Public Speaking

I've had the distinct good fortune to speak at a number of security events throughout the US and Canada. I've also provided security training in Singapore and Mexico City, but those presentations are not public, and thus I cannot share the presentation materials.

  • ISSA International Conference 2012, ISC2 Security Congress 2012, and Rocky Mountain Information Security Conference (RMISC) 2012
    • Title: "Cloud Control: Assurance in a Massively Scalable World"
    • Description: "Ubiquitous access to data and applications is here. No longer are our resources confined to enterprise networks and data centers of our own making. Rather, applications and platforms are now available on-demand, anywhere, anytime, to virtually anybody. Moreover, these environments can scale on demand, automating what has traditionally required expertise in system design and capacity planning. Assuring security in this environment poses new and evolving challenges. While they may resemble the same obstacles we've been managing for decades, they are increasingly more difficult to address. Now, more than ever, companies need to extend their governance, risk, and compliance initiatives to take cloud-related strategies and initiatives into account to proactively protect their data and their bottom line."
  • NESCO Town Hall: Security Risk Management Practices for Electric Utilities, May 2012
    • Panel: "What Risks Are We Trying to Manage?"
    • Description: "Jackie Stewart, former British racing driver and team owner from Scotland, once said "There is no doubt that Formula 1 has the best risk management of any sport and any industry in the world."  This is because Formula 1, as an industry, has spent many years researching its risk portfolio. They know exactly what to measure, have determined their risk tolerance level as an industry and have established a mature practice of measuring risk as part of their business model. The electric sector does this well on the operations side with many risk assessment practices being utilized on a daily basis. But what about security risks? What are we doing about those risks? This discussion session will explore the security risks that we should be managing to help enable the high level of reliability we expect of the power grid."
  • Secure360 2012
    • Title: "Back to Basics: Pragmatic Risk Management For the 99%"
    • Description: "If you've spent any time investigating how to build or mature a risk management program, then you've likely had at least one moment where your eyes have crossed and you've thought "who would ever do this?" Much of the current literature comes to us from the financial services sector, but very little of it seems to translate well to other industries; especially not to the more than 99% of U.S. employer firms who qualify as small businesses. This situation begs the question: Just what can and should organizations be doing? This presentation will demonstrate how to make pragmatic use of risk analysis in any business and discuss how to scale risk management practices while still having a positive impact."
  • RSA Conference USA 2012
    • Panel - LAW-301 "Hot Topics in Information Security Law 2012"
    • Description: "The legal risk and regulatory environment for information security is in a state of constant flux. New regulations, lawsuits and compliance obligations arise on a regular basis. This panel, put on by the American Bar Association's Information Security Committee provides up-to-the-minute reporting on key infosec legal developments and provides insight into where the law is going in the future."

    • STAR-304 "Legal & Ethical Considerations of Offensive Cyber-Operations?"
    • Presenters: David Willson and Ben Tomhave
    • Description: "Certainly nations have the right and in some cases obligation to use cyberspace tools in an offensive manner to defend themselves. What about businesses, do they also have this right? This session will explore the legal and ethical issues surrounding the use of offensive cyberspace by both nations and corporations."
  • RSA Conference USA 2011
    • Panel - GRC-201 "Reasonably Foreseeable, Legally Defensible" (Preview Podcast)
    • Moderator: Benjamin Tomhave - Panelists: Rafal Los, Dave Navetta, Dan Houser, Serge Jorgensen
    • Description: "The legal defensibility doctrine provides a sound risk management strategy that converges business, legal, and information security interests. However, part of that doctrine hinges on what is reasonably foreseeable. This panel will bring together business, security, and legal experts to discuss how to best tackle challenges to legal defensibility based on reasonable foreseeability."
    • LAW-403 "Ethical Considerations Involving the Use of Force in Cyberspace" (Preview Podcast)
    • Presenters: Benjamin Tomhave and David Willson
    • Description: "Unclassified discussions of offensive activities in cyberspace have begun to occur, though the ethics remain murky. Greater open dialogue must occur about the policy implications and practical realities around the "use of force" and acts of war in cyberspace. This session will look at the ethical issues that arise in these areas and stimulate debate about how such techniques should be used."
  • Secure360 2011, Rocky Mountain Information Security Conference (RMISC) 2011, Security B-Sides Austin (2011), Security B-Sides Ottawa (2010), OWASP AppSec DC 2010
    • "The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform"
    • Description: "What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision-making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success."
  • ISSA International Conference 2010 - "Legally Defensible, Proactively Protected" with David Navetta
  • RSA Conference USA 2010
    • Panel - LAW-401 "Digital Forensics vs. Security & Encryption"
    • Moderator: Serge Jorgensen - Panelists: Joseph Burton, Hoyt Kesterson, Robert Thibadeau, Benjamin Tomhave
  • Cyber Information Security Conference (CIScon) 2009
    • "It's About Time" - A talk on the importance of time synchronization and the pitfalls of NTP.
    • "Total Enterprise Assurance" - A full-day training session based on the upcoming release of version 2 of the TEAM Model, blends Survivability with Assurance Management. It provides a roadmap for flexibly structuring the assurance management program while achieving the goals of defensibility and recoverability.
    • "Practical Key Management" - A half-day session on managing cryptographic key materials, including a look at different vendors and use models available today.
  • CSI Annual 2008, Data Security Summit - "Information Classification (Ugh!)"
  • RootFest 2000, Minneapolis, MN (a defunct conference) - "Holistic Security: A Discussion of Risk Analysis & Strategic Initiatives"

My Other Pages

Support Me



Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10