ISC2 on Point with Careers: How to Lead High-Performance Security Teams

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

Learn how to be a better security team manager and leader. In this session, we’ll discuss the fundamentals of management. Find out what makes a great security team and how to hire. Understand emotional intelligence and what motivates team members. Get strategies for goal setting and performance evaluations. You’ll learn the importance of feedback and coaching.
Learning Objectives:
  • Outline what makes a great security team and how to hire.
  • Recognize emotional intelligence and what motivates team members.
  • Implement meaningful goals and evaluate performance.

Leverage SEC Board Cyber Reporting Rule Changes to Transform Your Security Culture

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

Board reporting for CISOs is about to become more daunting than ever. The SEC recently unveiled rules that significantly raise liability for public companies operating in the United States. They demand stringent oversight of cyber risk governance and incident reporting, imposing stiff penalties on board directors and officers for violations. For astute CISOs, the changes present a remarkable opportunity. This session will analyze the SEC rule changes and, through the lens of a risk buy-down model, consider methods to meet SEC requirements. We’ll look at how to transform the spirit of the law into a powerful force that holistically reduces risk and elevates the role of the CISO.
Learning Objectives:
  • Describe the new SEC rules affecting board cybersecurity reporting.
  • Utilize a cybersecurity risk buy-down model to programmatically establish board risk appetite and drive down security risk.
  • Apply methods to leverage the new SEC rules to improve the security culture at your organization and elevate the role of CISO.

Protecting the ML Pipeline: Practical Guidance for Securing Machine Learning Systems

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

Advancements in Machine Learning (ML) have enabled a surge in adoption of ML solutions to address problems across numerous domains. With this rising reliance on ML in many organizations, it is critical that such systems are protected from malicious activities. This talk will present ML-specific cybersecurity issues, discuss ML adversarial techniques, and explore case studies of real-world ML cyber incidents. Further, this presentation will describe secure machine learning systems development approaches and secure machine learning operations (MLOps) pipelines.
Learning Objectives:
  • Describe cybersecurity threats to machine learning systems.
  • Relate ways to protect machine learning systems from adversarial attacks.
  • Explain techniques for building secure machine learning systems development pipelines.

Zero Trust Threat Modeling

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

What does Zero Trust mean at the top of the technology stack? Apply the concept to threat modeling by understanding change in a Zero Trust world and considering a threat model of Zero Trust architecture. We’ll explore new design principles, introduce a mnemonic for applying the significant threats impacting Zero Trust, and expose a new taxonomy specific to Zero Trust applications.
Learning Objectives:
  • Describe new design principles in a Zero Trust threat model and apply a mnemonic and taxonomy of threats impacting Zero Trust applications.
  • Recognize what changes with threat modeling in a Zero Trust world.
  • Explain the impact of Zero Trust on threat modeling.

The Art of Privilege Escalation - How Hackers Become Admins

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

Privilege escalation is one of the most common techniques bad actors use to discover and exfiltrate sensitive valuable data. From their perspective, it’s the art of increasing privileges from initial access, which is typically a standard user or application account, all the way up to administrator, root or even full-system access. With NT Authority\System access or on the Linux root account, cybercriminals have full access to a system — and with domain administrator access, they own the entire network.
Learning Objectives:
  • Anticipate the ways bad actors escalate privileges.
  • Utilize proven tools to identify privilege escalation.
  • Apply strategies to reduce the risks of privilege escalation.

Cloud Architectures: Secure Experimentation and Innovation

Oct 25, 2023 10:25am ‐ Oct 25, 2023 11:20am

Credits: None available.

Dive deep into development, sandbox and production environments to implement guardrails, configurations and automation that drive practitioners to operate more securely. This session will identify how these architectures can create opportunities in vulnerability management and SLA enforcement by exploring real-world examples. Take back actionable and specific environmental configurations that maximize your ability to experiment and innovate while minimizing risk. Learn how introspection into business metrics can provide functional security operations value in minimizing the attack surface area of your cloud environments.

Learning Objectives:
  • Create secure environmental structures supporting DevSecOps practices.
  • Describe secure cloud environments and best practices for innovation and experimentation.
  • Demonstrate success and value through the correlation of business metrics with security data.

PII in the Sky: Maintaining Cloud Control when Access Extends Beyond the Service Edge

Oct 25, 2023 11:35am ‐ Oct 25, 2023 12:30pm

Credits: None available.

This session will explore recent innovations that underlie secure, performant solutions answering the need to control data even when it is held, processed or transmitted by other parties. The techniques deployed are infrastructure-agnostic and compatible with cryptographically enforced role- and identity-based access controls, end-user privacy preservation, authorized data recovery, multiparty computation and collusion resistant operations. Complex constructs such as ephemeral blinding and personalized tokenization are now accessible through no-code, low-code and full-code integration models.
Learning Objectives:
  • Assess the risks associated with data traversing beyond the security service edge, as well as those associated with the corresponding parallels to granular internal access controls.
  • Describe the fundamentals of novel techniques enabling federated, distributed access control on externally held data.
  • Apply solutions across adoption models to materially reduce the likelihood of breaches and their adverse impacts.

Cyber Risk Management from a CISO’s Perspective

Oct 25, 2023 11:35am ‐ Oct 25, 2023 12:30pm

Credits: None available.

Discover how to weigh the balance between cyber risk and operational requirements. We’ll discuss how to select a security framework and develop a vulnerability management strategy tailored to your organizational needs. Learn to recognize the impact of laws and regulations on security programs, and the importance of written information security policies and procedures.
Learning Objectives:
  • Apply risk-aware decisions for a balanced cyber risk management strategy.
  • Select security frameworks that are most appropriate for organizational requirements.
  • Develop a formal written information security program and define the reality of approving security exceptions.

Global Voices from N. America: On the Road Again – Mapping NIST’s Journey to Cybersecurity Framework 2.0

Oct 25, 2023 11:35am ‐ Oct 25, 2023 12:30pm

Credits: None available.

Join key influencers, policy makers and thought leaders from around the globe to hear their perspectives on regional cybersecurity issues impacting all corners of the world. Seize the opportunity to get answers to your questions from our featured guests. Hear the latest details about the road to the recently released draft NIST Cybersecurity Framework (CSF) 2.0—a document first developed in 2014 to help organizations manage their cybersecurity risk. Gain insights into some of the major changes that were unveiled in NIST’s latest draft publication, discover how to contribute feedback, and get an overview of the international impacts NIST has seen throughout the years. Attendees will also learn about what’s next along the journey to the CSF 2.0 in the coming years—and what new stops are planned along the way.

Incorporating User Experience into Enterprise DevSecOps

Oct 25, 2023 11:35am ‐ Oct 25, 2023 12:30pm

Credits: None available.

Cybersecurity has a history of being a black-box activity. Although injecting Sec into DevOps has brought security into a more visible role, cybersecurity is still too often focused on reviews and code scans. Sec fails to consider one of the most important parts of the system: the user experience (UX). Take back best practices to apply UX from a cybersecurity perspective and ensure security is equally represented across enterprise-wide UX activities.
Learning Objectives:
  • Identify the basics of User Experience (UX) and Human Centered Design and their applicability across the full spectrum of Sec activities within DevSecOps.
  • Apply UX to ensure cybersecurity is equally represented across enterprise-wide UX activities.
  • Adopt the expansion of Sec processes within DevSecOps to address the integration of UX activities.