Name: Cyber Authors Ep.3: How to Do Application Security Right
Start: 2021-03-10T18:00:00Z
End: 2021-03-10T18:00:57.000Z
Location: BrightTALK
Rating: 5

Increasing expectations for good data governance, effective risk management and complex demands for legislative and regulatory compliance are presenting a growing challenge for organizations of all sizes. Tune in to live and recorded presentations by respected luminaries in the fields of governance, risk and compliance for insights on how to implement successful GRC strategies and processes for your organization.

Generally Accepted Privacy Principles (GAPP) was developed specifically to enable auditors to assess organizations’ attainment of their objectives for data privacy.  Not aligned with any specific laws or regulations, GAPP is built on ten basic principles that apply to all of them, supported by 73 auditable criteria. This session will illustrate how to use each of these criteria to identify specific artifacts that lead to comprehensive conclusions regarding compliance with internal and external requirements.

Learning objectives:
- What are the business benefits of privacy compliance?
- What are the risks of non-compliance?
- Establishing privacy baselines.
- Using GAPP to create a privacy compliant organization.

Applying Generally Accepted Privacy Principles to Assessing Compliance

The US data privacy laws in the US are shifting from a "harms-prevention-based" approach to a "rights-based approach exemplified by the European Union's General Data Protection Regulation (GDPR). Following California's lead, four other states, including Colorado, Connecticut, Utah, and Virginia, will begin enforcing new GDPR-inspired statutes in 2023. The shift in the philosophical framework will have profound implications for data privacy protection.

The US has historically allowed businesses and institutions to collect personal information without consent while regulating those uses to prevent or mitigate harm in specific sectors. The EU, on the other hand, has long pursued a rights-based regime for protecting personal information, which holds that data privacy is a fundamental human right. This has roots in Europe's history of suffering through the infamous data collection of the Nazis and the similar collection of data by the formerly communist East Germany's secret police. The GDPR, which became enforceable in 2018, codified several key principles reflecting the Europeans' human rights philosophy. The new laws will be applicable to specific industries and types of institutions and will impose restrictions on industries and institutions regarding their handling of personal information. More states are likely to follow the GDPR in the coming years.

This webinar entails to:
- Introduce the market drivers of the US privacy laws industry and their roles.
- Illustrate the shift in the philosophy underlying data privacy laws in the US.
- Comparison of the US "harms-prevention-based" approach vs the European Union's approach is more rights-based.
- Summary of the EU ‘s General Data Protection Regulation (GDPR), which became enforceable in 2018.
- Understanding how the principles reflected in the new data privacy framework will have profound implications in the years to come.

The New Era of Data Privacy Laws

The International Standards Organization’s ISO 27701 privacy information management standard is a framework that covers both security and privacy compliance aspects of various privacy regulations around the world. As a certified ISO 27701 Lead Auditor, Ralph Villanueva is more than happy to help the audience and their organizations resolve their data privacy risks and issues by pointing out how to use this very useful framework. 

Tune into this informative talk to learn the benefits of this new frameworks and how to make the best use of it. Even better, this framework will make enterprise-wide privacy compliance more cost effective across geographic locations, and add more value to the audience’s privacy work within the company as well.

How to Leverage ISO 27701 to Fulfill Data Privacy and Compliance Requirements

There is no shortage of privacy laws and regulations. We keep hearing that the latest privacy laws “will change everything”, but have they made a real difference? This session proposes an alternative approach. Privacy can be treated as an attribute of personally identifiable information and can be managed using data management techniques. Rather than building privacy programs on compliance with laws, it may be more productive to manage the data itself.  

Key takeaways include:
1.      Why and how data privacy has been managed in recent years.
2.      How the compliance-based approach to privacy has shaped organizational approaches to the issue.
3.      How data management principles can offer a different, and perhaps better, way for managing privacy.
4.      How a data management approach would alter organizational structures.

Have We Been Doing Data Privacy The Right Way?

