In creating this short list of recommended sessions (including one of mine), I kept in mind three things:
- You can’t attend all the ASIS Annual Seminars & Exhibits sessions that you want to. Too many good sessions are scheduled at the same time (can’t be helped).
- After the event, attendees registered for the seminars from 2012 through 2016 have free online access to the recordings and handouts of the educational sessions. (You can access prior years now.)
- It helps to have some criteria for selecting which sessions to sit in on in person, and which to watch or listen to after the event.
Simple Decision
It’s never really a simple or easy decision. If it were physically possible, I’d attend more than half of the educational sessions. Here are the criteria that I use myself, in case they may be helpful to you:
- Is this session just providing general educational points (such as I might find in a book or in articles), or is there specific case study or situational experience being presented? I highly rate the experience factor.
- What perspective will the presenter have? Is this a perspective that will give me new points of view? Often this is revealed in the session description. The more insight I can get into the perspectives of people like my clients, the more I value the session.
- Would I like to meet the presenters? Most presenters are open to questions on the topic of their presentations, even after the event is over. Sometimes my best questions come to mind after the event!
- Is the presentation topic new to me? If the topic is something new to me or something I need a deeper understanding of, I may want to ask questions during or after the presentation. I also may want to ask the presenter where to find more information about some specific point I’m interested in. This advice almost always gives me better results than searching the web.
- Would the information I get also be helpful to one of my clients or colleagues? This can be a tie-breaker when all other things are equal.
- Is the presenter a friend or colleague? I rarely get enough time to socialize with friends and colleagues, and I have often been impressed with the skills, abilities, and knowledge of colleagues whom I’ve never seen present before.
Whether or not these criteria are helpful to you, it can speed up your decision time to have selection criteria ready in advance.
The session recommendations that follow are based upon the criteria above. After each session description, I have provided the reason why I included it in the list. I also put the session number after the title.
Most, but not all, of these sessions are technology-related. Three are about drones—each one from a different perspective.
If we cross paths in the conference hallways, please do say, “Hello!”
- Ray Bernard
Monday, Sept. 12
Managing Facility Expectations During a Crisis or Emergency (2111)
11:00 am – 12:00 pm, Location: W308AB
Mike Fagel, Greg Benson, Lawrence Fenelly
Gain valuable insights into a public safety response protocol from agencies that will be tasked with responding when a facility faces a crisis. What happens during a major event that differs from a routine call? Managing expectations at the facility and responder level will go a long way to create a keen understanding of where the gaps may be during an event. With planning, education, and exercises, each component involved in the response and recovery can help lead the event to a successful conclusion.
This session is packed with highly helpful information across a wide spectrum of crisis and emergency response concerns.
You've Identified Security Risks with SaaS Vendor. So What? (2130)
11:00 am – 12:00 pm, Location: W103A/W103B
Sandy Silk
If your vendor security assessment process is a checklist and a go/no-go recommendation, you may be providing a disservice to your business. Just as there is no one-size-fits-all security questionnaire, there is no absolute right answer for business choices – it always depends. Help your business stakeholders to recognize the implications of realistic security exposures with a vendor, and help your security team to understand the current risks of “business as usual.” Let go of absolute control and focus instead on where and when you can influence changes that benefit business.
From the Director, IT Education & Consulting at Harvard University, this session presents an approach to evaluating cloud-based offerings that makes business sense. If you are a security practitioner, this will help put you on the same page thinking-wise as the decision makers and other cloud services stakeholders in your organization. If you are an integrator or a consultant, this gives you good insight into the business mindset around deploying cloud services.
Keep Mobile Electronics Safe While Traveling (2106)
11:00 am – 12:00 pm, Location: W308D
Keith Flannigan, Ron Lander, Leonard Ong, Werner Preining
All employees, including executives, face vulnerabilities when they use laptops or smart phones while traveling locally, domestically, or internationally. As wireless and phone technologies have advanced, criminals have also advanced their tactics for stealing information, hacking into a company's system, cloning, or launching an unauthorized internal attack. Explore how a company's communication traffic can be intercepted through an internal modem, smart phone, tablet, laptop, or WiFi. Hear case studies and tips on keeping employees who travel safe and preventing thefts when they use hotels, taxis, rental cars, or public transportation.
This is both an information protection and an asset protection subject. These risks keep escalating, so it’s necessary to keep on top of them.
Dealing with Extreme Organizational Resilience Challenges (2208)
1:45 pm – 3:00 pm, Location: W311E
Ray Bernard, Victor Rocha, Kelly Stewart
How do you secure an organization whose business operations have unavoidable high-risk elements? How can you achieve a safe and secure workplace when the business charter requires, and its income depends on, high-risk circumstances? Learn how to use the ANSI/ASIS resilience standard to achieve a maximally effective, business-aligned program that will significantly improve your organization’s ability to recover from or adjust to change or adversity. If it works for organizations with extreme resilience challenges, it can work for you.
