
CISO Summit
November 6-8, 2016

Agenda Key

Keynote Presentation

Visionary speaker presents to entire audience on key issues, challenges and business opportunities

Executive Visions

Panel moderated by Master of Ceremonies and headed by four executives discussing critical business topics

Thought Leadership

Solution provider-led session giving high-level overview of opportunities

Think Tank

End user-led session in boardroom style, focusing on best practices

Roundtable

Interactive session led by a moderator, focused on industry issue

Executive Exchange

Pre-determined, one-on-one interaction revolving around solutions of interest

Focus Group

Discussion of business drivers within a particular industry area

Analyst Q&A Session

Moderator-led coverage of the latest industry research

Vendor Showcase

Several brief, pointed overviews of the newest solutions and services

Case Study

Overview of recent project successes and failures

Open Forum Luncheon

Informal discussions on pre-determined topics

Networking Session

Unique activities at once relaxing, enjoyable and productive

Sunday, November 6, 2016 - CISO Summit

3:00 pm
-
4:30 pm

Registration & Greeting

4:30 pm
-
6:00 pm

Executive Visions Panel

CIO and CISO; Who Reports to Whom?

The CISO role has generally grown up under the umbrella of the IT department as a whole, and while their responsibilities often run in parallel to those of “general” IT, increasingly they are in direct contrast. Where the CIO is tasked with operational efficiency and the delivery of services, the CISO’s mandate is to make sure enterprise resources are always secure and protected. With security breaches increasing in volume and visibility, perhaps the time has arrived to ask which of the two has greater impact on organizational success, and which therefore takes precedence. As businesses begin to ponder this question, it brings into focus the issue with reporting, and who should report to whom. Should the CISO continue to report to the CIO, should roles be reversed, or should the two be considered peers with neither taking dominance over the other? The world has changed; maybe reporting structures need to change as well.

Takeaways:

  • The demands for enterprise security are increasing exponentially as new computing paradigms take over
  • Making security secondary to other IT initiatives and demands ultimately undermines the ability of the CISO
  • Recent findings show that enterprises with a direct CISO to CEO reporting structure suffer significantly less financial loss

Moderated by:

Dave Cullinane, Founder, TruSTAR Technology

Panelists:

Jeffrey Vinson, VP & CISO, Harris Health System

Gary Phillips, CISO, Time Warner EIS

Michael Walsh, CTO & SVP, iHeartMedia Inc

Wayne Pederson, Global Senior Director IT, Bloomin' Brands

6:00 pm
-
7:00 pm

Cocktail Reception

7:00 pm
-
8:30 pm

Networking Dinner

8:30 pm
-
10:00 pm

After Dinner Networking

Monday, November 7, 2016 - CISO Summit

7:00 am
-
8:00 am

Networking Breakfast

8:00 am
-
8:10 am

Welcome Address and Opening Remarks

8:10 am
-
8:50 am

Keynote Presentation

The Awakening of Cyber Analysis: An Intelligent Driven Solution to Security and Risk

Cyber analysis is perhaps one of the newest fields in the security profession. The cyber analysis discipline blends aspects of intelligence analysis, information security, and forensic science. Network traffic and system logs are a foundational data source for cyber analysts – but they must also consider external and human-generated sources of information. By using cyber analysis, one can detect infiltrations faster, regardless of their source. Pairing advanced platforms with a human is the most effective way to detect an infiltration. This session will discuss the emerging field of cyber analysis and use of the Enterprise Insight Analysis (EIA) platform in specific use cases.

8:55 am
-
9:35 am

Keynote Presentation

Adapting to a Changing Enterprise Security Landscape: Why Cloud Security Is the Answer

The enterprise security landscape is changing. Employees now work wherever work needs to get done. And the data has left the office, too. With employees leaving the building and accessing corporate applications in the cloud, how do you keep your business secure when the world is your perimeter? 

