Session One – Aligning people, processes and technology with governance and strategy
- Governance and management
- Breaking down risk
- The cyber skills gap
- The human factor in security
- Embedding IT & business strategy
- Defending your digital infrastructure
- Re-thinking mobile trust
Conference Chair’s Opening Address
Sarb Sembhi – Former President, ISACA London
Security, Accountability, and Self-Reflection
Greg van der Gaast – Head of Information Security, University of Salford
How are we doing?
Security spending is at its highest level ever, so is staffing, so is security technology. Yet breaches are increasing exponentially, security professionals are burning out – unable to make an impact, the average CISO turnover is half the time you need to have any chance of putting together a security programme, and cynicism is rife among our peers and ourselves.
We accept a model for doing security and risk management, an approach that has never worked, as the correct way. We shun new ideas, insisting we need to keep ramping up the same approach until it works, and ultimately stepping further and further away from the answers.
Let’s discuss what doesn’t work, why that is, what does, and why the “impossible” isn’t.
Let’s reflect. Let’s do better
The cyber skills gap: is it real?
We are led to believe that there exists across all industry and sectors a skills gap in cyber-security. Industry, media, academia have all come to consider this popularised opinion as fact. Whilst it is true that demand is outstripping supply, perhaps there is simply a misalignment in focus as to how best to address such a perceived gap in capabilities.
Rather than looking for the typecast cyber-security practitioner, organisations need to start looking for talent in unoriginal contexts to plug the gap in recruitment. Being able to teach the technology and taking advantage of transferable skills is key if you are to secure the right talent for your organisation regardless of background.
- The value in abandoning the checklist of security qualifications
- Treating the right behaviours as a valuable asset
- The value of on the job training
- Looking beyond traditional recruitment metrics
- Breaking down the institutionalised nature of security recruitment
Addressing internal and external error: the human factor
Even with the most secure, sophisticated architecture in place, human error, both internal and end-user, represents the most significant gap in your defence.
Humans are susceptible to phishing attacks, using sensitive information off-site or deploying security services in either unnecessary contexts or not disposing of them when most needed. Added to this, we live in the age of enterprise information overload in which both human-centred and automated processes lead to false flag alerts. This highlights both a lack of organisational scalability and technological innovation.
- Development of company policies
- Deployment of holistic standard tools
- Investment in training
- Adopting a long-term approach to upskilling
Creating a Risk-Aware Culture to Mitigate Risk
With more than 60% of incidents being credited to the human factor of cyber risk, more enterprises are looking for the root causes of risky employee behaviours and the aspects of workplace culture that could positively contribute to mitigating this risk. We consider:
- The importance of creating a risk-aware culture
- Gathering incident benchmarks that help prioritise culture challenges and needs
- Obtaining ideas for improvement directly from employees
- Segmenting the workforce to identify the most vulnerable populations
- Identifying the practices that drive security-conscious behaviours
Breaking Down Risk
Omer Maroof – Head of IT Risk UK & Ireland, Euroclear
Organisations are continuing having to do more with less, and Technology Risk teams are no exception. While expectations continue to rise – in the face of ever-increasing cyber incidents, regulatory pressure and challenge from boards – at the end of the day, resources and funding are finite. Technology Risk teams are responding by rightfully maintaining focus on the pertinent areas and enhancing risk metrics and reporting.
However, it is time to take a step back and think about alternative methods and solutions that have not received the right level of attention and challenge the status quo. In this session, the speaker will share some perspectives, insights and key takeaways of the last decade covering concepts such as threat analysis, risk appetite, risk metrics and risk events to help you cost-effectively channel resources.
Predictive Prioritisation: How to Focus on the Most Critical Vulnerabilities
With CVSS disclosing more than 15,000 new vulnerabilities per year – most of them categorised as high or critical – how can you identify the biggest threats to your business, and know what to patch first? We explore:
- Why precise predictive prioritisation matters
- Why rules-based prioritisation approaches and traditional vulnerability management efforts fall short
- Applying machine learning to build and compare a series of remediation strategies
- Adopting ML approaches that consider multiple data sources of vulnerability data, third party vulnerability and threat data
Questions To The Panel Of Speakers
Refreshment Break Served in the Exhibition Area
Information security: defending your digital infrastructure
As is common within the enterprise landscape, every so often a new, dynamic threat appears and highlights the shortcomings in existing security architecture.
An effective and dynamic security architecture allows you to signpost how you should manage the evolving threat, what action to take following successful penetration, and how to maintain a suitably aggressive posture.
Such threats emanate from well-funded criminals who are working to steal your data to benefit either themselves, third parties or state actors. To combat this, you must maximise the extent to which you can defend your digital ecosystem.
- Today’s threat landscape
- Threat character and motivation
- Adopting a zero-trust model
- Developing robust detection and incident response capabilities
Aligning IT with your business strategy: the role of the CIO
Ian McKay – CIO, Brookson Group
Enterprises must prepare themselves for the increasing enmeshing of people, devices, content and services created by models, platforms and the services that support businesses. This increasing complexity requires an aligning of your IT strategy with your business strategy into a single strategic approach designed to meet increasing security concerns and address the risk related to opportunities.
