CONFERENCE AGENDA
FEBRUARY 10–11, 2016 • OTTAWA

THE HUMAN FACTOR
Cyber Security

Lance Hayden, Managing Director, Berkeley Research Group, LLC
Ray Boisvert, President and Chief Executive Officer, I-Sec Integrated Strategies (ISECIS)
Daniela Crivianu-Gaita, Chief Information Officer, Gamma-Dynacare Medical Laboratories
Christian Leuprecht, Professor, Political Science, Royal Military College of Canada and Senior Fellow, MacDonald Laurier Institute

#CBoCSecurity

The number of incidents and the costs of data breaches are increasing—are you keeping pace?

One challenge organizations face is that attacks come from a wide variety of actors. Some involve traditional crime networks adding a cyber dimension to their activities, while others involve states with all the resources at their command. Alternatively, your data could be at risk from political groups such as Anonymous whose motivation could be anything—financial gain, strategic advantage, spite, competition, extortion—the list goes on. You need to protect yourself against evolving threats and in many cases, technology alone cannot do this.

Focus on the people side of cyber security.
The 2015 event focused almost exclusively on insider threat because too many organizations ignore the issue. In 2016, we will build on previous discussions and examine the role of people and culture in cyber security. While people have the potential to be a major liability as insider threats, they also have the potential to become a flexible and adaptable resource for cyber security. This event will bring together some of the latest thinking in the space of human behaviour to help you improve your security and better enable you to prevent breaches and compromises.

The technological cyber security tools available to IT departments are a necessary but insufficient obstacle to prevent cyber attacks. To increase security you need to devote more resources to the people side—to training, education, testing, and the culture of your organization.
The workplace is changing.
Social media and the emergence of a new generation drive openness, informality, and heightened collaboration. It’s never been more critical to build a culture and drive behaviours that recognize and can respond appropriately to cyber threats.

To register, visit www.conferenceboard.ca/conf

Get answers from experts and top practitioners.
Meet the public and private sector thought leaders and benefit from their experiences dealing with similar challenges.

This event will be of interest to CIOs, CISOs, CSOs, as well as VPs, Assistant Deputy Ministers, Directors, and Senior Managers of: information technology, networking, new technology, security and information security, human resources, risk management, communications, social media, mobile business, legal affairs, strategic planning, and privacy.

Ask established security experts your toughest questions.
Learn from the experts and take advantage of peer-to-peer discussions and networking to develop new ideas and get the information you need to address cyber security, including how to:
• understand the risks your organization faces
• define the nature and motivation of different threats—fraud, theft, extortion, national security, terrorism
• recognize the value and the limitations of technical solutions in cyber security
• build the human side of cyber security
• understand the nature of, and defend against, insider threats
• build a culture of trust that pro-actively helps to address risks
• appreciate and manage the risks associated with new social technologies
• think creatively but practically about future threats and be better prepared
• review how attacks are changing—new and emerging threats
• prepare your response now for future attacks, should they be successful
• educate employees on how to prevent attacks
• understand the value of people and culture in building resilience to cyber attacks

Agenda

DAY 1 / Wednesday, February 10, 2016

AT A GLANCE
8:00 a.m. Registration and Continental Breakfast
8:30 a.m. Opening Remarks from the Chair
8:45 a.m. Plenary Session 1
9:30 a.m. Plenary Session 2
10:15 a.m. Networking Break
10:45 a.m. Plenary Session 3
11:30 a.m. Plenary Session 4
12:15 p.m. Networking Luncheon
1:00 p.m. Concurrent Sessions—Set A
1:45 p.m. Travel to Concurrent Sessions
2:00 p.m. Concurrent Sessions—Set B
2:45 p.m. Refreshment Break
3:00 p.m. Plenary Session 5
3:45 p.m. Plenary Session 6
4:30 p.m. Closing Remarks from the Chair
4:45 p.m. Day 1 Adjourns

8:00 a.m. Registration and Continental Breakfast

8:30 a.m. Opening Remarks from the Chair
Dr. Satyamoorthy Kabilan, Director, National Security and Strategic Foresight, The Conference Board of Canada

8:45 a.m. Plenary Session 1
From Insider Threat to Human Capital: The Promise of People-Centric Security
Dr. Lance Hayden, Managing Director, Berkeley Research Group, LLC

