11:00am - 12:00pm EDT - October 18, 2021

Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V900- Craig Carpenter
Track: Regulation
Credits Available:
1.00 CPE
Law and regulation are of increasing importance for information security programs and professionals. Cybersecurity risks are directly tied to legal and regulatory risk. This presentation provides a foundational knowledge of law and the specific laws applicable to cybersecurity programs. It demystifies and explains important legal concepts as well as the evolution of law and regulation applicable to cybercrime and cybersecurity. All of this empowers infosec pros to understand and comply with the growing body of legal rules, and have productive conversations about the law.


Objectives:
  • Understand foundational legal concepts and how they relate to information security.
  • Understand the evolving legal and regulatory framework surrounding information security, cybersecurity and privacy.
  • Communicate more effectively about laws, regulations, and how they relate to information security programs and actions.
02:45pm - 03:45pm EDT - October 18, 2021

Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V900- Craig Carpenter
Track: Student Focused
Credits Available:
1.00 CPE
Cybersecurity employee shortages put a demand on current professionals to find qualified applicants. Participants will be introduced to numerous educational career paths they can employ while developing their careers. Each path will be explained along with the significance of following that path, with an emphasis on apprenticeships and the opportunities for advancing diversity. The many forms of networking will be explored, differentiated, and weighed for the importance of each.


Objectives:
  • Identify multiple educational career paths for cybersecurity.
  • Differentiate the reasons apprenticeships are valuable to the employer and employees.
  • Compare the different means of networking and the importance of each to a career.
10:30am - 11:30am EDT - October 19, 2021

Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V500- Joe Trusso
Track: Professional & Career Development
Credits Available:
1.00 CPE
This talk suggests a wide list of non-fiction, non-textbook, cyber-related books that should be part of your reading list. These titles help put what we as cybersecurity professionals do in the broader context of international conflict, government and society. We all know the "what" and "how" of cybersecurity. A lot of these authors help provide the "why." Starting with Clifford Stoll's 1989 The Cuckoo's Egg and working through books that talk about current hot topics that touch on privacy, misinformation, e-commerce, ARPANET and international cyber conflict, we provide suggestions that should spark interest and discussion - including audience recommendations.


Objectives:
  • Have an extensive list of books to help inspire, enlighten and communicate to peers and co-workers a deeper understanding of why what they do is important.
  • Be inspired to seek out new books that help put the daily grind in a broader societal and historical perspective.
  • Know where to go to find historical knowledge of how the profession has evolved in recent decades.
11:45am - 12:45pm EDT - October 19, 2021

Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1300- Josh Ensley
Track: Governance, Risk & Compliance
Credits Available:
1.00 CPE
Ever wonder how we defined the programs that we have today? Many security professionals started with PCI, HIPAA or SOX compliance. This presentation will take you on a journey from the creation of the Computer Security Program for Mission Operations at Johnson Space Center, NASA. That program was based on data security principles, the Orange Book and the Computer Security Act of 1986. The journey continues through the creation of several more programs, adding compliance and metrics and, in the end, drawing on the past to create a program that was agile enough to meet the rapidly changing needs of the business during a pandemic. This presentation will focus on tricks, traps, lessons learned and standards created along the way.


Objectives:
  • Appreciate much of the history upon which many of our standards and programs are built.
  • Use (often forgotten) principles and lessons learned from the past to help create a data-centric and risk-based program that meets the changing needs of business.
  • Ask questions of a seasoned professional who has helped to create some of the processes and standards through the evolution of computer security, network security, and cloud security to cybersecurity.
01:45pm - 02:45pm EDT - October 19, 2021

Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V1200-Craig Ciccolella
Track: Small/Medium-sized Business Security
Credits Available:
1.00 CPE
Organizations are starting to understand the security risks that must be addressed within their organizations, resulting in businesses hiring CISOs, directors of information security, and other security professionals to address this problem. The question then becomes, where to begin? Using the NIST Cybersecurity Framework as a baseline will clarify the security gaps and what needs to be addressed. The next step is how this will be communicated to the C-Suite to obtain buy-in and, more importantly, budget. This session will present a process for security professionals to build an information security program from the beginning, obtain buy-in from executives, facilitate a culture of security throughout the organization and communicate security posture to the executive team in their language.


Objectives:
  • Use the NIST Cybersecurity Framework as a roadmap that can include metrics to determine progress.
  • Develop an outline of an information security program for small and mid-size companies.
  • Develop business cases for security controls and solutions that will be needed to reduce cybersecurity risk.
04:30pm - 05:30pm EDT - October 19, 2021

Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V800-Paul Jackino
Track: Supply Chain Security
Credits Available:
1.00 CPE
Recently, the U.S. has fallen victim to the most pernicious and skillful cyber espionage campaign known in our history, SolarWinds. The days to come will reveal more vulnerabilities, other points of weakness in the supply chain and further weaken technical defenses. Supply chains are complex and ever-changing. Consider third-party integrators, addition of new software or hardware products into the environment, and employees of the companies that make up the supply chain. Today’s dynamic technology fabric creates a greater need for due-diligence and common security control baselines as a standard for doing business. Basic reviews typically focus on “questionnaire” type audits that don’t address or satisfy the risks of the third-party workforce. (The 2018 (ISC)2 Cybersecurity report noted that 33% of small businesses admit that their employees had mishandled client credentials.) We, as leaders in cybersecurity, must begin to seriously address all aspects of the supply chain and respond to the weakest links.


Objectives:
  • Understand components of the supply chain and frameworks for assessing cybersecurity risks.
  • Understand how Zero Trust enables better third-party risk management.
  • Discuss a roadmap for a successful supply chain insider threat program.
10:30am - 11:30am EDT - October 20, 2021

Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V600-Taylor Rondenell
Track: DevSecOp
Credits Available:
1.00 CPE
In a time when DevOps is becoming commonplace, there is a desire for rapid technical automation and deployments to keep up with the pace of demand by organizations. The lightning speed at which this occurs can lead to security being an afterthought that has to be bandaged at a later date. By integrating a security capability into the culture of the organization, security can be "shifted left" and DevSecOps can be ingrained. This results in proactive protection of the organization's key services. The need for tactical solutions is reduced and the strategic security posture is enhanced.


Objectives:
  • Understand what DevSecOps is.
  • Understand why DevSecOps is needed.
  • Understand how DevSecOps can be implemented.