We explore how to position information and technology at the heart of your business strategy, the CIO’s role in shaping such policy, its components, where IT is embedded and how to continuously recalibrate to maximise business benefit.
Making the Business Case: Articulating Risk to the Board
Just a small percentage of boards report having a full level of engagement regarding cybersecurity and digital transformation, and more importantly, very few — 5 per cent or less — full-board meetings focus on cybersecurity.
Join this session to:
- Understand the importance of articulating cybersecurity risk to the board
- Learn ways to frame strategic cybersecurity discussions that are more akin to the way organisations consider other risks
- Elevate the discussion to financial risks – how to present business metrics and market growth to impact decision-makers
- Acquire tools that leverage storytelling to create compelling cases
Questions to the Panel of Speakers and Delegate Movement to the Seminar Rooms
Networking Lunch Served in the Exhibition Area
Session Two – Aligning governance & strategy with technology
- Designing secure IoT devices
- State of application security
- Deploying CASB in the cloud
- Architectural trends in IAM
- Centralised risk management
- Deception as a key security tool
- Preventing highly evasive attacks
Conference Chair’s Afternoon Address
Sarb Sembhi – Former President, ISACA London
Securing IoT: enhancing enterprise visibility
Making assumptions about your enterprise’s connectivity security is an error many make when utilising such high technology for personal and industrial use.
The degree of connectivity offered by IoT is impressive, but so is the risk in security it represents as the organisational attack surface continues to expand. The more device types and form factors that are required to deal with, the more difficult it is to maintain visibility.
- Penetration testing beyond traditional boundaries
- Use attacker tools and techniques to test IoT devices
- Deploy effective change control & network security access controls
- Moving beyond a baseline of security
Beyond Detection: understanding security patterns to prevent evasive threats
The reality is that hackers do not reuse carbon copy methods to attack your network and instead deploy previously unused techniques and tactics. Equally true is the fact that security professionals cannot rely on threat intelligence alone for detecting such efforts.
We address identifying the key security patterns to prevent evasive threats without relying on detection tools alone.
Is the Cloud Secure? It's Easy if You Do it Smart
Francesco Cipollone – Director of Events, Cloud Tentative – Security Alliance UK; Head of Security Architecture & Strategy, HSBC Global Banking and Markets
The talk will take the audience on a journey on the cloud evolution, the recent hacks and the need to make security everyone’s responsibility.
We will explore major challenges in cloud transformation from an organisation and security perspective with top 8 solutions to address them.
- The shared responsibility models
- Foundation architecture
- Cloud pattern available
- Design security and security by design
- Gamification and the use of EoP in everything security
- Shift left and bringing security at the beginning of the development
- Security testing and automation
- DEV-SEC ops and the integration of Security and Business/Architecture
Architectural trends in enterprise IAM
The delineation between IAM, security, risk and privacy has all but faded away from the enterprise landscape as more identities, data sources and technologies are introduced.
One of the key reasons for such alignment is the shifting of applications to the cloud, proliferation of devices and the diversity of users. In response, businesses of all sizes and scale have placed increasing importance on investing heavily in perfecting their IAM architecture to resolve workforce to SaaS, on-prem workforce, customer and B2B IAM cases.
- Identity analytics
- Data privacy and consent rules
- The challenge of IoT
- The future of blockchain
Questions to the Panel of Speakers
Afternoon Networking and Refreshments served in the Exhibition Area
Centralising your security and risk-related activities
The application of effective risk management software provides the opportunity to identify, analyse, monitor, review and treat existing and potential threats and risks throughout your organisation. True also is its ability to align with risk-centric standards.
Deployment of a user-friendly tool will give you the cutting edge in strategic management, mitigation and prevent risk in your organisation.
Securing effective deception across your environment
It is universally accepted that conventional security methods will fail at some point no matter the architecture and supporting infrastructure, which is why organisations are increasingly deploying deception as the key against malicious attacks.
Rather than view deception negatively, businesses are increasingly turning the tables on hackers and mimicking their deceptive practices in the face of highly sophisticated phishing, malware and ransomware.
- Exercising deception-based detection at every layer
- Making the entire network a trap for the attacker
- Deception as an alternative to big data analysis
- Enhancing both network and IT security
Closing Keynote: The cyber imperative, DevSecOps
Michael Macpherson – Lead Information Security Architect, ClearBank
The reality is that application security is worsening. Throughout 2018 applications have continued to provide malicious hackers with ease of access compared to other potential attack vectors. The question is, why?
Some people point to the increasing role of DevOps teams and the need for many to yet evolve towards DevSecOps.
This is not the fault of the DevOps team, but rather a symptom of the continuing drive away from perfect to fast application development to decrease time to market. Security teams either lack the workforce or the time to maintain application security review processes.
Rather than reducing the speed of development, and therefore impacting brand reputation, it is better to look to the role of automation as an established technique to improve security.
We explore automated security testing and flawless integration of DevSecOps to elevate, embed and evolve your risk response.
Questions to the Panel of Speakers
Closing Remarks from the Conference Chair
Sarb Sembhi – Former President, ISACA London
Whitehall Media reserve the right to change the programme without prior notice.