Tuesday, June 11, 2019 from 8:00 AM to 5:00 PM EDT
Add to Calendar 


Sheraton Framingham & Conference Center 
1657 Worcester Rd
Framingham, MA 01701

Driving Directions 


ISACA New England Events Team 
ISACA New England 

ISACA New England 2019 Annual General Meeting & IT Audit, Security and GRC Conference


Save the date - Tuesday, June 11th, 2019 and register using the early bird discounts for the best volunteer run conference on IT Audit, Security and GRC.

We expect to sell out. Plan to register early to reserve your spot. Press the "Register Now" button above to reach the page with the conference registration fees.

Recommend Topics and Speakers:  https://goo.gl/forms/filfzP7y3J75SMcb2

Help us select the topics for the conference by voting in the survey we will issue in January. 

Potential Speakers: 

 Speakers and topics recommended by December 11th: 


Brian Contos, CISO & VP Technology Innovation, Verodin Hackers, Hooligans, Heists, & History From 19th century mechanical computers to telephones, radios, digital computers, and the Internet, acts of sabotage, fraud, theft, and other nefarious undertakings have been conducted with low risk, minimal hurdles, and high reward. This presentation will explore an abridged history of hackers, hooligans, and heists. Brian is a seasoned executive with over two decades of experience in the security industry, board advisor, entrepreneur and author. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents. He has authored several security books, his latest with the former Deputy Director of the NSA, spoken at leading security events globally, and frequently appears in the news. He was recently featured in a cyberwar documentary alongside General Michael Hayden (former Director NSA and CIA).
Thomas Sanglier, Senior Director-Internal Audit, Raytheon Company Disruptive Technologies Technology disruptors are of increasing interest by oversight committees, with new technologies emerging more often and at a faster pace than ever before. From Internet of Things to Blockchain, these technologies are rapidly impacting business models as well as governance, risks and controls. These rapid changes in technologies create new opportunities for Internal Audit to provide insight and foresight to stakeholders. Join us for a discussion on two emerging technologies, Robotic Process Automation and Artificial Intelligence, where we will discuss what these technologies are, potential impacts to organizations, related risks, and potential opportunities for Internal Audit to leverage these same tools in our audit toolset. Thomas Sanglier is a Senior Director of Internal Audit for Raytheon Company. Tom joined Raytheon in December 2010 from Ernst & Young LLP (EY), where he was a Partner in their Advisory Services practice. Tom is a member of the Institute of Internal Auditors Global and North American Boards. He is also a member of the IIA’s Guidance Development Committee, which develops and issues professional. guidance to the internal audit profession. Tom is a frequent speaker at internal audit related conferences His book “Auditing and Disruptive Technologies” was published in April 2018.
Chris Wetmore, Partner, RSM US LLP and Matt Healy, Director, RSM US LLP Auditing RPA Introduction for Robotic Process Automation
a. Where it applies
b. Digital Workforce
Audit review around your digital workforce
a. Security needed for RPA
Case studies/real world examples
As RSM Partner, Chris focuses on IT optimization and assessments, business process re-engineering, software selection and business intelligence and corporate performance management implementations. He also has significant experience guiding organizations through major restructuring and acquisition initiatives that have operational, financial and technology impacts.

