Skip to main content

Northwestern Pritzker School of Law
375 E. Chicago Ave. (Corner of Lake Shore Drive) Chicago IL 60611

Directions & Nearby

Event Description

The FTC’s fourth “Start With Security” event was held on Wednesday, June 15, 2016, in Chicago, Illinois, and was co-sponsored by Northwestern Pritzker School of Law.

During this one-day event, the FTC brought together experts who will provide businesses with practical tips and strategies for implementing effective data security. FTC Commissioner Maureen Ohlhausen provided opening remarks. 

The event was free and open to the public. Lunch was provided by Northwestern Pritzker School of Law.


    8:30 am Doors Open

    9:30 am

    Todd Kossow
    Acting Regional Director
    Midwest Region, Federal Trade Commission

    James B. Speta
    Senior Associate Dean for Academic Affairs and International Initiatives
    Northwestern Pritzker School of Law

    Opening Remarks
    Maureen Ohlhausen
    Federal Trade Commission

    10:00 am

    Panel 1: Building a Security Culture
    Building a security culture is essential for any business that wants to reduce its security risks. This panel will explore how businesses can prioritize security within their corporate cultures and why it is important to do so. Topics will include organizational buy-in for security, risk analyses, threat modeling, and employee training.


    • Cora Han
      Division of Privacy and Identity Protection
      Federal Trade Commission


    • Aaron Bedra
      Chief Security Officer

    • John Downey
      Security Lead
    • Arlan McMillan
      Chief Information Security Officer
      United Airlines
    • Marc Varner
      Corporate Vice President and Global Chief Information Security Officer
      McDonald’s Corp.
    11:00 am Break
    11:15 am

    Panel 2: Integrating Security into the Development Pipeline
    Integrating security into the development pipeline can save businesses time and money. This panel will discuss secure coding practices, how security testing can be automated, and strategies for acting upon test results.


    • Jim Trilling
      Division of Privacy and Identity Protection
      Federal Trade Commission


    • Michael Allen
      Chief Information Security Officer
    • Matt Konda
      Founder and Chief Executive Officer, Jemurai
      Chair, OWASP Global Board of Directors

    • Alex Lock
      Senior Software Engineer, Application Security
    • Lyle Sudin
      Mandiant Consulting Services

    12:15 pm Lunch Break
    1:15 pm Panel 3: Considering Security When Working with Third Parties
    Service providers and vendors can have a big effect on any business’s security. This panel will address risk management strategies when working with external parties, such as cloud service providers, code developers, and other vendors.


    • Steve Wernikoff
      Office of Technology Research and Investigation, and Midwest Region
      Federal Trade Commission


    • Erin Jacobs
      Founding Partner
      Urbane Security

    • Jeff Jarmoc
      Lead Product Security Engineer

    • Nathan Leong
      Corporate Counsel
    • Jon Oberheide
      Co-Founder and Chief Technology Officer
      Duo Security

    2:15 pm Break
    2:30 pm

    Panel 4: Recognizing and Addressing Network Security Challenges
    Security professionals have observed that diverse businesses are affected by similar network security issues. This panel will discuss common network security challenges and strategies for addressing them.


    • Andrea Arias
      Division of Privacy and Identity Protection
      Federal Trade Commission


    • Jibran Ilyas
      Director, Incident Reponse
      Stroz Friedberg 
    • Nicholas Percoco
      Chief Information Security Officer
    • Sunil Sekhri
      Director, Forensic Technology Solutions

    3:30 pm

    Concluding Remarks


  • Panel 1:  Building a Security Culture

    Aaron Bedra is Chief Security Officer at Eligible, where he works to protect sensitive healthcare information. He is the creator of Repsheet, an open source threat intelligence framework. He has spoken around the world on software, security, and leadership, and he is the co-author of Programming Clojure, 2nd Edition.

    John Downey is the Security Lead at Braintree, a company that provides development tools and support to help businesses accept payments online. He has worked on Braintree’s highly available infrastructure and integrations into the banking system. In his free time, he contributes to open source projects and mentors high school students in the FIRST Robotics Competition.

