Cart 0

2019 Speaker List

Keynote: The Honorable Mike Rogers - Former Chairman, House Permanent Select Committee on Intelligence/National Security Commentator, CNN

How Adversaries are Weaponizing Data

Keynote: Jim Routh - CISO, MassMutual

Future of Third Party Governance

Dave Batz - Senior Director, Cyber & Infrastructure Security, Edison Electric Institute

Leveraging Contractual Frameworks to Manage Supply Chain Risk

To facilitate managing cybersecurity supply chain risks, a committee of representatives of EEI member companies developed a Model to align cybersecurity requirements and to encourage adoption by the vendor community. Recognizing the importance of procurement in managing supply chain risk, but the Model includes language that goes beyond compliance requirements with the goal of improving cybersecurity. The Model provides a starting point for negotiations with vendors and service providers.

Jill Czerwinksi - Partner, Crowe LLP

From Ongoing Monitoring to Ongoing Action: Transforming Your Monitoring to Reduce Risks

Many companies have invested in continuous monitoring tools and technology, but few are able to demonstrate that this investment resulted in risk reduction, where issues were identified, escalated and resolve. This session will focus on how continuous monitoring alerts should be triaged, analyzed, actioned, and tracked. The session will discuss innovative ways to resource, track, and manage ongoing monitoring data that is formal and informal.

Jacob Maenner - Senior Security Risk & Governance Analyst, Exelon
Erin Holloway - Manger, Security Risk Management Team, Exelon

Assets – Risks – Controls – Oh My! Structuring an Enterprise-Wide Security Program

Effective security programs must provide clear and relevant direction to those responsible for securing each in-scope asset and managing third-party security risks. To do this, there must be consistency in control statements, clarity in responsibilities, clear applicability to various types of assets, and a sustainable methodology. This presentation will outline the steps for any organization of any size to deploy an effective security program, consider risks vectored through third-parties, measure the program on a continual basis, and mature the program as regulations, threats, and the organization evolve. Attendees will be presented with a comprehensive process to protect all assets through programmatic security controls, with a special focus on third-party security concerns, giving them the knowledge to build an effective security program from scratch or to enhance an existing program.

Jack JoneS - Chairman, FAIR Institute

What Can Cybersecurity Data Actually Tell Us?

The good news is that we have more data than we think we do. The bad news is that there are challenges and limitations that have to be recognized before we can effectively use cybersecurity data. In this session, Jack will discuss real-world opportunities and challenges associated with cybersecurity data, and how they can be addressed. He'll also provide examples of how everyday cybersecurity data can be used to better understand your risk landscape and make better informed decisions. This is NOT a data science seminar, but instead focuses on clearing up common misperceptions and providing practical insights that will help organizations deal with cyber-related risk more effectively.

Rick Howard - Chief Security Officer, Palo Alto Networks

The 6Ds of Cybersecurity Exponentiation

Exponential technologies either double their processing power every few years or the cost to operate them is reduced by half every few years. Some experts forecast that within the next 10-15 years, this doubling phenomenon will flip the business model of certain grand challenges like Food Production, Water Distribution, Shelter Construction, Energy Distribution, Communication Ubiquity, Education Delivery, Healthcare Distribution, and Freedom as a Fundamental Right.

The model will flip from a scarcity model to an abundance model. This means that the resources needed to fulfill these grand challenges will flip from being hard to get to being so plentiful that they might as well be free. Six Ds of Exponentiation- Digitization, Deception, Disruption, Demonetization, Dematerialization, and Democratization- is a maturity model that describes the path of each exponential technology. Cybersecurity is absolutely on this path. I will discuss why I think so and what that means to the security community.

