Name: "Security as code" for automated development pipelines
Start: 2020-06-12T08:30:00Z
End: 2020-06-12T08:30:44.000Z
Location: BrightTALK
Rating: 4.3

Go in depth into CSA's latest research on everything from IoT to containers to blockchain. Webcasts will break down the research, provide use cases, instructions for implementation, and further insights.

Traditional authentication methods are, at times, proving inadequate against modern, sophisticated attacks. As financial service industry continues to accelerate cloud adoption, how do CISOs and other security professionals navigate the increasingly complex set of threats and regulatory requirements?

How do you maintain the integrity of your authentication practices?

This talk explores how FIDO Alliance's passwordless authentication vision addresses the security challenges facing financial services, while simultaneously meeting DORA, PCI DSS v4.0, and PSD2 expectations. 

The conversation will examine how financial services leaders can integrate FIDO protocols to build resilient, compliant, and user-friendly authentication systems for their cloud and other environments.  As well as strategy to prepare for the next wave of emerging threats.

Beyond Passwords: FIDO's Authentication Vision for Financial Services in the Cloud Era

As financial institutions accelerate their cloud adoption, the stakes for security, compliance, and operational resilience have never been higher. The newly established ANSI X9.125 Cloud Management and Security standard provides the financial sector with its first comprehensive framework specifically designed to address the unique challenges of cloud computing in highly regulated environments.

Join our panel of industry experts as they break down the most critical elements of X9.125 and translate complex regulatory guidance into actionable strategies. This interactive session will address the ten highest-impact areas that financial institutions must master to achieve secure, compliant, and successful cloud operations.

Key topics include:
• Understanding the financial sector's unique cloud security requirements and how X9.125 addresses them
• Operationalizing the shared responsibility model and crafting bulletproof Cloud Service Agreements
• Implementing robust risk management programs tailored for cloud environments
• Mastering encryption, key management, and cryptographic controls in the cloud
• Navigating privacy compliance and cross-border data protection challenges
• Building comprehensive monitoring, incident response, and disaster recovery capabilities
• Avoiding common migration pitfalls with proactive planning and X9.125 best practices

Whether you're just beginning your cloud journey or looking to enhance existing cloud operations, this webinar will equip you with practical insights, real-world examples, and expert recommendations to confidently navigate the intersection of cloud technology and financial services regulation.

Securing Financial Services in the Cloud: Essential Guidance from ANSI X9.125

The 2025 Verizon Data Breach Investigations Report (DBIR) offers a detailed view of the threat landscape facing the financial and insurance industries. With 74% of breaches tied to System Intrusion, Social Engineering, and Basic Web Application Attacks—and 90% financially motivated—attackers are doubling down on high-reward, low-resistance targets.

In this FinCloud Friday webinar, Troy Leach, Chief Strategy Officer at CSA, and Christopher Novak, Vice President of Global Cybersecurity Solutions at Verizon Business, will unpack the report’s most critical findings and connect them to emerging cloud and AI threat dynamics. The discussion will explore:
• External Threat Dominance: What the 78% of breaches involving external actors reveal about modern attacker tactics—and how defenders can better allocate security resources.
• Cloud Misconfigurations & IAM Failures: How common mistakes continue to drive cloud breaches, with lessons learned from incidents like Snowflake and insights from CSA’s latest Cloud Threat Report.
• AI as an Attack Force Multiplier: How adversaries are weaponizing AI to enhance phishing and automation, and what financial institutions must do to stay ahead.
• Systemic Risk & Third-Party Exposure: From SolarWinds to CrowdStrike, what cascading breach effects teach us about dependency and supply chain security.
• Strategic Outlook for 2026: DBIR-aligned priorities for improving resilience, visibility, and governance across hybrid and multi-cloud financial ecosystems.

Join us to decode what the DBIR 2025 trends mean for your organization’s cloud defense, risk management, and compliance posture and learn how to operationalize these insights into proactive strategies for the year ahead.

What Verizon’s 2025 DBIR Reveals About the Future of Financial Sector Cyber Risk

The Cloud Security Alliance recently released the first independent benchmark study of AI agents in the SOC. With 148 analysts across two investigation scenarios, the study delivered hard evidence on how AI makes analysts faster, more accurate, and more consistent.

Hear from CSA CEO Jim Reavis, former Robinhood CISO Caleb Sima, and Dropzone AI CEO Edward Wu as they unpack the results for SOC leaders deciding how to adopt AI today.

