10, 2020
Threat Forecasting: Using Open Source Data to Foresee Your Next Breach
Speaker: Chris Cronin, Partner at HALOCK
We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.
Cyber Security Summit: Chicago
Sept 1, 2020
CMMC/CCPA: Using Duty of Care Risk to Comply With New Challenges
Speaker: Chris Cronin, Partner at HALOCK
CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.
Podcast: Can DoCRA (Duty of Care Risk Analysis) tell you if your cybersecurity controls are reasonable?
Aug 4, 2020
Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss DoCRA – Duty of Care Risk Analysis. It’s an approach that helps organizations figure out whether their cybersecurity controls are reasonable. And we’ll do that with the help of our guest, Chris Cronin.
Infragard: Duty of Care Risk Analysis, defining “Reasonable Security”
Aug. 26, 2020
What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.
SPEAKER: Terry Kurzynski
Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule
July 13, 2020
The FTC offered an online workshop concerning all of its proposed changes on Monday, July 13 at 9:00 EDT. The event was webcast live on the FTC’s website and can be viewed by anyone who wishes to attend. One of the panelists was HALOCK partner Chris Cronin, who was involved in the discussion. Some of you may be familiar with Chris’s work with DoCRA, the Center for Internet Security’s risk assessment method (CIS RAM), and through his many public speaking engagements and publications. Chris also serves the Sedona Conference, a legal think tank that develops guidance for regulators and litigators for interpreting and applying complex legal questions, such as the reasonableness of cybersecurity controls.
PANELIST: Chris Cronin
NetDiligence: What is Reasonable Cyber Security?
July 7, 2020
The panel provided an overview of the risk-based analysis process that substantiates the method, and presented the legal, regulatory, and security best-practice history that informs the method. Each participant presented why the method successfully substantiates the term “reasonable” in their work and provided anecdotes that illustrate how it has been used in their experience. Because the panel described a practical method that organizations can use for defining how the term “reasonable” applies to them, all attendees received an immediately applicable and tangible benefit from the session.
PANELIST: Chris Cronin
Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance
June 24, 2020, 1:00pm EDT
A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.
As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to replicate as closely as possible a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.
PANELIST: Chris Cronin
RSA Conference 2020
Securing the Budget You Need! Translating Security Risks to Business Value
February 28, 2020
SPEAKER: Jim Mirochnik
InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.
CAMP IT Conference
The Cybersecurity Department: Making Cybersecurity a Business Competency Through Key Risk Indicators February 20, 2020
SPEAKERS: Chris Cronin
Executives and Boards manage what they know, and stress about what they don’t know, and they stress over cybersecurity. Most organizations do not have cybersecurity specialists at their helm because their business has not relied on that capability until very recently. Cybersecurity has grown from the bottom-up in the hands of technicians, and from the top-down from regulators and engineers. But few organizations have articulated their cybersecurity objectives and risks in a manner that executives can engage with. This has resulted in alienating the people who approve our priorities, resources, and budgets. Chris Cronin will explain the root causes of the breakdowns between executive leadership and cybersecurity practitioners and will show how DoCRA-based analytics help executives make informed decisions about priorities, resources, and budgets.
CAMP IT Conference
Is There Such a Thing as Reasonable Privacy? February 20, 2020
SPEAKERS: Chris Cronin
U.S.-based organizations are finding that new and emerging privacy regulations are difficult to comply with. In many ways those regulations change our relationships with our customers and the public, and make us stewards of information that they own. Many new privacy requirements are straightforward to implement (such as requiring opt-in and opt-out policies, and processes to field consumer inquiries). But some requirements, such as the right to be forgotten, reasonably verifying the identity of consumer requestors, and using reasonable security safeguards, create a potentially expensive and harrowing grey area. During this session Chris Cronin will show a feature common among privacy regulations such as GDPR and CCPA that will help you clearly define what reasonable privacy controls are. By using Duty of Care Risk Analysis (DoCRA) your organization will be able to show that your controls are reasonable when you address your needs and the public’s needs as equally important.
