
CISO Summit France
March 21, 2017

Agenda Key

Keynote Presentation

Visionary speaker presents to entire audience on key issues, challenges and business opportunities

Executive Visions

Panel moderated by Master of Ceremonies and headed by four executives discussing critical business topics

Thought Leadership

Solution provider-led session giving high-level overview of opportunities

Think Tank

End user-led session in boardroom style, focusing on best practices

Roundtable

Interactive session led by a moderator, focused on industry issue

Executive Exchange

Pre-determined, one-on-one interaction revolving around solutions of interest

Focus Group

Discussion of business drivers within a particular industry area

Analyst Q&A Session

Moderator-led coverage of the latest industry research

Vendor Showcase

Several brief, pointed overviews of the newest solutions and services

Case Study

Overview of recent project successes and failures

Open Forum Luncheon

Informal discussions on pre-determined topics

Networking Session

Unique activities at once relaxing, enjoyable and productive

Tuesday, March 21, 2017 - CISO Summit France

7:00 am - 7:55 am

Registration and Networking Breakfast

8:00 am - 8:10 am

Welcome Address and Opening Remarks

8:10 am - 8:50 am

Keynote Presentation

Addressing Privacy on a Global Scale

Of all the risk management issues that present themselves to the modern-day CISO, perhaps the most difficult to address is privacy. In and of itself, privacy is no different a challenge from protecting any other sensitive information; however, the multi-jurisdictional impact of the issue, due to wildly differing laws between the US and European countries (as well as Canada, another country with strong privacy laws), makes it one that is often overwhelming to address. CISOs must work diligently to ensure that their privacy efforts conform to the standards of every jurisdiction in which they might operate or where their data might be held, and this is an almost overwhelming task.

Takeaways:

  • Privacy is one of the most challenging issues for any business and CISO to address
  • The difference in regulations between and among European countries (both those in and out of the EU itself) and North American ones means traversing a fraught landscape
  • A strong approach to privacy that addresses global differences is essential to being a stable and viable global business

8:55 am - 9:35 am

Keynote Presentation

Identity and the New Age of Enterprise Security

From a technology standpoint, as a “society” the world of business has gone through two distinct stages in the evolution of its information security focus. The first addressed network-based protection and preventative controls such as firewalls and anti-malware. The second looked at data-centric and detective controls such as encryption and intrusion/extrusion monitoring. Since breaches continue to occur at a record pace, what is now needed is clearly a new evolution, one that pushes towards individual-focused security through granular user monitoring and management as provided by solutions such as Identity and Access Management. While IAM isn’t a new technology field, it is one whose time has come, and CISOs need to begin investing in modern-day, lightweight, easy-to-implement IAM solutions now to stay ahead of the curve and reduce enterprise threats.

Takeaways:

  • The breach onslaught demonstrates that existing security solutions are incapable of defending against current threats
  • Enterprises need to begin looking at security from an activity perspective rather than an artifact perspective
  • IAM provides activity insight, and therefore threat awareness, no other platform can equal

9:45 am - 10:15 am

Executive Exchange

Think Tank

Security in an Outsourced World

Building security into your enterprise processes, and integrating it with your existing technology investments, has never been more critical or complicated than it is in this era of decentralized computing and ever-tightening compliance requirements. Furthering this complication is the impact that partnering deals can have, since infrastructure, applications, and even data may no longer be under your direct control. To ensure efficient and effective security capabilities you need to understand the nature of the threats that exist today, the impact a sourcing relationship can have on these threats, and the mitigation strategies and tools key industry leaders are using to address the challenge.

Takeaways:

  • Social, Mobile, Cloud, and Analytics are already having a significant impact on enterprise security; sourcing potentially adds another layer of complexity
  • Beyond “simple” security however there are also issues such as privacy and compliance that also need to be considered
  • Investing in the right tools and practices is essential to weather the storm without breaking the bank

Think Tank

Avoiding ERM for the Sake of ERM

In many ways ERM, or Enterprise Risk Management, has become just another buzzword that is bandied around without any clear understanding of its meaning, any clear understanding of its value, or any clear understanding of how it can be achieved. ERM is not a project or a task on a list to be checked off. Instead it is a fundamental change in how an enterprise approaches the way it conducts its business, to ensure that all possible impacts to its capital and earnings are identified, quantified, and mitigated. Such a sweeping paradigmatic shift isn’t something that can be taken on lightly, and enterprises seeking to just place a check mark next to a to-do list line item will be sorely disappointed in their results.