What you’ll learn:

• What the data really shows about AI-augmented analysts’ performance in accuracy, speed, and consistency
• Where AI delivers the most value in the SOC today, from Tier 1 triage to Tier 2 investigations
• How analysts felt about AI after hands-on use—and why 94% said their opinion of AI improved
• What SOC leaders should do next to turn research insights into operational advantage

AI in the SOC: Expert Perspectives on the CSA Benchmark Study

Fifteen years ago, John Kindervag introduced Zero Trust to transform cybersecurity. Initially met with skepticism, Zero Trust is now more crucial than ever as attackers breach perimeters and move laterally through networks. Traditional security approaches are insufficient, prompting governments and enterprises globally to prioritize Zero Trust.

In this session, John Kindervag—Zero Trust founder and leading cybersecurity expert—will address the biggest obstacles delaying Zero Trust adoption and how organizations can overcome them. Drawing on decades of experience advising government and industry, John will trace Zero Trust's journey from inception to today, sharing real-world implementation examples—both successes and failures. He'll dispel common myths and highlight traps organizations must avoid.

This isn't theoretical—it's about providing tangible, actionable steps for implementing Zero Trust and overcoming business, technical, and cultural barriers. John has spent 15 years transforming Zero Trust from concept to movement, and now wants to equip others with knowledge to advance their Zero Trust strategy.

Aimed at security practitioners and business decision makers interested in implementing Zero Trust or already on the journey, attendees will gain a clear understanding of best practice methodologies, key pitfalls to avoid, and how to cultivate the right culture and organizational support to ensure successful Zero Trust initiatives that achieve anticipated resilience and economic outcomes.

10 lessons from 15 years of Zero Trust

The explosion of data across cloud platforms and the rise of AI aren't just reshaping businesses - they're rewriting the rules of data security. Legacy tools weren't built for this scale, speed, or complexity, and today's security teams face a new reality: the perimeter is gone, and what matters now is where the data is and who or what can access it. In this webinar, through real life scenarios we'll explore what happens when that access is compromised and how your organization should respond. From there, we'll walk through a modern approach to data security that's purpose-built for the challenges of AI and the cloud era.
You'll get a first look at the full data security lifecycle, the essential components of modern DSPM, and how it all connects to responsible AI adoption. Whether you're building a program from scratch or scaling your existing capabilities, this session will give you the insights and tools to move forward with confidence.

Hear from the authors of Modern DSPM for Dummies, Pete Chronis, Retired EVP & CISO of Paramount, Jason Clark, Chief Strategy Officer of Cyera, and Scott Solomon, Director of Product Marketing at Cyera to learn more about:
● Challenges in an AI centric world: Scenarios exposing the outcomes of exposed data and how you can prevent vulnerable data from getting exposed in an AI-centric data ecosystem.
● Core pillars of modern DSPM: Agentless deployment, data visibility, intelligent classification, guided remediation and rich ecosystem integrations, built for multi-cloud scale and real-time AI enablement
● Super-charging AI initiatives: How DSPM supplies clean, labelled, policy-aware datasets to LLMs and copilots while automatically redacting or quarantining high-sensitivity data before it ever hits a model

DSPM for Dummies: Achieving Data Security Success in the AI Era

Artificial intelligence systems pose a particular challenge with respect to cybersecurity, owing to their greatly expanded “attack surface” - i.e., the number of all possible attack vectors where a threat actor can access and extract or compromise data. Not surprisingly, with a greatly expanded attack surface comes greatly expanded legal exposure. In this presentation, which is designed specifically for current and aspiring corporate directors and CISOs, a panel of AI/InfoSec attorneys will examine the new cybersecurity mandates stemming from U.S. and multinational Al laws and the needed responses.

Objectives include:
• Providing actionable information, task lists, and discussion points that existing and aspiring directors can immediately take into the board room;
• Offering CISOs an understanding of current AI laws and their legal implications, such as OMB M-25-21 and the EU Artificial Intelligence Act, and
• Obtaining critical insights from leading on-point publications and frameworks from OWASP, ISO/IEC, and NIST.

What Directors and CISOs Need to Know About Cybersecurity Mandates for AI Systems

Financial service organizations today face a maze of third-party and regulatory risks as they look to modernize their offerings, oversee their provider partnerships, and keep pace with emerging risks. The expanding technology footprint creates a much greater scope for compliance activities while the number of regulatory activities continues to rise.

