2018 Summit Agenda

*Agenda subject to change

WEDNESDAY, OCTOBER 24
12:00 - 5:00 PM Golf Tournament sponsored by King & Union, Farsight Security & DomainTools
5:00 - 7:00 PM Early Registration
7:00 - 9:00 PM Welcome Reception
THURSDAY, OCTOBER 25
7:00 AM - 7:00 PM Registration
7:00 - 8:00 AM Breakfast & Exhibit Area Open
8:00 - 8:30 AM Opening Remarks - Cindy Donaldson, GRF President
8:30 - 9:30 AM Keynote - Sandra Grimes, Retired CIA Officer
9:30 - 10:00 AM Networking Break & Exhibit Area Open
10:00 - 10:45 AM Concurrent Sessions
Working Collaboratively During An Incident - Mary Chaney, Attorney At Law, The Cyber Security Law Firm of Texas
Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle - Marc Lieberman, VP Third Party Intelligence, Citi
Third Party Risk from the C-Suite - Catherine Allen, Chairman and CEO, The Santa Fe Group; Joe Prochaska, Chair, Board Risk Committee, Synovus Financial Corp.; Leslie Ireland, Member, Board of Directors, Citigroup
10:45 - 10:50 AM Transition Break
10:50 - 11:20 AM Concurrent Sessions
The Role of Secure Collaboration in Digital Transformation - Symphony
The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices - Brenda Ferraro, Senior Director of Networks, Prevalent
Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter - Ofer Israeli, Founder and CEO, Illusive Networks
11:20 - 11:30 AM Transition Break
11:30 AM - 12:00 PM Concurrent Sessions
Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties - Scott Schneider, CyberGRX
Solving Third-Party Cybersecurity Risk: A Data-Driven Approach - Kelly White, CEO and Co-Founder, RiskRecon
Post-IOC Evolution of Threat Intelligence Use Cases - Katie Kusjanovic, Sr. Solutions Consultant, EclecticIQ
12:00 - 12:30 PM Lunch Served & Exhibit Area Open
12:30 - 1:30 PM Lunch
1:30 - 2:30 PM Keynote - Jim Routh, Chief Security Officer, Aetna
2:30 - 3:00 PM Networking Break & Exhibit Area Open
3:00 - 3:45 PM Concurrent Sessions
The When, Where, and How of Vendor Onsite Visits - Julie Gaiaschi, Team Leader Third Party Security, Wellmark BCBS
Creating a Risk Management Program in the Energy Sector - Alissa Krause, Security Risk Manager, Xcel Energy
"50 @ 50": A Common Sense Approach for Simplifying Third-Party Assessments - Bruce Potter, CISO, Expel
3:45 - 3:50 PM Transition Break
3:50 - 4:35 PM Concurrent Sessions
An Attacker's View of Your Supply Chain Risk - Geoff Hancock, Principal, Advanced Cybersecurity Group
Response to High Profile Incidents - Marc Sachs, CSO, Pattern Computer
How Policy and Regulation Impact Business Risk and Responsibilities - Norma Krayem, Sr Policy Advisor & Chair, Global Cybersecurity & Privacy Policy and Regulatory Team, Holland & Knight LLP
4:35 - 4:40 PM Transition Break
4:40 - 5:25 PM Concurrent Sessions
So Many Vendors, So Little Time: A Risk Based Approach to Third-Party Review - Gina Baker, Third Party Auditor, Intermountain Healthcare
Addressing GRC with Threat Intelligence - Thomas Pope, Adversary Hunter, Dragos
Real-time Vendor Monitoring - Joe Hughes, Sr. Manager Risk & Compliance, General Electric
5:30 - 6:30 PM Exhibit Area Open for Exhibitor Bingo
6:30 - 8:30 PM Evening Reception
FRIDAY, OCTOBER 26
8:00 AM - 1:00 PM Registration
8:00 - 9:00 AM Breakfast & Exhibit Area Open
9:00 - 9:15 AM Opening Remarks - Cindy Donaldson, GRF President
9:15 - 10:15 AM Panel Discussion
The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners - Kostas Georgakopoulos, Global CISO, Procter & Gamble; Ram Chennamsetty, Deputy CISO, IBM; Renee Guttmann, CISO, Campbell’s Soup; Rocco Grillo, Global Cyber Leader, Stroz Friedberg, Aon
10:15 - 10:45 AM Networking Break & Exhibit Area Open
10:45 - 11:15 AM Concurrent Sessions
TBA
TBA
Uncovering the Full Spectrum of Cyber Threat Through 3rd-Party Risk Assessments - Tom Findling, CISO, IntSights
11:15 - 11:20 AM Transition Break
11:25 AM - 12:10 PM Concurrent Sessions
Shifting Paradigms: How Innovation is Changing Payment Security (and Standards) - Troy Leach, Chief Technology Officer, PCI Security Standards Council
How FS-ISAC Disrupts Cybercrime and How You Can Too - Errol Weiss, SVP, Global Information Security, Bank of America
Swiss Army Knives, Not Scalpels - Jonathan Ehret, 3rd Party Cyber Risk Assurance Manager, HealthNow
12:10 - 12:15 PM Transition Break
12:15 - 1:00 PM Concurrent Sessions
Cyber/Privacy Incident Response Playbook Best Practice - Evan Wolff, Partner, Co-Chair of Privacy and Cybersecurity Practice Group, Crowell & Moring
Innovate to Improve Access Control Posture - Neha Joshi, Managing Director, Accenture Security
Beyond the Questionnaire - Using Data Science to Create a Security Event Driven Program - Jason Zellmer, Global Security, Third Party Risk, Aetna
1:00 - 2:00 PM Lunch with Closing Remarks & Raffle
Keynote Speaker: Sandra Grimes

