The Power of Community

We are empowered to change the world together — all it takes is YOU. We kick off (ISC)2 Security Congress 2022 with a series of compelling explorations of the binds that tie the cybersecurity community together. First, (ISC)2 CEO CLAR ROSSO will discuss how our association is advocating for you and taking on a growing role in connecting governments, businesses and individuals to create a more secure cyber world. ANN DUNKIN, Chief Information Officer for the U.S. Department of Energy, will share her insights on the importance of collective defense. Next up, SCYTHE Founder and CEO BRYSON BORT will explore the implications of emerging technologies, why attackers continue to win and what it means for our community. In her address, CEO and Founding Board Member of the Women’s Society of Cyberjutsu MARI GALLOWAY, CISSP, will speak to the ways you can follow in her path of giving back and empowering the next generation of cybersecurity professionals. Finally, DataRobot Chief Information Security Officer ANDREW SMEATON, CISSP, will share his personal, harrowing experience traveling to war-torn Ukraine to ensure members of his team were out of harm’s way. Join us. Be inspired. Learn how you, too, can help make the cyber world more safe and secure.


Effective Cybersecurity Board Reporting

Boards and Executive Leadership Team interest in understanding cybersecurity risks and the responses by their organization in the face of those risks continues to increase year over year. As a result, cybersecurity leaders are increasingly called upon to be the “face” of cybersecurity and give effective BOD and ELT level reporting internally, and often to others outside the investors and key business partners. Knowing your audience is just the starting point to having successful and engaged reporting and updates to key stakeholders. How can today’s cybersecurity leader find the right balance of content width and depth, have and engaged conversation, provide information that resonates with your stakeholders through effective storytelling, and build confidence with your stakeholders.

Learning Objectives:
  • Learn an effective framework for more effective Board Reporting (not just Cybersecurity)
  • How to integrate effective storytelling into your Board Report
  • Keys to avoiding the "Bisque" Board Report generation approach


Trust No One: Practical Zero-Trust for Cloud

The concept of zero trust has become the gold standard of security methodologies enabling remote work and BYOD. This became even more critical as the pandemic continues to revolutionize the work-from-home paradigm. The challenge here, however, is that implementation can be daunting. There are different interpretations of "zero trust" and a whole field of products claiming to bring a full-field solution. In this session, we discuss practical implementations of zero trust in cloud environments that can get you well on your way to an agile, secure and maintainable environment that can extend out to any of your organization resources. At the conclusion of the session, resources are shared to help attendees get started on zero trust initiatives in their own organization, public sector or private.

Learning Objectives:
  • Define zero-trust principles and architecture.
  • Describe the process for starting realistic zero trust initiatives at their organization.
  • Implement the basic architecture principles necessary for a zero trust foundation in cloud environments.


Security metrics - how to measure it efficiently

Many organizations struggle to measure the effectiveness of their security controls, mostly due to misunderstanding what is actually a good metric. Organizations too often apply metrics and measurements that are out of their control. Is having more vulnerabilities better or worse? Well, it depends on who you ask. A software company wants to show it is diligent in identifying vulnerabilities; for others, it's more about showing they are more secure. We will explore good and bad metrics, including how to define, track and understand their contribution to the organization.

Learning Objectives:
  • Understand metrics that are in your control and those that are outside of it.
  • Define metrics that are measurable, consistent and contributing to the organization.
  • Conduct discovery sessions on helpful measurements and metrics for their organization.


Cybersecurity & Third-Party Risk: Third Party Threat Hunting

Based upon the book _Cybersecurity & Third-Party Risk: Third-Party Threat Hunting_ (endorsed by (ISC)2), we will break the old way of thinking that third-party risk is a compliance, check-box activity into one that is innovative and forward-leaning into the risk. Billions of dollars have been spent by CISOs to secure their organizations, and yet we've largely ignored our supply chain and third-party risk. From physical validation, contractual terms and conditions, fourth parties, due diligence optimization and predictive analysis, methods will be explored to drastically lower this risk area with solid cybersecurity due diligence and due care.