Is there an easier, more efficient and effective way to improve governance, risk management and compliance, increase transparency and achieve objectives at scale?

This session will discuss the impact of new legislation such as DORA, NIS2, CRA, and other emerging standards and explore strategies for harmonizing compliance efforts without duplicating work.

The session will also discuss the recently revealed Compliance Automation Revolution (CAR) initiative whose mission is to establish industry standards, best practices and architectures for compliance automation, real-time evidence collection to improve visibility, harmonizing regulatory framework, fostering continuous assurance and driving risk quantification.

Revolutionizing Compliance and Third-Party Governance

As businesses increasingly rely on cloud-based services to power their operations, the complexities of cross-border data transfers and data localization requirements have become a major concern — especially for multinational organizations. This webcast will explore the evolving regulatory landscape, security challenges, and privacy risks companies must address when handling data across jurisdictions. Join Illena Armstrong, President at Cloud Security Alliance as she sits down with Peter Kosmala, Course Developer & Instructor at York University as they discuss:
• Regulatory complexities: Understanding evolving global data privacy laws (e.g., GDPR, CCPA, China’s PIPL, India’s DPDP Act) and their impact on cross-border data flows.
• Data localization mandates: How country-specific regulations force businesses to rethink their data storage and transfer strategies.
• Cloud security risks: The challenges of ensuring data integrity, compliance, and access control when using globally distributed cloud infrastructure.
• Mitigating cyber threats: Best practices for securing sensitive data in transit and at rest, protecting against breaches, and ensuring third-party vendors meet security standards.
• Operational and business implications: The balance between regulatory compliance, operational efficiency, and the cost of implementing localized data storage strategies.

Attendees will gain valuable insights into how businesses can navigate these challenges while maintaining security, privacy, and compliance across multiple jurisdictions. This deep dive into the future of cross-border data management and the strategies organizations need to mitigate risk in an increasingly complex regulatory environment will be of interest to everyone.

Data in Transit: Cross-Border Challenges for Security and Privacy

Dive into a full year of SOC data to identify trends in infrastructure targets, malware, schemes, and more to uncover strategies for improving your security resilience in the coming year. We’ll cover:
• Security data specific to the FinServ industry, including specific threats to be aware of and remediation tactics
• Comparisons of trends in FinServ versus cybersecurity customers as a whole
• Recommendations for keeping your FinServ organization secure

Analyzing Annual SOC Data to Inform Your 2025 FinServ Security Strategies

The CSA Enterprise Authority to Operate (EATO) Framework is an assessment, remediation, consultancy, and certification framework. It targets Anything-as-a-Service (XaaS) providers and their entire underlying supply chain who are catering to customers in highly regulated industries processing sensitive data. EATO controls are based on CCMv4, with augmented controls to reflect tight regulatory requirements, and the certification plugs into the CSA STAR Framework as a Level 2 “premium” version. EATO will follow a subscription based model with shared funding of one single cycle (Audit – Findings – Remediation under independent guidance – Re-Audit – Trusted Certification) conducted by CSA certified partners, instead of duplicative assessments by each individual corporate customer.

The CSA Enterprise Authority to Operate (EATO) Framework

As organizations realize security and operational benefits of protecting users with zero trust principles, they are also achieving value for extended environments like office branches, factories, data centers, and clouds. This session will demonstrate how they adopt and operationalize these locations by extending their zero trust architecture to branch offices, cloud workloads, and OT/IoT devices.

Extend Zero Trust to your Branch, Factories and Cloud Environments

With the emergence of AI agents transforming how organizations operate, securing the AI infrastructure itself becomes increasingly central to security leaders. How much of traditional security strategies like shift left and zero trust can be applied to AI security? As organizations integrate AI deeper into their operations, they must determine which established practices remain effective and where new approaches are needed. 

Join Caleb Sima, Chair of the Cloud Security Alliance AI Safety Initiative, and Sysdig's CISO Sergej Epp as they explore the frontlines of AI security. They'll discuss practical strategies for securing and hardening AI workloads, responding to incidents and threats and reflects some misconceptions of AI Security. Sergej will also reveal the pivotal insights that led him from Palo Alto Networks to champion a runtime-first approach to cloud security.

Assume Breach: Securing AI Workloads & Investigating Breaches

Business continuity is top of mind in 2025. With AI-fueled cyberattacks at an all-time high, geopolitical instability in the news, and an ever-growing number of regulations to deal with, organizations are looking for solid foundations on which to build their operations.