In this session, David Ulevitch, Vice President for Cisco’s Security Business Group, will discuss how cloud security provides an added layer of protection for companies. Mr. Ulevitch will discuss how cloud-delivered security can protect common “weak links” targeted by attackers such as branch offices, vendor networks and off-network employees. Learn how security professionals and Internet-scale solutions are leveraging Internet-wide visibility to identify attacks before they strike.

9:40 am
-
10:10 am

Executive Exchange

Thought Leadership

Securing the Mobile, Cloud-First Enterprise

More and more organizations are embracing the cloud and mobility to improve productivity and make their business more competitive. This is turning the current security landscape upside down. At the same time newer, more advanced threats are creating new risks that traditional security appliances struggle to keep up with. CIOs and CISOs are looking for new approaches to securely adopt cloud and mobility. 

In this session Zscaler will discuss why many IT organizations are choosing to adopt a cloud-based approach to securely enable mobility, cloud applications and social media, while ensuring compliance and reducing risk. 

The audience will learn how a cloud security strategy can help them. 

  • Protect users from advanced threats: Why traditional security appliances are failing 
  • Why full SSL content inspection is necessary to detect emerging, advanced security threats.
  • How to embrace cloud with full visibility and control of Shadow IT
  • Get real-time visibility and control: mine billions of user transactions in seconds to quickly identify gaps in security and ensure compliance with corporate policies.

Sponsored by:

Zscaler

10:15 am
-
10:30 am

Networking Break

10:35 am
-
11:05 am

Executive Exchange

Thought Leadership

Diving into the Deep: Understand the Risk of Everyday Internet Use by Employees

The internet is a ubiquitous tool, providing access to a treasure trove of information. Like an ocean, the internet is deep and full of predators surfing for victims for their next attack. Enterprises are particularly vulnerable due to everyday employee access to the internet, where legitimate sites are frequently compromised to distribute malware to unsuspecting visitors.

Understanding how the internet works and how bad actors target and perpetrate attacks is critical to defending your enterprise infrastructure. This session will present a detailed description of the parties involved in rendering a site, how these parties operate, points of vulnerability and steps you should take to secure your business.

Reviewing actual, legitimate sites, you’ll learn:

  • How each individual has a different user experience
  • Where malware hides in the most popular, heavily-trafficked websites
  • Why filtering, ad blocking, black listing, penetration testing and web scanning are ineffective for smart malware
  • How your business’s public-facing website is a malware vector
  • How attacks can be orchestrated to successfully penetrate your infrastructure

11:10 am
-
11:40 am

Executive Exchange

Think Tank

Operational Readiness for Cyber Attacks: Raising the Bar through Collaboration

Cyberattacks often focus on personal data. Big breaches get a lot of attention, and they should. Personal data is at risk and must be protected. Then again, companies and their industries must also deal with the risks of cyberattacks against critical infrastructure. Alarmingly, such attacks are aggressive, sophisticated and executed at machine speed. 

The financial sector has developed a three-pronged approach to improving operational readiness: (1) improve resilience by mapping the industry’s ecosystem, identifying interdependencies, and creating “buffers” and other controls to prevent propagation and contagion; (2) share information with other companies and government agencies – at machine speed; and (3) conduct sector-wide cyberattack simulation exercises.  

Join this think tank as a practitioner and problem solver. Learn more about what the financial sector is doing and how it’s working with DHS, FBI and regulators to raise the bar through collaboration. Share your thoughts with other CISO-level experts about what your industry’s doing and what it’s not. And, speak plainly about the “ins” and “outs” of working with others outside your walls and firewalls. 


Takeaways:
  • Sophisticated cyberattacks at machine speed increasingly target industry infrastructure. Going it alone could be bad for everyone – your company, industry, customers, and the economy as a whole. 
  • The financial sector’s three-pronged model for collaboration provides lessons and best practices for other industries.
  • Government agencies are part of the solution. Turn the caution light to green while still protecting your company’s interest and prerogatives.

Think Tank

Are You Missing Pieces of the Puzzle?

Daniel Conroy, CISO of Synchrony Financial, will provide a wealth of knowledge as it pertains to the current threat landscape: who the bad guys are, what they are doing, and what businesses need to know and do to get ahead of them.