CANCELLED due to pandemic – RIMS 2020 Annual Conference
2020 Annual Conference May 5, 2020
SPEAKERS: Chris Cronin
In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.
2019
Infosecurity ISACA North America conference: Duty of Care Risk Assessment (DoCRA)
Questions a Judge Will Ask You After A Data Breach November 20, 2019
SPEAKERS: Tod Ferran
A discussion of the new Duty of Care Risk Assessment methodology (DoCRA) for infosecurity, also known as the Center for Internet Security Risk Assessment Method (CIS RAM). Discuss what sets this method apart and why it is an important business tool.
After this session you will be able to:
- Understand what sets the Duty of Care Risk Assessment apart from all others.
- Understand what regulators are looking for in a complete and thorough risk assessment and how the Duty of Care Risk Assessment fulfills those regulations and standards.
- Understand what basic questions are asked during litigation after a breach and how the Duty of Care Risk Assessment answers those questions.
- Understand how to complete a Duty of Care Risk Assessment along with where to get the free tools to successfully complete the assessment.
SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001 Managing Consultant
(ISC)² Security Congress
The Questions a Judge Will Ask You After a Data Breach – What is “reasonable” security? October 30, 2019
SPEAKERS: Terry Kurzynski, DoCRA Council and Aaron DeMaster, Rexnord
If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.
Learning Objectives:
• Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
• Model and select threats that are relevant to information assets and controls.
• Estimate the likelihood of risks.
Institute of Real Estate Management (IREM) Cybersecurity Webinar
Safekeeping Your Online Accounts – How to stop hackers from taking your money and information | October 22, 2019
Speaker: Glenn Stout
Security professionals get asked all of the time: “What are the top things that I should be doing right now to keep my online accounts safe?” There are many “attack paths” that bad actors take to attempt to get to your money. Knowing what these attacks are, and what to do to protect your online accounts, is the answer to that question. This session will cover how the attacks are planned and carried out, and the keys to protecting your accounts and data. Topics include phishing attacks, spear-phishing attacks, call fraud, scareware, and extortion, and the ways to protect against them, such as your password approach and protecting email, devices, and social media accounts.
After attending this session, participants will be able to:
• Understand the various attack paths that bad actors take to get to user accounts.
• Recognize what users generally do wrong that helps the bad actors win.
• Be aware of the key things to do to protect online accounts.
CAMP IT Leadership Strategies
How to Secure the Budget You Truly Need by Translating Technology Costs to Business Value | October 17, 2019
Speaker: Jim Mirochnik | Strategies and techniques for leading and guiding IT through a business approach during dynamic times.
Health Management Academy
Risk Analysis 2.0, Health Care Data Security in the Age of Risk October 17, 2019
SPEAKERS: Terry Kurzynski and Jen Rathburn
Discussion of HIPAA’s risk analysis and risk mitigation plan requirements
- How risk assessment frameworks are evolving, including Duty of Care Risk Analysis (DoCRA)
- How duty of care risk analysis builds consensus from the board room to the court room
- How best to prepare and respond to regulatory investigations and plaintiffs’ lawsuits
- How IT and Compliance can be enablers of the organization’s mission
CISO of the Year Award Breakfast
October 15, 2019
This award has been established to publicly recognize top senior information security leaders through nominations, judges and support from within the local community. The award will be presented on October 15th at a Breakfast Ceremony at the Metropolitan Club of Chicago.
CyberNext Summit 2019 – KuppingerCole Analysts
October 8-10, 2019
Speaker: Chris Cronin
Cybersecurity is shifting toward more distributed and dynamic models. Decentralized security infrastructure brings its own challenges and opportunities. CyberNext Summit (#CNS19) will focus on the capabilities needed to achieve security in such a distributed environment, especially in the context of ever-increasing security threats.
