2016 (ISC)2 Security Congress – Member Town Hall – Part 1
Meet the newest members of your association membership management team as David Shearer, (ISC)2 CEO, interviews Patrick Craven, the new Director for the Center for Cyber Safety and Education (formerly the (ISC)2 Foundation), and Dan Waddell, the newest (ISC)2 Managing Director for the North America region. This was originally held on September 11, 2016. (NOTE: Due to the length of the presentation, this video DOES NOT qualify for a CPE.)
Recorded Oct 13 2016, 49 mins
Organizations deploy multiple security monitoring tools to detect threats, but they often overlook the most important part of the threat detection process: content. This session describes the role of detection content in security monitoring and makes the case for structured processes to identify, develop and maintain that content. Attendees will learn the characteristics of the Detection Development Life Cycle and how to use it to optimize their threat detection practices.
Eric Gauthier, VP of Technical Operations, Burning Glass
What if your team works remotely, your applications are all third-party cloud services, and you have no firewalls, servers or office networks? This talk will explore the unique challenges of securing a cloud-native company when most standard approaches require something "on premises." We will discuss how any company can use these practices to reduce compliance effort and improve security by flipping your perspective on internal versus external, office versus coffee shop, and managed versus third-party cloud applications. The talk will cover topics including the shared responsibility model, IAM, CASBs, device management, segmentation, DLP and vendor management.
1. Improve security and ease compliance by treating employees as remote workers and services as third-party cloud applications, even when they are not.
2. Securely scale remote work without the complexity and capacity issues that come with relying on VPN services.
3. See how zero-trust networking and perimeter-less security can improve your security and enable your workforce.
Dr Adriana Sanford, Acting-Director of Executive Education & Senior Fellow at OU CINS, University of Oklahoma
Amid the coronavirus uncertainty, companies worldwide have been forced to move more of their professional routines online. As employees adapt to working from home on their private devices, sophisticated cyber attackers have ample opportunities to evade employers' detection tools and exploit the "new normal." Among the pandemic-related legal issues is the handling of force majeure contract clauses within global supply chains, as restrictions on the mobility of people and products continue to mount. Despite the privacy restrictions set forth by the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the effects of the current pandemic are causing corporate boards to reconsider their views on data privacy and senior management to conduct workforce health checks to prevent the further spread of COVID-19. This presentation will outline the dangers and legal risks that have arisen since the coronavirus first forced everyone to pivot to a more virtual workforce.
1. Understand why confusion from the COVID-19 pandemic created long-term security, legal and privacy risks for businesses.
2. Learn top tips for ensuring data protection compliance in the age of the COVID-19 pandemic.
3. Learn what personal information employers may need to collect from employees in order to enforce coronavirus protocols and to best limit their risk of exposure during a health crisis.
Marinda Hamann, (ISC)²; Sanjana Mehta, (ISC)² EMEA; Chris Green, (ISC)² EMEA; Brian Alberti, (ISC)²
The (ISC)² Cybersecurity Workforce Study is one of the most highly-anticipated annual research reports each year. Not only has it come to be considered the industry standard for measurement of the global “skills gap” in cybersecurity, but it offers nuanced insights into subjects like job satisfaction rates, salaries, role alignment, the profile of the cybersecurity professional, diversity and how to strengthen teams and improve hiring practices. The 2020 edition of the study was released in early November and also includes data on the cybersecurity community’s response to COVID-19 and the transition to remote work environments. This panel discussion brings together several of the (ISC)² architects behind the research to provide a deeper look beyond the numbers and explore some of the key themes of this year’s findings.
- Learn about the cybersecurity community’s response to the COVID-19 pandemic and the shift to remote work
- Understand the landscape of the current cybersecurity workforce and the shortage that exists today
- Gain insights on how organizations can find, recruit and train new talent to better protect organizations from security threats
Michael F. Angelo, Chief Security Architect, Micro Focus Corporation
While a secure development lifecycle (SDLC) is centered around education, it extends well beyond the simple "how to program securely" to include:
- Training, including an overview of the process
- Threat modeling, covering both deployment and functionality
- Secure coding standards and reviews
- Testing and analysis such as static, dynamic, fuzz and penetration testing
- Supply chain security and monitoring that incorporates component tracking and build/development environment security
- Incident response to improve reaction times
This session will conclude with a discussion on how to measure your SDLC capability and maturity. As we delve into each of these areas, the attendee will gain insights into what is now required to be successful with an SDLC.
1. Discover the elements and definitions of the currently evolved secure development lifecycle (SDLC) you need to succeed.
2. Understand how to track the evolving SDLC, since a static one often spells doom.
3. Be introduced to usage and deployment models to determine threats and mitigate them appropriately during the development process.
Koji Nakao – Distinguished Researcher, National Institute of Information and Communications Technology (NICT)
Recent cyber-attacks have often been malware-driven, and the malware keeps evolving and is sometimes hidden from our monitoring countermeasures (firewalls, IDS/IPS). To achieve an advanced security solution, passive monitoring technologies should be considered. In this presentation, passive monitoring technologies such as darknets and honeypots/sandboxes are explained with practical use-cases for accurately observing and monitoring ongoing threats (cyber-attacks). The use-cases may include detection of malware-infected IoT devices by means of darknet and honeypot monitoring. Furthermore, attacks detected by passive monitoring can feed proactive cyber security response as a practical solution.
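As an added illustration of the darknet use-case in the abstract above (example code written for this page, not NICT's tooling), the script below reads flow records from a sensor watching an unused address block and flags sources that spray telnet-port probes across several dark addresses, the scanning pattern of an infected IoT device hunting for more victims. The record format, the 203.0.113.0/24 prefix standing in for the monitored dark space, the sample records and the telnet-spray heuristic are all assumptions of this example.

```python
"""Minimal darknet-sensor analysis (illustrative, not NICT's code).

Nothing legitimate lives in a darknet, so every packet that reaches it is
unsolicited: a scan, backscatter from a spoofed attack, or a misconfiguration.
Spraying telnet probes across many dark addresses is the classic signature of
a malware-infected IoT device looking for new hosts to compromise.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed sensor export: one record per line as
#   <epoch> <src_ip> <dst_ip> <dst_port> <proto>
# The records below are constructed for this example, not real sensor data.
SAMPLE_FLOWS = """\
1600000001 198.51.100.7 203.0.113.5 23 tcp
1600000002 198.51.100.7 203.0.113.9 23 tcp
1600000003 198.51.100.7 203.0.113.17 23 tcp
1600000004 198.51.100.7 203.0.113.33 23 tcp
1600000005 198.51.100.7 203.0.113.40 80 tcp
1600000006 192.0.2.44 203.0.113.10 2323 tcp
1600000007 192.0.2.44 203.0.113.11 2323 tcp
1600000008 192.0.2.44 203.0.113.12 23 tcp
1600000009 192.0.2.99 203.0.113.20 443 tcp
1600000010 198.51.100.8 203.0.113.6 23 tcp
1600000011 198.51.100.8 10.0.0.5 23 tcp
garbage line that should be skipped
"""

DARKNET = ip_network("203.0.113.0/24")  # assumption: stands in for the monitored unused space
TELNET_PORTS = {23, 2323}                # ports IoT botnets typically probe


def parse_flows(text):
    """Parse sensor lines into dicts; malformed lines are dropped rather than fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append({
                "ts": int(parts[0]),
                "src": ip_address(parts[1]),
                "dst": ip_address(parts[2]),
                "dport": int(parts[3]),
                "proto": parts[4],
            })
        except ValueError:
            continue
    return flows


def darknet_flows(flows):
    """Keep only traffic aimed at the dark space; everything else is out of scope."""
    return [f for f in flows if f["dst"] in DARKNET]


def summarize_sources(flows):
    """Per source (as a string): distinct dark addresses touched and distinct ports probed."""
    summary = defaultdict(lambda: {"targets": set(), "ports": set()})
    for f in darknet_flows(flows):
        summary[str(f["src"])]["targets"].add(f["dst"])
        summary[str(f["src"])]["ports"].add(f["dport"])
    return dict(summary)


def flag_iot_scanners(flows, min_targets=3):
    """Sources whose telnet-port probes reach at least min_targets distinct dark hosts.

    A single probe may be a typo or backscatter; a spread across several unused
    addresses is a host actively scanning, i.e. most likely already infected.
    """
    telnet_targets = defaultdict(set)
    for f in darknet_flows(flows):
        if f["dport"] in TELNET_PORTS:
            telnet_targets[f["src"]].add(f["dst"])
    hits = sorted(src for src, targets in telnet_targets.items() if len(targets) >= min_targets)
    return [str(src) for src in hits]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    summary = summarize_sources(flows)
    for src in flag_iot_scanners(flows):
        s = summary[src]
        print(f"{src}: {len(s['targets'])} dark hosts, ports {sorted(s['ports'])}")
```

The threshold is deliberately low for the sample; on a real /24 or larger sensor the same logic runs over millions of records a day, and the interesting tuning is the target count and time window, not the parsing.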
Catherine Chapman, Security Journalist and Saskia Coplans, Digital Interruption
Anyone working in information security understands that communication is a crucial part of an incident response plan. But this conversation is missing collaboration from a key player: the media.
The mainstream media's role in informing audiences and swaying public opinion has yet to be leveraged by the information security community to produce consistent and informed articles on security topics. Infosec remains in a bubble, with the public stuck in an information loop of data breaches and outdated security patches. As the industry grows, how should these channels of communication develop?
This talk will explore the relationship between the press and information security, presenting case studies of how technical topics are represented in the media. An analysis of how "security" is represented in both print and online media will also be included.
1. Understand the channels in which consumers learn about security.
2. Understand how security gets misconstrued in the media.
3. Get your research picked up, or covered, by a journalist.
Andrew Boyle, Director and Distinguished Cyber Technologist, Booz Allen Hamilton
We've migrated from Waterfall to Agile to DevOps and now, DevSecOps. Now that security is equally represented alongside development and operations, is everything good? Not at all! Broadly speaking, the Sec element has not (yet!) been fully embraced and is not on par with Dev and Ops. In fact, in many cases the Sec element amounts to a tick in the security box.
Testing went through a similar struggle but emerged victorious with test-driven design and embedded testers. The inclusion of the Sec element in DevSecOps gives all cybersecurity practitioners an opportunity to elevate the impact and relevance to equal the Dev and Ops elements. We, as leaders in the cybersecurity industry, must understand how Sec engagement in DevSecOps works and what indicators predict failures.
1. Describe the critical role that security plays during DevSecOps and understand the critical nature of security to successful DevSecOps environments.
2. Conduct assessments of past/current/future DevSecOps environments to ensure that the 'Sec' element is of equal influence and impact.
3. Quantify and prioritize the attributes of the 'Sec' element of DevSecOps that are applicable to their organization, and recognize the Sec-specific signals related to successful and unsuccessful DevSecOps environments.
Do your developers understand enough about security to secure your applications properly? How do they fare against the OWASP Top 10? Developers are buried under a large number of security problems. Do you know how best to help them?
Developers must gain the security knowledge needed to secure everything they work on. Explore the ten things every developer must know about security and learn how to properly expose them to your developers, including the realms of security culture, hacking, OWASP, third-party software, GitHub, DevSecOps and Docker/Kubernetes.
Gain a perspective on security from the eyes of your developers. Come away with a greater awareness of your application security risk, knowledge of the ten things, and a perspective on how to assess and build application security culture in a programmatic fashion.
1. Gain a perspective on security from the eyes of your developers.
2. Realize a greater awareness of the application security risk you face.
3. Assess and build application security culture.
Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
Imagine a nationwide blackout. Ukrainian residents faced that reality when their energy sector suffered a massive cyber attack that caused a power outage for more than 86,000 homes. This session dives into the real-world hack of a power station and explains the planning, perimeter security, engines and SCADA controls behind the attack.
1. Gain a full understanding of the anatomy of a privileged account hack.
2. Learn the challenges of reporting to the board and lessons learned.
3. Develop a strategy to reduce your risk and prevent abuse of your critical information assets.
James Perry, Senior Director and Head of Incident Response, CrowdStrike Services
Stories from CrowdStrike incident response engagements, and how the company has changed the model for how organizations respond to a breach. Learn the methods CrowdStrike uses to disrupt and ultimately remove bad actors from networks.
Daniel Kim, CISSP, CCSP, Chief Privacy Officer and Scott Hollar, CISO, Extended Stay America
A company can find it hard to survive if it loses the faith of the loyal guests or business partners that drive new customers. This billion-dollar hospitality company could see that the new data privacy regulations were beginning to create obstacles to business-as-usual and that it needed to prepare accordingly. Its strategic mindset compelled it to assume that CCPA and GDPR were just the beginning, with more regulations to follow. It wanted to implement a strategy of excellence that would focus on proactive data privacy and avoid the high cost of chasing each successive regulation.
Their CISO joins us to talk about their journey and discuss:
• The building blocks for successful automation
• Integrations for enterprise support and successful business integration
• GDPR and CCPA drivers for rapid response and resolution
• What success looks like going forward
Learning Objectives:
• Gain an understanding how success is highly influenced by the time spent planning.
• Learn alternative approaches to meet compliance and gain business buy in.
• Define success and strategies to ensure a sustainable program.
Rob Ayoub, FireEye; Sharon Smith, Verizon; John Esparza, Schneider-Electric; Deidre Diamond, CyberSN & Erik Von Geldern, FXCM
It is well known that malware outbreaks, security breaches and other security-related incidents can cause times of extreme anxiety and pressure. Anecdotal evidence indicates that stress and mental health issues within the information security profession are not limited to incident responders. Join panelists from a wide variety of security career areas as they discuss burnout in general and how it has affected them as individuals. These professionals will offer insights and perspective on how they perceived burnout in their careers and among coworkers. They'll also talk about how to recognize the signs and maintain mental health in a challenging career field.
Learning objectives:
1. Recognize potential stressors and mental health triggers in the course of information security work.
2. Gain insights into managing stressful situations, work environments and careers.
3. Reflect on the need for changes in schedule, balance, hobbies or other activities to manage stress throughout the course of an information security career.
Scott M. Giordano, Spirion; John G. Bates, DocuSign; John Bandler, Bandler Law Firm PLLC
What qualifies as a breach vs. an incident? When does an investigation need attorney-client privilege? Do I need to make a bitstream copy, or is an image enough? If these questions have ever come up in your department, you likely had to call someone in Legal, or even outside counsel. Over the past five years, the need for legal insight in information security has gone from a nice-to-have to a must-have. Just some of the areas where attorneys can assist you include incident response/breach notification, contract negotiations, policy writing and review, and working with insurance carriers. In this presentation, information security legal veterans will explain what attorneys can do for your team and how they can advance your department’s mission.
1. Discern which information security and privacy problems require legal involvement.
2. Learn the latest trends in information security that have legal implications.
3. Understand how to work with counsel to achieve the best results.
Andrew Neal, VP - Research, Gartner and Jenifer Sosa, Director, Information Security & Compliance Services, TransPerfect
The business world is full of data privacy regulations and obligations. The legal community is full of lawyers with lots of advice about compliance. The information security world is full of techies who must operationalize data privacy regulations. What lies at the intersection of these three things? Is it chaos? Or could it be that success in the ever-changing world of data privacy regulations is best achieved by combining the viewpoints of the legal and technical experts? This presentation will explore the contrasting, but not necessarily conflicting, viewpoints of two experienced data privacy and governance professionals from very different backgrounds. An attorney and a technology professional, each with decades of experience, will present to attendees the differing viewpoints necessary for a successful data privacy and governance program.
Learning objectives:
1. Describe the perspectives of the various stakeholders in the data privacy and governance process.
2. Compare and contrast the focus and emphasis of legal and IT when addressing data privacy concerns.
3. Discuss the necessary cooperation between legal and IT, and the benefits that such a team confers on compliance efforts.
Shawn A. Harris, Director, Starbucks Coffee Company; Jim Turchek, Manager, Progressive Casualty Insurance
Aligning the Modern Cybersecurity Strategy with the Business Priorities
We're currently living through a time of great change that requires security teams to adapt to an ever-shifting landscape of business prioritization. This talk will focus on how our respective teams realigned their goals with business priorities to create greater engagement that helps fulfill larger organizational goals. Security traditionally has a mandate to limit risk; however, we must transform into enablers of business agility. Both speakers have a history of making such security transformations within their teams. Financial services and retail have different regulatory requirements and business models, and their juxtaposition here will illustrate that each organization's approach could work in other industries too.
Learning objectives:
1. Use the business alignment methods to drive real-world change and migrate your teams into enablers of business agility.
2. Understand a new people-centric approach to risk mitigation using business consultation techniques.
3. Take real-world architectural foundations back to your own organization and align cybersecurity strategy with business goals and vision.
Dr. Kevin Charest, CISSP; Zachary Tudor, CISSP; Clar Rosso, (ISC)²; Dr. Casey Marks, (ISC)²; Wes Simpson, (ISC)²
The panel will consist of members of (ISC)² Management and the (ISC)² Board of Directors, who will be ready to answer any questions that you may have regarding membership, certifications, information security, etc. This meeting is open to both members and non-members.
Dr. Kevin Charest, CISSP - Board of Directors Chairperson
Zachary Tudor, CISSP - Board of Directors Vice Chairperson
Clar Rosso - CEO, (ISC)²
Dr. Casey Marks - Chief Products Officer and Vice President, (ISC)²
Moderated by Wes Simpson - COO, (ISC)²
Michael D. Weisberg, Caroline E. Saxon, James Packer, Brandon Dunlap
As the COVID-19 pandemic continues its hold on societies around the world, will business as we know it ever return? Should it? Which of our new ways of working will stick? Let's get together, 6 feet (2 m) apart and wearing masks, and discuss how the pandemic has changed not only our relationship to work and how we get things done, but also the demands on information security. What strategies did you and your organizations use to function through the COVID-19 crisis? We will discuss what went well, badly and sideways as we tried to maintain security and normalcy in challenging times. Will security return to the old way of doing things, or have employers' and employees' expectations changed forever?
Brandon Dunlap, Managing Director, Brightfly, Inc and John Carnes, Executive Adviser, Anthem, Inc
In this discussion we will be talking about how we, as professionals, both give and get interviews that focus on finding people with the right mindset for information security. Are we focusing on the right factors? Are we looking for the right level of skills? We will discuss which questions work, which are a waste of time, and what we are potentially doing wrong as an industry. If you're looking to be interviewed, we'll talk about which skills you need to focus on and which you should be both working on and showing.
1. Learn what questions work for interviews and what questions are potentially going to mislead you into hiring the wrong people.
2. Learn the factors of thinking that make for a successful information security professional.
3. Learn how to grow at a personal level to be the best professional you can be.
In this presentation, we review malicious activity that involved SCADAfence's incident response team, which assists companies during industrial cybersecurity emergencies. Attendees will learn how ransomware infected the victim organization's network and how the incident response team gathered evidence, including where to look first. Then, we'll explain how the evidence was analyzed; what the initial findings were; and how the attackers were caught. Finally, we'll discuss additional attack methods used by the cyber criminals so everyone can take appropriate steps to prevent such attacks within their organizations.
1. Learn how industrial networks get infected with targeted ransomware.
2. Discover where to look for evidence; how to analyze it; and how to find attackers hiding in the network.
3. Understand additional types of attack methods used by cyber criminals in industrial networks, as well as best practices to protect those and all other networks.