In this webinar we will peel back the layers of operational resilience and explore practical ways in to help organizations:
• Remain compliant to regulations covering business continuity
• Protect their brand and reputation in an always-on world
• Look in detail at how to keep its mission critical services online
• Adopt fully managed business continuity cloud solutions

You should expect to come away from this webinar confident in your ability to stay compliant and operational, even during the most trying of circumstances.

Managed Business Continuity Cloud Solutions

Ever wonder what security leaders across industries are focusing on in the GRC space? What are their top priorities, and how should they shape yours?

Join Vanta’s GRC Subject Matter Expert, Faisal Khan, and Daniele Catteddu, CSA's Chief Technology Officer, for a deep dive on building and scaling GRC programs. They will share their take on the role of trust, AI, and automation in strengthening your foundation and preparing for what’s next.

What to expect:
Point of view on top of mind issues for GRC leaders
Role of trust management in scaling GRC 
Where to prioritize AI and automation in GRC

Scaling GRC with Trust, AI, and Automation

Dive into a full year of SOC data to identify trends in infrastructure targets, malware, schemes, and more to uncover strategies for improving your security resilience in the coming year. We’ll cover:
• Security data specific to the FinServ industry, including specific threats to be aware of and remediation tactics
• Comparisons of trends in FinServ versus cybersecurity customers as a whole
• Recommendations for keeping your FinServ organization secure

Artificial Intelligence (AI) is revolutionizing IT systems, rapidly becoming essential for organizations of all sizes. AI risks differ by industry, organization, country, business problem, and complexity. Managing these risks is crucial for user and data security. Join Charles Cresson Wood, author of Internal Policies for Artificial Intelligence Risk Management, and Illena Armstrong, President of Cloud Security Alliance, for a discussion on AI, the need for new risk management approaches, and the possible establishment of a Chief Artificial Intelligence Risk Officer (CAIRO) role in organizations using AI.

Evolving Your Risk Management Strategy Due to Advances in Artificial Intelligence

With AI dominating security conversations, it’s easy to get lost in the hype. What’s real today, and what’s still just a promise for the future?

Join Jesse Booth, Sr. Director of Security Operations at GoTo, Rex Guo, CEO of Culminate, and John DiMaria, Chief of Staff of Cloud Security Alliance, for a 60-minute webcast where they’ll cut through the noise and share how GoTo is successfully leveraging AI in its SOC right now—delivering measurable security and operational improvements right now—delivering measurable security and operational improvements.

5 Real AI-Powered Use Cases in GoTo’s SOC—What’s Working Today

Serverless platforms enable developers to develop and deploy faster, allowing an easy way to move to Cloud native services without having to manage infrastructure - including container clusters or virtual machines. This presentation covers security for the serverless applications, focusing on best practices and recommendations for security professionals. We will also talk briefly of the need for CICD and to help secure serverless workloads.
As part of the presentation we will also talk of the evolution of serverless and what we think the future of serverless security holds.

Serverless Security in 2020 and what is the future for Serverless

Ten years after the formation of the Cloud Security Alliance, cloud computing is a proven and globally accepted enterprise delivery and operational technology model. According to a January 2019 IDC report, the spending on Cloud IT infrastructure may have reached a tipping point in the third quarter of 2018 by surpassing traditional IT revenues with slightly more than a 50% market share.  
Looking at the European market, on one hand cloud computing appears not to have achieved maturity and expressed its full potential, yet on the other we see several new emerging and converging trends (Industrial IoT, Blockchain and AI). This session will address emerging technology trends and the risk and opportunities in the aftermath of the COVID 19 pandemic.

Emerging Trends Impacting the European Union

This session hosted by the CSA EMEA Privacy Center of Excellence will address accountability under GDPR and how Codes of Conduct and certifications are being leveraged by organizations to drive transparency, compliance, and trust.

Panel Discussion: GDPR with the CSA Center of Excellence

GDPR Fundamentals & CSA Code of Conduct: Objectives, Scope and Methodology.

Introduction to the Code of Conduct

Join Chris Hertz, VP, and Jeremy Snyder, Sr. Director, DivvyCloud by Rapid7 to learn how to achieve full lifecycle cloud security. They will discuss how cloud security challenges manifest in DevOps and how cloud security and developer misalignment creates friction and makes security a four-letter word.  Additionally, they will provide guidance on how to integrate cloud security into DevOps with pipelines and Infrastructure as Code to improve developer productivity and cloud security.