Ransomware and other forms of malicious cyberattacks are a top threat to IT availability; and generally speaking, to ongoing business viability.  A key element to reducing business impact and downtime is having well thought out options, both IT and business led options for compromised data recovery that can be adapted and undertaken quickly to address the particulars of a successful ransomware attack.

Join us for this session that will shed some new insights on what it takes to reduce the risk of a failed data recovery effort. 
Key takeaways include: 
1. The IT and non-IT led approaches to data recovery (its far more than restoring from backups).
2. Determining what data is most worthy of advanced levels of protection and recoverability.
3. How to get the business community ready to do their part.

About the speaker:
John Beattie has been a Principal Consultant with 11:11 Systems for more than 15 years where he has consulted with organizations looking to reduce operational risk by establishing or transforming their operational resilience programs including, business continuity, disaster and data recovery, and crisis management programs. He currently leads 11:11 Systems’ cyber-compromised data recovery consulting team.  

Prior to joining 11:11 Systems,  John was the Global Director of Business Continuity for News Corporation. He also worked at Ernst & Young for more than 15 years where he worked closely with clients across many industries on a wide variety of strategic and tactical information technology and business process improvement engagements.

John has attained FBCI certification from the Business Continuity Institute and Certified Third-Party Risk Professional (CTPRP) from the Shared Assessments Program. He is an alumnus of the New Jersey Institute of Technology where he earned undergraduate degrees in Industrial Engineering and Applied Mathematics and a Masters degree in Computer and Information Science.

Compromised data risk management: It's everyone's business

Compliance and risk management on Wall Street is vitally important to the health of a well-functioning economy and its financial markets. Regulation across all sectors of Wall Street, from broker-dealers to registered investment advisor firms to hedge funds and other financial service firms, has become increasingly more robust and stringent over the past decades. 

This presentation will discuss practical ways that firms can improve their compliance and risk management strategies to mitigate the many risks to their clients and to the firms themselves that can arise from lax and ineffective compliance and risk management strategies. This presentation will be given by Dr. Paul Wendee, a 40-year veteran of Wall Street who has owned and/or managed several Wall Street firms (broker-dealers, investment banking firms, investment advisory firms, and hedge funds).

Here are some of the topics attendees can expect:
1. Why is compliance and risk management on Wall Street important?
2. Compliance and risk management for securities broker-dealers.
3. Compliance and risk management for registered investment advisors.
4. Compliance and risk management for investment banks.
5. Compliance and risk management for hedge funds.
6. Compliance and risk management for other financial service firms.
7. Some interesting examples of frauds that have been perpetrated on Wall Street.

Compliance and risk management on Wall Street

Financial systems must follow certain rules that may seem the same on the surface, but in practice have significant differences. Financial institutions are highly regulated entities, which are required to comply with various statutory regulations. Many of these compliance rules pertain to cybersecurity. One might assume that compliance with these rules will make a company secure. While compliance is necessary, that alone is rarely sufficient to guard against tomorrow’s security threats. Compliance are rules based on the past; effective cybersecurity must anticipate the future. 

Tune into this webinar from industry expert Jerald Murphy (Nemertes Consulting) will discuss actions organizations can take to overcome hurdles to ensure companies can be compliant, with maximum agility in dealing with the latest cybersecurity threats.

Overcoming security and compliance challenges in finance

In the digital business world, reliability of service and customer satisfaction are fundamental benchmarks for application success. Google’s Service Level Objectives (SLOs) are a way of setting measurable goals around customer satisfaction and reliability to determine the level of service quality an application provides.  

Within the financial services sector, while reliability and customer experience are important, in the face of continued regulatory reform, application teams are also responsible for ensuring that all regulatory requirements and processes are being followed. SLOs can be used to directly implement these requirements, e.g., Payment Service Directive 2 (PSD2), with the necessary KPIs and automated alerts. 

In this session, Xue Liu (Reliability Lead in Deutsche Bank’s Private Bank Center of Expertise,) shares tips and best practices for embedding regulatory requirements into your SLOs. 