Takeaways:

  • ERM is a way of life, not a one-time effort, and the only way to realize its value is to come to that realization early
  • To be successful, an ERM deployment must be sponsored from the top and have the involvement of every level and every department
  • Even though ERM initiatives are all-encompassing it’s best to start small; trying to boil the ocean is the surest way to failure and loss of good will and buy-in

10:20 am - 10:50 am

Executive Exchange

Thought Leadership

Improving Email Deliverability AND Security

It may seem self-evident, but email is still the predominant form of business communication, whether in B2B or B2C channels, with businesses sending over 100 billion emails each and every day. Not all of this traffic is legitimate, desired, or safe, however, with estimates that as much as 90% of all email traffic can be considered spam or worse. In this environment businesses need to ensure that the email they send is viewed as trustworthy, and that the mail they receive is safe from threats. To do this, email authentication is imperative, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the gold standard. While DMARC policies are published to public DNS servers and already protect up to 60% of mailboxes, for the most part these are public mailboxes from consumer email providers, and many businesses are still on the outside looking in. Savvy IT leaders know that they need to leverage commercial solutions that streamline DMARC management for their own email infrastructure to ensure they are protected from threats and able to communicate with partners, clients, and prospects.

Takeaways:

  • Email authentication is essential in today’s spam-centric world to ensure deliverability of key business communications
  • Email authentication also ensures businesses are protected from the myriad email-based security threats that assail them every day
  • DMARC provides this protection, but management can be convoluted and time-consuming without focused management solutions

10:55 am - 11:25 am

Executive Exchange

Roundtable

Physical and Digital Convergence

The discussion around the convergence of physical security and information security dates back over a decade, but though much was made of the concept in the early 2000s, little was actually done and the buzz faded. Flash forward to today, however, and the buzz is back because of the increased focus on holistic risk management, the increased pressure of greater compliance requirements, and the increased demand for every aspect of the business to be a value generator. CISOs and CIROs need to evaluate the opportunities for both technology convergence (streamlining platforms) and organizational convergence (streamlining roles) to meet new threat protection mandates.

Takeaways:

  • As enterprise security matures and morphs or integrates into enterprise risk management, converged security becomes a must-have
  • Convergence allows for far greater levels of visibility and control of threats and threat actors
  • Convergence enhances not just “base” security but also top-level risk management, enterprise compliance, and even operational value

Roundtable

Is Security Obscuring the Benefit of the Cloud?

Cloud-delivered computing services, whether Software, Platform, or Infrastructure as a Service, offer the potential of significant business advantages such as reduced cost and increased flexibility. These advantages, however, come with very real risks, chief among them security concerns and the risk of data and compliance breaches: how do you secure what you can’t see, touch, and control? Join our panel as we explore both the security and compliance issues inherent in Cloud deployments, look at the hidden issues that first-time Cloud adopters may simply not be aware of, and discuss solutions that can be used to address these challenges and allow enterprises to fully and firmly embrace the Cloud.

Takeaways:

  • Be exposed to the true security and compliance cloud threat landscape
  • Learn how successful cloud adopters have mitigated these risks
  • Discover how to build cloud protection capabilities keyed to your needs

11:30 am - 12:00 pm

Executive Exchange

Roundtable

Data Centric Security

For years the security focus of the enterprise was to build a hardened perimeter at the edge of the network, an impenetrable shell that kept the bad out and the good in. Over the last few years this model has fallen by the wayside. Technologies such as Cloud and Mobility have pushed the enterprise beyond its traditional perimeter, while increased levels of partnership have created inroads through that shell. As a result, infrastructure-based security is no longer sufficient or appropriate, and enterprises everywhere are having to make the shift to a new security paradigm, one that is centered on the data itself, not on the infrastructure that houses it.