Matthew Healy has extensive knowledge in the areas of Sarbanes-Oxley (SOX) 404, Statement on Standards for Attestation Engagements No. 16 (SSAE 16), and both internal and external audit methodologies. .
Mardiros Merdinian, Sr. Information Security Officer, mardik@gmail.com How can Risk Professionals Use MITRE ATT&CK Matrix? MITRE ATT&CK Matrix provides invaluable adversary TTP (Tactics, Techniques, Procedures) information to security operations teams in the trenches. This talk describes how ATT&CK can be used outside of SecOps in business by technology risk professionals. Mardiros Merdinian works as an Information Security Officer at State Street Corporation. In his role, he manages information security risks for business. He is also in the faculty of M.S. in Cybersecurity program at Northeastern University teaching a number of courses. Besides security, privacy, and risk management, Mardiros is passionate about leadership, strategy, learning, innovation, and entrepreneurship.
Fouad Khalil, VP Head of Compliance, SecurityScorecard Point-in-time compliance does not cut it anymore!! Periodic assessments or point-in-time compliance does not provide adequate assurances that control environments are effective and efficient. Continuous monitoring and auditing are critical to ensuring effective Confidentiality, Integrity and Availability of our systems and applications. At SecurityScorecard, Fouad is responsible for internal and external compliance programs, auditor education, alignment with industry best practices and global sales support. Fouad has extensive experience in the technology space and brings more than 25 years of experience spanning disciplines in software development, IT support, program and project management and, most recently, IT security and compliance management. He holds a bachelor's degree in electrical and computer engineering from Marquette University and CISA and ITIL Foundations certifications.
Ciske van Oosten, Senior Manager Global Intelligence Division at the Security Assurance Consulting practice of Verizon The Top Nine Factors for Effective Data Protection Controls Ciske will provide data driven insights on how to develop sustainable control environment and design and maintain effective security controls. Ciske is the Lead Author of the Verizon Payment Security Report, and a well-known Speaker on compliance performance management.
He champions a radical rethink of data protection to cultivate effective security control by addressing the root cause of data compromises. He challenges, informs and entertains his audiences on many keys issues of data protection, which stimulate out-of-the-box thinking to help organizations generate new strategies on data protection and compliance.
Ciske holds a master's in information security from the University of Liverpool, an honors degree in computer auditing and various industry qualifications.
W. Jackson Schultz, Lead Information Security Analyst, Corporate Risk Management, Discover Financial Services Managing Third-Party Risk on the First Try: Painting the Whole Picture Third-parties are critical to the survival of all businesses, but, are there cases when a third-party’s risk outweighs its value? During this session, Jackson will discuss a number of strategies to evaluate, examine, and report on vendor risk. He will dive into what questions to ask, and what metrics can be used to support their case when presenting an opinion to the business. Jackson is a Lead Information Security Analyst under Corporate Risk Management with Discover Financial Services. His role includes reporting on information security key risk indicators (KRIs), performing and managing vendor risk assessments, and contributions and membership to a number of information security and vendor-risk related steering and governance committees. Jackson has been a regular speaker at various industry-related events and gatherings, including events by ISACA, The Warren Group’s Bank Summit, the NEACH Payments Conference, the Cloud Security Alliance (CSA) Boston Chapter, and the ASIS New England Security Expo. He has been quoted as an expert in numerous publications including bankinfosecurity.com, Sophos Naked Security, and CIOReview.
Jason Clinton, CISA Wolf & Company, P.C. Third Party Assurance Reports - What to look for now As more and more types of third party assurance reports are issued, the vendor management landscape continues to become more complicated. The discussion will assess the different types of Assurance reports now available and what your organization should be reviewing. In particular, we will discuss SOC reports, HITRUST, ISO, PCI, Etc...

