SolarWinds and other recent cybersecurity events have brought renewed attention on zero trust architectures (ZTAs), and whether ZTAs can be a single solution to current and future threats. Organizations have become dependent on an ever-increasing number of third-party providers who do a greater percentage of overall services. Cybersecurity threat exposure is further complicated by the sage of cloud service providers, remote workers, Internet of Things (IoT) and Bring Your Own Device (BYOD). It is recognized that ZTA can be "a solution," but is it "the solution" for cybersecurity challenges of today and tomorrow? Organizations that partially or fully shift to ZTA need to understand the impacts to cybersecurity, and also the impacts to programmatics, organizational structures, financials and missions.

In the on-premises world, cybersecurity risks were limited to your organization’s network perimeter. In the era of cloud computing, both the impact and likelihood of potential risks are significantly higher. With the corresponding rise of DevOps methodology, security is now the responsibility of everyone who is part of the application development lifecycle, not just security specialists. In this session, we will present findings on methods and processes to build the cloud security framework that make sense for both your business and your developers. The session is based on real-life experiences from implementing cloud security programs in some of the largest enterprises in the world.

The shortage in skilled cybersecurity workers is well documented. Conventional wisdom suggests that the shortage was historically related to low unemployment in developed nations. However, the increased spike in unemployment due to the Covid-19 pandemic put this idea to rest. As such, it is critical to consider why the information security industry is simply unable to recruit enough men and women to meet global demand, identified by the (ISC)2 Cyber Security Workforce Study at more than 3 million needed today. This presentation will consider some of the potential causes for the skills shortage, what the opportunities look like and what we as cybersecurity professionals can do to create a more positive vision of our industry to attract the best and brightest to the field.

Digitalization is here to stay and critical infrastructures are not an exception. Even before the pandemic, we have seen an increased number of connected OT systems to the internet. It leads to no separation of IT and OT networks due to the increase in data, connectivity, complexity and costs. What makes the protection for the digitalization of critical infrastructure difficult is the convergence between IT and OT. Threats that normally impact IT can move between cyber and physical environments. Therefore, cybersecurity is a key factor for the success of digitalized critical infrastructure. The presentation will share key principles and guidelines the presenter developed and refined over the years working in several industries. The application of the principles has helped prepare and secure critical infrastructure for the future of digitalisation.

Join us for (ISC)2 Security Congress Town Hall to learn what’s next for (ISC)² and hear directly from members of the Board of Directors. CEO Clar Rosso will provide a strategic update for our association, including recent accomplishments and milestones, as well as what members can expect in 2022 and beyond. Then, a panel consisting of (ISC)² Board members and management will answer members’ questions about the association, membership, certifications, workforce trends and other cybersecurity issues and challenges facing the profession. Town Hall is open to (ISC)² members and associates, as well as all Security Congress attendees. Featuring: Clar Rosso, CEO, (ISC)² Zachary Tudor, CISSP, Board of Directors Chairperson Lori Ross O'Neil, CISSP Board of Directors Vice Chairperson Dr. Casey Marks, Chief Qualifications Officer, (ISC)²

It is very important nowadays to stay up to date with all of the cyber threats from around the world. It is widely known that there are not enough resources to be found to fill up every security operations center (SOC). Therefore, many organizations struggle with the massive amount of new type of attacks and generated alerts from their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint and cloud products. This session is targeted at SOC management, cybersecurity engineers, threat hunters and analysts. It will touch on threat detection, investigation and response.

Kubernetes has been the de-facto standard at T-Mobile, deployed across AWS, Azure, on-prem and using managed kubernetes services to support critical production workload applications at scale. Containers do offer many opportunities for building and deploying more secure applications and environments, but they also trigger new security challenges. This talk demonstrates how we took the challenge of securing 150+ clusters running 200,000+ containers in a strategic way to achieve shift-left security design coupled with flawless implementation, and backed by solid operational excellence guidelines in managing the T-Mobile Container Security Platform.

Every day companies - massive companies - get hacked. Why? Could it be what the company themselves leak through their own website, through DNS, through their staff. This talk will look at what operations security (OPSEC) is; how knowing your OPSEC can help protect your business, providing practical steps to better understand your leaks and what attackers will use to target you. We'll show real examples of OPSEC mistakes that impact the security of the organization and also show how attackers turn innocuous leaks into targeted attacks. Concluding, we'll outline how to mitigate some of your leaks and limit your exposures. Many of the secrets of the threat intelligence community are achievable yourself using basic open-source intelligence exercises. Get your Google-Fu on this will be fun!

HITRUST is the most-sought certification by healthcare organizations but the cost, resources, and time required are daunting. On average, the direct and indirect costs and time of achieving the HITRUST certification are more than $300K+ and 18 months. At Ginger, we took a different approach and completed our HITRUST assessment in less than half that budget and 11 months. This presentation will outline how nine best practices and projects implemented at Ginger helped us in our HITRUST journey. These practices include the best course for obtaining management support, implementing cross-functional projects between technical and governance teams, starting an organization-wide security program, pre-work required for the audit, tools that helped us, and lessons learned.