Kelly and I have selected some key resilience concepts that are not widely known, but are very helpful in getting all of the resilience stakeholders on the same page conceptually. This really helps get support for any resilience-related initiative, and especially for implementing the ASIS standard. Victor Rocha is the security director for Goodwill of Los Angeles, and has some amazing workplace risk stories to share. I am also presenting a conceptual framework that has a place for all the various resilience disciplines including IT Operations Resilience, Banking Operations Resilience, and Supply Chain Resilience—and relates them all to Enterprise Security Risk Management.
Quantifying Cloud Risk (2430)
3:15 pm – 4:15 pm, Location: W103A/W103B
Jack Jones
Business executives are unlikely to ever really understand risk statements like “High risk,” “Medium risk” and “Low risk”. As a result, they sometimes discount higher risk situations as “infosec conservatism.” Risk quantification can be a powerful tool to help them better understand and appropriately prioritize infosec risk scenarios. In this session, Jack will walk participants through an analysis of a specific cloud service leveraging the Factor Analysis of Information Risk (FAIR) framework. The analysis results will be described in business terms that any executive would understand. This session will demonstrate a pragmatic approach to quantifying cloud-related risk.
The whole idea for this (ISC)2 session is about how to develop and present risk information in a way that is understandable and actionable for management.
Critical Thinking Skills for Security Professionals (2302)
4:30 pm – 5:30 pm, Location: W311A
Kathy Pherson
CSOs tell ASIS that critical thinking is a key skill for professional success in security. Their comments have led to the introduction of an ASIS certificate program on critical thinking. The new certification focuses on how thinking techniques can frame solutions for problems affecting corporate, homeland, and national security. Analytic strategies can improve rigor, avoid mental traps, and allow managers to communicate clearly with others. Specific security examples demonstrate the importance of understanding context, checking key assumptions, considering alternative explanations, seeking consistent data, and focusing on drivers and indicators. Leverage these skills to improve your work by protecting against biased thinking, spurring imagination, and collaborating with others both inside and outside the organization.
The higher up you are in your organization, the more important this session is. If you are the senior security leader, this is a “don’t miss” session. Your organization depends upon you and expects you to perform the security risk critical thinking. Plus, this will help you be more articulate in expressing the business case factors around risk initiatives.
Protecting Homeland Security Enterprise through Internet of Things and Science (2314)
4:40 pm – 5:50 pm, Location: W308C
Cuong Luu, Donald Zoufal, Steve Surfaro
Review guidelines on the Internet of Things (IoT) from the U.S. Department of Homeland Security as they relate to security, surveillance, and safety operations. Explore media-rich elements, including video clips of solutions in action and security device failures. The guidelines caution data-driven organizations to first distinguish between components that adhere to strict security standards and those that don’t. Learning about IoT components and systems that affect operations and assets is a tremendous advantage and the cornerstone of the detect-authenticate-update framework of the guidelines.
Given the tremendous knowledge that each of these presenters has, this will be a session where you’ll benefit not only by getting answers to your own questions, but from hearing the Q&A with other session attendees.
Tuesday, Sept. 13
Scanners Are Dead [Application Security] (3136)
11:00 am – 12:00 pm, Location: W106
Nish Bhalla, CEO/Founder, Security Compass
Many application security teams scramble to pinpoint vulnerabilities and flaws during the testing and release stages while managing limited security resources, a multitude of compliance regulations, and surprise feature requests. Although these teams are trying to follow the right application security practices, they're being left in the dark and overworked, and most importantly, applications are being shipped with fragmented security. The common denominator we have experienced with our customers is reliance on dynamic and static testing tools during the final stages of the lifecycle, ignoring the benefits of building security in during the first stage of the software development lifecycle: Requirements.
I recommend that any manufacturers who are producing cloud-based offerings send someone to attend this (ISC)2 session. This session addresses the most common security industry failing with regard to cloud-based application development.
How Current Cyber Terrorism Risks Affect IT Security (3104)
11:00 am – 12:00 pm, Location: W311H
Keith Flannigan, Ron Lander, Leonard Ong, Werner Preining
Cyber terrorism is now considered to be the number one risk to businesses worldwide. Any business can be victimized by hackers who attack either for financial gain or as a political statement. By understanding the current threats, business managers can prepare a policy that will address related risks and reduce the probability that a facility will be attacked. Review best practices and case studies to assist in the development of a comprehensive IT security policy and plan.
Physical security should be a contributor to the creation of a comprehensive IT security policy and plan. Many IT breaches have been enabled by unauthorized physical access. These are very knowledgeable presenters, all colleagues of mine on the ASIS IT Security Council, and they are all familiar with physical security as well. This will be a good session for asking questions.
