Enterprise Security & Risk Management

27 November 2019

Victoria Park Plaza




Session One – Aligning people, processes and technology with governance and strategy

  • Governance and management
  • Breaking down risk
  • The cyber skills gap
  • The human factor in security
  • Embedding IT & business strategy
  • Defending your digital infrastructure
  • Re-thinking mobile trust
Conference Chair’s Opening Address
Security, Accountability, and Self-Reflection

Greg van der Gaast, Head of Information Security, University of Salford

How are we doing?

Security spending is at its highest level ever, so is staffing, so is security technology. Yet breaches are increasing exponentially, security professionals are burning out – unable to make an impact, the average CISO turnover is half the time you need to have any chance of putting together a security programme, and cynicism is rife among our peers and ourselves.

We accept a model for doing security and risk management, an approach that has never worked, as the correct way. We shun new ideas, insisting we need to keep ramping up the same approach until it works, and ultimately stepping further and further away from the answers.

Let’s discuss what doesn’t work, why that is, what does, and why the “impossible” isn’t.

Let’s reflect. Let’s do better

Questions, questions...

Simon Mullis, Director of Technical Account Management, Tanium

How can you answer the hard questions, if you can’t even answer the basic ones?

The ever-increasing complexity and scale of today’s environments and the drive towards Digital Transformation makes managing risk and achieving IT Hygiene extremely challenging.

The same old questions – which have required answers for nearly two decades and are made infinitely harder to answer in a world of endpoint heterogeneity, dynamic workloads, cloud computing and exponential growth in data creation – remain much harder to answer than they should.

Until now, we’ve sought to combat this complexity with ever-increasing investments in teams, tools, and processes. But whatever the chosen approach, whether renewing legacy products or deploying the latest point solutions, we still struggle to manage and secure our IT assets and ensure regulatory compliance.  Our teams and processes remain siloed and therefore, the goal of IT Hygiene continues to be a moving target.

Are you able to ask and answer critical questions within your environment today?

Using Metadata to Improve Network Security at Scale

Ollie Sheridan, CISSP Gigamon Principal Engineer, Security (EMEA), Gigamon

Understand what is meant by Metadata Find out how Metadata can improve your Security posture at Scale An explanation on how to use Metadata to understand the ramifications of an attack.

The Cyber Skills Gap: Is It Real?

Dr Sanjana Mehta, Head of Market Research Strategy EMEA, (ISC)2

Based on the latest iteration of the highly respected (ISC)2 Cybersecurity Workforce Study, we address:

  • The value in abandoning the checklist of security qualifications in favour of certification
  • Treating the right behaviours as a valuable asset
  • The value of on-the-job training to address skills shortages and career advancement
  • Looking beyond traditional recruitment metrics
  • Breaking down the institutionalised nature of security recruitment
Why engaging people matters

Denise Beardon, Head of Information Security Engagement, Pinsent Masons

While phishing tests and online guidance are the first steps towards building a better security culture, the most effective way to truly change behaviour is through personal training and engagement.

Join this presentation as we cover ways in which you can:

  • Ensure security belongs to everyone.
  • Measure behavioural change.
  • Communicate on a more personal level.
  • Deliver effective training.
Why Understanding Your Attack Surface Matters

Charl van der Walt, Chief Security Strategy Officer, SecureData, part of Orange CyberDefense

  • What does it mean to obtain and use ‘cyber intelligence’ in a manner that effectively prioritises scarce resource across the full spectrum of ‘Assess, Protect, Detect & Respond’ cyber security disciplines?
  • Threats in cyber-space arise for two main reasons; weakness in IT infrastructure and an interest taken by an attacker. Most businesses know they must mitigate cyber threats for their own good but also because regulators require them to.
  • But the threat landscape is ever-changing as technology evolves and attackers innovate. Ensuring an organisation has the skills, agility and underlying platforms and processes to understand, detect and manage cyber threats is one of the most compelling challenges faced by any 21st-century business. Regulatory changes have pushed to issue up to board level.
  • What should the priority be for an organisation that wants to improve its cybersecurity posture, finding and removing vulnerabilities in its infrastructure or assessing the external threats it faces?
Questions To The Panel Of Speakers
Refreshment Break Served in the Exhibition Area
Making a Cloud-First Strategy a Reality