Takeaways:

  • Learn the principles of data-centric security
  • Understand the role encryption plays and how it should be integrated
  • Determine when and where data monitoring tools make sense

Roundtable

Securing Divergent Endpoints

Over the last few years, as cloud and mobile technologies have taken hold within the enterprise, the concept of the network perimeter has dissolved, and with it the concepts around traditional network security. The broad-scale adoption of IoT technologies, however, will make this first phase of network disaggregation seem trivial in comparison as enterprises begin to connect to not just thousands but millions of disparate and divergent endpoints. To ensure appropriate security in such a dispersed networking world, an entirely new security paradigm will be required, one that encompasses not just wildly diverse types of devices in wildly diverse locations, but also the threat posed by low-powered, low-complexity endpoints that have no internal capacity for monitored and managed security capabilities.

Takeaways:

  • The number and type of enterprise endpoints is about to go through explosive growth, and each of these endpoints will represent a security threat
  • These new endpoints will not have the capacity for internal security, so central security solutions will be required to ensure appropriate protection
  • The volume and variety of new security data feeds and security threat info will overwhelm traditional security platforms and capabilities

12:05 pm - 12:35 pm

Executive Exchange

Think Tank

Building a Stronger Threat Intelligence Community from a Grass Roots Perspective

More and more C-level executives are realizing that cyber security is not just an IT function, given the far-reaching and direct impact that cyber security threats can have on current and future business operations. Cyber espionage attacks by APT actors are breaching organizations both large and small, public and private. To counter these risks, CISOs realize that traditional security techniques are insufficient. Last February, President Obama announced and signed an executive order to encourage companies to share their cyber threat information and launched the Cyber Threat Intelligence Integration Center (CTIIC). Sharing critical data can lead to uncovering related tactics and threats targeting specific industries or organizations. We are stronger together than we are apart!

Takeaways:

  • Sharing Intelligence effectively
  • The need for a Cyber Threat Intelligence Officer
  • Digitally coordinated attacks can translate into physical ones

Think Tank

Security and Compliance; Chicken and Egg or Chalk and Cheese?

Since regulatory (and industry) compliance became a notable “thing” in the early-to-mid 2000s, it has been intimately linked with information security and has often been the lever (or hammer) by which enterprises made necessary investments in security. But being “compliant” and being “secure” aren’t the same thing, and in too many cases enterprises that were perfectly compliant have been perfectly breached. A new focus is needed: one that respects that while security and compliance are not the same thing, they are working towards the same goal (a reduction in overall enterprise risk exposure), and sees that compliance flows from security.

Takeaways:

  • While a secure company is likely a compliant company, the same cannot be said of the reverse situation
  • Just because compliance has loosened the purse strings doesn’t mean it takes a pre-eminent position on security investments
  • Reducing enterprise risk is the goal of both practices, but without appropriate focus on both it is a goal that will never be achieved

12:40 pm - 1:40 pm

Networking Luncheon

1:45 pm - 2:15 pm

Executive Exchange

Think Tank

Speaking the Language of the Business

For many years the CIO has struggled with the concept of IT-Business alignment and with finding ways to ensure that the IT department and the Lines of Business with which it integrates have a common understanding and ability to communicate. Now, as the CISO and the information security department grow out of the IT shadow, they increasingly find themselves in the same position. Their challenge, however, is greater in that the concepts of IT security are in many ways more abstract than those of generalist IT, and their activities often run counter to the goals of the rest of the organization. CISOs must learn from the trials and tribulations of the CIO and the IT department, and find common ground with the business, to ensure they can hear what their partners are saying while communicating their own points in understandable terms.

Takeaways:

  • IT-Business communications have long been strained and only now are improving across most organizations, through concerted effort
  • IT has had to find ways to speak the language of the business; it was not the business that learned to speak IT
  • The CISO must adopt and emulate the successful communications practices and strategies of the IT department or risk serious relationship issues

Think Tank

Balancing Reactivity and Proactivity in Enterprise Security

As with all things in life, the focus on how to conduct enterprise security ebbs and flows between varying degrees of reactivity and proactivity. In the old-school “Security 1.0” world, where the focus was almost completely on network security, efforts were in general proactive in nature, with firewalls and anti-malware seeking to prevent threats before they even occurred. This didn’t work so well, and so “Security 2.0” focused on reactivity, wrapping things like encryption around the data so that even if a breach occurred, the loss would be mitigated. Yet breaches, and losses, continue to occur. So if primarily proactive security doesn’t work, and if primarily reactive security also doesn’t work, how then do we find the right balance between the two to arrive at a security posture that does work?

