Past Cyber Security Speaking Events & Presentations

HALOCK cyber security presentations at industry conferences and events.

2022

A Proven Methodology to Secure the Budget You Need

October 6, 2022

CAMP IT: Enterprise Risk & Security Management

Speaker: Jim Mirochnik

CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop

June 21, 2022

The Center for Internet Security (CIS)

Speaker: Chris Cronin

Cyber Insurance Readiness: Preparing For Your Next Renewal

June 14, 2022

Midwest Cyber Security Alliance (MCSA)

Speaker: Terry Kurzynski

RSA 2022: A Proven Methodology to Secure the Budget You Need

June 7, 2022

RSA 2022

A Proven Methodology to Secure the Budget You Need

Speaker: Jim Mirochnik

CISO of the Year Mixer

May 31, 2022

Gibson’s at Rosemont

Cleveland-Marshall College of Law

May 19-20, 2022

2022 Cybersecurity and Privacy Protection Conference

Keynote Panel: Defining “Reasonable” Security

Panelist: Chris Cronin

Wisconsin Health Information Management Association (WHIMA)

May 12, 2022

TAKE CYBERCARE – PRACTICING DUTY OF CARE TO PROTECT PATIENT DATA AND MANAGE RISK

What is your Duty of Care? How do you define “reasonable” security safeguards? When do I know that I have done enough? Organizations need a method to establish acceptable risk for the business, regulators, and all interested parties – a method that considers harm outside the company, defines acceptable risk, and examines the burden of proposed safeguards. Duty of Care Risk Analysis, leveraged by the Center for Internet Security’s Risk Assessment Methods (CIS RAM), translates these requirements into business terms to develop reasonable security controls.

Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor

MER Conference

May 11, 2022

Defining “Reasonable Security Measures” When it Comes to Data Protection

No organization can achieve airtight, hermetically sealed security, so the legal standard for compliance with most data security regulations is that the security measures in place be “reasonable.” But what does that mean? The Sedona Conference’s Working Group 11 on Data Security and Privacy Liability published a Commentary in 2021 that evaluates what “legal test” a court or regulatory body should apply, or what other approach it should follow, where the issue is whether the organization has met that legal obligation. A Contributing Editor to the Commentary will summarize its main points and address your questions.

Key Issues This Presentation Will Address

  • How to define reasonable security for your organization
  • Using “reasonable” to manage risk and compliance
  • Using “reasonable” to defend your security when things go wrong

Key Takeaways from this Presentation

For two decades U.S. law has frustrated organizations by requiring that cybersecurity and privacy controls be “reasonable.” Regulators and litigators have signaled that if we could demonstrate this elusive standard that they would nod and let us pass after personal information was breached on our watch. But neither business nor regulators could articulate what “reasonable” meant, leaving organizations frustrated, confused, and fined, and the lawyers, once again, blamed. This session will demonstrate the Test for Reasonable Security in a way that IG, legal, cybersecurity, compliance, and privacy officers will be able to use in their own environments.

Speaker: Chris Cronin

RIMS 2022

April 11, 2022

RiskWorld: The Questions a Judge Will Ask You After a Data Breach

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn what basic questions the court will ask and how the duty of care risk assessment (DoCRA)—based on judicial balancing tests and regulatory definitions of reasonable risk—helps you answer them. Distinguish the risk assessment criteria that allow for comparison, reflect your organization’s values and hold up to public scrutiny. See how you can employ DoCRA to fulfill regulators’ requirements for a complete and thorough risk assessment following a data breach.

Speaker: Chris Cronin

 

Center for Internet Security, Inc. (CIS®)

February 8, 2022

CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop

CIS RAM v2.1 (Center for Internet Security® Risk Assessment Method) is an information risk assessment method designed to help justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM, a free tool, provides step-by-step instructions, examples, templates, and exercises for conducting risk assessments so that they meet the requirements of established information security risk assessment standards, legal authorities, and regulators. The workshop will enable attendees to learn: An overview of how to conduct a risk assessment using CIS RAM 2.1 for IG2 and a step-by-step tutorial of the activities an IG2 enterprise will take to conduct a risk assessment using CIS RAM 2.1

Speaker: Chris Cronin

 

2021

Center for Internet Security, Inc. (CIS®)

November 17, 2021

CIS Risk Assessment Method (RAM) v2.0 Webinar

CIS RAM v2.0 (Center for Internet Security® Risk Assessment Method) is an information security risk assessment method that helps enterprises plan and justify their implementation of the CIS Critical Security Controls (CIS Controls). Learn about the CIS RAM family of documents, a free tool, providing step-by-step instructions, examples, templates, and exercises for conducting a cyber risk assessment.

“The CIS RAM is a powerful tool to guide the prioritization and implementation of the CIS Controls, and complements their technical credibility with a sound business risk-decision process,” said Tony Sager, Senior Vice President and Chief Evangelist at CIS. “We see the CIS RAM as a method that enterprises of all maturity levels can use.”

Through an ongoing partnership, CIS RAM v2.0 was developed by HALOCK Security Labs with CIS. HALOCK had been providing CIS RAM methods for several years with a positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018. CIS is a founding member of the DoCRA Council that maintains the risk analysis standard that CIS RAM v1.0 is built upon.

What you will learn:

  • How CIS RAM was updated to a family of documents starting with Core and Implementation Group 1 (IG1)
  • How CIS RAM automates risk analysis by using the VERIS Community Database
  • Why regulators are referencing CIS RAM to demonstrate reasonable security
  • How CIS RAM helps technology executives make business decisions
  • The basic steps IG1 organizations will take to conduct risk assessments using CIS RAM 2.0

Host

Valecia Stocchetti, Sr. Cybersecurity Engineer, CIS

Moderator

Chris Cronin, Partner, HALOCK Security Labs, and Chair, DoCRA Council

Panelists

  • Conal Gallagher, CIO and CISO, Flexera
  • Phil Langlois, Data Breach Investigations Report (DBIR) Author, Verizon
  • Tim Murphy, Deputy Attorney General, Commonwealth of Pennsylvania

Midwest Cyber Security Alliance (MCSA)

November 9, 2021

You’re Expected to Know and Disclose the Foreseeable Cybersecurity Threats that Face Your Organization and Reasonably Defend Against Them: How Do You Do This?

Organizations are expected to perform their duty of care by protecting the organization, its clients, suppliers, and the general public from foreseeable harm. Until recently, it has been challenging for the Chief Information Security Officer, Risk Officer, and Compliance Officer to determine what is foreseeable.

Fortunately, the data is available to predict the likeliest threat vectors — paths cybercriminals use to gain access and take advantage of vulnerabilities in networks or devices — for particular industry types. Join us at the next Midwest Cyber Security Alliance virtual meeting on Tuesday, November 16, 2021 where fellow sponsor HALOCK Security Labs will demonstrate how you can use publicly available breach data to forecast the most likely ways your organization will be attacked. See how the data that feeds Verizon’s Data Breach Investigations Report (DBIR) predicts your weaknesses in surprising detail.

Discussion topics include:

  • Incorporating likely threat vectors into your organization’s existing risk analysis (Risk = Impact x Likelihood)
  • Learn how Likelihood fits with Duty of Care Risk Analysis impact criteria (missions, objective, and obligations)
  • Use the risk calculus as a guide to help your organization prioritize risks based on foreseeable threats that could harm the company itself or others outside the organization, including customers, vendors, and more

In addition, Bryan House, Foley partner and member of the firm’s Securities Enforcement & Litigation and Government Enforcement Defense & Investigations Practices, will provide an update on SEC guidelines on cyber risk reporting, including:

  • Recent enforcement actions
  • The SEC’s proposed rules regarding cyber disclosures (expected by the end of October 2021)

This presentation is intended for legal, compliance, risk, and technical roles. While some content is technical in nature, all staff responsible for your cybersecurity program will gain key insights to help protect your organization from cyber attacks.

SPEAKERS:
Jennifer Urban, CIPP/US
Partner, Cybersecurity Practice
Foley & Lardner LLP

Bryan House
Partner
Foley & Lardner LLP

Chris Cronin, ISO 27001 Auditor
Partner
HALOCK Security Labs

Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor
Senior Partner
HALOCK Security Labs

(ISC)² Silicon Valley Chapter

November 9, 2021

The 8 Questions a Judge Will Ask You After a Data Breach

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight, and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

SPEAKERS:
Terry Kurzynski (CISSP, CISA, PCI QSA, ISO 27001 AUDITOR), Senior Partner at HALOCK Security Labs

 

PCI DSS Virtual Workshop 2021

June 16, 2021

DoCRA for PCI DSS: What you should do to prepare

With PCI DSS 4.0 moving towards a risk-based approach, organizations will have to adapt their frameworks. The Duty of Care Risk Assessment (DoCRA) showcases how you can achieve reasonable security and achieve PCI DSS compliance. By balancing mission, objectives, and obligations, companies can streamline their risk strategies based on their specific work environment. The duty of care approach helps prioritize controls and budget while meeting the needs of all interested parties – card holders, regulators, litigators, business, public. Attendees will learn how to: Conduct your risk assessments so you are ready for PCI DSS 4.0; Estimate the likelihood of risks; Prepare and respond to regulatory investigations and plaintiffs’ lawsuits.

SPEAKERS:
Chris Cronin, Partner – ISO 27001 Auditor
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor

PCI DSS Virtual Workshop 2021

June 15, 2021

What Litigators and Regulators have taught a QSA about PCI Compliance and Reasonable Security

Having a PCI DSS compliant validation does not stop litigators and regulators from suing you after a breach. To reduce the impact of a breach, organizations have to be able to show lawyers that they were using reasonable security. Attendees will learn: what lawyers ask to see after a breach; how the checkbox approach hurts you after the breach; and how to protect yourself and others.

SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor

RSA Conference 2021

May 19, 2021

Your Breached Controls May Have Been Reasonable After All

PANELISTS:

Bill Sampson, Partner at Shook Hardy & Bacon LLP
Phyllis Lee, Senior Director for Controls, The Center for Internet Security, Inc. (CIS®)
Chris Cronin, Partner at HALOCK Security Labs
Jim Trilling, Attorney in the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC)
David Cohen, Counsel at Orrick, Herrington & Sutcliffe

RSA Conference 2021

May 18, 2021

Forecasting Threats is Way Easier Than You Think

Innovations by cybersecurity attackers intimidate managers into thinking that they cannot forecast attacks, but publicly sourced data shows that forecasting has more to do with knowing how organizations handle sensitive assets than with attacker innovations. The presenter will show how the audience can use an unmistakable pattern in the data to plan their security programs.

SPEAKER:
Chris Cronin, Partner – ISO 27001 Auditor

 

2021 NAPCP Commercial Card and Payment Conference

May 10-28, 2021

Using Pandemic Lessons and Risk Assessments to Prepare for PCI DSS 4.0

HALOCK will provide real examples of how scope reduction technologies have helped organizations manage their risk more easily through a pandemic. HALOCK will also explain the anticipated risk-based approach that is coming with PCI DSS 4.0 and how organizations can prepare for the new standard (and many new requirements) by strengthening their risk processes now.

  • Learn how easy some organizations’ remote and on-premise working transitions have been because of Point-to-Point Encryption (P2PE) technology and why.
  • Learn how PCI DSS version 4, to be published in 2021, will introduce a risk-based approach to validating compliance.
  • Learn how to do risk analysis in a way that regulators expect.

SPEAKER:
Viviana Wesley, Principal Consultant – CISM, PCI QSA, ISO 27001 Auditor

 

SecureWorld Webinar: Privacy Compliance Hardship?

April 13, 2021

Data Privacy Experts Field the Tough Questions

With evolving compliance requirements and the exponential growth of private data that must be managed, organizations are struggling to balance security, regulations, and corporate business goals. How do you prioritize resources and budget? Most organizations do not know where their data lives and may not want to do the hard work to find it. Or maybe that’s not it; perhaps they simply don’t know how to start.

There is a path forward. Our panel of experts will share how they are achieving data privacy across the U.S. for big and small clients.

Discussion topics include:

•  The biggest challenges in the data privacy compliance process
•  Best methodologies to understand, protect, and govern your data
•  Balancing state-mandated compliance regulations
•  Methods for minimizing and controlling personal data

SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs

 

MIDWEST CYBER SECURITY ALLIANCE (MCSA)

February 18, 2021

They Know You Can’t Get to 100% Compliance … and That’s Okay (HIPAA, CCPA/CPRA, GDPR, 23 NYCRR Part 500, CMMC, PCI, FISMA, FERPA)

Meeting old and new security requirements is about to change. For the first time, all requirements, even version 4.0 of the PCI DSS, are going to be driven by risk. What does that mean exactly? Each organization will need to decide what its definition of “acceptable risk” is, not only for the organization, but for its clients and business partners as well as the general public. Those who could be harmed by your service or product, and in how you conduct business, need to be considered in the risk equation.

To address these issues, the next Midwest Cyber Security Alliance (MCSA) virtual meeting will offer an update on some familiar topics including the concept of “reasonable controls” and “acceptable risk.” These terms have permeated our security regulations and standards over the last decade and have plagued organizations just as long — until today. Quite recently, regulators, judges, and security experts have all agreed to a common calculus to determine if an organization has reasonable controls. During this session, we will dissect the Sedona Conference’s new proposed legal test for reasonable security controls based on B2 – B1 < (P x H)1 – (P x H)2.

Understanding and leveraging the legal definition of “reasonable” will certainly have its advantages — please join Foley and HALOCK Security Labs on Thursday, February 18, 2021, for a discussion on what it is and how it can be applied to your organization.

SPEAKERS:
Jennifer L. Urban, CIPP/US – Moderator, Partner – Foley & Lardner LLP
Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 Auditor, Senior Partner – HALOCK Security Labs

2020

National Foundation for Judicial Excellence (NFJE) 2020 Annual Judicial Symposium

October 15, 2020

Judging Efforts to Protect Personal Information:
What Test Should Apply?

In LabMD, Inc. v. Federal Trade Commission, the United States Court of Appeals for the Eleventh Circuit vacated the FTC’s order that LabMD implement the FTC-designed security program on grounds it required an “indeterminable standard of reasonableness.” The panel will discuss LabMD, Inc. and the most promising standard that has emerged in the wake of it—one based upon a duty-of-care risk analysis. Such an approach has been adopted by the Center for Internet Security, and it has been used by Pennsylvania’s OAG in a settlement with Expedia. It is also the subject of an important, current study by the Sedona Conference; and two members from the Sedona Conference will be part of the panel.

PANELISTS: Chris Cronin, HALOCK Security Labs, Schaumburg, IL | William R. Sampson, Shook Hardy & Bacon LLP, Kansas City, MO

BDO Alliance USA BRN

Oct. 15, 2020

Managing Cyber Risk with the Remote Workforce

The BDO Alliance USA Business Resource Network (BRN) Client Focused Conversations (CFC).

Speaker: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR

InfraGard Wisconsin’s SuperCon 2020

Oct. 6, 2020

Getting to Reasonable – What regulators and judges want to see from every organization

When an interested party comes knocking after a breach, are you prepared to show your security program was reasonable and appropriate? The recently published Duty of Care Risk Analysis standard and related methods are now available for organizations to leverage. Terry Kurzynski, Senior Partner from HALOCK Labs, contributing author of the Center for Internet Security’s Risk Assessment Method (CIS RAM) and founding Board Member of the DoCRA Council (Duty of Care Risk Analysis), will present the facts on how to prepare your organization for scrutiny from any and all interested parties. Until recently the definition of “Reasonable Controls” and “Acceptable Risk” has been vague and left up to the security and risk practitioners in each organization. Most decisions are made ad hoc, leaving organizations open to fines and class action lawsuits related to an incident. In all breach/incident cases there is always a control or configuration that could have prevented the breach. The regulator, judge, or other interested party wants to understand why you did not have that particular control or configuration in place. Having the calculus to demonstrate your understanding of the foreseeable harm that could come to you and others (outside of the organization), and how you were planning to reduce its impact or probability, is what the interested parties want to see. Are you performing your duty?

Speaker: Terry Kurzynski, Senior Partner at HALOCK

Cyber Security Summit: Denver

Sept. 10, 2020

Threat Forecasting: Using Open Source Data to Foresee Your Next Breach

We forecast cybersecurity events not to predict the future, but to change it. Regulators and litigators all hold us accountable for knowing foreseeable threats so we can avoid them. But what is foreseeable? And how do we evaluate risks knowing what is foreseeable? This session will demonstrate how open source information can help you prioritize your cybersecurity efforts, and demonstrate that you were being reasonable even if a breach does occur.

Speaker: Chris Cronin, Partner at HALOCK

Cyber Security Summit: Chicago

Sept 1, 2020

CMMC/CCPA: Using Duty of Care Risk to Comply With New Challenges

CMMC and CCPA are very different requirements that push security organizations in new directions. CMMC is specific and for the DoD supply chain. CCPA is generic and for any organization with certain personal information. But both specific and generic security requirements are difficult to comply with. During this session we will show you how Duty of Care Risk Analysis can help you move from either generic or specific requirements to “reasonable” security controls that regulators will understand.

Speaker: Chris Cronin, Partner at HALOCK

Podcast: Can DoCRA (Duty of Care Risk Analysis) Tell You if Your Cybersecurity Controls Are Reasonable?

Aug 4, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss DoCRA – Duty of Care Risk Analysis. It’s an approach that helps organizations figure out whether their cybersecurity controls are reasonable. And we’ll do that with the help of our guest, Chris Cronin.

Infragard: Duty of Care Risk Analysis, defining “Reasonable Security”

Aug. 26, 2020

What is “reasonable” security? If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

SPEAKER: Terry Kurzynski

Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule

July 13, 2020

The FTC offered an online workshop concerning all of its proposed changes on Monday, July 13 at 9:00 EDT. The event was webcast live on the FTC’s website and can be viewed by anyone who wishes to attend. One of the panelists was HALOCK partner Chris Cronin, who was involved in the discussion. Some of you may be familiar with Chris’s work with DoCRA, the Center for Internet Security’s risk assessment method (CIS RAM), and through his many public speaking engagements and publications. Chris also serves the Sedona Conference, a legal think tank that develops guidance for regulators and litigators for interpreting and applying complex legal questions, such as the reasonableness of cybersecurity controls.

PANELIST: Chris Cronin

NetDiligence: What is Reasonable Cyber Security?

July 7, 2020

The panel provided an overview of the risk-based analysis process that substantiates the method, and presented the legal, regulatory, and security best-practice history that informs the method. Each participant presented why the method successfully substantiates the term “reasonable” in their work and provided anecdotes that illustrate how it has been used in their experience. The panel described a practical method that organizations can use for defining how the term “reasonable” applies to them, so all attendees received an immediately applicable and tangible benefit from the session.

PANELIST: Chris Cronin

Online Meeting on The Sedona Conference Draft Commentary on Proactive Privacy and Data Security Governance

June 24, 2020, 1:00pm EDT

A panel of WG11 drafting team members will discuss their June 2020 draft Commentary, which is designed to assist organizations in creating a privacy and data security program that takes into account the ever-increasing number of privacy and data security laws around the world, including data localization laws. The draft Commentary is intended to be applied to all privacy and data security programs, no matter the size or type of an organization.

As the online meeting will focus on in-progress work product of WG11, only Working Group Series (WGS) members are permitted to attend. The online meeting is scheduled for 90 minutes, during which time you may make comments or ask questions of the panel via live chat. We aim to replicate as closely as possible a typical dialogue between dialogue leaders and attendees at an in-person Working Group Meeting. The drafting team members welcome your feedback as the draft nears publication for public comment.

PANELIST: Chris Cronin

RSA Conference 2020:

Securing the Budget You Need! Translating Security Risks to Business Value

February 28, 2020

SPEAKERS: Jim Mirochnik

InfoSec speaks the language of risks and costs, while Business speaks the language of rewards and revenue. The lack of a common language leads to InfoSec struggling to secure the budgets they truly need. This session demonstrates, using case studies, how the invention of Duty of Care Risk Analysis (DoCRA) can create a common language with the Business and help secure appropriate budgets.

CAMP IT Conference

The Cybersecurity Department: Making Cybersecurity a Business Competency Through Key Risk Indicators

February 20, 2020

SPEAKERS: Chris Cronin

CAMP IT Conference – Executives and Boards manage what they know, and stress about what they don’t know, and they stress over cybersecurity. Most organizations do not have cybersecurity specialists at their helm because their business has not relied on that capability until very recently. Cybersecurity has grown from the bottom-up in the hands of technicians, and from the top-down from regulators and engineers. But few organizations have articulated their cybersecurity objectives and risks in a manner that executives can engage with. This has resulted in alienating the people who approve our priorities, resources, and budgets. Chris Cronin will explain the root causes of the breakdowns between executive leadership and cybersecurity practitioners and will show how DoCRA-based analytics help executives make informed decisions about priorities, resources, and budgets.

CAMP IT Conference

Is There Such a Thing as Reasonable Privacy? February 20, 2020

SPEAKERS: Chris Cronin

CAMP IT Conference: U.S.-based organizations are finding that new and emerging privacy regulations are difficult to comply with. In many ways those regulations change our relationships with our customers and the public, and make us stewards of information that they own. Many new privacy requirements are straightforward to implement (such as requiring opt-in and opt-out policies, and processes to field consumer inquiries). But some requirements, such as the right to be forgotten, reasonably verifying the identity of consumer requestors, and using reasonable security safeguards, create a potentially expensive and harrowing grey area. During this session Chris Cronin will show a feature common among privacy regulations such as GDPR and CCPA that will help you clearly define what reasonable privacy controls are. By using Duty of Care Risk Analysis (DoCRA) your organization will be able to show that your controls are reasonable when you address your needs and the public’s needs as equally important.

CANCELLED due to pandemic – RIMS 2020 Annual Conference

2020 Annual Conference May 5, 2020

SPEAKERS: Chris Cronin

In post-data breach litigation, you must demonstrate due care and reasonable control. Learn how information security risk assessments can provide meaningful answers to technicians, businesses and authorities based on judicial balancing tests and regulatory definitions of reasonable risk.

2019

Infosecurity ISACA North America conference: Duty of Care Risk Assessment (DoCRA)

Questions a Judge Will Ask You After A Data Breach November 20, 2019

SPEAKERS: Tod Ferran

A discussion of the new Duty of Care Risk Assessment methodology (DoCRA) for infosecurity, also known as the Center for Internet Security Risk Assessment Method (CIS RAM). Discuss what sets this method apart and why it is an important business tool. After this session you will be able to:

  • Understand what sets the Duty of Care Risk Assessment apart from all others.
  • Understand what regulators are looking for in a complete and thorough risk assessment and how the Duty of Care Risk Assessment fulfills those regulations and standards.
  • Understand what basic questions are asked during litigation after a breach and how the Duty of Care Risk Assessment answers those questions.
  • Understand how to complete a Duty of Care Risk Assessment along with where to get the free tools to successfully complete the assessment.

SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001 – Managing Consultant

(ISC)² Security Congress

The Questions a Judge Will Ask You After a Data Breach – What is “reasonable” security? October 30, 2019

SPEAKERS: Terry Kurzynski, DoCRA Council and Aaron DeMaster, Rexnord

If you are breached and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonable.” Organizations must use safeguards to ensure that risk is reasonable to the organization and appropriate to other interested parties at the time of the breach. This presentation references case law, regulatory oversight and the Center for Internet Security Risk Assessment Method (CIS RAM), with a discussion on the future implications of this approach toward defining reasonableness. CIS RAM is based on the Duty of Care Risk Analysis standard (DoCRA.org) and is recognized by attorneys, regulators and interested parties for its ability to demonstrate reasonable implementation of controls.

Learning Objectives:
• Define risk assessment criteria so they allow for comparison, reflect the organization’s values and will hold up to public scrutiny.
• Model and select threats that are relevant to information assets and controls.
• Estimate the likelihood of risks.

Institute of Real Estate Management (IREM) Cybersecurity Webinar

Safekeeping Your Online Accounts – How to stop hackers from taking your money and information | October 22, 2019

Speaker: Glenn Stout

Security professionals get asked all of the time “What are the top things that I should be doing right now to keep my online accounts safe?” There are many “attack paths” that bad actors take to attempt to get to your money. Knowing what these attacks are – and what to do to protect your online accounts is the answer to the question asked above. This session will cover how the attacks are planned and carried out, and the keys to protect your accounts and data. Some topics include the concepts of phishing attacks, spear-phishing attacks, call fraud, scareware, extortion and the ways to protect against them, such as password approach, protecting email, devices and social media accounts.

After attending this session, participants will be able to:
• Understand the various attack paths that bad actors take to get to user accounts.
• Understand what users generally do wrong that helps the bad actors win.
• Be aware of the key things to do to protect online accounts.

CAMP IT Leadership Strategies

How to Secure the Budget You Truly Need by Translating Technology Costs to Business Value October 17, 2019

Speaker: Jim Mirochnik | Strategies and techniques for leading and guiding IT through a business approach during dynamic times.

Health Management Academy

Risk Analysis 2.0, Health Care Data Security in the Age of Risk | October 17, 2019

SPEAKERS: Terry Kurzynski and Jen Rathburn

Discussion of HIPAA’s risk analysis and risk mitigation plan requirements

  • How risk assessment frameworks are evolving, including Duty of Care Risk Analysis (DoCRA)
  • How duty of care risk analysis builds consensus from the board room to the court room
  • How best to prepare and respond to regulatory investigations and plaintiffs’ lawsuits
  • How IT and Compliance can be enablers of the organization’s mission

CISO of the Year Award Breakfast

October 15, 2019

This award has been established to publicly recognize top senior information security leaders through nominations, judges and support from within the local community. The award will be presented on October 15th at a Breakfast Ceremony at the Metropolitan Club of Chicago.

CyberNext Summit 2019 – KuppingerCole Analysts

October 8-10, 2019

Speaker: Chris Cronin

Cybersecurity is shifting toward more distributed and dynamic models. Decentralized security infrastructure brings its own challenges and opportunities. CyberNext Summit (#CNS19) will focus on the capabilities needed to achieve security in such a distributed environment, especially in the context of ever-increasing security threats.
The Questions a Judge Will Ask You After a Data Breach

The Sedona Conference Working Group 11 Midyear Meeting 2019

September 18, 2019

Panelist: Chris Cronin | A panel of Data Security and Privacy Liability – Working Group 11 (WG11) members led a dialogue with WG11 members at the 2019 midyear meeting – Proactive privacy and security governance: Complying with global data privacy and security regulations

CUNA Technology Council Conference

The Questions a Judge Will Ask You After a Data Breach – A Panel Discussion | September 13, 2019

PANELISTS: Jacqueline Connor, Attorney, Federal Trade Commission, Washington, DC  |  Chris Cronin, Principal, HALOCK Security Labs, Schaumburg, IL  |  Bill Podborny, CISO, Alliant CU, Chicago, IL

Federal regulators, including NCUA, increasingly urge organizations to use risk analysis to determine whether security controls are reasonable. However, regulators are restrained from describing how risk analysis should work. During this session we will show how organizations can use Duty of Care Risk Analysis (DoCRA) to demonstrate whether security controls and risks are reasonable, and to do so in a way that supports management objectives, regulatory requirements, and information security disciplines.

Cyber Security Summit Chicago

August 27, 2019

SPEAKER: Chris Cronin

The fourth annual Chicago Cyber Security Summit connects C-Suite and Senior Executives responsible for protecting their companies' critical infrastructures with innovative solution providers and renowned information security experts.

PRESENTATION: If you are breached and your case goes to litigation, you will likely be asked to demonstrate "due care" and that your controls were "reasonable." Many are surprised to learn that a breach by itself often does not constitute negligence. Judges will ask a set of questions to determine whether your controls were reasonable. These questions bear a close resemblance to information security risk assessments: both try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. This presentation will explain judicial balancing tests, how they relate to regulatory definitions of "reasonable" risk, and how to conduct risk assessments that prepare you to answer the tough questions before you are asked them.
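The balancing test described in this abstract, and in the Compliance Week webinar abstract at the top of this page (define comparable criteria, estimate likelihood and impact, weigh the result against the burden of a safeguard), can be made concrete in code. The following is an added illustration, not CIS RAM or DoCRA as published and not HALOCK's material. Everything about the scoring is an assumption chosen for the example: a 1 to 5 likelihood scale, a 1 to 5 impact scale, risk = likelihood × impact, a single acceptable-risk threshold, and a safeguard "burden" scored with the same likelihood × impact product so that burden and risk are directly comparable. The risks, safeguards and scores are constructed sample data.

```python
"""Duty-of-care style risk balancing: is a safeguard "reasonable"?

Added example, not the CIS RAM / DoCRA method itself. Assumed, not from the page:
likelihood and impact on a 1..5 scale, risk = likelihood * impact, one
acceptable-risk threshold, and safeguard burden scored as burden_likelihood *
burden_impact on the same scale so burden and risk can be compared directly.
"""
from dataclasses import dataclass
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5


def _check_scale(value: int, name: str) -> int:
    # Criteria only "allow for comparison" if every score sits on one bounded scale.
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")
    return value


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # how often the foreseeable threat is expected to succeed
    impact: int      # worst foreseeable harm to the organization and to others

    def score(self) -> int:
        return _check_scale(self.likelihood, "likelihood") * _check_scale(self.impact, "impact")


@dataclass(frozen=True)
class Safeguard:
    name: str
    burden_likelihood: int    # how certain the cost/disruption is once implemented
    burden_impact: int        # how much the safeguard costs or disrupts the mission
    residual_likelihood: int  # threat likelihood once the safeguard is in place
    residual_impact: int      # harm once the safeguard is in place

    def burden(self) -> int:
        return (_check_scale(self.burden_likelihood, "burden_likelihood")
                * _check_scale(self.burden_impact, "burden_impact"))

    def residual_score(self) -> int:
        return (_check_scale(self.residual_likelihood, "residual_likelihood")
                * _check_scale(self.residual_impact, "residual_impact"))


def evaluate(risk: Risk, safeguard: Safeguard, acceptable_risk: int) -> dict:
    """Two-sided test (assumed form): the residual risk must be acceptable AND the
    safeguard's burden must itself be no worse than an acceptable risk."""
    risk_ok = safeguard.residual_score() <= acceptable_risk
    burden_ok = safeguard.burden() <= acceptable_risk
    return {
        "risk": risk.name,
        "safeguard": safeguard.name,
        "inherent": risk.score(),
        "residual": safeguard.residual_score(),
        "burden": safeguard.burden(),
        "risk_acceptable": risk_ok,
        "burden_acceptable": burden_ok,
        "reasonable": risk_ok and burden_ok,
    }


def select_safeguard(risk: Risk, candidates: List[Safeguard], acceptable_risk: int) -> Optional[Safeguard]:
    """Least burdensome candidate that passes both tests; None means no candidate
    is reasonable and the risk needs a different treatment (or a new candidate)."""
    passing = [c for c in candidates if evaluate(risk, c, acceptable_risk)["reasonable"]]
    if not passing:
        return None
    return min(passing, key=lambda c: (c.burden(), c.residual_score()))


# Constructed sample data. Acceptable risk = likelihood 2 x impact 2.
ACCEPTABLE_RISK = 4
PHISHING = Risk("Credential theft via phishing", likelihood=4, impact=4)          # 16
MFA = Safeguard("Phishing-resistant MFA on email", 2, 2, 2, 2)                    # burden 4, residual 4
BLOCK_EMAIL = Safeguard("Block all external email", 5, 4, 1, 1)                   # burden 20, residual 1
TRAINING = Safeguard("Annual awareness training only", 1, 1, 3, 4)                # burden 1, residual 12

WEB_SERVER = Risk("Unpatched internet-facing web server", likelihood=3, impact=5)  # 15
PATCH_SLA = Safeguard("Patch within 30 days", 2, 2, 1, 5)                           # residual 5 > 4: impact unchanged
SEGMENT_AND_PATCH = Safeguard("Segment the server and patch within 7 days", 2, 2, 1, 3)  # residual 3

if __name__ == "__main__":
    for risk, candidates in ((PHISHING, [TRAINING, BLOCK_EMAIL, MFA]),
                             (WEB_SERVER, [PATCH_SLA]),
                             (WEB_SERVER, [PATCH_SLA, SEGMENT_AND_PATCH])):
        for c in candidates:
            print(evaluate(risk, c, ACCEPTABLE_RISK))
        chosen = select_safeguard(risk, candidates, ACCEPTABLE_RISK)
        print(f"{risk.name}: {'no reasonable candidate' if chosen is None else chosen.name}\n")
```

The web-server case is the one worth noticing: patching alone lowers likelihood but not impact, so with a residual impact of 5 no likelihood score can bring the product under the threshold; only a safeguard that also reduces impact (here, segmentation) passes. That is the kind of reasoning a risk register should make visible before someone outside the organization asks the question.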


MIDWEST CYBER SECURITY ALLIANCE (MCSA): The California Consumer Privacy Act (CCPA)

Applicability, Requirements, and Practical Tips on Compliance | September 12, 2019

SPEAKER: Terry Kurzynski

The California Consumer Privacy Act (CCPA) will be effective January 1, 2020, and enforced beginning six months later. Despite the quickly approaching effective date, there are still a number of pending legislative bills seeking to amend CCPA. This has created immense uncertainty for companies trying to bring their business into compliance with CCPA. We address the following types of questions to ensure attendees leave the presentation understanding whether CCPA applies to their business and, if so, the steps they should take to comply: Does CCPA apply to my business? How does CCPA affect our collection, use, and disclosure of personal information? What rights do individuals have under CCPA with regard to their personal information? What are the "reasonable security procedures and practices appropriate to the nature of the information" required by CCPA to protect personal information? What is the status of the various proposed amendments to CCPA? What are the potential penalties and risks of noncompliance, including private rights of action and the likelihood of class action lawsuits?

4th & Final 2019 Chicago CISO of the Year Social Mixer

Aug. 20, 2019

2019 EXPO.Health Conference

The Questions a Regulator Will Ask You After a Data Breach | Aug. 2, 2019

SPEAKER: Chris Cronin

The 2019 EXPO.health conference is focused on 5 main topic areas of interest to health IT professionals at hospitals, health systems, and ambulatory organizations: Security and Privacy, Analytics, Communication and Patient Engagement, IT Dev Ops, and Operational Alignment and Support. HALOCK partner and DoCRA Council Chair Chris Cronin will be speaking at the event.

The Questions a Regulator Will Ask You After a Data Breach: If you are breached and are visited by regulators, they will ask you to demonstrate that your safeguards were reasonable. Their questions resemble information security risk assessments. Regulators try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. In this session we will show you how to conduct your risk assessments so you are ready to answer these tough questions.

3rd 2019 Chicago CISO of the Year Social Mixer

July 23, 2019

ITAC: W3 The Cycle of Cybersecurity: Integrating Cyberdefense Into Your Risk Decision-Making Process

July 18, 2019

SPEAKER: Chris Cronin

ITAC is the premier event for IT audit executives and those tasked with ensuring that businesses are governing data in a secure and responsible way, while addressing risks related to information technology. ITAC is produced by MIS Training Institute (MISTI), the international leader in audit, IT audit and information security training, with offices in Boston and London. MISTI’s expertise draws on experience gained in training more than 200,000 delegates across five continents.

2nd CISO of the Year Mixer

June 18, 2019

IREM WEBINAR – Cyber Security: How to Secure Your Devices and Data

July 16, 2019

SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP

American Health Lawyers Association (AHLA) Webinar: Duty of Care Risk Analysis (DoCRA)

“Adopting Duty of Care Risk Analysis to Drive GRC” June 5, 2019

SPEAKERS: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR, Senior Partner; Board Member on The DoCRA Council and Jennifer L. Rathburn, Partner at Foley & Lardner LLP

Techno Security & Digital Forensics Conference

The Questions a Judge Will Ask You After a Data Breach | June 3, 2019

SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001

Cleveland-Marshall’s Cybersecurity and Privacy Protection Conference 2019.

May 30, 2019

PANELIST: Chris Cronin, ISO 27001 Auditor

CAMP IT: Enterprise Risk / Security Management.

Know Where Your Next Attack is Coming From: Attack prediction and resource prioritization using community-sourced data | May 30, 2019

SPEAKERS: Todd Becker, PCI QSA, ISO 27001; Steve Lawn, CIPP

1st CISO of the Year Mixer

May 21, 2019

Institute of Real Estate Management (IREM) Cybersecurity Webinar: Phishing, Smishing and Whaling – Oh My!

May 7, 2019

SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP

CAMP IT – Data Breaches: Defending Against and Responding To.
Third Party Assessment Prioritization: "Vendor Tiering and Due Diligence Levels" | May 2, 2019

SPEAKER: Ken Squires, CISSP, HCISPP, CISA, CRISC, ISO 27001 AUDITOR

Compliance Week Webinar:

The Questions a Judge Will Ask You After a Data Breach Webcast | March 21, 2019

SPEAKER: Chris Cronin, ISO 27001 Auditor

RSA: Author! Author! Happy Hour.

March 6, 2019 | Featuring Todd Fitzgerald, author of CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, and Chris Cronin, principal author of CIS RAM, the CIS® (Center for Internet Security) Risk Assessment Method.

2018

CIS® (Center for Internet Security) – CIS RAM Workshop Dec. 10, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor

Midwest Cyber Security Alliance – How to Develop and Maintain an Effective Security Awareness Training Program  Dec. 5, 2018 SPEAKER: Glenn Stout, Ph.D., CISSP, CISM, GSEC, PMP

NIST Cybersecurity Risk Management Conference – Evaluating "Reasonable" Cyber Risk Using the Center for Internet Security Risk Assessment Method Nov. 9, 2018

SPEAKER: Chris Cronin, ISO 27001 Auditor

The Center for Internet Security Risk Assessment Method (CIS RAM) provides detailed and practical guidance that builds on NIST 800-30, and is consistent with regulatory and legal expectations for establishing “reasonable” and “appropriate” risk. The proposed panel discussion will feature the authors of CIS RAM who will present the method, its basis in security frameworks and law, and case studies that illustrate its use in legal and non-legal contexts.

Louisiana Hospital Association Webinar – Acceptable Security Risk and Negligence: It’s a Fine Line Nov. 7, 2018 SPEAKER: Tod Ferran, CISSP, QSA, ISO 27001

UW E-Business Consortium: Information Technology Peer Group Meeting – DoCRA Oct. 18, 2018 SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR

CAMP IT: Enterprise Risk / Security Management –
The Industry Risk Assessment Dilemma and the Solution Oct. 3, 2018 SPEAKER: Jim Mirochnik, MBA, PMP, QSA, ISO 27001

Midwest Cyber Security Alliance – Duty of Care Risk Analysis (DoCRA) and CIS RAM Sept. 19, 2018 SPEAKER: Terry Kurzynski, CISSP, CISA, PCI QSA, ISO 27001 AUDITOR

Forrester Privacy & Security 2018 Sept. 25, 2018

SecureXII – 12th Annual ISSA and ISACA Chicago Chapters Security Conference June 12, 2018

CISO Executive Summit June 6, 2018

Cyber Security Summit: Chicago – CIS RAM: This Math Will Save You Aug. 29, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor

CIS RAM (Risk Assessment Method) Launch Event April 30, 2018 SPEAKER: Chris Cronin, ISO 27001 Auditor