Danny Phillips, Senior Manager of Systems Engineers, Zscaler


  • Legacy IT debt, unfinished upgrades and compliance are all quoted as reasons to delay cloud adoption.
  • Meanwhile, new entrants to the market are able to start from an unhindered position.
  • Has the new entrant got the edge?
  • If you were able to start your business again from scratch, and plan the next five-year IT strategy, what would it consist of?
  • Join our session to discover how you can implement a cloud-first strategy amidst legacy architectures.
CASB: Enabling Secure Digital Transformation

Raif Mehmet, Regional Sales Director, UK & Ireland, bitglass

While Cloud Access Security Brokers (CASBs) were originally used solely for shadow IT discovery, they have since emerged as the de facto standard for real-time cloud data & threat protection, securing a rapidly evolving enterprise cloud footprint, including SaaS, PaaS, and IaaS. For many, the question isn’t whether or not they need a CASB, but rather, how best to leverage a CASB for maximum impact. This session will focus on an immediately actionable use case from a financial institution that you can implement in your company immediately, including:

  • The most commonly used cloud security policies
  • Architecture, deployment and integration considerations for a financial institution
  • Case study from major financial services institution
A New Era of Cyber Threats: The Shift to Self Learning, Self Defending Networks

Josh Lamming, Cyber Security Manager, Darktrace

The Enterprise Immune System: The World’s Leading AI.

This session will explore:

  • Leveraging machine learning and AI algorithms to defend against advanced, never-seen-before, cyber-threats as seen Fish Tank installed into North American Casino, Darktrace identified anomalous data transfers to an external source, and a major case of data exfiltration avoided.
  • How new immune system technologies enable you to pre-empt emerging threats and reduce incident response time
  • How to achieve 100% visibility of your entire business including cloud, network and IoT environments
  • Why automation and autonomous response is enabling security teams to neutralize in-progress attacks, prioritise resources, and tangibly lower risk as seen when Employee logged into personal email and inadvertently downloaded stealthy, malicious ransomware which was identified and dealt with in just 33 seconds.
Questions to the Panel of Speakers and Delegate Movement to the Seminar Rooms
Seminar Sessions
Networking Lunch Served in the Exhibition Area

Session Two – Aligning governance & strategy with technology

  • Designing secure IoT devices
  • State of application security
  • Deploying CASB in the cloud
  • Architectural trends in IAM
  • Centralised risk management
  • Deception as a key security tool
  • Preventing highly evasive attacks
Conference Chair’s Afternoon Address
Technology Risk – Reflections of the Last Decade

Omer Maroof, Head of IT Risk UK & Ireland, Euroclear  

Organisations are continuing having to do more with less, and Technology Risk teams are no exception.  While expectations continue to rise – in the face of ever-increasing cyber incidents, regulatory pressure and challenge from boards – at the end of the day, resources and funding are finite.  Technology Risk teams are responding by rightfully maintaining focus on the pertinent areas and enhancing risk metrics and reporting.

However, it is time to take a step back and think about alternative methods and solutions that have not received the right level of attention and challenge the status quo.  In this session, the speaker will share some perspectives, insights and key takeaways of the last decade covering concepts such as threat analysis, risk appetite, risk metrics and risk events to help you cost-effectively channel resources.

Customer Case Study: Tackling Vendor Risk Challenges in Practic

Ignasi Riera, Vendor Risk Sales Manager, OneTrust

Managing IT vendor risk is a continuous effort for businesses under global privacy laws and security regulations. In this session, OneTrust will share a step-by-step approach for automating third-party vendor risk management and share a practical case study on how one of our clients successfully automated their program.