Adam R Cravedi, CISSP, CISA
Director of Business Operations
Compass IT Compliance
Business Resilience While Business Resilience incorporates many Business Continuity concepts, the idea behind it is not only returning to operation quickly after a security incident, but returning to normal operation as quickly as possible. Adam Cravedi brings over 26 years of experience in Information Technology for the Financial, Higher Education and Healthcare industries. He has implemented a number of WAN/LAN infrastructure, Information Systems architecture, VMware, Storage, Security, Compliance, Business Continuity and Disaster Recovery projects. Adam is also experienced in PCI ASV scanning and Internal/External Vulnerability and Penetration testing, PCI, IT and Information risk and security audits and development of in-depth Information Security Programs.
Tracy Hall, MBCP
Senior Manager
Wolf & Company, P.C.
BCP/IRP Testing - What your BCP/IRP test should look like The discussion will be centered around best practices in both BCP and Incident Response testing to make sure plans will be effective during a crisis. As one of the leading business continuity (BC) planning experts in the country, Tracy assists her clients in areas of BC planning including: audit and assessment, business impact analysis, development and maintenance, training and awareness, and simulation exercises. She is a popular speaker at seminars and trade shows, both regionally and nationally, and has authored articles on pertinent topics related to business continuity planning.
TBD CIS Top 20 - Best Practices for implementation More and more organizations continue to focus on the CIS Top 20 Critical Controls to act as their desired framework for protecting their organization. The discussion will include best practices to comply with the framework and enhance the information security program.
George Wrenn, CEO & Founder CyberSaint Security, MIT Cybersecurity Research Affiliate Implementing the NIST Cybersecurity Framework, a risk-based approach to compliance Implementing the NIST CSF while also addressing compliance requirements is a tough ask for many organizations. George draws from his time doing the same as CSO of Schneider Electric, and leading curriculums he created for MIT's Executive Education Program in cybersecurity. George will provide actionable strategies for security leaders to draw from in order to adopt the NIST CSF and measure their programs, their compliance posture, and easily report success in a language that all stakeholders can understand and get behind. George Wrenn is a Research Affiliate in Management Science at the MIT Sloan School of Management, the founder & CEO of CyberSaint Security, and was formerly the Vice President of Cybersecurity (CSO) for Schneider Electric. He has more than 20 years of experience in the field of cyber security.
Prior to the present role, George was as a senior managing consultant with IBM helping cross-industry Fortune 1000 customers reach compliance to NIST, FISMA, ISO/IEC, HIPAA, PCI, NERC/CIP, and other key regulatory frameworks, developing cyber security strategy, roadmaps, and global cyber security programs.
Jeff Livingstone, VP Life Sciences and Healthcare, Unisys The Emerging Need for Heightened Cybersecurity in Healthcare - Current industry attempts to secure patients, processes, and provisions, from highly focesed cybersecurity threats. The healthcare industry and healthcare information systems (HIT) represent the most prolific area and highest growth rate of cybercrime. This presentation will cover the market forces behind these statistics, along with suggested improvements in security postures and position, to combat these trends.
Dorina Hamzo, VP, Chief Audit and Risk Officer, athenahealth Revive the risk practice: Case study According to the “2018 The State of Risk Oversight” survey results published by AICPA in March 2018, only twenty-two percent of respondents describe their risk management program as “mature” or “robust” and most struggle to integrate risk management program with strategy. Those are troubling facts considering that the practice of risk management is not a new concept in the United States. In this session, I will explore how a fast-paced, high-growth and highly-regulated organization deployed an ERM program, processes, and technology solution to address those challenges.
Laura Milewski, Director Commercial Sales, Security Engineered Machinery Securing Classified and Unclassified Data through Destruction Your data and your data in the data center is an important part of security in the enterprise. Today's business decision makers are setting security compliance for destruction, the challenge daily becomes who is responsible for the final life of the data drive and how does this activation comply with the business decision. Decommissioning is well understood, destroying is the challenge whether at the NSA level or unclassified levels.
This session explores the path of data to end-of-life.
SEM is a 51 year old privately held company in Westborough, MA. Laura has over two decades of large account technology business development experience with targeted expertise in consultative sales. Laura focuses on solving the client’s business problem through a mutually beneficial solution, and is passionate about driving global business aligned to client strategy. Driving value and building relationships are core to her success. Laura's focus at SEM is with the top 10 IaaS technology companies.
Jack Jones, Co-Founder & Chief Risk Scientist, RiskLens Why Should We Take Risk Measurement Seriously? In this interactive session, Jack will share the root causes that limit our effectiveness at measuring risk, as well as the simple changes we can make to improve dramatically. He will also discuss the common cultural and other challenges organizations face in adopting better practices, and provide guidance on how to overcome those obstacles. Jack leads the way in developing effective and pragmatic ways to manage and quantify information risk as Chairman of the FAIR Institute and co-founder and Chief Risk Scientist at RiskLens.