Sandy Grimes is a 26-year retired officer of CIA's Directorate of Operations, who spent most of her career working against the former Soviet Union supporting CIA's most valuable cases - penetrations of the KGB and GRU. She joined CIA in July 1967 shortly after graduating from the University of Washington, Seattle with a BA in Russian. In 1991 she participated in the hunt for a Soviet spy in CIA and the identification of that individual as Aldrich Ames, one of the most destructive traitors in American history. She is co-author of the book "Circle of Treason", which details that search. It was also the basis for the ABC News mini-series "The Assets" aired in 2014.

The daughter of parents who worked on the Manhattan Project, Sandy spent her formative years in Denver, Colorado, where she substituted a course in Russian for the dreaded junior year of physics, a choice that set the direction of her personal and professional life. A mother of two daughters and grandmother of four, she and her husband of 49 years live in Virginia.

Keynote Speaker: Jim Routh

Jim Routh is the Chief Security Officer and leads the Global Security function for Aetna. He is the Chairman of the H-ISAC Board. He serves as a member of the Advisory Board of the ClearSky Security Fund. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express.

Jim is the winner of the 2017 Evanta Breakaway Leaders Award, 2016 Security Alliance Award for Innovation, 2016 ISE Luminary Leadership Award, and many other awards.
Session Descriptions

Catherine Allen - Chairman and CEO, The Santa Fe Group
Joe Prochaska - Chair, Board Risk Committee, Synovus Financial Corp.
Leslie Ireland - Member, Board of Directors, Citigroup

Third Party Risk from the C-Suite
Board Members and Executives discuss how Risk Committees operate within Boards to address third party risk within an organization.

Gina Baker - Third Party Auditor, Intermountain Healthcare

So Many Vendors, So Little Time: A Risk Based Approach to Third Party Review
Keeping track of third parties, the services they provide, their access to data, and their compliance can be overwhelming at best. Using industry research and lessons learned from breaches as they occur, a risk-based approach to third parties can help streamline the approach and processes of managing the reviews.