The Questions a Judge Will Ask You After a Data Breach
The Sedona Conference Working Group 11 Midyear Meeting 2019
September 18, 2019
Panelist: Chris Cronin | A panel of Data Security and Privacy Liability – Working Group 11 (WG11) members led a dialogue with WG11 members at the 2019 midyear meeting – Proactive privacy and security governance: Complying with global data privacy and security regulations
CUNA Technology Council Conference
The Questions a Judge Will Ask You After a Data Breach – A Panel Discussion | September 13, 2019
PANELISTS: Jacqueline Connor, Attorney, Federal Trade Commission, Washington, DC | Chris Cronin, Principal, HALOCK Security Labs, Schaumburg, IL | Bill Podborny, CISO, Alliant CU, Chicago, IL
Federal regulators, including NCUA, increasingly urge organizations to use risk analysis to determine whether security controls are reasonable. However, regulators are restrained from describing how risk analysis should work. During this session we will show how organizations can use Duty of Care Risk Analysis (DoCRA) to demonstrate whether security controls and risks are reasonable, and to do so in a way that supports management objectives, regulatory requirements, and information security disciplines.
Cyber Security Summit Chicago
August 27, 2019
SPEAKER: Chris Cronin
The fourth annual Chicago Cyber Security Summit connects C-Suite & Senior Executives responsible for protecting their companies’ critical infrastructures with innovative solution providers and renowned information security experts.
PRESENTATION: If you are breached and your case goes to litigation, you will likely be asked to demonstrate “due care” and that your controls were “reasonable.” Many are surprised to learn that a breach by itself often does not constitute negligence. Judges will ask a set of questions to determine whether your controls were reasonable. These questions bear a close resemblance to information security risk assessments; both try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. This presentation will explain judicial balancing tests, how they relate to regulatory definitions of “reasonable” risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked.
MIDWEST CYBER SECURITY ALLIANCE (MCSA) – The California Consumer Privacy Act (CCPA): Applicability, Requirements, and Practical Tips on Compliance | September 12, 2019
SPEAKER: Terry Kurzynski
The California Consumer Privacy Act (CCPA) will be effective January 1, 2020, and enforced beginning six months later. Despite the quickly approaching effective date, there are still a number of pending legislative bills seeking to amend CCPA. This has created immense uncertainty for companies trying to bring their business into compliance with CCPA. We address the following types of questions to ensure attendees leave the presentation understanding whether CCPA applies to their business and, if so, the steps they should take to comply: Does CCPA apply to my business? How does CCPA affect our collection, use, and disclosure of personal information? What rights do individuals have under CCPA with regard to their personal information? What are the “reasonable security procedures and practices appropriate to the nature of the information” required by CCPA to protect personal information? What is the status of the various proposed amendments to CCPA? What are the potential penalties and risks of noncompliance, including private rights of action and the likelihood of class action lawsuits?
4th & Final 2019 Chicago CISO of the Year Social Mixer
Aug. 20, 2019
The Questions a Regulator Will Ask You After a Data Breach, Aug. 2, 2019
SPEAKER: Chris Cronin
The 2019 EXPO.health conference is focused on 5 main topic areas which are of interest to health IT professionals at hospitals, health systems, and ambulatory organizations – Security and Privacy, Analytics, Communication and Patient Engagement, IT Dev Ops, Operational Alignment and Support. HALOCK partner and the DoCRA Council Chair, Chris Cronin, will be speaking at the event.
The Questions a Regulator Will Ask You After a Data Breach
If you are breached and are visited by regulators, they will ask you to demonstrate that your safeguards were reasonable. Their questions resemble information security risk assessments. Regulators try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. In this session we will show you how to conduct your risk assessments so you are ready to answer these tough questions.
3rd 2019 Chicago CISO of the Year Social Mixer
July 23, 2019
ITAC: W3 The Cycle of Cybersecurity: Integrating Cyberdefense Into Your Risk Decision-Making Process | July 18, 2019
SPEAKER: Chris Cronin
ITAC is the premier event for IT audit executives and those tasked with ensuring that businesses are governing data in a secure and responsible way, while addressing risks related to information technology. ITAC is produced by MIS Training Institute (MISTI), the international leader in audit, IT audit and information security training, with offices in Boston and London. MISTI’s expertise draws on experience gained in training more than 200,000 delegates across five continents.