He received numerous recognitions for his work as CISO with Nationwide Insurance, Huntington Bank and CBC Innovis. Prior to that, his career included assignments in the military, government intelligence, consulting, as well as the financial and insurance industries. Jack is the author of FAIR, the only standard quantitative model for cybersecurity and operational risk. A sought-after thought leader, he recently published the award-winning book 'Measuring and Managing Information Risk: A FAIR Approach' and is a regular speaker at industry conferences.
Alain Marcuse, Director, RSM US LLP The Third Wave: How emerging US and global privacy regulations will affect your company – and its audits Emerging data privacy regulations globally constitute a “third wave” of corporate risk that most companies don’t realize yet. Companies are now no longer just concerned with protecting their own crown jewels, within and beyond their corporate perimeter. They now have the obligation to protect the personal data of individuals they connect with in any way, including employees, prospects, vendors, and customers. While the GDPR certainly generated headlines, it is by no means unique any longer – California, Brazil, Vietnam, and others have passed similar legislation. Companies will need to take a hard look at their data protection governance programs, and Boards and Audit Committees are starting to ask hard questions in this area. In this session, we will cover the latest updates to the emerging global trends in data privacy regulation, their impact on US company governance and audit, and provide practical guidance on the road ahead for data protection. Alain serves as national lead for Data Privacy consulting services, supporting client teams with a wide range of compliance program matters for GDPR, CCPA, and other privacy regulations. He has led large-scale engagements to design and develop the security programs for some of the country’s largest corporations, developing cost-effective security program road maps that demonstrably improve the organization’s maturity.
Bryan Cassidy, CISA, CISSP, CFE, CIPP-US Wolf & Company, P.C. Privacy Refresh - The GDPR Affect This discussion will review the potential impact of GDPR in the US and how companies can prepare now for potential changes in privacy regulations.
Deidre Diamond, Founder and CEO, CyberSN and Brainbabe Acquiring and Retaining Talent A career development plan based on standardized projects and tasks, along with a culture that allows for psychological safety, will allow you to acquire and retain talent. When we combine daily processes of business operations derived from a subject-matter common language in which all teammates know their role and the roles of others on the team, with a culture that allows humans to think, feel and perceive without negative consequences, we can experience workforce development in any subject-matter profession. Deidre Diamond is the Founder/CEO of national cyber security staffing, research and technology company CyberSN (cybersn.com), the Founder of #brainbabe (brainbabe.org) and an ICMCP Strategic Board Member. Deidre was previously the CEO of Percussion Software, the first VP of Sales at Rapid7 (NYSE:RPD) and the VP of Sales at Motion Recruitment.
Deidre Diamond, Founder and CEO, CyberSN and Brainbabe, dd@cybersn.com Boston Cybersecurity Salaries and Compensation, What You Should Know To acquire talent an organization must have the correct salary budgets. The #1 reason why companies struggle to hire cyber talent is that they do not generate competitive compensation packages. Let’s discuss: current cybersecurity salary trends in the Boston area, what comp plans get accepted, how much bonuses and stock options matter, how the Equal Pay Act effects this conversation. Deidre Diamond is the Founder/CEO of national cyber security staffing, research and technology company CyberSN (cybersn.com), the Founder of #brainbabe (brainbabe.org) and an ICMCP Strategic Board Member. Deidre was previously the CEO of Percussion Software, the first VP of Sales at Rapid7 (NYSE:RPD) and the VP of Sales at Motion Recruitment.
CCSK, MBA, MSCIS, MSIA, Director of Internal IT Audit, Akamai Technologies
Women in InfoSec - Why the Shortage and What Can be Done to Fix It Abstract: Various ISC2 Global Workforce studies have documented the low participation of women. This study reported that only 11 percent of InfoSec professionals are women, an actual decrease when compared with a 2006 IDC survey that reported 13 %. This decline occurred despite an expansion of IA employment .The diversity issues go beyond just a scarcity of female practitioners because other minorities, are also underrepresented. One of them tries to explain why and potential solutions. Kerry has more than 21 years of experience in information security, audit and IT across a variety of industries. She is the author of The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture and numerous journal articles.
CCSK, MBA, MSCIS, MSIA, Director of Internal IT Audit, Akamai Technologies
This presentation explores a “prototype” for the next generation of Information Security professionals. It discusses the attributes these practitioners will need to manage the exponential changes in the technology, social, and business landscapes over the next decades. Kerry has more than 21 years of experience in information security, audit and IT across a variety of industries. She is the author of The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture and numerous journal articles.

Draft Agenda:

Registration/Breakfast (7:30 - 8:00)
Opening and Morning Keynote (8:00-9:30)

Session 1 (9:40-10:30)
Session 2 (10:40-11:30)

Lunch Keynote and AGM event

Session 3 (1:10-2:00)
Session 4 (2:10-3:00)

Closing Keynote (3:10-4:00)

Cocktail Hour and Raffle (4:00-5:30)

CPEs: 7 CPEs granted for attendance
Plan to pick up your CPE from the registration desk at the end of the conference 
As CPEs are granted for attendance, we will not respond for requests for lost or unclaimed CPE forms


Platinum Sponsor



Gold Sponsors









Silver Sponsor