Takeaways:

  • Proactive security measures, those that prevent a threat from occurring, are valuable and necessary but haven’t proven effective
  • Reactive security measures, those that mitigate a threat that has occurred, are also valuable but complicate and limit enterprise efficiency and efficacy
  • A new approach is needed, but is that one that blends techniques or one that finds new approaches (whether they be reactive, proactive, or both)?

2:20 pm - 2:50 pm

Executive Exchange

Thought Leadership

Increase Your Security Intelligence and Enterprise Compliance

The breadth and depth of security threats targeting the modern enterprise are bordering on overwhelming, but they’re not alone: the breadth and depth of security solutions are also bordering on overwhelming. When security managers have to respond to alerts and warnings from dozens of security systems, and CISOs have to make strategic decisions based on fragmented data, it’s hard to argue that security is improving. Security Information and Event Management (SIEM) platforms that aggregate the vast quantities of data, correlate diverse events, and filter the signal from the noise are allowing enterprises to get back ahead of the curve and make appropriate tactical and strategic decisions.

Takeaways:

  • The life of enterprise security staff is being complicated not just by the threats they face, but the tools they use
  • Abandoning tools isn’t an option, and CISOs need to help themselves and their staff get ahead of the curve
  • SIEM offers significant benefits in separating the “wheat from the chaff” and letting the business actually become secure

2:55 pm - 3:25 pm

Executive Exchange

Roundtable

Cyber-Espionage and the Advanced Persistent Threat

More and more C-level executives are realizing that cyber security is not just an IT function, given the far-reaching and direct impact that cyber security threats can have on current and future business operations. As is evidenced in recent reports from security providers such as Mandiant, McAfee, SentinelOne and others, cyber espionage attacks by APT actors are breaching organizations both large and small, public and private. Whether the objective is Intellectual Property (IP), M&A information, financial records, or other business-sensitive protected data, losses can result in significant brand, reputation, and financial impacts. To counter these risks, CISOs need to realize that traditional security techniques are insufficient, and that a new tier of security solutions is required to defend against the APT attack.

Takeaways:

  • The era of cheap, powerful, and unique security threats is upon us, and in this era traditional tools are insufficient
  • These Advanced Persistent Threats can be targeted at any organization, not just the biggest and the richest
  • Tools that allow for quick detection AND dynamic response are key; it’s not just finding that the door is open, but closing it quickly, that matters

Roundtable

Best-of-Breed or Consolidated: Principles in Security Architecture Design

When it comes to implementing network security infrastructure there are two schools of thought: use best-of-breed point solutions, or go with all-round consolidated platforms. Pros and cons abound for either approach, revolving around varying levels of protection, integration, and administrative overhead, but the increasing complexity of current security infrastructure is showing a winning approach. Even though consolidated solutions may offer greater benefits in the long run, no one exists in a green-field situation when it comes to network and infrastructure security, so careful planning is required to ensure the necessary protection.

Takeaways:

  • The management burden of best-of-breed outweighs performance benefits
  • Consolidated platforms can lead to feature overlap and unnecessary cost
  • Planning is required to maximize coverage but minimize effort and spend

3:30 pm - 4:00 pm

Executive Exchange

Roundtable

Security’s Place in Enterprise Risk Management

While Information Security has existed for decades, Enterprise Risk Management (ERM), as a formal and holistic practice, is much newer, yet it has already taken pre-eminence over its forebear. What is the CISO, who in many ways has toiled in invisibility, infamy, or ignominy, to do when faced with the prospect of being supplanted by the Chief Risk Officer, just as enterprise demand for and focus on security has reached all-time heights? Savvy CISOs will recognize this new, broader need for holistic visibility into, and management of, overall enterprise risk, and will position themselves for success by looking beyond traditional information security boundaries and engaging business partners around all enterprise risk.