Amera McCoy - Manager, Vendor Risk Management, CME Group

Designing and Implementing a successful Third Party DR Program

Establishing a Third Party Risk Management (TPRM) Program is one piece of the puzzle; many other pieces involve implementing risk management throughout the organization that will feed the TPRM program. Disaster Recovery practices with third parties is a strategic way to assess risk by documenting the vendors capabilities and flexibility of their continuity. This data is used to feed the companies exit plan strategies and risk reporting groups. This session will discuss best practices for implementing third party DR testing, the different types of testing and the ways the risk data can be used to inform TPRM, Ops Risk, ERM and senior leaders.

Marc Sachs - Chief Security Officer, Pattern Computer

Mechanical Backdoors in Cold War Encryption Machines

Recently declassified documents from the National Security Agency confirm what was suspected for decades. Several of the mechanical cipher devices built by Crypto AG after World War II contained deliberate encryption weaknesses that could be exploited by the NSA. Many stories have been told about breaking the Enigma. This talk will cover Boris Hagelin’s devices that were sold “pre-broken.” Learning Objectives: 1: Learn about mechanical encryption devices and how they work. 2: Understand how these devices can be cryptographically weakened. 3: Discover a very interesting historical story about Cold War supply-chain attacks.

Vince Fitzpatrick - Cyber Risk Program Manager, Christiana Care Health System
Natsha Coulter - Risk Manager, Christiana Care Health System

Creating a Successful TPRM Program

During the past year Christiana Care Health System stood up a new third party risk management program. This presentation will review processes, tools and techniques used to create this successful program.

Brian Harrell - Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security

Critical Infrastructure Protection in the Age of Hybrid Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) will discuss the need for physical and cybersecurity convergence in the age of the hybrid attack landscape. Assistant Director Brian Harrell, who leads CISA’s Infrastructure Security efforts, will focus on system resilience, redundancy, and how many of the recent attacks on critical infrastructure have both a cyber and physical nexus. AD Harrell will also discuss his priorities for securing soft targets and crowded places, including houses of worship and schools.

Rita Bush - Assistant Director of National Intelligence for Private Sector, U.S. Office of the Director of National Intelligence

Strategies for Government / Private Sector Partnerships to Increase National Security

The U.S. faces significant changes in the domestic and global environment; we must be ready to meet 21st century challenges and to recognize emerging threats and opportunities. The US Government must better leverage partnerships to support and enable national security outcomes. We seek to build, enable, and maintain private sector partnerships to mutually share information, people, processes, technologies, innovations, and ideas to advance the Intelligence Community mission and strengthen national security.

Julie Gaiaschi - Co-Founder, Third Party Risk Association

Integrating Your TPRM Program Into The Procurement Process

It's critical vendor security controls are reviewed prior to a contract being signed to not only ensure the vendor has a sufficient security program in place, but also to ensure continuous monitoring needs are incorporated into the contract. A strong partnership with your organization's Procurement department will assist with your program objectives. But how do you begin the conversation? In this session, we will discuss: 1. Relationship building with your Procurement department; 2. Potential workflow for vendor due diligence; 3. Contract review process to ensure appropriate security language; 4. What to do if contracts are managed by business partners and not by a Procurement department.

Matthew McMahon - Product Security Expert, Siemens Healthineers

The Customer Security Questionnaire Process

Siemens Healthineers currently processes over a thousand pre-sale customer security questionnaires a year in the United States, European and Asian markets.  Over the course of the last few years Siemens has established multidisciplinary teams to effectively complete these questionnaire’s and return them to our customers in a timely fashion.  This presentation will cover historically how we were able to pull together a multidisciplinary team entailing, technical, legal, contractual and sales resources to effectively address this customer need and how other manufacturers may do the same.

Andy Keiser - Principal, Navigators Global

Protecting the Global Telecommunications Supply Chain: USG-led Actions to Counter the Threat from Huawei and ZTE

The Trump Administration and U.S. Congress have led an aggressive crackdown on Chinese telecom giants Huawei and ZTE, which it believes are arms of the Chinese military and intelligence services. Where do these U.S.-led efforts stand? What does this crackdown on Huawei and ZTE mean for the global telecommunications supply chain; and is it precipitating a bifurcated internet between the West and China? What impact could these actions have on cybersecurity domestically and internationally; and how will it affect global deployment of the fifth generation wireless network or 5G?