Technology has traditionally served as the primary lens through which the security industry understands the threats and challenges it faces. People and culture go underutilized or unaddressed as sources of security value. In fact, many security programs view human beings simply as potential threats and risks, whether from maliciousness or ignorance or incompetence. The “solution” to this security “people problem” is often to treat people more like unreliable machines than human beings, to program them through training and awareness exercises and to discard them if they fail to adhere to their programming too often. Cybersecurity, however, also has deep roots in human behavior and organizational culture, where performance is a matter not of static IT infrastructures, but of dynamic capabilities for adaptation and innovation in the face of radical uncertainty.
As an epidemic of security breaches continues to put the lie to the claim that technology solutions are the most effective way to respond to cybersecurity challenges, people-centric security is becoming ever more important. Security technology succeeds when implemented in the context of well-formulated business strategies, and managed in the context of a robust security culture that engages human capital rather than marginalizing people as risks to control. The future success of enterprise cybersecurity programs, and the success of the organizations they serve, depends upon the ability to implement truly effective people-centric security.

9:30 a.m. Plenary Session 2
Owning A Domain Is A Dangerous Game—Stories About Hacks, Hijacks, and Just Plain Bad Management
Dave Chiswell, Vice-President, Product Development, Canadian Internet Registration Authority

2014 and 2015 have been and are the year of the attack on Canadian organizations, with domain names and DNS as popular targets. The security risks of domain name hijacking and attacks on the DNS are often overlooked. The Canadian Internet Registration Authority (CIRA) tracks and monitors trends on the Canadian and global Internets and provides technology for academic institutions to help protect their online presence. An analysis of the DNS and domain name portfolios of several Canadian industries reveals serious security vulnerabilities.

This talk will begin by providing a brief overview of domain name and DNS security risks before delving more deeply to help administrators understand how domain names are hijacked and how the DNS is being exploited by hackers. It will discuss common tools that bad actors use to hijack domain names or DDoS the DNS to bring down websites and embarrass target organizations. It will help administrators understand the technology that can be used to help combat most attacks. Including:
• Detail the best practices for securing a domain name portfolio and preventing domain name hijacking
• An analysis of typical DNS configurations that we have seen across Canadian institutions and their associated risks
• Describe a method for strengthening the DNS using Anycast technology
• Case studies from recent attacks, describe how they were mitigated, and how they could have been avoided altogether.

The talk will then move into the new gTLD marketplace to provide information on what is happening, how it is impacting brands and how it is being exploited by people with malicious intent.

10:15 a.m. Networking Break

10:45 a.m. Plenary Session 3
The Human Factor: Transforming Employees into Cybersecurity Warriors
Eric Hummel, Vice-President, Human Resources, Symantec

A significant percentage of company cyber security breaches occur as a result of employees being unintentionally less than vigilant about the software, internet practices, and social mobile activity they generate on their company devices. This presentation will share current and future approaches to decrease unintentional and intentional employee usage of vulnerable practices using human factor principles with creative solutions to shape the mindset and behaviour intended to keep company data safe.

11:30 a.m. Plenary Session 4
Using Gamification to Educate Employees about Cyber Risks And How to Respond
John Findlay, Founder, Launchfire
Jane E. Moser, Security Training and Awareness Program Coordinator, Employment and Social Development Canada

If a reminder was needed of the risks of the digital age and the importance of cybersecurity then June 17th provided it in spades. On this day Internet vigilante group Anonymous shut down several critical GOC websites and severely disrupted the government’s email system.
This most recent attack came on the heels of a major breach in the US that saw the theft of personal details, including SIN numbers and addresses, of over 4 million government employees. In this environment, cyber risk and cybersecurity is everyone’s business, with risk managers particularly needing to be up to date with latest developments.

This session will give you the opportunity to take a look under the hood of ESDC’s gamified security training pilot program! We’ll examine everything from the enticements that drove initial participation to the gamification tactics used to amplify engagement, comprehension, and retention. And for the nerds in the crowd we’ll take a look at how the analytics dashboard helped managers identify knowledge gaps and slackers!