Join the session to discover:  
- Why incorporating compliance within SLOs matters and how it contributes to overall application success. 
- Best practices for integrating regulatory requirements within your SLO frameworks to ensure customer satisfaction, site reliability and adherence to industry regulations. 
- Collaboration strategies and processes to bridge the gap between compliance and application teams. 
- And more...

Drive compliance and regulatory requirements with service level objectives

According to The Life and Times of Cybersecurity Professionals 2021 report by the Information Security Systems Association, the ongoing cybersecurity skills crisis has steadily continued for over five years. Organizations are consistently on the prowl for talented cybersecurity professionals to combat increasingly prevalent and sophisticated cyber attacks. However, is hiring the “best fit” the only option organizations have to address the ongoing cybersecurity skills shortage? 

After working alongside the constant cybersecurity skills shortage, CISOs understand that only looking to hire talent won’t cure the longstanding problem. So how are security executives addressing the growing need for cybersecurity skills? Join Hosts Dan and Earl with guests as they take a deeper look into the cybersecurity skills shortage and:

- Innovative new strategies organizations are utilizing to tackle the cybersecurity skill shortage from integrated security architectures to partnerships with third party services or vendors
- Investing in IT and security staff through cybersecurity training
- Embracing automation and analytics to streamline security processes

The Cybersecurity Skills Shortage: Why, How, and What To Do About It

The increasingly distributed nature of the modern enterprise is making zero-trust security approaches more relevant than ever. In this research-led session, John Grady, ESG Principal Analyst, will focus on how organizations are thinking about, planning for, and implementing zero trust across their environments.


Join to find out how zero trust can provide a framework to secure even the most complex environments, whether implementing least-privilege tenets for user access or securing the connections to and between the disparate aspects of today’s hybrid multi-cloud deployments. You'll learn exactly what a zero-trust initiative should entail, where to begin, and how best to overcome the organizational obstacles that result from such a cross-functional undertaking.

Zero Trust Security Strategies to Safeguard the Enterprise

As organizations are looking for ways to stay on top of an evolving threatscape, many are
looking towards AI to enhance their security strategies and fend off cyber attacks before they
happen. In the 2022 CIO and Technology Executive Survey by Gartner, 66% of respondents
reported that they expected to increase cyber and information security investments for the
next year. More than half of respondents reported that they planned to heavily invest in
business intelligence and data analytics.

However some security leaders are cautious about adding artificial intelligence into their
security arsenal. Despite rapid advancements in AI, these solutions can also come with their
own unique set of drawbacks. Some skeptics say that AI technology is still immature and
that there may be simpler, more cost-effective solutions. With all the interest surrounding AI
in cybersecurity, it’s important for organisations to establish realistic expectations.

Join this panel to learn more about:
- The current state of AI in security
- What CISOs and their teams should keep in mind about AI
- How AI impacts your workforce strategy
- And more!

Speakers:
- Dan Lohrmann, Field CISO at Presidio
- Earl Duby, CISO at Lear Corporation
- Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet
- Warsamé Ahmed, Co-Founder & CEO at BR[AI|YT.ai

Using AI in Cyber Security: Boon or Bust?

Secure access to cloud is broken. By now, you must already know that the traditional VPNs are the weakest links when it comes to secure access into your mission critical infrastructure. This is due to two fundamental flaws. 

VPN aka virtual private network, as it suggests, provides a virtual network extension over a secure link. That means, if the endpoint that is connecting over the VPN, is compromised, an attacker can gain secure access your infrastructure.

Once insider your network, the intruder now has the license to roam within the subnet/VLAN and, unless you have an error free setup, perhaps the intruder has the license to roam across the enterprise.
 
Time and again, we have witnessed VPNs being exploited by the adversaries and, if you want to stay protected, please ensure that you get off the traditional VPN train first.

The modern-day alternative to VPNs is called Zero Trust Network Access (ZTNA). However, the ZTNA solutions lack end to end segmentation. That means, if the attacker somehow gains access to one of your hosts over ZTNA, the attacker will then be able to roam laterally withing your organization. This is the predominant way for Ransomware to spread and compromise most of your assets.