Implementing an Insider Threat Program Model (3105)
11:00 am – 12:00 pm, Location: W311B
Daniel Garvey Sr.
Do you know what or who is slowly, quietly stealing your company's “crown jewels” one at a time? A threat from the inside could be more detrimental to the company than outside threats. Learn how to implement an insider threat program to protect your company’s proprietary, sensitive, and government-provided information from unauthorized disclosure by deterring, detecting, and defeating those threats. Review a scalable program model derived from government and industry best practices designed to counter the insider threat at any organization.
Daniel Garvey Sr. is the chair of the ASIS Defense and Intelligence Council, and has 30 years of extensive experience in dealing with a wide variety of high-level threats. He helped develop the ASIS certificate-based workshop program titled Developing and Implementing an Insider Threat Program. He is also the co-author of the paper Security Performance Metrics: Persuading Senior Management with Effective, Evaluated Security Metrics, which you can download here.
Virtual Security Operations Centers (3117)
11:00 am – 12:00 pm, Location: W314A
Michael Foynes, Ray O'Hara, Brian Tuskan
Surrounded by virtual reality and the Internet of Things, it's time to move the security operation center to the cloud. Follow the progression of a leading software company as it transitions from three static global operations centers to one virtual security operations center (VSOC), supporting employees and customers around the world. The outcome is a 99 percent proactive operations model with heavy emphasis on predictive intelligence and proactive communications. Using dynamic technology, the VSOC enabled business continuity, reduced costs, improved effectiveness, and allowed security to operate at the speed of business.
If you have, or are considering establishing, more than one security operation center, this Microsoft story will give you real-world perspectives on the operational and cost advantages of a cloud-based Virtual Security Operations Center. Another great session for asking questions! Your organization may already need these kinds of operations capabilities.
Using Self-Service and Autonomous Security Systems (3209)
1:45 pm – 3:00 pm, Location: W311D
Steve Surfaro, Timothy Meyerhoff, W. Douglas Fitzgerald
Automated physical security processes are the future. At a recent Super Bowl, a test of self-service security baggage screening was conducted, and autonomous unmanned aerial systems are on the horizon. Cars will soon operate with technology systems to prevent collisions, hacking, and other threats while safely operating over great distances. Through case studies, explore the most economically significant opportunities for security screening, operations, and response using autonomous systems. Review an automated entry screening assessment tool among other unique technologies and assess the feasibility of self-service security automation.
This is an important topic for your security systems technology roadmap, whether you want to include or exclude autonomous technology.
Drones: Friends or Foes to the Security Industry? (3212)
1:45 pm – 3:00 pm, Location: W311D
Nathan Ruff, Mark Schreiber, Jason Cansler
Join the discussion among an unmanned aerial vehicle (UAV) industry expert, a managing director of a national non-profit professional coalition, a UAV operator, and a security engineer on the key elements of UAVs (drones). While security managers need to know how to defend against UAVs, they also need to know how to use UAVs as assets. Explore UAV capabilities and limitations, why this technology is suddenly viable for application in the security arena, the future implications of a multi-billion-dollar industry, UAV legislation and enforcement, and UAV security applications.
The presenters in this session (there is likely to be a fourth) are all experts in their fields, and can field any questions you may have about drone applications. This is the second session on this important topic for your security systems technology roadmap, and both are scheduled for the same time! See which one fits your interest the best.
Drones: Friends or Foes to the Security Industry? (3212)
1:45 pm – 3:00 pm, Location: W414B
Mark Domnauer
Learn innovative and inexpensive ways to market your corporate security function internally that will improve awareness and use of programs while enhancing overall brand and perceived value to the company. Learn how the head of security for a well-known tech company has built a security program that is seen as a core benefit by employees and is regularly cited in employee engagement surveys and emails to executives as a reason employees love this company. Learn actionable tactics you can implement, many quickly and with little or no cost, that will result in regular positive feedback and improved brand recognition. Get ideas to factor into long term strategic plans for improved personal and department branding.
Mark is the Director-Global Safety/Security for Adobe Systems. This is a very important topic for practitioners with senior security responsibilities. In particular, he can answer your questions about results timeframes, initially approaching stakeholders, and how to plan for improvements in this critical but typically neglected aspect of a security program.
Improve Organizational Resilience through Enterprise Security Risk Management (3303)
4:30 pm – 5:00 pm, Location: W311C
John Petruzzi, Rachelle Loyear
Organizational resilience is about more than simply surviving a crisis and continuing to function. Organizations today also want the ability to take advantage of new opportunities that could be realized from crisis recovery. Enterprise security risk management (ESRM) embraces risk identification and mitigation while recognizing that businesses need to take risks to succeed. Explore ESRM as a driver for increasing resilience, identifying security risks and working with business executives to find risk treatments while also promoting the agility the organization needs to thrive in uncertainty.
