
September 2013 – Risk-Based Security Management

Date: September 18, 2013, 2:00 PM to 7:00 PM
Venue: Protiviti, 1290 Avenue of the Americas, 5th Floor, New York, NY 10104
Dress: Business Casual
Date: Wednesday, September 18, 2013
Event Start Time – End Time: 2:00 – 5:00 pm
Overall Event Title: RISK-BASED SECURITY MANAGEMENT

Event abstract: Risk-Based Security Management (RBSM) is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system.

The advertised benefits of Risk-Based Security Management (RBSM) are very attractive:

* More effectively communicate InfoSec risk to senior management
* Quantify InfoSec risk in financial terms
* Risk-based prioritization of security initiatives
* Derive cost-benefit analysis of security spend
* Ability to compare vendor solutions based on risk reduction benefit
* More efficient use of resources based on risk reduction benefit

Learn about the state of RBSM and how to develop a culture of risk, understand the value of risk-based metrics, and learn how to lay a foundation for an RBSM program. Hear from our expert speakers who are at the forefront of this trend.


Event kickoff / opening remarks: 2:00 – 2:10
Speaker: NY ISSA Board Member
Session description: Welcome attendees
Session Title: The State of Risk-Based Security Management 2013
Start Time – End Time: 2:10 – 3:00
Session Description: An in-depth study conducted by Ponemon Institute and sponsored by Tripwire reveals how organizations are applying rigorous and systematic analytical techniques in order to quantify and evaluate the security risks that impact an organization’s information assets and IT infrastructure. Ponemon Institute surveyed 1,320 professionals in IT security, information risk management and IT operations in the United States and the United Kingdom. This presentation will provide an overview of the results and cover the following topics:

* Is RBSM an Art or a Science?
* Risk-Based Security Management, Maturity & Governance
* The Value of Risk-Based Security Metrics
* Key Metrics for Risk-Based Security
* Risk-Based Security Controls and Spending
* Risk-Based Security Collaboration, Communication and Culture

Speaker: Cindy Valladares, Manager for Solutions and Corporate Communications at Tripwire Inc.
Bio(s): Cindy Valladares is Manager for Solutions and Corporate Communications at Tripwire Inc., a leading global provider of risk-based security and compliance management solutions. She brings over ten years of experience in product marketing, where she has been leading the product positioning and messaging for B2B software solutions. Ms. Valladares has been a speaker at various security, risk and privacy conferences in North America, Europe and Latin America, where she focuses on topics that affect the information security industry and communicates how Tripwire solutions enable enterprises to effectively connect security to their business. Ms. Valladares is a regular contributor to The State of Security and can also be found on Twitter @cindyv. She holds an international MBA from the University of Ottawa in Canada, and a BBA in Marketing and International Business.
Session Title: Laying a “FAIR” Foundation for RBSM
Start Time – End Time: 3:05 – 3:50
Session Description: While these benefits may inspire a CISO to start down the path of RBSM, organizations typically struggle to develop and follow a strategy to transform or enhance their program. One of the greatest barriers is identifying and implementing a simple risk framework that doesn’t increase the complexity of managing the program. Factor Analysis of Information Risk (FAIR), The Open Group Technical Standard Risk Taxonomy, provides the foundational understanding of risk and a simplified structure for the critical thinking required to analyze the complex problem space of information security. FAIR provides the foundation and framework for the rigorous analytics required for RBSM and enables the quantification of InfoSec risk in financial terms ($$$). In this session you will gain an appreciation for the power of the FAIR model and understand the resources available to empower adoption.
Speaker: Michael Radigan, Executive Director, Business of Security; Past President, Central Ohio ISSA; Certified FAIR Risk Analyst
Bio(s): Michael Radigan is the Founder and Executive Director of Business of Security, whose mission is to help CISOs define and communicate the value of their programs to the business. Michael has been invested in Risk-Based Security Management since 2001, when he was introduced to the inventor of Factor Analysis of Information Risk (FAIR), Mr. Jack Jones, who at the time was CISO at Nationwide Insurance. Michael was an early champion for FAIR and used his positions of influence as a Cisco Security Business Consultant to advance the mission of transforming the practice of information security from an “art” to a “science”. Michael was instrumental in the commercialization of FAIR in 2011, when he led the business development efforts of a start-up that Jack Jones co-founded, CXOWARE. FAIR continues to be embraced internationally through The Open Group, which now owns the new professional certification FAIR Risk Analyst.

Networking Break: 3:50 – 4:10

Session Title: An Executive View of Cyber Risk Management
Start Time – End Time: 4:15 – 5:00 PM
Session Description: The most successful senior business leaders are adept at managing risk and knowing where to “invest” limited risk management resources. Cyber risk and cyber risk insurance are now topics of board room conversations, and senior management is required to assess and manage this risk as part of the overall enterprise risk management strategy. Our speaker, Ty Sagalow, author of the ANSI/ISA publication “The Financial Management of Cyber Risk: An Implementation Framework for CFOs” (ISA-ANSI, 2010), will provide some context for how these decisions have been made in the past and the current trend in cyber risk management. He will help us understand how cyber insurance underwriters view cyber risk, how they assess it, and what their risk treatment options typically include. Ty brings a unique historical perspective, having led AIG’s eBusiness Risk Solutions as COO from 2000-2003 and developed the first cyber-risk insurance products brought to the industry.
Speaker: Ty R. Sagalow, President, Innovation Insurance Group
Bio(s): Ty R. Sagalow is President of Innovation Insurance Group, LLC. Mr. Sagalow is a 30-year veteran of the insurance industry, having held senior executive positions in underwriting, legal and product development for major insurance companies. In addition to product development, Mr. Sagalow is considered an expert in new product development, cyber-insurance, directors and officers liability insurance, and reputation insurance.

Mr. Sagalow spent 25 years as a senior executive with AIG. His major positions included, from 1989-1999, Chief Underwriting Officer and General Counsel for AIG Executive Liability (f/k/a National Union). National Union is the largest provider of management and professional liability insurance in the United States. From 2000 to 2005, he was the Chief Operating Officer of AIG eBusiness Risk Solutions, a large provider of security and privacy insurance. From 2005 to 2009, he headed up new product development at AIG General Insurance as President of Product Development before moving to Zurich North America as its Chief Innovation Officer. In April 2011, he departed Zurich to create Innovation Insurance Group.

The products that Mr. Sagalow is largely credited with creating have produced hundreds of millions of dollars of gross premium for the insurance industry and include Y2K Insurance, (Entity Cover) Directors and Officers Insurance, Cyber Insurance, Reputation Insurance, Collectible Authenticity Insurance and Intellectual Property Collateral Insurance.


Sponsored by: CXOWARE and Tripwire

Networking Event: 5:15 – 7:00

Following the program meeting, a CXOWARE- and Tripwire-sponsored networking event will provide an opportunity for attendees to gather at a nearby location over drinks and munchies.

Thanks to CXOWARE and Tripwire for their sponsorship.

Who should attend this session: ISSA Members, ISACA Members and FS-ISAC Members (and members of other ISACs), Governance, Risk and Compliance Managers & Practitioners, Chief Risk Officers, Chief Compliance Officers

Presentations:

* SAGALOW ISA II manage cyber risk 9-18-13 ISSA Chapter Mtg
* FAIR Based RBSM ISSA NYC Sept 18 2013 (PDF)