Home Tuck Dartmouth Search Site Map Contact Us
Center for Digital Strategies I3P, Institute for Information Infrastructure Protection
Security through Information
Risk Management

A Workshop for Information Security Executives
October 5, 2007 - Hanover, NH

In this workshop, CISOs and directors of information security engaged in a moderated roundtable, panel discussions, and structured breakouts to explore how to protect against economically motivated attacks.

Workshop Proceedings
PDF (308K)

Press Release
PDF (50K)

PDF (32K)

List of Participants
PDF (37K)

Discussion Guide
PDF (109K)



As information security risks continue to evolve, many organizations are moving from a traditional security mindset to a risk management mindset. While shielding the organization from the latest worm or viruses may consume many security resources, the most serious threats to any business come from attackers with economic motivation.

Protecting against these economically-driven threats requires much more than technology—it requires building security into the culture so that everyone can recognize and evaluate the risks. Like total quality management, total security management means security at the source: every employee, manager, and executive.

On October 5, CISOs and directors of information security discussed how companies are managing their information security risk and building secure organizations. In this workshop, we explored such topics as (see the Workshop Proceedings for a complete summary):

  • Ranking the Threats: What are some of the largest threats in your business? How do you prioritize those threats? Do you have a process for discovering new threats and communicating those threats to the organization?
  • Communicating the Threats: How do you help the organization understand and recognize economically driven threats? How does the organization embed these risks into its overall risk management? How do you jointly educate and manage the threats within your supplier and partner organizations?
  • Preparing the Organization to Protect Itself: How do you prevent information leakage? Where are the largest sources and how do you address them? What would "security at the source" look like in your organization?
  • Measuring Progress: In these soft areas of security, how do you know if security initiatives and awareness are making a difference? How can you use metrics to justify investment?

The keynote speaker, Gregory Garcia, Assistant Secretary for Cyber Security and Telecommunications for the U.S. Department of Homeland Security, kicked off the workshop at a dinner on the evening of October 4.

The detailed workshop agenda was developed in collaboration with the executive advisory council and participants.

Workshop Panel Leaders (all will be participating)
   Geir Ramleth, Senior VP and CIO, Bechtel Group
   John Stewart, Vice President, Corporate Security Officer, Cisco Systems Inc.
   Phil Venables, Managing Director and CISO, Goldman Sachs

Workshop Executive Advisory Council (all will be participating)
   Christopher Dunning, Director of Enterprise Security, Staples Inc.
   Mauricio Guerra, Global Director of Information Security, Dow Chemical Co.
   Jack Matejka, Director of IT Security, Eaton Corp.
   John Stewart, Vice President, Corporate Security Officer, Cisco Systems Inc.

"Building the Security-to-Business Bridge" - ISTS Quarterly
Embedding Information Security Risk Management into the Extended Enterprise - An Executive Workshop
Embedding Information Security into the Organization, Security & Privacy Magazine, IEEE
I3P - The Institute for Information Infrastructure Protection
Center for Digital Strategies' Information Security Project