    Arlan McMillan is the Chief Information Security Officer and HIPAA Security Officer for United Airlines. He has over 20 years of experience in information technology and security. Prior to joining United, he was the CISO and HIPAA Security Officer for the City of Chicago, and he previously led global teams delivering security services to Fortune 500 companies in roles such as the head of Symantec’s MSSP Global Analysis group and Global Head of Information Security Operations for ABN AMRO, LaSalle Bank. He is the current FBI-InfraGard Chicago Area Transportation Security Chief and was recognized as the 2014 “CISO of the Year” by the members of the ISSA, AITP, and FBI-InfraGard chapters.

    Marc Varner is Corporate Vice President and Global Chief Information Security Officer for McDonald’s Corporation. In this role, he has responsibility for the protection of the company’s information assets, as well as the strategy and implementation of all identity and access management systems for the worldwide organization. He has more than 20 years of experience in the technical, operational, and program management aspects of information security, privacy, and architecture. Prior to his current position, he led security and architecture functions in the professional services industry at Deloitte Global, and Navigant Consulting, as well as in the financial services sector with Discover Financial/Morgan Stanley. He also worked at Arthur Andersen, where he directed the development of the firm’s information security program in the EMEIA region.

    Panel 2:  Integrating Security into the Development Pipeline

    Michael Allen is the Chief Information Security Officer for Morningstar. He is responsible for setting enterprise security strategy, software and product security, and disaster recovery. Recently, his efforts have focused on rugged DevOps, the cloud, and integrating security methodologies into the software development lifecycle. He has more than 15 years of experience in information technology for the finance, banking, start-up, education, and telecommunications sectors. He holds the Certified Information Systems Security Professional (CISSP) designation and is part of the leadership team for the Chicago OWASP Chapter.

    Matt Konda is the Founder and Chief Executive Officer of Jemurai and Chair of the OWASP Global Board of Directors. He is experienced building application security programs and delivering secure development training, application penetration testing, secure code review, security unit tests, and automation to inject security into the software development lifecycle. He is the project leader for the OWASP Pipeline project, which seeks to be the glue that ties security tools into the development process. At Jemurai, he is bringing together security pros and developers to solve security challenges in positive, fun, and creative new ways.

    Alex Lock is a Senior Software Engineer on the Application Security team at Groupon. There, he is spearheading the efforts to inject static code analysis into the development lifecycle. He is the creator and primary author of Codeburner, and the co-author of OWASP Pipeline, both of which are open source tools developed to help aggregate and triage static analysis results as part of a continuous integration process. Prior to joining the security team at Groupon, he led the company’s production systems engineering group. Before joining Groupon, he worked as a Systems Architect and Engineer at companies including Orbitz, Wireless Generation, and Earthlink/Mindspring.

    Lyle Sudin is a Manager in the Mandiant Consulting Services division of FireEye. He has more than 15 years of experience in cybersecurity, working for Mandiant, HERE (formerly Nokia/NAVTEQ), and BBN Technologies. He recently joined Mandiant, where he focuses on strategic security consulting, security program buildout, and incident response. At HERE, he ran over 100 application security project reviews, built a program to include security into the software development lifecycle, and helped to achieve ISO 27001 certification. He spent 12 years at BBN, culminating in running his own cybersecurity R&D projects as a Principal Investigator.

    Panel 3:  Considering Security When Working with Third Parties

    Erin Jacobs is a Founding Partner at Urbane Security, a vendor-agnostic information security services firm focused on providing innovative defense, sophisticated offense, and refined compliance services. As a former CIO and CSO, she brings more than 15 years of consulting and c-level management experience to managing Urbane’s compliance and strategic advisory delivery teams. She and her teams work with all levels of client organizations to implement solutions for securely driving their businesses forward. She has presented at Black Hat, SOURCE Boston, Cloud Expo, SOURCE Barcelona, and several Security BSides events. She is passionate about fostering collaboration between the CSOs and practitioners that oversee day-to-day security challenges and the security research community.