Daniel's speaking engagements take a unique approach on "Security Awareness" apart from the traditional sense. He speaks about the serious state of Cybersecurity Threats, and Cybercrime vs. Security Awareness as a Business. 

With that established, Daniel will speak to his experiences as an Ambassador who is on the leading edge of "Security Awareness as a Business" to get in front of the criminals, or what he describes as Nirvana. 

 Topics overall include the importance of non-traditional collaboration, metrics including the importance of Intel indicators, and finally preparation for the inevitable when there is a security breach.

11:45 am
-
12:15 pm

Executive Exchange

Roundtable

Are Privilege Accounts a Vulnerability Risk

Privilege accounts are vulnerable and do present an IT risk. This has been proven in every major breach in 2014.

What you need to do is identify all types of privileged accounts in your organization.

  • Where are they located?
  • How are they being used?
  • Who is using them?

And identify the appropriate measures to properly secure those accounts.

Roundtable

Critical Components of a Comprehensive Application Security Strategy

Enterprise data, and in particular personally identifiable information (PII), is the pot of gold at the end of the rainbow for hackers. And applications have become the easiest way in. In response, enterprises are now placing an increased focus on application security. But what makes up a comprehensive appsec program?

This session will discuss the state-of-the-art in application security technologies and approaches, including application security monitoring, vulnerability detection and remediation, web application firewalls (WAFs), database activity monitoring (DAM), runtime application self-protection (RASP), and Secure Software Development Lifecycle (SSDLC) methodologies.

12:20 pm
-
12:50 pm

Executive Exchange

Thought Leadership

Restoring Trust and Integrity in Email

A phishing attack is identified every minute with real consequences; it erodes brand reputation, costs companies millions and compromises consumers and employees alike. Billions of email accounts are now protected by DMARC (Domain-based Message Authentication, Reporting & Conformance), and enterprises such as Fidelity, Visa, Bank of America, and AMEX have implemented more secure email solutions -- but is this enough?


This session considers different perspectives on eliminating email threats and rebuilding trust in email through a multi-layered security strategy. It includes a breakdown of what this holistic strategy “beyond DMARC” looks like, best practices for implementing it to protect your brand, your customers, and your bottom line. It also discusses the emerging solutions that fuel such a strategy, including predictive email threat intelligence and TLS and DNS secure email browser blocking.

12:55 pm
-
1:55 pm

Networking Luncheon

2:00 pm
-
2:30 pm

Executive Exchange

Think Tank

Speaking the Language of the Business

For many years the CIO has struggled with the concept of IT-Business alignment and finding ways to ensure that the IT department and the Lines of Business with which it integrates have a common understanding and ability to communicate. Now, as the CISO and the information security department grow out of the IT shadow, they increasingly find themselves in the same position. Their challenge however is greater in that the concepts of IT security are in many ways more abstract than those of generalist IT, and their activities often run counter to the goals of the rest of the organization. CISOs must learn from the trials and tribulations of the CIO and the IT department, and find common ground with the business, to ensure they can hear what their partners are saying, while communicating their own points in understandable terms.

Takeaways:

  • IT-Business communications have long been strained and only now are improving across most organizations through concerted effort
  • IT has had to find ways to speak the language of the business; it was not the business that learned to speak IT
  • The CISO must adopt and emulate the successful communications practices and strategies of the IT department or risk serious relationship issues

Think Tank

Securing the Internet of Things: Challenges and Opportunities

Over the past years, information technology professionals have gotten better about securing our servers, our workstations, and our corporate networks. And we are adapting, however slowly, to the notion that even defense in depth can be breached; and thus our data and operations must be resilient against insiders as well. 

The Internet of Things (IoT) presents the newest set of challenges in the ongoing quest for security and privacy. Many of the consumer devices being connected were not designed to have their sensitive control systems and data storage connected to potentially untrustworthy networks. And in the pursuit of ubiquity, technical standards solve for cost, space utilization, and power consumption as much as (or more than) they solve for security and reliability.