Learning Objectives:
  • Determine steps needed to develop a risk-based, cybersecurity-focused third-party risk program
  • Develop a risk-based, cybersecurity-focused program with physical validation and other due diligence, due care activities to drastically lower the risk from third-parties and their supply chain
  • Learn the steps needed to drop the reactive approach and become more predictive of third-party and supply-chain risks.


Hacking Gamification – Going from Zero to Privileged PWNED

Staying up to date and learning hacking techniques is one of the best ways to know how to defend an organization from cyber threats. Hacking gamification is on the rise to help keep cybersecurity professionals up to date on the latest exploits and vulnerabilities. This session is about helping you get started with hacking gamification to strengthen your security team. We will choose two systems from Hack the Box and walk through each of them in detail, explaining each step along with recommendations on how to reduce the risks. Going from initial enumeration, exploitation, abusing weak credentials to a full privileged compromise.

Learning Objectives:
  • Think like an attacker.
  • Be introduced to hacking gamification.
  • Learn how to do privilege escalation.


Enterprise Security Risk Assessment (ESRA)

Thirty years ago, cybersecurity was a small, often overlooked part of protective security. In 2022, cybersecurity is the core of all security activities. Cybersecurity, physical security, insider threat management, information security and security governance have never been more interdependent. Enterprise security risk assessments (ESRA) are essential in providing an integrated view of all aspects of an organization. But what is an ESRA? Some people might have you believe an ESRA involves conducting security audits on every network and physical site. Nothing could be further from the truth. The presenter has conducted enterprise security risk assessments for some of the world's largest government and commercial organizations for more than 30 years. This presentation describes what enterprise security means in the 21st century and how to conduct an ESRA.

Learning Objectives:
  • Learn what an ESRA entails.
  • Discover how to conduct an ESRA.


How to Establish a (successful) Security Strategy from Scratch

Maintaining a healthy security culture in a company is no easy feat. However, establishing such a culture can be even more challenging. In this session, Esther Pinto, CISO & DPO at anecdotes, will share her experience and present a roadmap for establishing a successful security strategy from scratch. Participants will learn where they should start, what to prioritize and who their key allies should be. Furthermore, the presentation will dive into how to approach balancing business and security needs at a young company looking to grow, and how to assess and define the company’s risk appetite.

Learning Objectives:
  • Understand the challenges of establishing an information security program from scratch.
  • Better understand the right approach to establishing a strong information security strategy and gain the relevant tools to build a detailed information security roadmap.
  • Better understand the different relationships that are important to build with various stakeholders and to better balance between business and information security needs.


Emerging threats against cloud application identities and what you should do about it

Many organizations have been laser-focused on user account security to defend against the increase in password spray and phishing attacks, implementing measures such as MFA and even moving to passwordless authentication. But recent cyber attacks show that adversaries are turning their attention toward application identities. Do you know what risky behavior your application identities are up to and how to protect them? Just as with user accounts, organizations will need to address application identities that are compromised through a compromised administrator, credentials-in-code or a malicious application pretending to be legitimate. In this session, learn about attacks against application identities -- how to detect these attacks as well as how to recover and defend application identities going forward against these emerging threats.

Learning Objectives:
  • Detect attacks against application identities.
  • Respond to application identity compromise incidents.
  • Take proactive steps to prevent application identity compromise.


Elite Security Champions Build Strong Security Culture

Everyone has a security champion program, but how effective is yours? Are you getting a solid return on investment? Security champions and application security mutually support each other through a security culture. Elite security champions require top-shelf skills and experience. We’ll explore the qualities needed for elite security champions. After unpacking individual abilities, we’ll cover the significant issues that must be addressed when building or enhancing an elite program, like branding, strategy and value proposition. Security champions provide a scalable solution for security capacity, providing an outlet for overworked security teams to magnify their efforts. If you do not have a program today or need a reboot, learn how to fill the halls of your organization with elite security champions.

Learning Objectives:
  • Define the elite set of skills and experience that make a security champion successful.
  • Explain the significant issues that must be addressed when building or enhancing an elite program, like branding, strategy and value proposition.
  • Apply these lessons to start a new champion program or reboot a floundering program.