Concurrent Sessions (Select One)

Jun 15, 2022 12:50pm ‐ Jun 15, 2022 1:50pm

Identification: 003

Credits: None available.


Attack Tree-based Threat Modeling - Assessing & Mitigating Risk in an Objective Way

Jun 15, 2022 12:50pm ‐ Jun 15, 2022 1:50pm

Identification: SNAA2208

Credits: None available.

Most cybersecurity technologies deal with the past (logs, forensics) or the present (network monitoring, intrusion detection, anti-virus). Although necessary, these approaches are inherently reactive. Attack tree-based threat risk analysis deals with the future. Customers working in critical defense and aerospace applications have long used attack tree analysis to ensure that their systems' architectures will withstand both present-day and future attacks. In the attack tree analysis process, the analyst builds a graphical, mathematical model of the system they wish to protect, and descriptions of the system's adversaries. Analysis reveals the attacks the adversaries are most likely to use and the best countermeasures. It is especially applicable to industrial control system (ICS) security, and an ICS example will be presented.

Learning Objectives:
  • Attendees will learn how attack tree models can help them identify and prioritize the controls that will be most beneficial for their systems.
  • Discover how attack tree models can predict how their system is most likely to be attacked.

Networking & Exhibit Hall Break

Jun 15, 2022 1:50pm ‐ Jun 15, 2022 2:20pm

Identification: SNA22NS02

Credits: None available.


Concurrent Sessions (Select One)

Jun 15, 2022 2:20pm ‐ Jun 15, 2022 3:20pm

Identification: 004

Credits: None available.


Security Strategy as a Driver for Awareness & Training

Jun 15, 2022 2:20pm ‐ Jun 15, 2022 3:20pm

Identification: SNAA2209

Credits: None available.

This session will discuss Security Office services and roadmaps as inputs to strategically targeting Security Awareness and Training (A&T) activities. The overall A&T goal is intentionally designed to drive enterprise security culture shift and maximize training effort rather than focus on a security compliance framework. We'll highlight initiatives (SimPhishing program, Ambassador program, Security Academy, Self-service security portal, topical videos, etc.) that are used to achieve this goal, with examples of metrics of success.

Learning Objectives:
  • Develop security team roadmaps with strategic intent to drive business deliverables and show ROI
  • Select security awareness activities that align with identified risk areas and security culture objectives
  • Establish and evaluate metrics of security awareness activities

Fireside Chat: The Power of Diverse Voices in Cyber

Jun 15, 2022 2:20pm ‐ Jun 15, 2022 3:20pm

Identification: SNAA2210

Credits: None available.

Statistics show that an increase in diversity and inclusion within cyber is imperative to securing diverse communities across the globe. Yet, how does that diversity truly impact and create a more sustainable cyber profession? In this fireside chat, we’ll discover how elevating and creating space for more diverse voices leads to that sustainability. We’ll talk with Anthony Hannon, CISSP, CISM—a leading voice in DEI in cyber—and discuss his journey in the profession and how he has navigated his own sense of belonging in cyber.


Concurrent Sessions (Select One)

Jun 15, 2022 3:30pm ‐ Jun 15, 2022 4:30pm

Identification: 005

Credits: None available.


Data Governance: Mapping Your Way To Success

Jun 15, 2022 3:30pm ‐ Jun 15, 2022 4:30pm

Identification: SNAA2211

Credits: None available.

This presentation will discuss the tug of war between data-centric regulation and risk management, and data-centered growth and opportunities. Participants will experience a unique perspective on governance and compliance that puts it in conflict with business growth and societal expectations, with an organization’s data assets at the center of the conflict. Through imagery, storytelling, and discussion, attendees will learn how to strike a balance between control and growth.

Learning Objectives:
  • Discuss the forces driving change in the data and data governance landscape.
  • Understand the current imperatives for data governance and protection.
  • Identify strategies that can drive success in a data governance process.

Decomposing What's Needed for Security Program Effectiveness

Jun 15, 2022 3:30pm ‐ Jun 15, 2022 4:30pm

Identification: SNAA2212

Credits: None available.

Cybersecurity is about determining what capabilities you have compared to what is needed, choosing how much of the gap to close, and then accepting or transferring the residual risk. Simple. Yet apparently unattainable. Why? In this session, we will explore the challenge from an executive leadership perspective, then break out the applied fundamentals of decomposition and recomposition of a best-fit stack, how to determine if it is operating effectively, and how to preserve effectiveness based on changes in posture and the dynamic threat landscape.