What you need is a combination of modern Secure Access technology coupled with an agentless micro-segmentation solution and a potent incident response tool.
 
This will be the focus of our session. In this session, you’d learn how to
• Provision agentless segmentation at scale across your organization for all your assets – TV, Toaster, Laptops, VMs, Servers, and even containers
• Gain end-to-end visibility and control for all traffic
• Secure high value assets distributed across your organization
• Deploy a Ransomware Kill Switch™ that prevents ransomware spread

The correct way to “Cloud-Access”

Working remotely has become the new normal. This, and many other changes organizations adopted last year in response to the pandemic are likely to stay for the long term. According to Gallup, about two-thirds of U.S. remote workers want to continue to work remotely. So, how can organizations continue to support their growing distributed workforce at a time where reports of security threats have increased by 400% compared to pre-pandemic levels? 

Here is where the zero-trust approach to security comes into play. 

Join this month's episode of The (Security) Balancing Act with Diana Kelley and guests as they discuss the emergence of zero trust (“Trust Nothing, Verify Everything”) and what it helps achieve for enterprises in the age of cloud and remote work.

Viewers will learn about:
- The evolution of the security perimeter and the shift to zero trust
- Why zero trust is an approach and not a product
- Zero Trust Network Access (ZTA) vs. corporate VPN
- Real-world stories and practical hands-on guidance from people who have deployed a ZTA

Speakers:
- Mari Galloway, CEO, Women's Society of Cyberjutsu
- Jonathan Nguyen Duy, Vice President, Global Field CISO Team, Fortinet
- Bob Rudis, Chief Data Scientist, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Zero Trust for the New Normal

Phishing and ransomware attacks continue to rise, according to Proofpoint’s State of the Phish report for 2020. Organizations in the U.S. are at risk, the increase in remote work due to the pandemic has fueled a spike in attacks, and phishing attempts are up by 14 percent compared to the previous year. 

Email continues to be the number 1 delivery vehicle, but other social engineering schemes that rely on social media, voicemail (“vishing"), SMS phishing (“smishing”), and malicious USB drops are also of concern for organizations. Ransom demands are also on the rise, but according to the report, paying the ransom is not guaranteed to work as many companies that paid the ransom failed to receive a decryption key. 

Join this month's episode of The (Security) Balancing Act as Diana Kelley and guests discuss why ransomware is surging again, which sectors are most at risk, the threat to enterprises and how it is being used for more than just ransom (ex: distractionware, destructionware, etc).
- The rise in ransomware under the cloak of the pandemic 
- Why email continues to be the channel of choice 
- The difference between fully automated and human-operated campaigns
- How to decide whether or not to pay or not to pay the ransom
- Why your backups may not be immune to ransomware
- Addressing the threat with best practices

Speakers
-  Nicole Hoffman, Intelligence Analyst, GroupSense 
-  Courtney Radke, CISO for National Retail, Fortinet 
-  Patrick Lee, Senior Incident Response Consultant, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Ransomware in the Remote Work Era

Requiring non-security specialists to describe their posture and informing the management hierarchies on our current security posture is difficult. The language is foreign and does not lend itself to exactness. The eternal question is “Are we secure? The expected answer then cannot be “It depends…”, but rather an aggregated statement, very close to a single “Yes” or “No”. 

In case of a negative response, it is also expected to hear of the gaps and the plans to fill them to become secure again.

 

To accomplish this aggregated statement, a traditional assurance cycle of up to a year is too slow. The product owners need to have security activities in their backlog, they need to know when circumstances change to be able to address them based on risk. The management hierarchy needs to be informed with the current security posture and what implications that brings.


The road to prevent breaches is paved with measurements, a quick feed-back loop and AI assisted decision making. All meant to push security decisions out in the organization.

Here one could add the analogy of driving a car, where the driver, or senior manager, has to take decisions based on situational awareness and information provided by the car. The driver does not need to know the exact oil pressure or the cooling temperature, but rather if it has reached a hazardous level. The driver cannot base decisions on oil pressure solely by dipping the stick before starting the journey, which would be equivalent to classic compliance.