  • Review the drivers and challenges organizations face when managing third-party vendor risk
  • Identify priorities before, during and after vendor procurement
  • Takeaway a step-by-step approach for automating the third-party vendor risk lifecycle
  • Hear a real case study on how one client successfully automated their program with OneTrust
Making the Business Case: Articulating Risk to the Board

Yvonne Harrison, Group Head of Enterprise Risk and Assurance, Mothercare Plc

Recent studies by the National Association of Corporate Directors highlighted that risk discussions at board level are largely backwards looking.   Key to improving this is to effectively articulate all types of risk, including cyber, to the board.  During this session we will explore:

  • Why risk appetite is important
  • How to elevate the discussion of strategic risk to the board
  • The importance of ‘horizon scanning’ for emerging risks at the strategic level
  • Ways to frame strategic cyber risk discussions that are more akin to the way organisations consider other risks
  • How to measure risk appropriately, using key risk indicators
Security for the Future: Work Smart and Stay Safe

Helen Hosein, Customer Engineer, Google

For organisations today, cybersecurity can feel like a moving target. As IT teams look to step up their endpoint security strategy, a managed web browser can offer multiple layers of protection that help reduce the risk of malware, ransomware and other exploits that often target your users.

In this session, a Google expert will help IT leaders identify keyways to improve their current web browser security, while still empowering users to access the web and be productive.

Questions to the Panel of Speakers
Afternoon Networking and Refreshments served in the Exhibition Area
From Security Awareness to Human Risk Management: What Will it Look Like in 2025?

Sarah Janes, Managing Director Layer8, and Co-Founder, Security2Live

Flavius Plesu, Co-founder & CEO, OutThink, and Co-founder, Security2Live

Without fail, every security report identifies human risk as ‘critical’. But how many security professionals are satisfied with how their organisations manage human risk today? The statistics of successful behaviour change are dissatisfying at best, and at worst non-existent. This presentation will give you a glimpse of how organisations at the forefront of cyber security practice identify, measure and manage human risk.

We will introduce innovative approaches and methods required to create the security culture of 2025!

Security Business and architecture in DEV-OPS 2.0

Francesco Cipollone, Head of Cloud Security Alliance UK & Ireland; Head of Security Architecture & Strategy HSBC GBM; Director NSC42 

Security Phoenix, From the ashes of dev-ops inflaming security a new creature is born DEV-BIZ-SEC-OPS at pace and speed

The talk will take the audience on a journey from the origin of the security architecture, traditional waterfall framework and the evolution of those in a traditional DEV-SEC-OPS.

We will introduce concepts such as trust and Verify your developer, “Build vs FIX”, “own your crappy code”,downtendring vulnerability threshold and licence to code.

We will explore:

  • Security Gates and why they do not always work in dev-ops
  • Security governance: how to avoid starving innovation but do a security review
  • ESF: Enterprise Security Framework – Different between products, Environment/Platforms and applications
  • Modern SLDC cycle:
    • How to secure the design phase (design and requirements)
    • How to secure dev and test
    • How to convert threat modelling in use stories
    • Risk management and roles in DEV-SEC-OPS
  • How to Deploy in the production ensuring that the artefacts have been reviewed (break the pipeline vs trust and verify)
  • Prioritizing Vulnerabilities using CVE, Metaexploit code availability, Impact assessment
Closing Keynote: The cyber imperative, DevSecOps

Michael Macpherson, Lead Information Security Architect, ClearBank

Businesses around the world are continually on a mission to operate at a reduced cost while maintaining the competitive advantage and maximising profit, this is where the blend between developers and operations, comes into its own.

Where do traditional security teams fit into the DevOps world?

The truth is they don’t; there need to be a cultural shift and security teams need to start breaking down the walls between internal silos in order to understand how to create the balance between enforcing traditional security controls and adopting a more functional security approach.

Let’s discuss some of the pain points that DevOps teams have with the traditional security approach and how we, as security professionals, can become an integral part of securing the DevOps pipeline.

We explore automated security testing and the integration of DevSecOps to elevate, embed and evolve your risk response.

Questions to the Panel of Speakers
Closing Remarks from the Conference Chair
Conference Closes

Delegates depart

Please note:
Whitehall Media reserve the right to change the programme without prior notice.