Mary Chaney - Attorney At Law, The Cyber Security Law Firm of Texas

Working Collaboratively During An Incident
During this session we will discuss how companies and vendors can act collaboratively when responding to an incident, and how companies can extend their incident response teams to include their vendors, thus ensuring cyber security resilience across the enterprise.

Jonathan Ehret - 3rd Party Cyber Risk Assurance Manager, HealthNow

Swiss Army Knives, Not Scalpels
This presentation will look at how effective Third Party Risk programs are not simply comprised of a single method for assessing third parties. Rather, they are made up of various layers/tools, each providing different types of intelligence that are aggregated to form an overall picture of the third party's security posture.

Brenda Ferraro - Senior Director of Networks, Prevalent

The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices.
Everyone is looking for a way to reduce the burden of third party risk management. But are you effectively managing your risks head on? As the leader in Third Party Risk Management, Prevalent’s unified platform integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. Join Brenda Ferraro (Ward), Senior Director of Networks, as she discusses the value of a comprehensive TPRM program and how the critical mass within the networks is driving risk reduction across all sectors.

Tom Findling - CISO, IntSights

Uncovering the Full Spectrum of Cyber Threats Through 3rd Party Risk Assessments
The role of managing 3rd party risk has expanded beyond the risk and compliance organizations. Cyber risk must be included in the overall risk assessment process, but most organizations approach this process with a flawed methodology. Many companies will simply assess internal configurations, tools and processes to calculate cyber risk, but these surface-level assessments neglect the external and dark web risks that target a company, which can be even more damaging. To accurately and holistically assess cyber risk, you need to consider the threats that lurk below the surface and figure out how a threat actor may try to target that organization. In this session, we’ll describe the hidden threats that many risk assessment solutions fail to evaluate and share a methodology that organizations can use to accurately and appropriately assess 3rd party risk based on the full spectrum of cyber threats.

Julie Gaiaschi - Team Leader Third Party Security, Wellmark BCBS

The When, Where, and How of Vendor Onsite Visits
Whether you are a large or a smaller organization, you most likely have hundreds if not thousands of vendors. You don't have the time or the resources to perform onsite visits for all of your vendors. So how do you determine when to perform an onsite visit? In this session, you will learn how to determine when an onsite visit is needed, where to perform the onsite visit (as many vendors have multiple locations), and what to do during an onsite visit. You will then learn how to take all of the information you've gathered from the onsite visit and translate it into a comprehensive security report.

Kostas Georgakopoulos - Global CISO, Procter & Gamble
Ram Chennamsetty - Deputy CISO, IBM
Renee Guttmann - CISO, Campbell’s Soup
Rocco Grillo - Global Cyber Leader, Stroz Friedberg, Aon

The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners
Today enterprises require technology that is faster, stronger, more efficient, more innovative, and more integrated into business processes than ever before. And yet, incorporating new technologies and 3rd party vendors and business partners to keep up with evolving customer demands, and to remain competitive, leads to risks that extend beyond IT to all areas of the enterprise. Further, the continued proliferation of the cloud and IoT devices in the enterprise takes managing third-party risks, and the sensitive and confidential data they handle, to a whole other level, and it has become a herculean task. The expanding cyber threat landscape, coupled with sophisticated attacks, further exacerbates an already complicated challenge for managing 3rd party risks. The cybersecurity risk management stakeholders of companies must not only adapt to the evolving threat landscape, but they must be engaged in enterprise-level decision-making in order to recognize the impact of cybersecurity vulnerabilities and threats and to safeguard the organization’s most critical assets. This panel of leading industry experts will dive into the areas organizations can excel in today to proactively prepare for the cybersecurity implications of the future by participating in business decision making.

Geoff Hancock - Principal, Advanced Cybersecurity Group

An Attacker's View of Your Supply Chain Risk
Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization’s supply chain partners, especially those with network access but without effective cybersecurity protection. In this session we will assess the technical and operational challenges of managing 3rd party supply chain risk. We will break down a few of the most recent cyber-attacks to identify the failures and develop an operational plan to increase the security of your supply chain.

