
2021 Fall GRITSS - Aug 31 & Sep 1 - All Day Sessions

Day 2 - September 01 Sessions will be online only

Where: In person (Frontier RTP - Building 800) and online (Webex links will be sent to registrants and are listed below)
Registration: Website
Cost: Free
CPEs: Up to 8 / day
Handouts: Will be uploaded when available

Information will be updated as it becomes available.

Day 1 - August 31, 2021

Webex Registration Link: https://isacartc.webex.com/isacartc/j.php?RGID=r68c74207f162599bdce126840030d7a5

Session I - 0815 - 1130

Topic: Developers [and Many Others] Dislike Security: Ten Frustrations and Resolutions

Developers dislike security and won't tell you to your face. Developers think differently than security people, and everyone says developers need to become security people in a new DevSecOps world. Developers make all meaningful security decisions, and many times, they are doing it without us.

Why do developers dislike security? How can security meet developers where they are in a collaborative approach? Devs dislike security because security doesn't understand them, and often tries to force a process and toolset that is not optimized. Developers will not express their feelings and will instead be indifferent towards security, and in extreme cases, detrimental to security's success.

The talk begins with the concept of developer empathy, explaining what it is and how security can tap into it. Developer empathy is walking a mile in a developer's shoes. Next is the uncovering of the ten main frustrations that cause developers to dislike security. After presenting the problem, we'll transition into a positive case for how security teams can practice developer empathy, understand what makes developers tick, and meet them where they are, versus treating security as the answer for every question. We'll answer each of the frustrations with a collaborative and culture focused solution.

While this talk focuses on developers, the presenter will discuss the parallels between security in general, and how these frustrations that developers have are also frustrations other people have with security.

Speaker: Chris Romeo, CISSP, CSSLP, Security Journey

Chris Romeo is CEO and co-founder of Security Journey and is a builder of security culture influencing education. His passion is to bring security culture change to all organizations, large and small, by providing gamified security programs. Chris is a highly rated industry speaker and trainer, featured at RSA Conference, OWASP Global AppSec, and ISC2 Security Congress. Chris was the Chief Security Advocate at Cisco for five years, empowering engineers to shift security left in all products, and led Cisco’s security belt program (Cisco Security Ninja). Chris has twenty-three years of security experience, holding positions across the gamut, including application security, security engineering, and incident response. Chris holds the CISSP and CSSLP certifications. For more information, see https://www.linkedin.com/in/securityjourney/

Session II  - 1300 - 1630

Topic: Cloud Computing Security & Audit


Seminar Highlights

This session will focus on the audit and security issues related to Cloud Computing environments.

Key Learning Objectives

  • Understand Cloud architectures and security & control components
  • Understand Cloud Service Models
  • Understand key risk and control issues with the different Cloud deployment models

Topics to be covered include:

  • Cloud Computing Concepts
  • Overview of Cloud architectures
  • NIST Cloud Definitions
  • Cloud Migration
  • Third Party / Fourth Party Risk Management
  • SOC 2 Reports and other certifications, e.g. ISO 27001 / 27017

Cloud Service Models

  • Example Cloud Service Models
  • Serverless Computing (FaaS)

Cloud Deployment Models

  • Example Deployments

Cloud Security and Control

  • Understanding Shared Responsibility Models
  • Key Risk Issues
  • Key Security Concerns
  • Control Requirements with focus on CSA’s Cloud Controls Matrix and key mappings
  • NIST; ENISA; Cloud Security Alliance Security and Audit Resources

Audit Tools & Techniques

  • Sources for Example Audit Programs


Speaker: John Tannahill, CA, CISM, CGEIT, CRISC, CSX-P

John is an independent Information Security and Audit Services Consultant. His current consulting work areas are focused on information security in large information systems environments and networks, requiring detailed knowledge of the major operating systems encountered. Particular areas of technical security expertise include:

  • Cybersecurity Assessment
  • Windows Server
  • Linux
  • Database Security
  • Network Security


John is a frequent speaker in Canada, USA, Europe, Africa and Asia on the subject of Information Security. He is a member of the Institute of Chartered Accountants of Scotland.

Day 2 - September 01, 2021

Webex Registration Link: https://isacartc.webex.com/isacartc/j.php?RGID=rda4e3f734423367964641bf76a537478

Session I - All Day - 0815 - 1630

Topic: Encryption from the Roots to Outer Space

Morning Session
The roots of deception: Crypto, fighting crapto and on to TLS 1.3
  • The history of Encryption, The Byzantine forward...
  • How to do it properly: Symmetric, Asymmetric, Hybrid with a huge side of Hash
  • How not to do it: Hash browned with the heat death of the universe vs. easy guessing

Afternoon Session
Lava Lamps, Volcano Lips, Hanging on to the edge for the future of Crypto
  • From TLS to Quantum
  • How to do Quantum Key Distribution
  • Cytological fear of Quantum Computing

Speaker: Craig Cunningham

He is an award-winning cyber security consultant, instructor and researcher who is an "Expert Generalist" with 30+ years' experience in IT. As head of Nomad Security he maintains twenty active certifications focused on IT Security including C|CISO, CISSP-ISSAP/ISSMP, CCSP, HCISPP, SSCP, A+, Network+, Cloud+, CCSK, & CASP, allowing him to teach a broad array of courses. Craig has a very technical background supporting hybrid environments, including being a Manager of Desktop Services for a Fortune 500 company. His love of teaching along with experience in management and operations allow him to teach in a pragmatic way for a wide array of audiences.

He has been recognized for his work in vulnerability scanning and security patching across the US & UK for a multi-billion dollar global pharmaceutical company. He graduated Magna Cum Laude with a B.S. in Business Administration with a Finance concentration. This computer and financial background helps him advise clients to make informed and pragmatic risk decisions. He also has experience supporting global supply chains including ICS systems for manufacturing in the US, Malaysia and China.

Craig has delivered 6000+ hours of cyber security classes for ISC2, Training Camp and Firebrand, including teaching CCSP for ISC2 at their national Security Congress in 2017 & 2018. He has taught CISSP and related courses for six years across the US, UK and Singapore. He is a regular speaker at cyber security conferences including ISSA Cyber Warrior Con, ISC2 Security Congress, BSidesLV, UNC Chapel Hill. He also taught over 200 hours of Artificial Intelligence & Python for Duke University TIP @ Georgia Tech. Craig works to keep up with our ever-changing IT landscape, including being a member of the Quantum-Safe Security Working Group as part of the Cloud Security Alliance (CSA). His expertise encompasses a robust understanding of encryption with continuous study on influential topics in computer science such as privacy, machine learning and cloud computing. He is active in ISSA, ISC2 and OWASP to increase and share this knowledge.

Here is a quote from a previous student about Craig:

“Craig was my teacher at a CISSP Bootcamp. He is very knowledgeable, being able to explain in detail each domain of the CBK, but also relating the content to real life stories and graphic examples in order to facilitate and increase the student level of understanding. He is a very good teacher and I recommend him for anyone that wants to learn about Information Security to be in one of his classes.”

Diogo de Bulhões / https://www.linkedin.com/in/secnomad