In this presentation, we will equip security leaders with new ways of thinking for the post-IoT world. We will discuss key security challenges facing IoT adopters, and offer suggestions on how to address them. 

Takeaways 

Security leaders will learn about:

  • The most significant security challenges presented by the Internet of Things
  • How to assess whether and to what extent their firms are impacted by IoT
  • How to design for security and privacy in a world where everything is networked 
  • Specific actions to take now to assess and secure their current environments

2:35 pm
-
3:05 pm

Executive Exchange

Roundtable

Break a Hacker’s Heart: Turn the Table on Cyber Criminals

They’ve been doing it to us for years; now you can fight back. For decades, the security industry has been struggling to keep up with cyber attackers’ pace of innovation and collaboration. Gone are the visions of sole hackers stowed away in dark basements. 

Today’s cyber criminals represent coordinated, well-funded, highly sophisticated organizations that collect data on their targets, build simulations on existing defenses, and practice the best ways to break through disparate point solutions. Learn how you can break a hacker’s heart by developing a security approach that they cannot easily simulate in their own labs. 

 Join us for an open roundtable to understand how you can: 

  • Confuse hackers with a security approach they cannot easily simulate
  • Reduce the efficacy of zero day and targeted attacks
  • Improve your protection with an evolutionary step toward coordinated security

Roundtable

Leveraging Privileged Account Management Tools as the Core of Your Security Program

As networks become more open and interconnected, attackers are increasingly able to gain entry and begin their attacks. Given enough time, the keys to the kingdom can be compromised and used to bypass all of your security controls. 

Learn what hackers find to be their easiest avenues to gain critical data, and how Privileged Account Management software can immediately reduce your risk by securing these targets and protecting your critical infrastructure.

3:10 pm
-
3:40 pm

Executive Exchange

Thought Leadership

Evolution of CyberSecurity Organizations

This session will describe Lockheed Martin’s approach to cyber operations and the lessons we have learned in using Intelligence Driven Defense(R) (IDD) to advance Lockheed's capabilities along the cyber maturity curve. 

While a focus on people, process and technology isn't new, IDD establishes an advanced application of the Cyber Kill Chain(R) across these domains, which enables network defenders to stay in front of their adversaries, measure their effectiveness, and move from a reactive to predictive cyber posture that best utilizes the strengths of their cyber analysts.

3:45 pm
-
4:00 pm

Networking Break

4:05 pm
-
4:35 pm

Executive Exchange

Thought Leadership

Adversarial Alignment: A Hacker’s Perspective

Understanding how our adversaries operate, and what perspective they bring to our best-laid plans is critical to the success of any security team. 

In this session we’ll talk about the gap between the hacker we plan for, and the one we actually face. By looking at real-world exploitations of business logic and compliance-centric controls, we’ll build a better understanding of how to present ourselves as harder targets to hackers.

4:40 pm
-
5:10 pm

Executive Exchange

Think Tank

Shadow IT - To Embrace or Eliminate?

Best practice in most enterprises, at least as far as the CIO and CISO goes, is to squash Shadow IT wherever it is encountered. Shadow IT, the argument goes, leads to a world of data and integration problems for the IT department, and significant amounts of unknown and unquantifiable risk for the information security group. A small but vocal minority however is beginning to advocate for Shadow IT as a catalyst of innovation, citing the increases in productivity and creativity by allowing enterprise staff to find their own out of the box solutions to organizational problems. CISOs can allow their organizations to have their cake (Shadow IT) and eat it too (still be secure) by following a few simple steps that allow them to build in security regardless of user activity.

Takeaways:

  • Shadow IT is not malicious activity; it is simply the Line of Business user community looking to be efficient and effective
  • A well developed security program can take Shadow IT into account and incorporate protection mechanisms that allow end user flexibility
  • Embracing Shadow IT does not mean no holds barred and end users need to understand the limit of the boundaries and the reason for their existence

Think Tank

Maturing Your Cyber Security Program

With the continued focus on growth in cyber security, the need for a Cyber Maturity Model has become apparent. Understanding the current state of your program is critical in building a path forward.