One great thing about this session is that the presenters, the VP - Enterprise Security Operations and the Director – Enterprise Business Continuity, are from the same company. You’ll hear about, and be able to ask questions about, how their collaboration works and how ESRM provides them and their organization with a unifying perspective.
Wednesday, Sept. 14
How ISIS Cyber Attacks Affect IT Security (4204)
1:45 pm – 2:45 pm, Location: W311C
Keith Flannigan, Ron Lander, Leonard Ong, Werner Preining
Explore the tactics currently used by ISIS that put businesses at risk. ISIS leaders openly declare that they want to kill Westerners by destroying the infrastructure, forcing the West into a state of disaster. Consider the tactics being used currently as well as the instructions given to ISIS supporters in the West and refugees moving into Western nations on how to access IT networks. Review proven IT countermeasures that can assist in developing IT policies and security methodologies.
If you are an IT security specialist, or you have senior responsibility for both corporate, physical and IT security, this session will help you with specific thinking about how your organization should be considering ISIS cyber attacks. Another good session for asking questions.
Steps to a Successful Unmanned Aerial Vehicle Program (4206)
1:45 pm – 2:45 pm, Location: W308AB
Mark Crosby CPP, Joseph McDonald, Mike Wiley
Specific requirements must be met when flying unmanned aerial vehicles (UAV) for commercial purposes. The risk and associated costs must also be considered when putting together a plan to use UAVs as another layer of operational security. Learn the steps taken by one company to research, select, and deploy UAVs over its Reno campus. Review current FAA rules for deploying UAV flights, budget concerns, offerings and selection of an aerial platform, initial flight plans, and lessons learned.
Hear about UAVs (drones) from three end user security personnel who actually deployed UAVs. This will be a really good session for asking questions!
Physical Security Is from Mars; Cybersecurity Is from Venus (4215)
1:45 pm – 2:45 pm, Location: W311E
Jasvir Gill, Mark Weatherford
Energy and utilities, as well as other industry segments that make up the nation’s critical infrastructure, are all dealing with similar issues: an ever-increasing number of attacks and a much higher level of impact from these attacks. Experts agree that one reason for this upsurge is that companies deal with security in silos. Learn innovative approaches to eliminating silos and addressing the varying needs of those tasked with managing corporate security. Learn about success stories of automating compliance with industry-specific regulations such as NERC CIP V5, CIP-014 for physical security, and CFATS (chemicals), and explore ways to drive the need to coordinate physical and IT security.
These two experts have very extensive knowledge and experience, and understand the practical issues of physical security/IT collaboration at all levels, especially where compliance has touch points for both domains. If you have wanted to start or expand your physical security/IT collaboration, this is a “must-attend” session.
What Should We Do with Biometrics? (4311)
3:30 pm – 4:30 pm, Location: W311D
Shayne Bates, Rudy Wolter
Uncover the great myths and secrets of integrating biometrics in real-life environments. Implementation issues include integrating multiple databases, adapting to governmental control of PII, and protecting an organization from entering into a great technology chase without foresight or a solid plan. The biometric industry has moved so rapidly that the gear you install today is outdated and unsupported tomorrow. Security practitioners must still protect their organizations while attempting to be on the cutting edge. The biometric industry has charged ahead at such a pace that many security professionals are two to three years behind in knowing and understanding the who, what, where, when, and why of this industry sector.
This is definitely the session to use to catch up with the significant advancements in biometrics technology.
Thursday, Sept. 15
CISO Impact: Driving Security into the Business (General Session)
8:00 am – 9:00 am
The connected world is a dangerous place. CISOs and their teams must lead their organizations to adopt safe business practices. In this keynote, IANS presents its data-driven leadership framework, CISO Impact™, based on years of research with over 1,000 information security teams. IANS will present data, including data from (ISC)² members, which contrasts information security teams at five levels of maturity on both technical excellence and organizational engagement. Armed with data on how others have driven security into the business, CISOs and their teams can chart their own paths to leadership.
The Security of Security: How Practitioners Can Ensure the Safety of Corporate Networks (General Session)
9:30 am – 10:30 am
Since 2014, Target has paid more than $116 million in settlements as compensation for a data breach that exposed the payment information of approximately 110 million customers. One of the most worrying things about the breach is that hackers gained entry by compromising the access of a third-party vendor—a refrigeration contractor. How safe are the security systems and services connected to your company's network? In this session, a panel of experts, including technology providers, end users, and thought leaders discuss the Security of Security and the ways security professionals can contribute to the overall cyber health of their organizations.