2nd CISO of the Year Mixer
June 18, 2019
IREM WEBINAR – Cyber Security: How to Secure Your Devices and Data | July 16, 2019
SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP
American Health Lawyers Association (AHLA) Webinar: Duty of Care Risk Analysis (DoCRA)
“Adopting Duty of Care Risk Analysis to Drive GRC” June 5, 2019
SPEAKERS: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR, Senior Partner; Board Member on The DoCRA Council and Jennifer L. Rathburn, Partner at Foley & Lardner LLP
Techno Security & Digital Forensics Conference
The Questions a Judge Will Ask You After a Data Breach | June 3, 2019
SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001
Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019
May 30, 2019
PANELIST: Chris Cronin, ISO 27001 Auditor
CAMP IT: Enterprise Risk / Security Management
Know Where Your Next Attack is Coming From: Attack prediction and resource prioritization using community-sourced data | May 30, 2019
SPEAKERS: Todd Becker, PCI QSA, ISO 27001; Steve Lawn, CIPP
1st CISO of the Year Mixer
May 21, 2019
Institute of Real Estate Management (IREM) Cybersecurity Webinar: Phishing, Smishing and Whaling – Oh My!
May 7, 2019
SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP
CAMP IT – Data Breaches: Defending Against and Responding To
Third Party Assessment Prioritization: “Vendor Tiering and Due Diligence Levels” | May 2, 2019
SPEAKER: Ken Squires, CISSP, HCISPP, CISA, CRISC, ISO 27001 AUDITOR
Compliance Week Webinar: The Questions a Judge Will Ask You After a Data Breach Webcast | March 21, 2019
SPEAKER: Chris Cronin, ISO 27001 Auditor
RSA: Author! Author! Happy Hour | March 6, 2019
Featuring experts Todd Fitzgerald, author of CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, and Chris Cronin, principal author of CIS RAM, the CIS® (Center for Internet Security) Risk Assessment Method.
2018
CIS® (Center for Internet Security) – CIS RAM Workshop | Dec. 10, 2018
SPEAKER: Chris Cronin, ISO 27001 Auditor
Midwest Cyber Security Alliance – How to Develop and Maintain an Effective Security Awareness Training Program | Dec. 5, 2018
SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP
NIST Cybersecurity Risk Management Conference – Evaluating “Reasonable” Cyber Risk Using the Center for Internet Security Risk Assessment Method | Nov. 9, 2019
SPEAKER: Chris Cronin, ISO 27001 Auditor
The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The proposed panel discussion will feature the authors of CIS RAM who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.
Louisiana Hospital Association Webinar – Acceptable Security Risk and Negligence: It’s a Fine Line | Nov. 7, 2018
SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001
UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA | Oct. 18, 2018
SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
CAMP IT: Enterprise Risk / Security Management – The Industry Risk Assessment Dilemma and the Solution | Oct. 3, 2018
SPEAKER: Jim Mirochnik, MBA, PMP, QSA, ISO 27001
Midwest Cyber Security Alliance – Duty of Care Risk Analysis (DoCRA) and CIS RAM | Sept. 19, 2018
SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR
Forrester Privacy & Security 2018 | Sept. 25, 2018
SecureXII – 12th Annual ISSA and ISACA Chicago Chapters Security Conference | June 12, 2018
CISO Executive Summit | June 6, 2018
Cyber Security Summit: Chicago – CIS RAM: This Math Will Save You | Aug. 29, 2018
SPEAKER: Chris Cronin, ISO 27001 Auditor
CIS RAM (Risk Assessment Method) Launch Event | April 30, 2018
SPEAKER: Chris Cronin, ISO 27001 Auditor