12:15 p.m. Networking Luncheon

1:00 p.m. Concurrent Sessions—Set A (Please choose one)

Concurrent Session A1
Designing for Security: Users Are Not the Weakest Link
Sonia Chiasson, Canada Research Chair in Human Oriented Computer Security, School of Computer Science, Carleton University

There is a prevailing belief that users are the weakest link in the security chain. In this session, Sonia Chiasson will discuss how this perspective is inherently counterproductive to achieving increased cyber security and explore alternatives with a higher chance of improving security. Dr. Chiasson’s research group explores how systems can be designed to better support secure behaviour. They design security applications based on both understanding of security threat models and human factors such as the capabilities, constraints, and expectations of users. They explore how underlying system and interaction design choices can lead to more secure systems by decreasing chances of misuse, errors, or exploitation of security mechanisms. The session will consider several examples and discuss strategies for designing improved security systems.
Concurrent Session A2
Having Trained, Now Test—How Well Prepared Are Your Employees for Even The Most Common of Hacking Attacks?
Daniela Crivianu-Gaita, Chief Information Officer, Gamma-Dynacare Medical Laboratories
Roger Hatch, Director, IT Security and Engineering, Bank of Canada

As a national health care services organization, Dynacare is responsible for some of its clients’ most personal and critical information. Security and privacy are therefore priorities for CIO Daniela Crivianu-Gaita, whose previous role as CIO at Toronto’s Hospital for Sick Children was similarly security focused. In this session, she will discuss Dynacare’s overall approach to security in a complex, information critical environment. Recognizing that people can sometimes be the weakest link, she will discuss the policies and procedures put in place to ensure heightened security. But ultimately policies and procedures can only achieve so much and so Daniela will share both Dynacare’s approach to training staff and how they test their employees through techniques such as fake phishing emails. The truth is that no matter how well educated your staff are, even the best training wears off over time. Daniela will discuss ways you can ensure you and your staff are vigilant.

Roger Hatch from The Bank of Canada will join Daniela to share his security experience in another highly sensitive environment. He will look at where people fit in with technology as you build and maintain your defences, the constraints of a people based defence, emerging threats and how to build resilience in your organization.

1:45 p.m. Travel to Concurrent Sessions

2:00 p.m. Concurrent Sessions—Set B (Please choose one)

Concurrent Session B1
The Need For New Leadership Approaches to Cybersecurity
Scott Tod, Deputy Chief of Police, North Bay Police Service

In this session Deputy Commissioner Scott Tod will share his thoughts on the new thinking that needs to occur in policing in order to be successful at creating a safer community from cyber crime. Leaders need to appreciate the digital world’s demands on different thinking to traditional responses and roles in police services. There is a need to differentiate social media from technology crime and realize that social media can function as a communication tool and an investigative tool. Scott will outline the need to leverage the two different aspects and use them in furthering cyber security and preventing cyber crime. The leaders need to rethink strategic alliances and what technology and behaviours promote victimization and criminality. This requires a change of mindset among leaders and a particularly increased understanding of risk. While Scott’s presentation specifically addresses the needs of the police service he has an important message for all organizations— cybersecurity should be a concern for those at the top.

Concurrent Session B2
The Legal and Practical Implications of Mobile, Distributed and Ubiquitous Connection
Lou Milrad, Lawyer and Advisor, Milrad Law

As computing moves from the desktop to the coffee shop and computers make up a shrinking proportion of an expanding universe of connected devices, organizations need to give careful consideration to the security implication of these two trends. Add social media and cloud computing into the mix and you are left with a radically different technology environment than just a few years ago.
Lou Milrad has long tackled these issues and recommends, as a first step, that organizations ensure their policies and procedures keep up with technological and cultural change. In this session he will discuss his 10 point checklist that goes beyond compliance to cover issues such as third-party agreements, the protection of personal information, education and strategy.

2:45 p.m. Refreshment Break

3:00 p.m. Plenary Session 5
Increasing Connectivity, Increasing Complexity, Increasing Vulnerability - How to Build Protection At the Speed of Business
Derek Manky, Global Security Strategist - Threat Researcher and Evangelist, Fortinet

The proliferation of connected devices characterizes the modern workplace. Smart phones are just the beginning; with an increasing number of devices being connected, the vulnerabilities in your systems increase exponentially. This situation poses a serious challenge to security professionals - how can you possibly keep up with all the new threats with a growing and more complex attack surface? Drawing on his work in threat research with Fortinet, Derek Manky will share some recent instances that demonstrate the kinds of vulnerabilities that are emerging and the ingenuity and persistence of hackers and others attempting to compromise your systems. He will discuss how you can better defend yourself and the critical role the human element plays in any cyber defence.

