2018 Summit Agenda

If you would like to present at the Summit, please visit the Call for Presentations page.

12:00 PM Sponsored Golf Event (Pre-Registration Required)
5:00 - 7:00 PM Early Registration
7:00 - 9:00 PM Welcome Reception
7:00 AM - 7:00 PM Registration
8:00 - 9:00 AM Breakfast
9:00 - 9:30 AM Opening Remarks - Cindy Donaldson
9:30 - 10:30 AM Keynote Speaker - Sandra Grimes
10:30 - 11:00 AM Morning Networking Break
11:00 - 11:45 AM Concurrent Sessions
11:45 AM - 12:00 PM Transition Break
12:00 - 12:45 PM Concurrent Sessions
12:45 - 1:45 PM Lunch
1:45 - 2:30 PM Concurrent Sessions
2:30 - 2:45 PM Transition Break
2:45 - 3:30 PM Concurrent Sessions
3:30 - 4:00 PM Afternoon Networking Break
4:00 - 4:45 PM Concurrent Sessions
4:45 - 5:00 PM Transition Break
5:00 - 5:45 PM Concurrent Sessions
6:00 - 9:00 PM Evening Reception
7:00 AM - 3:00 PM Registration
8:00 - 9:00 AM Breakfast
9:00 - 9:30 AM Opening Remarks - Cindy Donaldson
9:30 - 10:30 AM General Session
10:30 - 11:15 AM Concurrent Sessions
11:15 - 11:45 AM Morning Networking Break
11:45 AM - 12:30 PM Concurrent Sessions
12:30 - 12:45 PM Transition Break
12:45 - 1:30 PM Concurrent Sessions
1:30 - 2:30 PM Lunch
2:30 - 3:15 PM Concurrent Sessions
3:15 - 3:30 PM Closing Remarks

Keynote Speaker: Sandra Grimes

Sandy Grimes is a 26-year retired officer of CIA's Directorate of Operations, who spent most of her career working against the former Soviet Union supporting CIA's most valuable cases - penetrations of the KGB and GRU. She joined CIA in July 1967 shortly after graduating from the University of Washington, Seattle with a BA in Russian. In 1991 she participated in the hunt for a Soviet spy in CIA and the identification of that individual as Aldrich Ames, one of the most destructive traitors in American history. She is co-author of the book "Circle of Treason", which details that search. It was also the basis for the ABC News mini-series "The Assets", which aired in 2014.

The daughter of parents who worked on the Manhattan Project, Sandy spent her formative years in Denver, Colorado, where she substituted a course in Russian for the dreaded junior year of physics, a choice that set the direction of her personal and professional life. A mother of two daughters and grandmother of four, she and her husband of 49 years live in Virginia.



Confirmed Session Descriptions

Gina Baker - Third Party Auditor, Intermountain Healthcare

So Many Vendors, So Little Time: A Risk Based Approach to Third Party Review
Keeping track of third parties, their services provided, access to data and compliance can be overwhelming at best. Using industry research and lessons learned from breaches as they occur, a risk based approach to third parties can help streamline the approach and processes of managing the reviews.

Jonathan Ehret - 3rd Party Cyber Risk Assurance Manager, HealthNow

Swiss Army Knives, Not Scalpels
This presentation will look at how effective Third Party Risk programs are not simply comprised of a single method for assessing third parties. Rather, they are made up of various layers/tools, each providing different types of intelligence that are aggregated to form an overall picture of the third party's security posture.

Tom Findling - VP of Customer Success, IntSights

Uncovering the Full Spectrum of Cyber Threats Through 3rd Party Risk Assessments
The role of managing 3rd party risk has expanded beyond the risk and compliance organizations. Cyber risk must be included in the overall risk assessment process, but most organizations approach this process with a flawed methodology. Many companies will simply assess internal configurations, tools and processes to calculate cyber risk, but these surface-level assessments neglect the external and dark web risks that target a company, which can be even more damaging. To accurately and holistically assess cyber risk, you need to consider the threats that lurk below the surface and figure out how a threat actor may try to target that organization. In this session, we’ll describe the hidden threats that many risk assessment solutions fail to evaluate and share a methodology that organizations can use to accurately and appropriately assess 3rd party risk based on the full spectrum of cyber threats.

Julie Gaiaschi - Team Leader Third Party Security, Wellmark BCBS

The When, Where, and How of Vendor Onsite Visits
If you are a large, or even a smaller, organization, you most likely have 100s if not 1000s of vendors. You don't have the time or the resources to perform onsite visits for all of your vendors. So how do you determine when to perform an onsite visit? In this session, you will learn how to determine when an onsite visit is needed, where to perform the onsite visit (as multiple vendors have multiple locations), and what to do during an onsite visit. You will then learn how to take all of the information you've gathered from the onsite visit and translate it into a comprehensive security report.

Joe Hughes - Sr. Manager Risk & Compliance, General Electric

Real-time Vendor Monitoring
Hear our story as we looked for ways to evaluate high risk vendors continuously. Learn about some of the benefits associated with continuous monitoring and how we have been able to use them to support other areas of business.

Alissa Krause - Security Risk Manager, Xcel Energy

Creating a Risk Management Program in the Energy Sector
All industries face third-party risk, and many have similar components from a vendor, actor and corporate perspective. But each sector also faces its own unique threats, with specialized vendors and an attack surface specific to its operations. This presentation will highlight how Xcel Energy has implemented a security risk program that evaluates and protects against threats to IT and OT systems, cybersecurity, and physical security.

Norma Krayem - Sr Policy Advisor & Chair, Global Cybersecurity & Privacy Policy and Regulatory Team, Holland & Knight LLP

How Policy and Regulation Impact Business Risk and Responsibilities
Between GDPR, financial services regulations, and other policy changes, cybersecurity and risk management are a growing obligation for businesses. This presentation will discuss recently imposed regulation and cover upcoming policy changes that compliance staff and managers should be aware of as they evaluate their risk posture and responsibilities.

Marc Lieberman - VP Third Party Intelligence, Citi

Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle
Citi’s Cyber Intelligence Center (CIC) was established to provide situational awareness and strategic recommendations to internal decision-makers and stakeholders—delivering timely and actionable intelligence to stay ahead of the ever-evolving and maturing threat landscape. The presentation focuses on telling the story of Citi’s journey developing this program with some lessons-learned, successes, and use-cases.

Bruce Potter - CISO, Expel

“50 @ 50”: A common sense approach for simplifying third-party risk assessments
Another darn questionnaire! Too often, assessing the security of our vendors seems more like security theater than a practical process – with surveys that can stretch to dozens (or hundreds!) of questions. Is there a better way?

Kelly White - CEO and Co-Founder, RiskRecon

Solving Third-Party Cybersecurity Risk - A Data-Driven Approach
Your organization's risk surface is likely much larger than you think, so how can you get a handle on what risks exist, where they reside, and which ones are most important to resolve immediately? By taking a data-driven approach to identifying, understanding, and acting on risk, you can efficiently eliminate your organization's most critical third-party security gaps.


Additional Speakers:

Catherine Allen - Chairman and CEO, The Santa Fe Group

Joe Prochaska - Chair, Board Risk Committee, Synovus Financial Corp.

Jason Zellmer - Global Security, Third Party Risk, Aetna