The Power of Community

Oct 10, 2022 7:00am ‐ Oct 10, 2022 8:30am

Identification: SS2201a

Credits: None available.

We are empowered to change the world together, and all it takes is you. We kick off (ISC)² Security Congress 2022 with a series of compelling explorations of the ties that bind the cybersecurity community together. First, (ISC)² CEO Clar Rosso will discuss how our association is advocating for you and taking on a growing role in connecting governments, businesses and individuals to create a more secure cyber world. Ann Dunkin, Chief Information Officer for the U.S. Department of Energy, will share her insights on the importance of collective defense. Next up, SCYTHE Founder and CEO Bryson Bort will explore the implications of emerging technologies, why attackers continue to win and what it means for our community. In her address, CEO and Founding Board Member of the Women's Society of Cyberjutsu Mari Galloway, CISSP, will speak to the ways you can follow in her path of giving back and empowering the next generation of cybersecurity professionals. Finally, DataRobot Chief Information Security Officer Andrew Smeaton, CISSP, will share his personal, harrowing experience traveling to war-torn Ukraine to ensure members of his team were out of harm's way. Join us. Be inspired. Learn how you, too, can help make the cyber world safer and more secure.


Solutions Theater Presentation - What Developers Want! - For Application Security Training & Education - Sponsored by Security Compass

Oct 10, 2022 8:35am ‐ Oct 10, 2022 8:55am

Identification: SC22ST5

Credits: None available.

Application security expertise is scarce in most organizations, and it can be challenging to ensure development teams get the training they need to build secure and compliant products. Innovative training techniques such as hands-on coding exercises, gamification and microlearning have gained popularity, but are they effective? In this presentation we will share the results of a 2022 primary research study and customer interviews, and provide insights into how developers educate themselves today and what they find most valuable in training. We will also introduce models for how organizations can optimize staff time spent on training while improving developer-centric AppSec knowledge and building team culture through:
  • Incentivizing and scaling industry-recognized certifications while delivering coding-language- and role-specific training to secure all stages of the SDLC
  • Delivery of just-in-time contextual training that fits into developers' workflow
  • Introducing trackable mechanisms to monitor the relationship between the granular dissemination of security knowledge and the reduction of product vulnerabilities and risk

Learning Objectives:
  • Understand problems developers face with training & reference material
  • Understand the level of maturity and knowledge of security in developers
  • Assess the reception of developers to different techniques and formats
  • Distinguish the needs of the developer vs. business decision makers

Now More Than Ever: Ethics in Cyber

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: SC2203

Credits: None available.

(ISC)² is built on an ethical foundation, and ethical issues within the cybersecurity profession are increasingly taking center stage. In this session, we will share results from a recent (ISC)² survey and explore the issues that your peers are grappling with today in the workplace. Join us as our panel of professionals shares real-life case studies and explores solutions. Come prepared to think outside the box and grapple with difficult ethical choices.

Learning Objectives:
  • Better define the (ISC)² Code of Ethics Canons and their relevance to the everyday activities of our profession.
  • Define and describe how ethics acts as a foundational element of the information security professional's practice.

OWASP Top 10 Risks

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: OWASP

Credits: None available.

Security is not a post-development check – it’s a mindset, spanning design, development and testing. OWASP – the Open Web Application Security Project – is a community that produces articles, methodologies, documentation, tools and technologies in the field of application security. In this talk, I will cover the OWASP Top 10 risks as well as how certifications can help in the world of AppSec. I will also share how you can build a sustainable program with open source resources.


Trust No One: Practical Zero-Trust for Cloud

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: SC2204

Credits: None available.

The concept of zero trust has become the gold standard among security methodologies enabling remote work and BYOD, and it became even more critical as the pandemic revolutionized the work-from-home paradigm. The challenge, however, is that implementation can be daunting: there are different interpretations of "zero trust" and a whole field of products, each claiming to be the complete solution.

In this session, we discuss practical implementations of zero trust in cloud environments that can get you well on your way to an agile, secure and maintainable environment, one that can extend to any of your organization's resources. At the conclusion of the session, resources are shared to help attendees get started on zero trust initiatives in their own organization, public or private sector.

Learning Objectives:
  • Define zero-trust principles and architecture.
  • Describe the process for starting realistic zero trust initiatives at their organization.
  • Implement the basic architecture principles necessary for a zero trust foundation in cloud environments.

Fortify Your Cloud Security - sponsored by Sysdig

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: SC2209

Credits: None available.

Lifting and shifting workloads to the cloud without tooling changes is a losing proposition. Traditional tools and processes fail, don’t provide adequate visibility, or don’t provide appropriate cloud and workload context. And there’s the agent-based vs. agentless debate. It’s no wonder security teams can feel overwhelmed as they struggle to implement a solution that affords timely, reliable, and comprehensive security outcomes. Discover how utilizing a combination of agent-based and agentless cloud-native security tooling can provide outcomes far superior to either solution on its own.

Learning Objectives:
  • Learn how utilizing a combination of agent-based and agentless cloud-native security tooling can provide outcomes superior to either approach on its own
  • Understand how to leverage open source tools such as Falco for runtime threat detection and cloud security monitoring
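The kind of runtime detection the second objective refers to is expressed in Falco as a rule over syscall events. The rule below is an added illustration written for this page; it is not from the session or from Sysdig's own rule set. It uses Falco's standard syscall event source and field names (evt.type, evt.dir, container.id, proc.name, proc.tty, user.name, container.name, container.image.repository, proc.cmdline, proc.pname); the rule name, the list of shells and the priority are the editor's choices, not anything the session specifies.

```yaml
# Added example (not from the session or Sysdig's rule set): a standalone Falco
# rule that flags an interactive shell started inside a container. It spells out
# the conditions that Falco's default rules wrap in macros (spawned_process,
# container), so it loads without depending on them.
# Rule name, shell list and priority are the editor's choices.
- rule: Interactive Shell in Container (example)
  desc: An interactive shell was spawned inside a container with a TTY attached
  condition: >
    evt.type in (execve, execveat) and evt.dir=<
    and container.id != host
    and proc.name in (bash, sh, zsh, dash, ash)
    and proc.tty != 0
  output: >
    Interactive shell in container (user=%user.name container=%container.name
    image=%container.image.repository cmdline=%proc.cmdline parent=%proc.pname)
  priority: NOTICE
  tags: [container, shell, runtime_detection]
```

Load the file alongside the default rules (for example with Falco's -r option pointing at this file) and trigger it with docker exec -it into any running container; the proc.tty != 0 clause is what separates an operator's interactive session from non-interactive scripts that also spawn a shell, which is the sort of context an agentless, snapshot-based scan cannot observe at all.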

Are Deepfakes Really a Security Threat?

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: SC2207

Credits: None available.

The capabilities for creating quality deepfake audio, image and video content have been rapidly improving in recent years due to advances in artificial intelligence and machine learning. While this raises many individual privacy concerns, are deepfakes really a security threat to organizations? This talk will explore the organizational security concerns posed by deepfakes and what organizations can do to combat these threats.

The presentation will explain the fundamentals of deepfakes, including how they are created, practical detection methods a human can apply, and automated machine-learning-based detection processes. Real-world incidents of deepfakes impacting organizations will be presented and discussed. The talk will conclude with recommendations for practices organizations can adopt now in order to stay ahead of the emerging threats posed by deepfakes.

Learning Objectives:
  • Describe how deepfake content is created and approaches to detecting it.
  • Understand how deepfakes can pose threats to organizations.
  • List actions that an organization can take to limit the risks posed by deepfakes.

Digital Governance: A Fireside Chat with IAPP and (ISC)²

Oct 10, 2022 9:00am ‐ Oct 10, 2022 9:55am

Identification: SC2208

Credits: None available.

Join IAPP President and CEO Trevor Hughes and (ISC)² CEO Clar Rosso as they discuss the future of digital governance. Where is the intersection of privacy and security in digital governance, and how can professionals position themselves to be at the forefront?


Career Center Series (Virtual): The Best Ways to Develop Leadership and Soft Skills.

Oct 10, 2022 9:00am ‐ Oct 10, 2022 10:00am

Identification: CCSV07

Credits: None available.

Everywhere you look, studies say that having the technical skills is great, but to succeed in your career you also need people skills. According to Indeed, "hard skills show off your experience and understanding of a particular, measurable ability; soft skills often indicate your ability to work with others and grow within a company". But how do we best build our soft skills, and can this be done quickly?

Developing soft skills requires new and challenging environments, but we will not necessarily get these from our current positions. Community volunteering is a great way not only to give back but to grow the key leadership and communication skills that complement our technical skills. We will also examine other key aspects of community involvement that support the development of leadership and soft skills.


Impacting and Actionable Dashboards to Monitor Security Posture and Engage with Senior Management

Oct 10, 2022 10:05am ‐ Oct 10, 2022 11:00am

Identification: SC2210

Credits: None available.

Efficiently and regularly monitoring your security posture is a big challenge, given the volume of security events we collect and the growing need of C-level management to be able to trust our security environment. How do we design and maintain secure operational conditions at a reasonable cost? Which indicators should be the focus among the variety of security events produced? And how do we make those indicators both actionable for security SMEs and readable for senior management?

This presentation will focus on the following challenges:

- Strategy and risks
- Human factors
- Operational security
- Operational resilience

We'll take a deep dive into the various indicators, both KPIs and KRIs, that enrich those four areas, including a live demo.

Learning Objectives:
  • Select, from the galaxy of security events we manage day to day, meaningful indicators and promote them, managing both KRIs and KPIs that are impactful for senior management.
  • Produce such a dashboard at a reasonable cost and the right frequency, leveraging an industrialized approach and user-friendly tooling.
  • Implement the right governance to make the most of this dashboard and, because risk is the common security language, engage efficiently with business management.