March 23, 2022

12:30 PM – 12:50 PM (PDT) Meet Your Fellow Leaders, Get Acquainted, visit Sponsors

Vulcan Room

12:50 PM – 1:00 PM (PDT) Welcome address, Richard Greenberg

1:00 PM – 1:05 PM (PDT) Welcome address, Diamond Sponsor

1:05 PM – 1:50 PM (PDT) Opening Keynote: “Strategic Ethical and Policy Implications for AI in Cyber Security”
Malcolm Harkins, Chief Security & Trust Officer, Epiphany Systems

1:50 PM – 2:05 PM (PDT) Special Update: Latest Cybersecurity Risks related to Russia
Haral Tsitsivas, Chief Security Officer, Layer 8 Masters

Romulan Room

1:00 PM – 5:30 PM (PDT) Test your Skills on the CMD + CTRL Cyber Range – Security Innovation

2:05 PM – 2:25 PM (PDT) Break, Visit Sponsors

Vulcan Room

2:25 PM – 3:10 PM (PDT) Board Level Presenting – Top of Mind Topics for InfoSec Leaders
“Laz”, President and Co-founder, Blue Lava

Klingon Room

2:25 PM – 3:10 PM (PDT) Supply-Chain Attacks – a preventative approach to attacks on software development
Rich Lindberg, Chief Information Security Officer, JAMS

3:10 PM – 3:25 PM (PDT) Break

Vulcan Room

3:25 PM – 4:10 PM (PDT) Cyber Security Leaders Cyber Risk Panel
Moderator: Richard Greenberg; Panelists: Jeffrey Schermerhorn, Doug Murray, John Kronick, Howard Miller

4:10 PM – 4:30 PM (PDT) Rightsizing controls to avoid deficiencies or abundance
Karina Klever, Founder, Klever Compliance

Klingon Room

3:25 PM – 4:10 PM (PDT) CMMC, DoD, and Supply Chains: A Primer
Howard Chen, Director of Education, NUCC Inc.

4:10 PM – 4:30 PM (PDT) Zero Trust and Microsegmentation – Easier Than You Think
Christer Swartz, Principal Technical Marketing Engineer, Illumio

4:30 PM – 4:45 PM (PDT) Break, Visit Sponsors

Vulcan Room

4:45 PM – 5:30 PM (PDT) Closing Keynote: Cybersecurity & Global Privacy Laws: Legal Implications & Crisis Avoidance
Adriana Sanford, J.D., dual LL.M., Award-Winning Global Threats Expert

Happy Hour

5:30 PM – 7:30 PM (PDT) Reception, Visit Sponsors, Raffle

Talk Descriptions:

Opening Keynote – Vulcan Room

1:05 PM – 1:50 PM (PDT)

“Strategic Ethical and Policy Implications for AI in Cyber Security”

Malcolm Harkins

All systems can cause unintentional harm, and artificial intelligence (AI) is no different. Security systems are no different, and AI used in the context of security is no different either. In fact, as more organizations leverage AI across every part of their business, Chief Security and Privacy Officers have the opportunity to step up and build the policies and standards that govern the development, deployment, and use of AI, ensuring it adheres to a basic set of ethical principles. These include respect for human autonomy, prevention of harm, and fairness. This is especially true when our stakeholders include more vulnerable groups such as children and people with disabilities.
This presentation is intended to drive a provocative discussion on the role the CSO/CISO has in understanding the key considerations around AI and policy, not only for the use of AI in cybersecurity but also for the risks and harm AI can cause, particularly to society. Key discussion points will include:

  • Privacy and data governance
  • Transparency
  • Nondiscrimination and fairness
  • Accountability
  • Responsibility & Code of Conduct

Talk – Vulcan Room

1:50 PM – 2:05 PM (PDT)

“Latest Cybersecurity Risks related to Russia”

Haral Tsitsivas

The Russian invasion of Ukraine has opened up a whole new spate of cyber attacks on Ukraine and its Western supporters. This session will discuss the various types of attacks, the actors perpetrating them, and what we can do in response.

Talk – Romulan Room

1:00 PM – 5:30 PM (PDT)

Test your Skills on the CMD + CTRL Cyber Range

Security Innovation

CMD+CTRL Cyber Ranges are intentionally vulnerable applications and websites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts. Hundreds of vulnerabilities, common to most business applications, lie waiting to be exploited.
For each vulnerability you find you’ll be awarded points (based on the level of difficulty) that will be charted on our live leaderboard. Top scorers get prizes, but all players have fun!

Talk – Vulcan Room

2:25 PM – 3:10 PM (PDT)

Board Level Presenting – Top of Mind Topics for InfoSec Leaders

Laz

3x CISO and Co-Founder of Blue Lava, Demetrios Lazarikos (Laz), will explore topics that are top of mind for security practitioners who are directly involved in measuring, optimizing, and communicating their security program.

Attendees will gain insight into best practices and building a strong program foundation in these changing times. This is a pragmatic discussion that is not to be missed.

This session will cover the following topics:

  1. Effectively communicating to your organization what a comprehensive security program is comprised of, and how you navigate managing it as the business changes.
  2. Targeting what you need to consider and assess in your program to support important business goals like digital transformation from on-prem to Cloud, IoT, and IoE.
  3. Skillfully partnering with, advising, and influencing senior leadership on how and why to invest in specific areas of your program, with the shared business goal of adapting to digital transformation.