Jamil Jaffer - Founder & Executive Director, National Security Institute, George Mason University Antonin Scalia Law School

Critical Infrastructure and Private Sector Cyber Threats:  The Need for Collective Defense in the Modern Era

Nations and their critical infrastructure industries face a barrage of threats in cyberspace. Nation-state attackers are getting more aggressive, with deterrence still playing only a limited role in cyberspace even as countries are increasingly willing to use cyber offensive capabilities in place of traditional military tools. The risk of significant damage, including collateral damage is also growing. Meanwhile private sector companies are often expected to act as the first--and often only--line of defense for their own systems, with limited support from government. This situation is fundamentally unstable. This session will discuss the need for a rethinking of the roles, responsibilities, and capabilities between the public and private sectors and will argue that governments need to play a much more central role in defending critical infrastructure providers. This session will also discuss what steps private sector actors might take to better protect themselves, including entering into collective defense agreements to share more data and response information in real-time.

Melissa S. Hersh - Risk & Strategy Consultant, Hersh Consulting, LLC

Managing Third-Party Risk in an Era of Great Power Competition

This presentation aims to explore some geopolitical challenges facing public, private, and PPP organizations with respect to managing investment partners, suppliers, and supply chains in an age of renewed great power competition. While the Fourth Industrial Revolution (4IR) (the human/machine interface) has ushered in a range of new enabling technologies and business opportunities built on the rise of digital technology and automation (Third Industrial Revolution (3IR) it has also exposed critical functions and operations to new hybrid threats. These hybrid threats include: new dependency dynamics (e.g., financial instruments, raw materials, critical components & supply chains), hyperconnectivity risk, new platforms for promoting information influence activities, and asset protection challenges. Examples and case studies of threats and mitigation solutions will look at trends related to investment screening and contract structuring, international co-operation in standards setting, and more.

Bryan Inagaki - Senior Director, Cybersecurity Risk Management and solutions, Thermo Fisher Scientific

Business and the Beast: How to keep your security program from falling behind the business you’re supposed to protect

Technology has created not just new jobs requiring new skills – it has fundamentally changed the way we work on a daily basis. However, for every company pushing the boundaries of technology, there are many more holding on to the traditional views of what a business should be and how it should operate. Cybersecurity teams are not insulated from these changes, but unfortunately our industry is subject to entrenched and outdated modes of operation. This talk is about the beasts – the myriad of changes and advancements occurring across business that are challenging the fundamental ways businesses have been operating for generations, the impact they have on our businesses, and the things we need to in cybersecurity to not fall behind.

Douglas White - Sr. Information Security Analyst, Delta Dental of NJ and CT

Designing and Tailoring a Business-Balanced Third-Party Security Program

Delta Dental of NJ & CT’s goal is to have a robust Third Party Risk Management (TPRM) program that allows for business flexibility while maintaining a strong security posture. Some time ago we determine a centralized program was needed to coordinate a loosely managed process with no centralized container for vendors we were doing business with, that had no method for vetting potential vendors from a security standpoint. The initial objective of our project was to design, document, and implement a program which did not exist. This presentation will show steps on program design and implementation, through configuration of a chosen GRC product. We will also highlight several methods developed as we discovered the need for flexibility in our final program, including for tiering vendors, leveraging security ratings for our top vendors, and the use of continuous monitoring and alerting on vulnerabilities for remediation. We will cover the timeline we used during development and post production, including form creation, review committee creation and workflow checkpoints prior to procurement.