Oh $*!%: Security Doesn’t Have to Be a Four-Letter Word for Developers

Alexandra will share insights on the multi-level work of the European Banking Federation (EBF) to facilitate the adoption of cloud computing in the European banking sector. The EBF supports the efforts of European institutions and agencies to promote security for cloud usage, contributing the banking industry's input in shaping processes and standards. Emphasis is attributed on the need for a future-proof risk-based approach, alleviation of fragmentation and establishment of a common security level.

European Banking Federation on Cloud

An effective governance, risk and compliance program should enable all stakeholders across business units to break down traditionally siloed risk areas and replace them with a connected, holistic view of risk that spans their organization and relationships. However, the data sprawl and scope of GRC initiatives can make this seem like a daunting or unattainable task. When reviewing today's roles, responsibilities and technology across today’s data driven landscape, there are three key aspects that set the foundation for establishing an insightful GRC program. In this session, we’ll review modern day GRC-drivers as well as the challenges of operating in the age of digital enterprises. We’ll breakdown practical applications and lessons learned in building a risk-based culture, proactively monitoring compliance, and mapping digital enterprises for GRC success. 
−Define business outcomes to own risk within each line of business and encourage support across leadership 
−Understand how to harmonize regulatory obligations and business objectives to effectively balance compliance and risk 
−Learn how to eliminate overlap across systems to work together and add greater business value to every layer of an organization.

Establishing a Modern Foundation for Advanced Insight

Cloud Computing is entering a mature phase from both the market share and technical evolution standpoint. However, one area that could achieve better results is security and privacy governance. Modernizing the risk management approach, improving the organizational accountability program and streamlining compliance are to be considered key goals for companies that want to optimize their cloud investments and reduce the likelihood of security and privacy incidents.
Two of the foundational pieces for this optimization process are compliance with solid standards and a skilled and knowledgeable workforce.
In this session Daniele Catteddu, Global CTO at CSA, will moderate a panel of key experts on cloud auditing, risks management and governance from the Financial Services sector and Accademia.

Panel: Risk Management and Governance

This talk will look at the Cybersecurity Certification Framework under the EU Cybersecurity Act (2019), give an overview of the new European cybersecurity certification schemes under development and offer an outlook on the implementation and use of such schemes for 2021 and beyond.

Cybersecurity Certification Framework under the EU Cybersecurity Act

In 2019, the Cybersecurity Act became law in Europe, establishing a European Certification Framework. In November 2019, the European Commission tasked ENISA with designing a candidate scheme for cloud services. This work is currently underway. This presentation will first describe the Cybersecurity Act's Certification Framework, and then provide a high-level status on the ongoing work on the scheme for cloud services.

Toward a European Certification Scheme for Cloud Services

Certifications or attestations championed through the CSA STAR program, ISO/IEC, or AICPA, have been a critical driver in the adoption of cloud service across the globe. However, for some cloud customers insensitive or highly-regulated industries such as banking or healthcare, these certifications or attestations are not sufficient because they do not provide a continuous level of assurance as they rely on annual or bi-annual audits only.
To address the concerns of this segment of the industry, the Cloud Security Alliance (CSA) is building a continuous auditing framework designed to assure customers on a monthly, daily, or even hourly basis. This framework can be applied either to self-assessments or third-party certifications.

Continuous Audit-based Certification

Cloud Security Alliance’s Virtual EU Summit

How to avoid letting supply chain attack compromise your most sensitive machines.
 Supply-chain attacks affecting software development when a malicious code is introduced into legitimate software through supply chain poisoning is an effective tool for cybercriminals. It has been used many times in the wild, successful attacks generating hundreds of thousands of downloads leading to successful pipeline compromise and backdoored software distribution. Such attacks tend to target the most sensitive production environments and are enabled and augmented by sub-par security practices and miscommunication between DevOps and InfoSec. The results are long-lasting, impacting the company image, relations and often bottom line. Let’s discuss how DevOps can introduce on-demand security to their CI/CD pipelines without hindering their KPIs.

"Security as code" for automated development pipelines

Cloud

Cloud computing has exploded over the past few years, delivering a previously unimagined level of workplace mobility and flexibility. The cloud computing community on BrightTALK is made up of thousands of engaged professionals learning from the latest cloud computing research and resources. Join the community to expand your cloud computing knowledge and have your questions answered in live sessions with industry experts and vendor representatives.

Cloud Computing

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

"Security as code" for automated development pipelines

Presented by

About this talk

CSA Research