Through the maturation of an organization’s people, processes and technology, a cohesion can take place; moving organizations from siloed and fragmented point solutions to a unified solution that drives your cyber security strategy.

In this presentation we will focus on proven methods of how to evaluate where your program is today and build a plan for the future.

Takeaways:

  • Recognize critical success criteria as well as pitfalls in building a successful cyber security program.
  • Understand the process and where your organization fits as it relates to the cyber security model.
  • Empowering your road maps through definition that is both tangible and achievable.
  • Learn about automating your cyber security program to improve processes
  • Understand the powerful visibility that metrics can provide to evaluate your program.

5:15 pm
-
6:15 pm

Executive Visions Panel

Women in Security

It is an unfortunate reality that there simply aren't enough women in the field of Information Technology, but when we look at IT Security specifically, perhaps the info-tech-y-est of the info-tech fields, the situation is only compounded with women being almost completely absent from staff and leadership ranks. Given that IT Security is definitively in a boom phase, that IT departments are already short-handed when it comes to qualified and capable staff, and that the situation is only going to get worse in time as growth in need further outstrips growth in demand, this clearly is a situation that desperately needs to be addressed. Quite simply we must all begin actively attracting women to the field of IT security to ensure the continued well-being of IT Security departments but this means addressing a wealth of factors ranging from lack of visibility as a career, absence of training and development opportunities, staggering pay inequities, and yes harassment of all forms.

Takeaways:

  • Women are less than half as likely to become IT Security specialists than men, and nearly more than half as likely to abandon the field within a year
  • Pay equity for women in IT security ranges from bad to worse with the national average being just 80% of what equivalently capable men make
  • Beyond just filling a sheer numbers gap, women bring unique skills and abilities to the field that if leveraged, just might help us improve enterprise security

6:15 pm
-
7:00 pm

Cocktail Reception

Join us for cocktails and casino night! Try your luck at the roulette wheel, roll the dice at the craps table, or see if the cards fall in your favor at the blackjack or poker table.  Don't miss out on tonight's specialty cocktails, fun games, and great conversation.

7:00 pm
-
8:30 pm

Networking Dinner

8:30 pm
-
10:00 pm

After Dinner Networking

Let the games continue! Take this chance to redeem yourself, or keep the lucky streak rolling!

Tuesday, November 8, 2016 - CISO Summit

7:00 am
-
8:00 am

Networking Breakfast

8:10 am
-
8:55 am

Keynote Presentation

Cybersecurity: If Only it Were That Easy

We see magic solutions, we hear about all the ways that tools can protect us from ourselves, our users, our enemies. And they look amazing, and they do amazing things. But we are still in the same place. What’s going on? When it comes down to it, there is a fundamental gap between what we think we see and what we do see. We have complex infrastructures that have grown up over years. Our users, both greatest asset and greatest risk, come from many generations and levels of sophistication. Our data, known, unknown, discovered and hidden in a little cache over on a home drive. So what’s the solution? You want a magic wand, right?

9:00 am
-
9:45 am

Keynote Presentation

Hackers Communicate; Your Security Technologies Should Too

Today’s advanced threats use coordinated methods to attack organizations of all sizes. Using numerous point products that work in a vacuum no longer provides adequate defense. The time has come to enable security products to share contextual information and close the gap left open by layered, standalone tools. Consider a security guard detail. Their most effective defense is their ability to talk to each other, share relevant information and act on that information. 

We’d never expect security guards not to talk, so why do we allow this isolation with our IT security? In order to prevent coordinated, sophisticated attacks, we need advanced threat protection that uses the same level of communication and collaboration. 

Takeaways: 

  • Learn the most important evolution you can make to stop targeted cyber attacks
  • See the critical role information sharing plays in your security posture
  • Understand why the industry has been slow to adopt a coordinated approach

9:50 am
-
10:20 am

Executive Exchange

Thought Leadership

Effectiveness of Your Information Security Program

The reality of today’s threat landscape is that no single product or service can address the myriad of threats to your business. The principles of multi-layered security architecture, integrating people, processes and technology, are more important today than they have ever been in the past. As organizations strive to find the right balance while under the pressure of shifting budgetary control and enabling the needs of business, there is a light at the end of the tunnel. By adopting best practices, developing operational processes, and fine tuning those procedures, you can drive increases in your operational security model.