3:45 p.m. Plenary Session 6
Insider Threat: Employee Screening and Risk Analysis
Alan C Azar, Security Advisor, Canada Border Services Agency
Mario Vachon, Insider Threat and Security Risk Manager, Departmental Security Branch, Royal Canadian Mounted Police

This session will feature two discrete presentations followed by a Q&A. While each addresses the issue of insider threat, they focus on different stages in the life cycle. Alan Azar will share some of the CBSA’s work in screening out potential threats during the hiring process.
Mario Vachon will then look at both the behaviours that characterize insider threats and some of the risk factors you need to be aware of. While addressing the issue of cybersecurity, this session will consider this in the context of the broader risk that employees can pose in terms of their behaviour and the negative impact this can have on other employees and the organization.

4:30 p.m. Closing Remarks from the Chair
Dr. Satyamoorthy Kabilan, Director, National Security and Strategic Foresight, The Conference Board of Canada

4:45 p.m. Day 1 Adjourns

Agenda

DAY 2 / Thursday, February 11, 2016

AT A GLANCE
7:30 a.m. Continental Breakfast
8:00 a.m. Opening Remarks from the Chair
8:15 a.m. Plenary Session 7
9:00 a.m. Plenary Session 8
9:45 a.m. Networking Break
10:15 a.m. Plenary Session 9
11:00 a.m. Plenary Session 10
11:45 a.m. Closing Remarks from the Chair
12:00 p.m. Conference Adjourns

7:30 a.m. Continental Breakfast

8:00 a.m. Opening Remarks from the Chair
Dr. Satyamoorthy Kabilan, Director, National Security and Strategic Foresight, The Conference Board of Canada

8:15 a.m. Plenary Session 7
Castles Are For The Middle Ages—What Defenses Work for the 21st Century
Christian Leuprecht, Professor, Political Science, Royal Military College of Canada and Senior Fellow, MacDonald Laurier Institute

For most organizations secure computing today is modelled on ever higher, ever better layers of walls. This “castle” approach is as outmoded for cyber security today as it became for physical security centuries ago. This session will examine the three forces that have undermined the castle model as a practical security solution. First, organizations themselves tear down their walls and make their gateways more porous because it pays off in terms of better agility and responsiveness—they can do more, faster and better.
Second, technological developments increasingly destroy walls from the outside as computation becomes cheaper for attackers, and the implementation of virtual walls and gateways becomes more complex, leaving vulnerabilities to be exploited by the clever and unscrupulous. Third, changes in the way humans and technology interact, exemplified by the Millennial generation, blur and dissolve the concepts of inside and outside, so that distinctions become invisible, or even unwanted, and boundaries become annoyances to be circumvented.

A new approach to cyber security is needed: Organizations and individuals need to get used to operating in compromised environments. Christian Leuprecht will discuss how you can operationalize this strategy in terms of a paradigm shift away from a Castle Model and towards a more nuanced form of computation that you must assume to be potentially compromised.

9:00 a.m. Plenary Session 8
Building a Successful Audit Program to Keep Insider Threats at Bay
Bob Slocum, Director of Security Strategies, Raytheon|Websense

Insider threats encompass more than just the obvious data thief and are influenced by a combination of technical, behavioral, and organizational issues. 70 percent of U.S. survey respondents to a recent Ponemon study said that more security incidents are caused by unintentional mistakes rather than intentional and/or malicious acts. While your IT system can be a witness, victim or enabler, insider threat is more than a technology problem — policy, process, controls, risk management, auditing and monitoring all play critical roles in managing this invisible — yet very real vulnerability. Join Bob Slocum for this informative discussion on managing and mitigating insider threats within your organization.

9:45 a.m. Networking Break

10:15 a.m. Plenary Session 9
The Game is Rigged: Hackers Have An Ace Up Their Sleeve. Why Prevention Fails
Mark McArdle, Chief Technology Officer, eSentire Inc.

Businesses globally spend billions trying to secure their networks from breaches, yet hackers continue to win. If we don’t change our approach, this will only continue. This session will explain how a shift from prevention to detection is required in order to protect our networks from fast moving cyber criminals.

11:00 a.m. Plenary Session 10
A New Age of Risk and Cybersecurity—Emerging Threats and Mitigation Strategies
Ray Boisvert, President and Chief Executive Officer, I-Sec Integrated Strategies (ISECIS)

As former Assistant Director of the Canadian Security Intelligence Services (CSIS), Ray Boisvert is one of the country’s leading experts on cybersecurity—and he possesses unique and essential insights into what the future holds.