To prevent breaches senior management need to know that circumstances have changed, when they change, and ultimately that they are about to change.


In this webinar you will be inspired by a Proof of Concept and an idea of how to implement and extend it.

Proactive Breach Prevention using Automated Compliance and Continuous Auditing

This month's episode of The (Security) Balancing Act will focus on botnets as a growing threat to the enterprise, examples from the real world, and what enterprises can do to better protect against botnet-fueled state sponsored attacks.

Join this interactive roundtable discussion with security experts and industry leaders to learn more about:
-  How botnets have become a tool for cyber criminals and nation state actors
-  Real-world examples & known botnet attacks 
-  Nation state ransomware attacks
-  DDoS attacks
-  Cyber espionage
-  ATPs
-  The trouble with attribution
-  What enterprises and governments can do to address the threat

Panelists:
-  Johna Till Johnson, CEO and Founder of Nemertes Research
-  Derek Manky, Chief, Security Insights & Global Threat Alliances, Fortinet
-  Craig Harber, Chief Customer Success Officer, Fidelis

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Taking Down Nation State Botnets

Mentoring programs can increase knowledge and build skills for future goals and milestones, allowing your workforce to grow their skills organically and create cultures of collaboration and success. 

Join Part 1 of our series to learn how to design a mentoring program for women and minorities in security that actually delivers for everyone involved. 
- Learn from experts on how to design a mentoring program that delivers
- Understand how to make mentoring meaningful for your organization
- Learn what strategic planning steps are critical to make the plan a success

Speakers:
- Virginia "Ginger" Spitzer, Executive Director | ISACA, One In Tech Foundation
- Joy Harrison, Director, Leadership Development Center for Excellence | NTT DATA Services
- Sushila Nair, VP Security Services, Chief Digital Officer | NTT DATA Services
- Kwasi Mitchell, Chief Purpose Officer | Deloitte
This is Part 1 of our new series on mentorship produced by BrightTALK. Sign up for Part 2 via the link in the attachments.

Design a Mentoring Program That Delivers!

Instead of the traditional "castle and moat" model of the past, today the security perimeter is being defined around the identity of the person or the device requesting access. What are organizations doing to protect digital identities in the age of breaches? How are the current trends in identity and access management helping address this issue?

Join this interactive roundtable discussion with notable security experts to learn more about:
- The shift to identity-centric security
- The zero trust mindset
- What constitutes strong and effective authentication and authorization
- The role of policy orchestration and enforcement
- Best practices for protecting identities and managing access across the enterprise  

Panelists:
- Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic
- Dave Farrow, VP, Information Security at Barracuda
- Jeremy Snyder, Sr. Director, Corporate Development, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

The Future is Identity-Centric

If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk, too. 
 
Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, maybe you’re uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or, maybe you think you do know, but don’t realize what you’re doing wrong.
 
To defend against attackers, you must think like them. Join Ted Harrington, author of HACKABLE: How to Do Application Security Right and learn:
- how to eradicate security vulnerabilities
- establish a threat model
- build security into the development process 

You’ll leave knowing how to build better, more secure products, gain a competitive edge, earn trust, and win sales.

This episode is part of Cyber Authors, a new series with Sushila Nair. We welcome viewer participation and questions during this interactive interview.

Cyber Authors Ep.3: How to Do Application Security Right

Cyber Security

Security

Security Awareness

Security Breach

Hackers

Vulnerabilities

Application Security

Application Monitoring

Threat Detection

Threat Defence

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The unexpected nature of natural disasters and other disruptive events means that preparation is key to managing disaster recovery and business continuity planning. Join the business continuity and disaster recovery community for live and recorded presentations discussing best practices for business continuity planning, disaster recovery programs and business continuity management. Learn from BCDR experts to develop your critical infrastructure and gain insight into tactical solutions to your BCDR issues.

Business Continuity / Disaster Recovery

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Cyber Authors Ep.3: How to Do Application Security Right

Presented by

About this talk

More from this channel