Jason Zellmer - Senior Director, Third Party Risk, Global Security, CVS Health/Aetna
Ebba Blitz- CEO, AlertSec

How CVS Health/Aetna Enforces Endpoint Encryption on Third-Party Devices

Aetna has more than 200,000 brokers working for them. These brokers handle sensitive personally identifiable information such as names, addresses, birthdates and Social Security Numbers. Regulations require insurance companies to protect member data also when it is stored on broker devices. However, being on top of the security stance of this large group is certainly easier said than done. Insurance brokers work for several insurance companies and are independent business owners. As such, they value their autonomy and would most likely not accept being enrolled into a provider’s MDM solution (Mobile Device Management solution). And, even if they would, it would be an administrative nightmare to enroll this huge number of devices into an MDM solution – not to mention the cost it would incur. Brokers are also the insurance providers’ sales force and need to be treated with much care. Striking the right balance between care and security enforcement has been crucial for the success of the broker security program at Aetna. Want to know how Aetna addresses this challenge? Listen to Jason Zellmer, head of Global Security, Third Party Risk at Aetna and Ebba Blitz, CEO of AlertSec, and hear them walk you through their solution to the issue. The overarching theme has been the old maxim Trust but verify!

Rhonda Cook - Chief Risk Officer, SEI Investments

Beyond Vendors: Addressing Non-Traditional Arrangements & New Technologies

All Third Party Risk Management Programs identify, assess, and mitigate the risks arising from traditional vendors, but many are also tasked with addressing other, non-traditional arrangements and emerging technologies. This session will discuss practical approaches and “lessons learned” on how to identify, assess, and mitigate the risks arising from non-traditional arrangements such as open source code and crowdsourcing, and the integration and use of newer technologies such as Internet-of-Things (IoT), Robotic Process Automation (RPA), and Artificial Intelligence / Machine Learning (AI/ML).

Matthew Welling - Counsel, Crowell & Moring LLP
Kate Growley- Counsel, Crowell & Moring LLP

Lessons from M&A Cyber Due Diligence and How to Leverage Them for Supply Chain Risk

Mergers and acquisitions (M&A) transactions are complicated, high stakes activities for any enterprise.  Meanwhile, cybersecurity incidents and data breaches continue to be high profile events.  During M&A transactions, these cyber risks threaten valuation or worse – such as a buyer unknowingly inheriting them, causing fall-out after the deals close. For these reasons, cybersecurity and privacy due diligence is fast-becoming a crucial activity in these deals – or should be. These reviews are no longer limited to tech deals, and supply chain issues are often at their heart. Companies must evaluate supply chain issues efficiently, within the often challenging timeframes of deals and in a variety of industries, products, and services. This presentation will include an overview of best practices and common pitfalls from cybersecurity and privacy due diligence reviews, as well as a discussion of how lessons learned can be applied to analyzing and managing supply chain security risk in any context.

Hunter Ferguson - Partner, Stoel Rives LLP

Are Your Vendors/Subcontractors Putting You at Risk of “Selling” Data in Violation of the CCPA

When the California Consumer Privacy Act (“CCPA”) goes into effect January 1 of 2020, it may introduce uncertainty around what constitutes a “sale” under the CCPA. “Sale” will be defined by the CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration.” But what constitutes “valuable consideration?” In this presentation we will address the potential risks around types of exchanges of customer information with third party vendors/subcontractors that might be considered “valuable consideration” under California law, even if there’s no intention to “sell” the data; how certain agreements may demonstrate the exchange of valuable consideration when interpreted using existing contract law doctrine; demonstrate situations where personal information is exchanged in the course of doing business that might result in the transferring entity receiving a benefit that could likely be considered a “sale” under the CCPA; the likelihood of, and complexity around, potential enforcement rules on this topic; and review a list of steps organizations could take that might best ensure that customer information they are transferring to their vendors or subcontractors does not cause them to run afoul of the Act.