Ray will close the event with a must-hear analysis of the present and near-future of cybersecurity. He will focus on the need to build resilience in your people and systems so you can keep pace with a rapidly changing environment. He will draw on his CSIS experience to discuss operating in high-risk environments. He will share best practices in engaging all your employees in cybersecurity. You will leave with a heightened awareness of your changing environment and a clearer vision of the action necessary to address new and emerging threats and challenges.

11:45 a.m. Closing Remarks from the Chair
Dr. Satyamoorthy Kabilan, Director, National Security and Strategic Foresight, The Conference Board of Canada

12:00 p.m. Conference Adjourns

Registration

REGISTER NOW! www.conferenceboard.ca/conf • 1-800-267-0666 or 613-526-4249

Register now and save!

                                     Before Dec. 10, 2015   Before Jan. 10, 2016   After Jan. 10, 2016
Individual                           $1,655                 $1,755                 $1,855
Team of 2                            $2,895                 $3,070                 $3,245
Team of 4 (4th person comes free)    $4,965                 $5,265                 $5,565

Fees
Your registration in this event includes the sessions, continental breakfasts, breaks, luncheon, and a link to speaker presentations.

TO REGISTER
Online www.conferenceboard.ca/conf
Fax PDF form to 613-526-4857 • Phone 1-800-267-0666 or 613-526-4249

All registrations will be confirmed. Program subject to change. Events are HST exempt. Please see www.conferenceboard.ca/conf for our cancellation policy.

HOTEL AND CONFERENCE VENUE
Fairmont Château Laurier
1 Rideau St
Ottawa ON K1N 8S7
800-441-1414

Conference fees don’t include accommodations. Please contact the hotel directly for reservations, and mention The Conference Board of Canada to receive the preferred rate of $179, available until Jan. 9, 2016. Should you need to cancel your reservation, you must do so 72 hours prior to arrival to avoid penalty of one night room and tax.

SPECIAL OFFERS

4-for-the-price-of-3 team offer!
Visit www.conferenceboard.ca/conf or call 1-800-267-0666 to find out more.

Network Members save on registration!
Members of The Conference Board of Canada executive networks save 50% off registration for all upcoming conferences! For details, contact 613-526-3090 ext. 236 or [email protected].

Earn Directors College Continuing Professional Development (CPD) Hours!
Conference Board of Canada conferences contribute to Continuing Professional Development (CPD) hours for Directors College, Chartered Directors. For more information on CPD requirements and criteria visit www.thedirectorscollege.com.

The Conference Board’s Privacy Policy
By registering for this event, you are giving us consent to use information you provided to help us inform you about additional Conference Board products and services. To view our Privacy Policy, visit www.conferenceboard.ca/privacy_policy.htm.
If you wish to withdraw your consent to our use of your information, contact us at [email protected] or 1-866-711-2262.

Registration Form
Cyber Security 2016
FEBRUARY 10–11, 2016 • OTTAWA

Group rates are available—See www.conferenceboard.ca/conf for details.

■ YES! Please register the following delegate for this event
Name / Title / Organization / Tel. / E-mail / Fax / Mailing Address / City / Province / Postal Code

Fees
■ Conference: $1,655 before Dec. 10, 2015; $1,755 before Jan. 10, 2016; $1,855 after Jan. 10, 2016

Please confirm attendance at event functions:
Day 1 Networking Luncheon ■
Concurrent Sessions—Set A: (please choose one) A1 ■ A2 ■
Concurrent Sessions—Set B: (please choose one) B1 ■ B2 ■

Payment method: (all fees are due by the event date)
■ Credit card (we will e-mail you a link to our secure system for payment)
■ Cheque (payable to “The Conference Board of Canada”)
The Conference Board of Canada—255 Smyth Road, Ottawa ON K1H 8M7

E-mail this form to: [email protected], or fax to: 613-526-4857

Sponsors
We’d like to thank our generous sponsors for their contribution to this event.
EXHIBITORS
MARKETING PARTNERS
SPECIAL CONTRIBUTOR

Connect with your top prospects!
Sponsor this event, and collaborate with senior executives, practitioners, and thought leaders. Connect your brand with the solutions, and position your organization as a leader in its field. To learn more about sponsor benefits, contact Rhonda Bradbury at 416-481-1904 or [email protected].

Insights. Understanding. Impact.
255 Smyth Road, Ottawa ON K1H 8M7 Canada
Tel. 613-526-3280 Fax 613-526-4857 Inquiries 1-866-711-2262
conferenceboard.ca