Session 1

25 years of Security and Risk transformation leadership through both the public and private sectors. I have guided companies through global breaches, risk transformations, complete security implementations, and program rebuilds while embracing “next-gen” security frameworks.

How to create an actionable cybersecurity strategy for the business

Cyber executive leadership is not exclusive to technologists. Executive business leaders have an important responsibility for supporting the cybersecurity strategy of the organization. Whether you are a business, technology, or security executive, learning how to create a business-relevant cybersecurity strategy that is actionable across the organization and understood at the executive level is critical. The strategy should drive the security program, justify funding, identify the right headcount, and enable the business.

Key take aways will be:

• How to start building a strategy
• How to identify stakeholders
• How to obtain funding
• How to grow your program
• How to reduce risk
• How to enable corporate goals

Session 2 – Keynote

The Advanced Persistent Threat (APT) is extremely dangerous to the national and economic security interests of the United States. We are totally dependent on computing systems of all types—including traditional Information Technology (IT) systems, Operational Technology (OT) systems, Internet of Things (IoT) systems, and Industrial IoT (IIoT) systems—to accomplish critical missions and business functions. The recent and rapid convergence of these types of systems has brought forth a new class of systems known as cyber-physical systems, many of which are in the critical infrastructure sectors including the energy, transportation, defense, manufacturing, and information and communications.

To address this reality in the 21st century, the one-dimensional protection strategy focused solely on perimeter-based defenses must be transitioned to a new multidimensional, defense-in-depth protection strategy that includes three, mutually supportive and reinforcing concepts: (1) penetration resistant architectures; (2) damage limiting operations; and (3) system designs that support cyber resiliency and survivability. This strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within organizational systems. When this situation occurs, organizations must have access to additional safeguards and countermeasures to confuse, deceive, mislead, and impede the adversary—that is, taking away the adversary’s tactical advantage and protecting and preserving the organization’s critical programs and high value assets.

This presentation will focus on the NIST Systems Security Engineering Initiative and a range of new projects that can support a multidimensional protection strategy. Topics include: (1) a brief overview of the flagship NIST SSE publications SP 800-160, Volumes 1 and 2; (2) a description of Zero Trust concepts and architectures; and (3) a discussion of the benefits of implementing a DevSecOps process to obtain trustworthy, secure, and cyber resilient systems at the speed of commercial industry.

Session 3

In this talk, John will share the experience he’s had building and running a security team during the COVID-19 pandemic. He will share real world that come from both work and home as his team and the company shifted to WFH (work from home) and SIP (shelter in place). The lens of the global pandemic will provide focus on five topics with take-aways for your security strategy, tactical, and operational programs.

Session 1

Digital transformation is the use of new, fast and changing technology to solve problems. Yet, many organizations struggle to move technology through-out the phases of the product or project life cycle. Let alone get to the point of actually using the technology to solve their organization’s problems. As we experience these unprecedented times, many organizations from government to Fortune 500 companies are asking “Why were we not prepared?”. Leaders of organizations are looking to their CXO and other technology team members for answers on why the technology and data sharing is broken. The CIO’s role is more than identifying the best or ‘cool’ technologies. CIOs must be able to partner across the organization to drive results-oriented implementation strategies. In the session, I will outline pitfalls of past digital transformation strategies and provide a blueprint for building a solid digital transformation game plan. We will discuss the use of agile methods, to help organizations respond to the current uncertainty and prepare to easily shift and respond in the future.

Session 2 – Keynote

The core concept of the talk? That too many organizations are on the verge of going off the proverbial cliff by neglecting to do the difficult, non-glamorous work beneath the headlines and the furious investments in cyberdefense technology.

As a consultant deeply involved with organizations of every size all across the United States, Paige sees first hand – and from a ‘crow’s nest’ perspective – the troubling disconnects starting to bare their ugly teeth in so many companies. These are organizations trying to do the right thing, which in most cases is throw talk and as much money as they can at perimeter security, authentication protocols and all manner of goods and gadgets that the headlines say will make them safer. And perhaps they will. But, according to Ms. Needling, crucial “basics” are being ignored and they threaten to undermine the “real world” security footing of these organizations. Simple things are always simple to do. Which may explain why so many companies pay lip service, at best, to things like Security Awareness Training for employees – why an ultra-secure office is still wide open to breach from vendors and business partners, either physically entering their building or introducing hack vectors through unsecure (or non-integrated) systems.

Central to this discussion are a series of critical “disconnects” and lack of alignment within organizations, making cybersecurity a top “talking point” for senior executives and Boards who don’t necessarily have the cyber IQ or strategic incentive to connect all the dots down in the trenches. It’s the reason that the CISO still has trouble finding audience with the Board, and why, in most companies, their own employees are still the greatest threat to security.

Session 3

The internet wasn’t built with security in mind, the world has a massive talent shortage, and we can’t rely on automation to solve everything.

If you’re on an information security team, I’m willing to bet you have more to do than time and resources to do it. Maybe one of your colleagues left for a new job last month, and there are two additional unfilled positions on your team. You could actually be in a position where you’re trying to do the jobs of 4 people.

Talent matters. You matter.

This talk is about preventing and addressing burnout for overworked application security professionals. It’s also about how to attract, retain, and grow a great team.

Caroline Wong is the Chief Strategy Officer at Cobalt.io. Wong’s close and practical information security knowledge stems from broad experience as a Cigital consultant, a Symantec product manager and day-to-day leadership roles at eBay and Zynga. She teaches cybersecurity courses on LinkedIn Learning and is a member of the Forbes Technology Council. Wong was named 2019 Cyber Educator of the Year in the 6th Annual Cyberjutsu Awards. She authored the popular textbook Security Metrics: A Beginner’s Guide, published by McGraw-Hill. Wong graduated from U.C. Berkeley with a BS in electrical engineering and computer sciences and holds a certificate in finance and accounting from Stanford University Graduate School of Business.

Session 1

There is no doubt that Cyber Security Strategy is vital to every organization in today’s world. Whether the Cyber Security Strategy reports to or must collaborate with the CIO, many security leaders think they know what the CIO is thinking. Though they may be directionally correct, there is often enough misalignment to create issues. Join Blake Holman in today’s session to get into the mind of the CIO where Cyber Security Strategy is concerned and understand some of the ways the misalignment can occur and how you might be able to adjust.

Session 2 – Keynote

How do you show up? How do you model, mentor, communicate and collaborate to build trust? It’s no secret that the demands of a CISO are not for the faint of heart. Between carefully walking a tightrope of an ever-changing threat landscape and balancing the need to enable organizations to rapidly innovate and execute, a CISO must creatively influence stakeholders across the organization for the Cybersecurity program to succeed. Without such influence, the ability to build partnerships with your team, peers, customers, the Board of Directors, or key parts of the business can quickly become a lesson learned in what not to do.

In this Keynote presentation, Kevin Morrison, Managing Director of Enterprise Information Security, & CISO at Alaska Air Group will share stories, insights, and recommendations that attendees can take away for building a strategy of influence and improving their security program’s success.

Session 3

Organizations focus a significant amount of time on developing methods for tracking success in operational efficiency in order to achieve profitability as an outcome of the strategic planning process. One of the things that can contribute to success (or failure) is having a mature understanding of your organizational culture. Having a strategy that focuses on understanding and managing culture can allow an organization to motivate employees and partners if cultivated and communicated effectively. When not managed affectively, poor culture can cause distrust and consternation between stakeholders. The presenter will discuss methods for executives and managers to include organizational culture in the strategic planning process and identify objectives for tracking success.