Travis Moran - Vice President, Welund North America

Understanding and Responding to the Activist Threat to Enterprise

Perhaps no greater physical security threat is misunderstood or overlooked in today’s security environment. Often considered the realm of the mere disaffected or single-issue operator, activist groups are now some of the most powerful and well financed challenges to physical security that both corporations and governments face. Spanning the globe in their influence and structures, activist groups and their campaigns, direct actions and disruptions are costing businesses and governments at all levels billions – particularly in the energy sector in terms of lost productivity, project delays, legal costs, and investor divestment. This seminar will help companies better understand the threat posed from activists both from the general emphasis on corporate and public safety, as well as the protection of property, projects, reputation and critical infrastructure from disruption. Attendees will gain a general understanding of activist goals, structure, tactics, funding and how to better plan for, and respond to, activist campaigns.

Errol Weiss - Chief Security Officer, Health ISAC
Faye Francy - Executive Director, Automotive ISAC
Scott Algeier - Executive Director, IT-ISAC
Josh Dembling - Director, Product Security Incident Response Team, Intel
Jeff Troy - President, CEO, Aviation ISAC

Bug Bounty Programs: Ins and Outs to Squash Vulnerabilities

Errol Weiss will host this session with panelists from various ISACs and industries that have implemented successful bug bounty programs. They will describe some of the challenges and opportunities in implementing and managing these incentive programs to identify vulnerabilities.

Jon Ehret - Manager, Third Party Cyber Assurance, Bluecross Blueshield of western NY

The Evolution of Third Party Risk Programs: What Stage Is Your Program At

This talk will take a look at the different evolutionary stages of third party risk programs and will help companies determine where they are at and how to get to the next stage.

Bruce Potter - Ciso, Expel

Building a Better Third Party Risk Questionnaire 

Modern 3rd party security questionnaires are often filled with poor questions that lead to poor answers that lead to poor decisions. While many of us complain about these questionnaires, there has been little public analysis of what makes a good or bad question, and most importantly, what leads to good risk decisions. This talk with examine the quality of several standard questionnaires in use today. I will discuss what makes a good question in general and present an ontology for 3rd party risk and 3rd party risk questions. Then, I will show specific examples of questions that lead to bad risk decisions due to technical bias, assumptions, and straight up leading the witness. I’ll correct these questions into queries that will elicit a response that result in a better risk decision. Finally, I’ll release a public tool that simplifies the 3rd party questionnaire and keeps questions targeted, useful, and brief.

John Grim - Senior Manager, Verizon Threat Research Advisory Center

Verizon Insider Threat Report – Out of Sight Should Never Be out of Mind 

Within the panoply of cybersecurity incidents, insider threat activities are an exceptional challenge. These threat actors enjoy trust, privilege, and access. Add a detrimental motivation and disaster ensues. This presentation covers the Verizon "Insider Threat Report;" a compilation of data breach data, scenario, and experience-driven insights into recognizing, mitigating, and investigating insider threat activities. The audience will better understand the five insider threats actors and takeaway countermeasures for preventing and mitigating, hunting for and detecting, and responding to and investigating insider threats.

Scott Schneider - Chief Revenue Officer, CyberGRX
Jon Ehret- Manager, Third Party Cyber Assurance, Bluecross Blueshield of western NY

Third-Party Cyber Risk Management – A Critical Ingredient for A Healthy Ecosystem

When it comes to business, few things are as valuable as your data and brand reputation. As organizations rely on third party providers, however, they put their data and brand reputation at risk. That’s because today’s hackers are looking for the easiest way to steal your sensitive information, and unfortunately that is often through your third parties. The reality is, you need third parties to conduct your business; the challenge is ensuring you are collaborating with your third parties to do so securely. In this session, our panelists will discuss third-party cyber risk management (TPCRM) strategies they’ve had success with, and some they’ve learned from.