Join our conversation to discover how to reduce ongoing expenditures by enabling the successful adoption of InfoSec controls, operated by educated staff and integrated into your organization's operational processes.

10:25 am
-
10:40 am

Networking Break

10:45 am
-
11:15 am

Executive Exchange

Roundtable

Cloudy with a Chance of Breaches

It’s not a question of if, it’s a question of when... when will your company be breached. The odds are high that you will be hacked, or already have been and don't know it yet. It’s time to re-evaluate your security approach from breach prevention to breach acceptance. 

This session will discuss this paradigm shift and key strategies on how CIOs are proactively protecting their most valuable assets to remain secure. 

Key takeaways:

  • Find out who is the biggest threat to your company's sensitive data
  • Learn how legacy solutions fail to protect data beyond the firewall
  • Discover how a data-centric approach secures the data wherever it resides: Cloud, Network, Access, Device

Roundtable

Using IBM i2 to Decode Cyber Threats

IBM i2 for Cyber Intelligence helps organizations understand who their adversaries are, the construct of their criminal network, their strategies, motivation, and locations by layering large, disparate quantities of Cyber and real-world data into a fused, comprehensive Intelligence picture, in order to better secure themselves from, and investigate, on-going cyber-attacks.

11:20 am
-
11:50 am

Executive Exchange

Roundtable

Do You Have Control of Your SSH Environment?

Most people don’t realize just how critical the SSH component is to their day-to-day operations or the prevalence of SSH within their network architecture. Nearly all network administrators use it on a daily basis to remotely access critical servers, and network appliances utilize it to execute commands as well as to help automate the secure transfer of files. SSH is the plumbing that allows for secure access and movement to occur across your network.

Unfortunately, enterprises haven’t managed their SSH environments; in particular, SSH key-based access typically has not been inventoried, provisioned and managed, leaving a glaring hole in their identity access and security postures.

In this table discussion you will be able to learn about how SSH user keys have no expiration date, and this in turn leaves an unknown and unwanted exposure of unused, non-rotated and deprecated user keys across your entire network. Root access, segregation of duty challenges, shared private key scenarios, decommissioned applications, SSH1 keys, aged keys, and keys with weak encryption are just a few of the many examples where SSH Communications Security can help you get back control!

Roundtable

APIs & Security

The volume of threat intelligence is growing exponentially faster than security stacks are evolving in most organizations. The ability to predict, deter and respond to attacks more rapidly really lies in programmatically connecting our security systems. 

This roundtable will explore methods of operationalizing and sharing threat intelligence through APIs. 

Discussion questions: 

  • What are your sources of threat intelligence? 
  • How are you sharing intel across the organization and industry? 
  • How does your security architecture enable or become an obstacle to operationalizing threat intelligence?

11:55 am
-
12:25 pm

Executive Exchange

Think Tank

Addressing Privacy on a Global Scale

Of all the risk management issues that present themselves to the modern-day CISO, perhaps the most difficult to address is that of privacy. In and of itself, privacy is no different a challenge than protecting any other sensitive information; however, the multi-jurisdictional impacts of the issue due to wildly differing laws between the US and European countries (as well as Canada, another country with strong privacy laws) make this an issue that is oftentimes overwhelming to address. CISOs must work diligently to ensure that their privacy efforts conform with the standards of any jurisdiction with which they might work or where their data might be held, and this is an almost overwhelming task.

Takeaways:

  • Privacy is one of the most challenging issues for any business and CISO to address
  • The difference in regulations between and among European countries (both those in and out of the EU itself) and North American ones means traversing a fraught landscape
  • A strong approach to privacy that addresses global differences is essential to being a stable and viable global business

Think Tank


12:30 pm
-
12:40 pm

Thank You Address and Closing Remarks

12:45 pm
-
2:00 pm

Grab and Go Luncheon