Ransom-wave Aware

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778618

Ransomware is a combination of social engineering, deception, technology, encryption algorithms, stealth, data analytics, business analysis, high-pressure negotiation, and a highly unusual manifestation of customer service. Defending against ransom and ransomware is still a moving target. Every day, organizations that believe their ransomware defense is under control must deal with the cruel reality of breaches and long-lasting consequences. We take a fresh look at ransom-based attacks, drawing on recent, real-life events. Learn about current trends and discuss detection/prevention techniques. We provide a practical example of what to do if you are ever faced with a successful ransom(ware) attack, and how to bring this most difficult and stressful situation to the most acceptable outcome.
Learning Objectives:
  • Understand current ransom and ransomware attacks.
  • Create an action plan for approaching ransom and ransomware defenses.
  • Effectively prevent ransom and ransomware attacks.

Excelling in a cybersecurity career path

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778608

Cybersecurity employee shortages put a demand on current professionals to find qualified applicants. Participants will be introduced to numerous educational career paths they can employ while developing their careers. Each path will be explained along with the significance of following that path, with an emphasis on apprenticeships and the opportunities for advancing diversity. The many forms of networking will be explored and differentiated, with the importance of each.
Learning Objectives:
  • Identify multiple educational career paths for cybersecurity.
  • Differentiate the reasons apprenticeships are valuable to the employer and employees.
  • Compare the different means of networking and the importance of each to a career.

Pandemic, Proximity, and Privacy

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778610

This session will use a consumer-centric approach to address the ethical concerns posed by COVID-19 contact tracing technologies and the significant privacy harms due to the collection of sensitive personal information. We will outline the tradeoffs between the sharing of sensitive data to address the crisis and the privacy implications due to the re-identifiability risk while responding to public health emergencies during the pandemic. As we step through the data protection principles challenged while combatting the pandemic, we will consider possibilities for companies, researchers and regulators to recalibrate policies and support sharing of personal information to promote public health initiatives during outbreaks without jeopardizing individual privacy rights and freedom.
Learning Objectives:
  • Understand trade-offs between protecting an individual's sensitive information and the public's right to information during a public health crisis.
  • Evaluate privacy-preserving mechanisms to protect, store and re-purpose geolocation data safely, following the resolution of the pandemic in a privacy-aware manner.
  • Learn possible considerations for managing regulatory compliance during the pandemic between various stakeholders interested in responsible data sharing to support public health response.

SSCIM: An OSI-like model for Supply Chain Cyber Security

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778604

Supply chain security is challenging due to the inherent complexity of global supply chains. The challenge for supply chain security programs is the ability to manage the interdependencies of hardware, software, firmware, and the human relationships and factors that introduce a product into your environment. In Secure SCM, you are only as secure as a snippet of code lifted from GitHub by a coder paid for by a junior developer through an odd job posted on Fiverr. This same complexity was inherent when the Open Systems Interconnection (OSI) model set a standard communication and data processing structure that is still used today. We will propose a model to articulate supply chain risk, mitigating controls, and a risk scoring methodology for the security of the supply chain.
Learning Objectives:
  • Articulate the complex process of supply chain management.
  • Identify a model to manage supply chain risk.
  • Define mitigating controls and a risk scoring methodology for supply chain security risk.

Creating a virtual first line of defence for secure software development

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778606

This session sets out an approach that combines the security, IT risk and assurance domains to create a sustainable secure software development process. The approach first defines a set of common audit controls and designs them into the process, where they can be inherited by every change. Then it defines a set of tailored controls to satisfy the security requirements of each of the changes that flow through the process. Finally, it creates a virtual first line of defence, ensuring that as a change flows through the process, security requirements are met and common audit controls are inherited, resulting in every change passing through the development process being secure, compliant and authorized.
Learning Objectives:
  • Define a set of common audit controls to satisfy the audit requirements of each phase of the software development process.
  • Define a set of tailored baseline controls to satisfy the security requirements of each development change.
  • Use a process integrity tool to create a virtual first line of defence that designs these controls into the software development process and manages their day-to-day execution.

No Trust Without Verification - The Journey to Zero Trust in a Hybrid Environment

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778576

Security architecture is changing. Zero Trust is a response to accelerating trends that include flexible working, bring your own device (BYOD) and more services moving to the cloud. The increasing complexity of enterprise infrastructure has outpaced legacy methods of perimeter-based network security, which are also insufficient for preventing lateral movement once attackers have breached a network boundary. We need a new security paradigm. “No trust without verification” - removing inherent trust from the network and gaining confidence in users, devices and services - can be challenging to implement in a complex and shifting landscape of people, processes and systems. This session will focus on guiding principles and practical techniques that can be applied to plan your journey to Zero Trust in a complex hybrid environment.
Learning Objectives:
  • Define Zero Trust architecture design principles.
  • Describe how Zero Trust architecture design principles can be applied in a hybrid environment.
  • Understand the challenges of implementing Zero Trust architecture design principles in a hybrid environment with legacy systems, and be able to describe how to begin the journey to a Zero Trust architecture.

“Go Ask Alice”: Feed Your Head with Practical Approaches to the Ever Changing Regulatory Landscape

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1859825

The amount of data being generated on a daily basis has been growing rapidly over the last few years. For most organizations, this data is both indispensable and invaluable.

The problem is two-fold: (1) regulations are changing all the time and (2) methods for data management and governance range from manual records to privacy tools with all the bells and whistles. This program will bring together the observations and experiences of two perspectives, one legal-centric and one tech-centric, on how to assess and evaluate this problem. The goal is to create a discussion that will leave the participant with a high-level overview of state-by-state privacy requirements while arming them with a framework for determining the best methods to achieve defensible compliance.

Learning Objectives:
  • Provide background and an update on GDPR, CCPA and CCPA-like regulations in the US.
  • Compare the baseline requirements of the different schemes.
  • Discuss different approaches and tips for designing and implementing a compliance plan.

Exhibit Hall Break

Oct 18, 2021 2:45pm ‐ Oct 18, 2021 3:15pm

Identification: 1856935
Security Automation: Research Findings, Best Practices, and Lessons Learned

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778597

This presentation combines the findings of a doctoral study into security automation in the financial sector with real-world experiences in implementing security automation. The research focused on strategies financial institutions need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. Learn from the experiences of companies that have implemented or are implementing security automation. This session will look at what to expect from security automation (and what not to expect), how to decide what to automate, strategies to help ensure a successful security automation program and lessons learned from successes and failures.
Learning Objectives:
  • Describe the strategies for a successful security automation initiative based on the experiences of cybersecurity professionals from the financial services industry.
  • Demonstrate how to select practical use cases to achieve success and quick wins with security automation.
  • Describe common challenges and pitfalls of implementing security automation and how to avoid them.

How to Effectively Communicate to the Board about Third Party Risk

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778573

Cybersecurity risk posture only considers the capability of bad guys to penetrate network defenses, but the risk resulting from doing business with third-party vendors who have unvetted access to company data is just as great. Communicating this to a board of directors may pose the biggest challenge of all to cybersecurity leaders. Whether your company outsources to software developers not properly trained in security or uses a payment processing vendor whose cyber defenses are not as stringent as their customers', you are exposing your data to exploitable vulnerabilities. This session will detail the third-party risk issues that are fundamental to a mature cyber risk program and offer a process you can follow to effectively communicate this to your board.
Learning Objectives:
  • Discover how to evaluate a third party's security posture and perform a gap analysis to uncover any cyber gaps.
  • Explore tactics for explaining third-party risk to company board members.
  • Learn how to monitor vendors throughout the business relationship to identify any new cyber gaps and provide updates to the board.