Reed Loden - Director of Security, HackerOne

Default to Disclosure: How disclosing vulnerabilities can build trust

Bug bounty programs are popping up across industries as more organizations embrace collaborating with ethical hackers to find vulnerabilities before cyber criminals have a chance to exploit the same bugs for nefarious purposes. These same organizations who reveal their findings and resulting patches are often scrutinized by civil society out of misunderstanding for how these programs work and why the holes exist in the first place. As a result, companies and government entities alike are running these programs in private, choosing to keep discoveries out of the public eye out of fear of public condemnation or reliance on old-school ways of thinking, ignoring the responsibility they have to their customers to disclose their findings. This talk covers the vital importance of responsible disclosure while giving real-world use cases where responsible disclosure and bug bounty programs have bolstered security, lowered costs, and improved safety and trust to consumers.

Todd Weller - Chief Strategy Officer, Bandura Cyber

The Threat Intelligence Cycle & What it Should Mean for Security Ops

Threat intelligence use and sharing is a critical requirement for cyber defense. Organizations not only need to operate with a broad-based view of threat intelligence but also efficiently incorporate it into their security operations. Importantly, threat intelligence and information sharing can no longer be the domain of large and sophisticated organizations.

The threat intelligence cycle is composed of multiple elements including collection, analysis, sharing, delivery, and action. To date, the majority of the focus has been on collection, analysis, and sharing with less focus on how threat intelligence can be delivered and acted on.

In this presentation we will:

  • Introduce the concept of automated full lifecycle threat intelligence and discuss the benefits and challenges associated with it, including operationalizing intelligence.

  • Discuss the ways sharing communities and enterprise security organizations are adopting full lifecycle threat intelligence.

  • Look at how threat intelligence portals, platforms, and gateways can be used by companies of all maturity levels to incorporate automated full lifecycle threat intelligence into their security efforts.

Joost van Hest- SVP Sales & Solutions

Managing CTI: Why One Size Doesn't Fit All

No one organization is the same when it comes to their security posture. Industry segment, how they perceive and manage risks, budget constraints, their specific architecture and internal security policies are just a few that makes no one company the same. Over time these elements can and will change therefor implementing and managing a CTI practice needs to fit and grow with each specific circumstance.

John Loveland - Director of Security Product Marketing, Verizon Business Group

Quantifying and Mitigating Supply Chain Risk

In today's global business environment, complex supply chains and highly-connected vendor ecosystems enable businesses to compete more effectively and efficiently - but they also introduce more risk.  Identifying and assessing specific operational risks and cyber risks that come from suppliers, vendors and connected partners is key to mitigating those risks.  The Verizon Risk Report provides detailed insight into where your organization might be vulnerable to weaknesses in your supply chain, and it offers recommendations for how to address those issues. Hear how organizations across the world are using this groundbreaking tool to proactively protect themselves from supply chain risk.

Tripp Hardy - CEO, Reprivata

Real-time Secure Collaboration, Actionable Intelligence, and Iterative Feedback Loop to Achieve Uniform Minimum Standards Across the Entire Supply Chain

Every industry, especially companies in Critical National Infrastructure or the Government Supply Chain and their dependent parties, are required to take action in 2020. They must demonstrate awareness of cyber supply chain risks and document progress towards minimum cyber maturity standards, such as the Cybersecurity Framework (CSF), NIST 800-171r1 and the DoD’s CMMC.

Doing so is immediately possible via:

  1. True inter- and intra-company collaboration (in a secure environment) around actionable threat intelligence that eliminates disclosure hurdles

  2. A continuous improvement feedback loop that reconciles assessments and real-time risk data

  3. A CSF-compliant environment for all third parties

This session will discuss these issues and immediate steps to demonstrate a path toward compliance.

Charlie Miller - Senior Advisor, Shared Assessments
Rocco Grillo - MANAGING DIRECTOR, Alvarez and Marsal

TPRM Framework Exploring Risk Appetite and Cybersecurity Continuous Monitoring

This session will explore solutions to two important issues discussed in recently released sections of the Shared Assessments TPRM Framework. The first part of the session will explore challenges related to ensuring a consistent understanding of risk appetite at all levels within an organization. While many FI boards regularly develop and update Risk Appetite Statements, most don’t take the next critical step of ensuring a coherent understanding of risk appetite beyond the Board and C-suite. The second half of the session will explore cybersecurity related continuous monitoring challenges associated with real time threat monitoring. Shared Assessments members report that cybersecurity continuous monitoring is a significant pain point, and we’ll explore approaches to increase monitoring effectiveness while limiting disruptions to the risk management process.