Talk – Klingon Room

2:25 PM – 3:10 PM (PDT)

Supply-Chain Attacks – a preventative approach to attacks on software development

Rich Lindberg

The rise of ransomware gangs has been top of mind for most organizations. These attacks are more sophisticated and targeted than ever. The last year has seen targeted attacks on central distribution centers – our software vendors. Of note has been IT command and control software. This talk proposes a method for implementing controls against the supply-chain attack committed against organizations like SolarWinds, impacting countless customers and disrupting that organization’s regular business. The briefing covers a proposed model for integrity at various stages of Dev/Sec Ops.

Talk – Vulcan Room

3:25 PM – 4:10 PM (PDT)

Cyber Security Leaders Cyber Risk Panel

Moderator: Richard Greenberg; Panelists: Jeff Schermerhorn, Doug Murray, John Kronick, Howard Miller

Executive Management doesn’t always understand that the CISO’s main job function is really to assess and mitigate risk and ensure that the level of risk aligns with the organization’s risk appetite. We have to be better at explaining to our stakeholders that CISOs work with the business and with risk/compliance to identify and protect key assets based on risk. The C-Suite typically looks at compliance, whereas we look at risk. There is a gap in how to holistically approach risk in companies.

Renewals for Cyber insurance are increasing, prices are skyrocketing, and companies are coming under more scrutiny before insurance companies will provide coverage. You can transfer some of your risk, but not all of it! You need to do appropriate risk assessments and create and implement a good information security program.

Join an esteemed panel of veteran InfoSec Leaders and Cyber Insurance professionals as they delve into the risk issues confronting us as we strive to implement dynamic security programs. They will share war stories, steps to take, pitfalls, and you will leave with a better understanding of risk management to take back to your place of business. Protecting our critical data is not for the faint of heart. Get the help you need.

Talk – Klingon Room

3:25 PM – 4:10 PM (PDT)

CMMC, DoD, and Supply Chains: A Primer

Howard Chen

What if you had to secure the world’s most complex supply chain? With over 100,000 companies, the military supply chain presents a unique cybersecurity challenge. The Department of Defense recently introduced the CMMC, a new security framework for the defense industry. While we are familiar with standards like SOC2, PCI, and NIST CSF, by learning about the CMMC we have the opportunity to see how the government’s perspective on cybersecurity risk is changing, and how it may affect security governance for years to come.

In this talk, we will learn about the context and background of the CMMC, how it compares to pre-existing standards, and its potential impact on the security landscape down the road.

Talk – Vulcan Room

4:10 PM – 4:30 PM (PDT)

Rightsizing controls to avoid deficiencies or abundance

Karina Klever

This presentation encourages the viewer to be selective with the controls they choose to apply to their company and operations, and to right-size controls for their specific needs. Supporting background is provided detailing how regulatory and framework controls are designed to be broadly applicable across many industries, levels of maturity, and sizes of company. Combining frameworks and regulations produces a large and generalized set of controls; however, since controls are originally written in vague language, the output is likely riddled with redundancy and inapplicability. Trying to adopt all the controls from all the authorities that may influence a company is unreasonable in many ways and will likely cause unnecessary burden. Unfortunately, many companies go through the effort of attempting to adopt an overwhelming number of controls in their environment without right-sizing first.
After decades of advising companies that are implementing platforms, getting ready to be audited, or preparing for certifications, it’s clear that companies attempt to operationalize controls which don’t even apply to them. Some companies remove duplicative controls from the larger combined authority documents such as regulations or frameworks; however, deciding whether controls are specifically appropriate for your particular company must not be overlooked. Intercepting assumptions and reinforcing the need to “make controls your own” results in controls that are actually used as part of daily operations and that are approachable, adoptable, and purposeful when implemented company-wide.

Talk – Klingon Room

4:10 PM – 4:30 PM (PDT)

Zero Trust and Microsegmentation – Easier Than You Think

Christer Swartz

Zero Trust has got to be one of the most talked about themes in cyber security. While the term means different things to different people, there are two things that can be agreed on: it’s a journey worth taking, and microsegmentation is a key pillar of that journey. The next question is always: how do you get started? Regardless of the sophistication of ransomware, the end goal is always the same: get in through a vulnerability and move laterally through your network. Join this presentation as we help peel back the layers and provide you with simple steps to protect yourself from these threats, including:

  • Gaining visibility to where you are the most vulnerable
  • Closing risky ports
  • Leveraging tools you already have in place without adding layers of complexity

While the journey can seem intimidating, we’ll help you realize that it doesn’t take a team of 100 or a PhD to deploy zero trust microsegmentation that will protect your organization and keep ransomware at bay.

Closing Keynote – Vulcan Room

4:45 PM – 5:30 PM (PDT)

“Cybersecurity & Global Privacy Laws: Legal Implications & Crisis Avoidance”

Adriana Sanford

Security threats are expected to be more severe in 2022. Many companies, regardless of size or revenue, are surprised to learn that they must in fact comply with a new set of rules under an international data protection regulatory framework. Let us have a look at some of the top cybersecurity legal concerns of 2022 to ensure your company is compliant, in order to avoid hefty financial penalties and to help mitigate any liability.

Happy Hour

5:30 PM – 7:30 PM (PDT)