Takeaways:

  • Just because information security is an aspect of enterprise risk doesn’t mean that the CISO needs to take a back seat position
  • Enterprise risk is defined by the business but needs to be quantified by an expert; CISOs bring risk quantification expertise to the table
  • The end goal is not about fiefdoms and ownership, it is about improving enterprise value and success; maintaining focus is essential

Roundtable

Applying Big Data Principles to Security Paradigms

Volume, variety, velocity, veracity: all four of the hallmarks of Big Data have a clear fit in the world of security as the number of threats grows, their natures diverge, the speed with which they are encountered (and subsequently have to be dealt with) accelerates, and the need for ever greater accuracy increases. As enterprises have made significant investments in Big Data programs and analytics platforms, they are beginning to reap real benefits in terms of business efficiency and innovation. The time has come to begin applying those same principles and platforms to the security challenges facing enterprises, to allow for faster, more effective overall security.

Takeaways:

  • The nature of the enterprise security challenge closely mimics many of the Big Data challenges businesses are beginning to learn how to solve
  • Just as Big Data challenges required different tools to address than Line of Business and “general” IT issues did, so will information security challenges
  • Security must become the next focus for analytics capabilities, and analytics the next focus for security professionals.

4:05 pm - 4:35 pm

Executive Exchange

Think Tank

How to be Socially Secure (or Securely Social)

Social media is the least hyped and potentially least adopted of the so-called disruptive technologies, at least by enterprises in general. This doesn’t mean that employees aren’t embracing these tools personally, however, nor does it mean that enterprises should continue to avoid them. The fact of the matter is that social platforms allow for incredible levels of interaction that, when harnessed, can lead to significant creativity and productivity gains, allowing enterprises that adopt and encourage the use of social collaboration platforms to be more successful than their non-social peers. But every newly adopted technology brings with it unique problems, and so it is the CISO’s job to provide the secure landscape within which this social collaboration, both internal and external, sanctioned and not, can occur.

Takeaways:

  • Your employees are already social, whether you realize it or not and facilitate it or not, so ignoring the issue only leads to greater security problems
  • Social collaboration presents a real security threat as information is more freely shared, and interactions occur outside the boundaries of enterprise control
  • Social security programs must be built in layers, addressing first unsanctioned use and then sanctioned use, all while differentiating between internal and external social activity

Think Tank

Building a Collaborative and Social IT Security Program

In today’s environment there can be no arguing that a comprehensive IT Security program is a de facto requirement for every organization. Such a program needs to address the full range of security threats that can be leveraged against an organization and needs to be integrated into whatever regulatory and governance requirements exist, but beyond that it needs to be accessible, consumable, and actionable by everyone who is influenced by it or interacts with it. Building a program that is shared through social channels and relies on the collaborative input of employees and constituents for not only creation but enforcement will drive higher levels of adoption, responsiveness and, ultimately, protection.

Takeaways:

  • A security program, that is, the stated intentions of the organization combined with the policies and tools to back those intentions up, is essential
  • The program needs to be easily communicated, easily consumed, and easily complied with
  • Using an open, social and collaborative approach to creation, distribution, and enforcement ensures greater adoption and ultimately greater security

4:40 pm - 5:20 pm

Executive Visions

Shadow IT – To Embrace or Eliminate?

Best practice in most enterprises, at least as far as the CIO and CISO go, is to squash Shadow IT wherever it is encountered. Shadow IT, the argument goes, leads to a world of data and integration problems for the IT department, and significant amounts of unknown and unquantifiable risk for the information security group. A small but vocal minority, however, is beginning to advocate for Shadow IT as a catalyst of innovation, citing the increases in productivity and creativity that come from allowing enterprise staff to find their own out-of-the-box solutions to organizational problems. CISOs can allow their organizations to have their cake (Shadow IT) and eat it too (still be secure) by following a few simple steps that allow them to build in security regardless of user activity.

Takeaways:

  • Shadow IT is not malicious activity; it is simply the Line of Business user community looking to be efficient and effective
  • A well-developed security program can take Shadow IT into account and incorporate protection mechanisms that allow end user flexibility
  • Embracing Shadow IT does not mean “no holds barred”, and end users need to understand the limits of the boundaries and the reasons for their existence

5:20 pm - 5:30 pm

Thank You Address and Closing Remarks

5:30 pm - 7:00 pm

Cocktail Reception