Peter Prizio - King & Union
Glenn Wong - Recorded Future

Leveraging Collaboration and Threat Sharing Across Organizational and Cross-sector Boundaries to Enable Rapid, Actionable Threat Intelligence

To better fight today’s adversaries, security teams need to break down barriers within their own organizations - and even across industries - to more easily share their collective expertise, knowledge and threat intelligence. In this session, we’ll look at ways teams can better work together to more efficiently investigate threats, share information and collaborate to make security data easier to understand and act on.

Kelly White - CEO, RiskRecon
Bryan Inagaki - Sr. Director, Cybersecurity Risk Management and Solutions, Thermo Fisher Scientific
Bob Wilkinson - CEO and Founder, Cyber Marathon Solutions

Challenging tradition - a panel debate between traditional and future school third-party risk management

Our panelists hold some very passionate opinions about what works and what doesn't work. One of our panelists represents a more traditional approach to third-party risk management and another is taking an entirely different path, challenging long standing methodology. After each panelist presents their strategy we will challenge each approach.

In the end we will discover some new ideas that inspire us in a better direction and, at the same time, gain new appreciation and commitment to some of our traditional approaches that have served us well for so long. At minimum it will be entertaining.

Jill Morganwalp- Principal security Assurance, E*TRADE
Haddis Tafari- Director of cyber risk management, E*TRADE

Evidencing the success of an organization’s third party risk program is challenging.

Per our experience evidence of success of a third party risk program is possible if the risk program includes risk assessment and monitoring program elements such as identification of risk characteristics relevant to each vendor’s service, onsite assessments, incorporation of multiple security scoring tools’ data points, standard industry documents, and threat-based risk assessments, i.e. assessments based on leading cyber threats. The benefits, as well as anecdotal stories, of employing and integrating these elements will be presented.

Tim Leow- VP of Strategic Initiatives, Valimail

The Tenets of Cybersecurity: It’s Time to Demand Transparency and Accountability

Security vendors have long been able to use scare tactics, vague claims, and clever marketing to encourage enterprises to purchase their products. But in the face of increasingly damaging global cyber attacks that cost billions or even threaten the foundations of civil society, business as usual is no longer acceptable. It’s time for enterprise buyers to demand more from the security vendor/client relationship. Organizations like the GRF and ISACs have a critical role to play in holding vendors accountable. For instance, here are some suggestions for cybersecurity best practices and expectations that ISACs and their members might demand:

  • Transparency and truth. Don’t rely on fear-mongering, FUD, buzz words, aggressive practices.

  • Business impact. Clear expectations of results — and verifiable metrics.

  • Data feeds that can be integrated wherever possible (SIEMs, dashboards, APIs, etc).

  • Frequent and proactive communication regarding best practices and results.

  • Contractual guarantees regarding the expected outcome and timelines.

A single vendor can’t drive this process — it needs to be a collaborative, industry-wide effort. That makes the GRF an ideal venue to open this discussion. In this session, we will sketch a vision of how buyers of cybersecurity products could be better served, and we invite attendees to contribute their own ideas to the conversation.




LS-ISAO Annual Member Gatherings*
Energy Roundtable*
Complimentary Golf Outing
Kickoff Reception

Tuesday oct. 1

Keynote: The Honorable Mike Rogers
Cyber, Physical & Geopolitical Security Sessions
Third-Party Risk Management Sessions
Dinner & Networking Party

wednesday oct. 2

Keynote: Jim Routh, CISO, MassMutual
Third-Party Risk Management Sessions
Evening Gathering at Coton & Rye Bar

Thursday Oct. 3

Third Party Risk Certification Class**

*Invitation Only
**Additional Cost