    Jeff Jarmoc is a Lead Product Security Engineer at Salesforce. In this role, he works to ensure that the security and privacy of customer information is maintained throughout Salesforce’s cloud platform. Previously, he worked with Matasano Security (now NCC Group) as a Senior Application Security Consultant, and as a Security Researcher at Dell SecureWorks. He has contributed to several open source security tools. He has presented his original research at several security industry conferences, including Black Hat Europe, Black Hat USA, DEFCON, DerbyCon, 44CON, THOTCON, and others.

    Nathan Leong is Corporate Counsel at Microsoft, where he is a trusted advisor in complex cloud computing deals with Fortune 100 global companies and serves as Privacy Subject Matter Co-Lead for North America. He regularly speaks, writes, and advises on global privacy, data protection, information security, cross-border data transfer, healthcare and financial privacy, and export issues in the cloud. He also provides front-line legal support for Microsoft’s multibillion dollar 18-state, U.S. Central Region. He is a national committee chair for the National Asian Pacific American Bar Association, and he co-chairs the Corporate Counsel Committee of CABA-Chicago.

    Jon Oberheide is the Co-Founder and Chief Technology Officer of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, he was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, he enjoyed offensive security research and generally hacking the planet. He was recently named to the Forbes “30 under 30” list for his mobile security hijinks.

    Panel 4:  Recognizing and Addressing Network Security Challenges

    Jibran Ilyas is a Director on Stroz Friedberg’s Incident Response Team. He serves as one of the firm’s investigative leads for high-profile data breaches and leverages the experience in the field to the benefit of organizations seeking proactive security services. He has investigated large breaches in the financial, technology, and retail sectors. As a thought leader, he has presented on the topics of computer forensics and cybercrime at several global security conferences, including DEFCON, Black Hat USA, THOTCON, Microsoft Digital Crimes Conference, and SOURCE Barcelona. He is also an Adjunct Lecturer at Northwestern University, teaching its first-ever Digital Forensics and Incident Response course.

    Nick Percoco is the Chief Information Security Officer at Uptake. Previously, he served as the Vice President at Rapid7, a publicly held security data analytics company. He co-founded the “I am The Cavalry” movement, a highly regarded grassroots hacker organization that is focused on issues where computer security intersects public safety and human life, and he founded SpiderLabs, the ethical hacking test lab that contributed to Trustwave’s growth. He created THOTCON, a growing annual Chicago hacking conference. He has served as a media spokesperson on CNN, Fox News, CNET, and Forbes.

    Sunil Sekhri is a Director in PwC’s Forensic Technology Solutions practice in Chicago, supporting local and global clients in matters addressing internal corporate investigations, accounting fraud, IP theft, data breaches, global Ponzi schemes, and regulatory response. He brings over 16 years of specialized expertise in computer forensics and information security, applying a strong understanding of information technology as it relates to computer forensics, eDiscovery, IT audit, risk management, incident response, cybercrime, and network security. He has led investigations and managed a variety of technical security engagements, including security architecture reviews, security baseline standards development, server configuration reviews, vulnerability assessments, and incident response cases. He holds several certifications, including the EnCase Certified Examiner (EnCE), Certified Computer Examiner (CCE), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), and GIAC Certified Forensic Analyst (GCFA).


FTC Privacy Policy

Under the Freedom of Information Act (“FOIA”) or other laws, we may be required to disclose to outside organizations the information you provide when you pre-register for events that require registration. The Commission will consider all timely and responsive public comments, whether filed in paper or electronic form, and as a matter of discretion, we make every effort to remove home contact information for individuals from the public comments before posting them on the FTC website.

The FTC Act and other laws we administer permit the collection of your pre-registration contact information and the comments you file to consider and use in this proceeding as appropriate. For additional information, including routine uses permitted by the Privacy Act, see the Commission’s Privacy Act system for public records and comprehensive privacy policy.

This event will be open to the public and may be photographed, videotaped, webcast, or otherwise recorded.  By participating in this event, you are agreeing that your image — and anything you say or submit — may be posted indefinitely at or on one of the Commission's publicly available social media sites.