The Open Group Conference - Seattle 2010

"Moving Information Security Management From Art to Science" — Security Practitioners Conference Plenary

Tuesday, 8:15 - 12:30

Management of the information security function in large organizations is challenging. Senior IT security managers must have a broad understanding of IT security threats and controls, while communicating effectively about risk within the organization. As a relatively new discipline, IT security management is starting to become less an art, and more a science.

These sessions will include case studies of IT security management in several large organizations, as well as presentations on IT security management using metrics and maturity models.

Introduction to The Open Group
8:15 - 8:45
8:45 - 9:00

9:00 - 9:45
The Crisis in Information Security

Information security faces a crisis. As a discipline, as a profession and as a passion, the challenges we face seem overwhelming. Cyber-criminals are organising and making vast sums of money. Management never seems to want to cough up enough funding. Practitioners are exhausted. What's causing this crisis, and how can we break out?

Adam Shostack, Microsoft
Adam Shostack is senior program manager in Microsoft Corp.’s Trustworthy Computing Group. As a member of Microsoft's Security Development Lifecycle team, he is responsible for security design analysis techniques, including the company’s threat modeling methodologies.

Shostack joined Microsoft in 2006 with an extensive background in software security. Before joining the company, he was involved in a number of successful start-up ventures involving vulnerability scanning, privacy and program analysis. Additionally, Shostack helped create the Common Vulnerabilities and Exposures (CVE) list, and now serves as the Emeritus Advisor of the group. He is also a founding member of both the International Financial Cryptography Association (IFCA) and the Privacy Enhancing Technologies Symposium, and has been a technical advisor to companies such as Counterpane Internet Security and Debix.

He has published articles in a variety of industry and academic venues, and is also co-author of the widely-acclaimed book, The New School of Information Security (Addison-Wesley, April 2008).

9:45 - 10:30
The Science of Information Security Management

Moving from art to science necessarily requires us to re-examine first principles to discover the science. Looking at security management’s first principles shows that architecture and management are both required to understand information systems. Architecture, while describing the intentional function of an information system, fails to adequately describe the variance of that function. Controlling the variance, then, is the objective of security management and forms the foundation for moving from art to science. This presentation breaks down security management into its core elements, harmonizes them into the TOGAF architectural framework, and suggests ways forward for both.

Mike Jerbic, Trusted Systems Consulting
Mike Jerbic is an independent security and project management consultant specializing in information security architecture and project management. His work includes successful completion of numerous projects in secure data life cycle management, secure application development, audit and compliance. Prior to consulting, Mike held numerous product design, development, and management positions over a twenty-year career at Hewlett Packard. In addition to his professional work, Mike chairs the Open Group Security Forum, an international security and security architecture industry consortium focussed on open, secure, interoperable collaboration. Articles he’s written have appeared in the popular trade press, the American Bar Association’s Business Law Journal and The Business Lawyer, and he co-authored the book A Guide to HIPAA Security and the Law. Mike has bachelor’s and master’s degrees in electrical engineering from UC Berkeley and a master’s degree in economics from San Jose State University.

10:30 - 11:00

11:00 - 11:45
Why Security Metrics Stink and What We Need to Do About It

Through the disclosure and examination of real experiences and lessons learned, Kip Boyle, CISO at PEMCO Insurance will show you why today’s security metrics are too expensive to produce, are commonly linked to the least challenging problems facing security managers, and fail to communicate clearly to management. When he’s done, you’ll know what we need to do to get us out of this mess.

Kip Boyle, CISO, PEMCO Insurance
Kip Boyle is the Chief Information Security Officer of PEMCO Insurance, a $350 million property, casualty, and life insurance company serving the Pacific Northwest. Prior to joining PEMCO Insurance, Kip held such positions as: Chief Security Officer for a $50 million national credit card transaction processor and technology service provider to the financial services industry; Authentication & Encryption Product Manager for Cable & Wireless America; Senior Security Architect for Digital Island, Inc.; and Senior Consultant in the Information Security Group at Stanford Research Institute (SRI) Consulting. He has also held director-level positions in information systems and network security for the U.S. Air Force. Kip is a recent graduate of Seattle University’s Executive Leadership Program. He holds a Bachelor of Science in Computer Information Systems from the University of Tampa (where he was an Air Force ROTC Distinguished Graduate) and a Master of Science in Management from Troy State University. He is a Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM). He has developed and delivered information security training and seminars at such venues as the International Information Integrity Institute (I-4), Motorola University, the Information Security Forum (ISF), and the SANS Institute.

11:45 - 12:25
ISM3: Measuring the Right Things Right

Some security practitioners shoot themselves in the foot by focusing on technical and outdated concepts that no longer work, devoting resources to measuring things that don't help continuous improvement, and failing to communicate their value to management... because of their lack of value. Vicente will show you how ISM3 can help, not by providing cooked answers, but by helping practitioners ask themselves the right questions.

Presenter: Vicente Aceituno, Director, ISM3 Consortium
Vicente Aceituno, CISA, has 15 years of experience in the field of IT and information security. Vicente started his career in network and systems administration and moved into project management and security management. During his career in Spain and the UK, he has worked for companies such as Coopers & Lybrand, BBC News and DMR Consulting. He is the main author of the Information Security Management Method ISM3 (Information Security Management Maturity Model) and Director of the ISM3 Consortium, author of the information security book “Seguridad de la Información” (ISBN: 84-933336-7-0), President of the Spanish chapter of the ISSA (Information Security Systems Association) and ex-President of the First Improvised Security Testing Conferences Association. A list of publications and speaking engagements can be obtained at his blog.

12:25 - 12:40
Field Research on Security Metrics Programs

Based on in-depth interviews with security leaders at 30 organizations, Burton Group analyst Phil Schacter will share key learnings and insights on the state of security metrics programs.

Presenter: Phil Schacter, Analyst, Burton Group
Phil Schacter is a Vice President and service director for Burton Group Security and Risk Management Strategies. He covers enterprise security, security governance, network security, and security reference architectures. Prior to joining Burton Group, Phil worked in the network technology industry, with experience in mainframe network applications, network-delivered services, distributed messaging systems, security policy and architecture, security consulting, and identity management systems. With 35 years of industry experience, Phil has designed and developed network applications and managed network services and messaging product lines. He has worked on standards groups and authored reports on IT technologies and architecture, security, and identity management topics.

12:40 - 2:00
Members Meeting Lunch | Non-Members Lunch