Joe Hughes - Sr. Manager Risk & Compliance, General Electric

Real-time Vendor Monitoring
Hear our story as we looked for ways to evaluate high risk vendors continuously. Learn about some of the benefits associated with continuous monitoring and how we have been able to use them to support other areas of business.

Ofer Israeli - Founder and CEO, Illusive Networks

Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter
The oceans of data that extended enterprises generate make cyberthreat detection a major challenge. As organizations face the limitations of signature- and controls-based approaches, data analytics and “neural networks” promise to discern meaningful patterns and anomalies. A third approach is based on deception, which is still narrowly associated with “honeypots.” This session will provide a brief overview of how deception has evolved, compare these three threat detection approaches within an overall architecture for reducing cyber risk, and talk about why it is so important that organizations large and small have the ability to suppress lateral movement.

Neha Joshi - Managing Director, Accenture Security

Innovate to Improve Access Control Posture
How can you use innovative technologies to improve your organization's Access Control posture? These technologies include analytics to identify and predict the riskiest access areas, machine learning to continuously maintain dynamic views of Access Control, robotics to increase efficiency and reduce error, DevOps for increased speed to market (especially critical to address new findings), and natural language processing for reduced costs. These innovations have proven successful in improving Access Control posture across industries, but are not leveraged widely enough today. Let’s discuss how you can use innovative technologies to meet your needs.

Alissa Krause - Security Risk Manager, Xcel Energy

Creating a Risk Management Program in the Energy Sector
All industries face third-party risk, and many have similar components from a vendor, actor and corporate perspective. But each sector also faces its own unique threats, with specialized vendors and an attack surface specific to its operations. This presentation will highlight how Xcel Energy has implemented a security risk program that evaluates and protects against threats to IT and OT systems, cybersecurity, and physical security.

Norma Krayem - Sr Policy Advisor & Chair, Global Cybersecurity & Privacy Policy and Regulatory Team, Holland & Knight LLP

How Policy and Regulation Impact Business Risk and Responsibilities
Between GDPR, financial services regulations, and other policy changes, cybersecurity and risk management are a growing obligation for businesses. This presentation will discuss recently imposed regulation and cover upcoming policy changes that compliance staff and managers should be aware of as they evaluate their risk posture and responsibilities.

Katie Kusjanovic - Sr. Solutions Consultant, EclecticIQ

Post-IOC Evolution of Threat Intelligence Use Cases
Today we know that IOCs are inherently reactive. In order to better prepare for tomorrow's threats, we need to be proactive, and threat intelligence (TI) data, threat intelligence platform (TIP) technology and internally-harvested intelligence allow us to evolve to the next level. This session will first detail the current problem: the reactive limitations that come from a non-progressive loop of requirements -> collection -> analysis -> action -> repeat. Then we will describe how TI data can be used to action internally-harvested intelligence data sources and turn the loop into a progressive evolution. With internally-harvested intelligence, each step in the loop becomes potentially proactive. We will fully illuminate how each step in the loop becomes progressive and drives data evolution, and the specifics involved. We will wrap up with a hopeful prognostication of what a post-IOC defense will look like, namely how sharing data within a community/industry/vertical might evolve and what role automation will continue to play, by exploring three threat intelligence use cases from the third-party risk context.

Troy Leach - Chief Technology Officer, PCI Security Standards Council

Shifting Paradigms: How Innovation is Changing Payment Security (and Standards)
Don’t miss this session for a look into the evolution of payments and security standards. Hear about some opportunities and challenges that have been created by the innovations in technology. This session will also cover how PCI SSC is addressing these changes and how you can help.

Marc Lieberman - VP Third Party Intelligence, Citi

Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle
Citi’s Cyber Intelligence Center (CIC) was established to provide situational awareness and strategic recommendations to internal decision-makers and stakeholders—delivering timely and actionable intelligence to stay ahead of the ever-evolving and maturing threat landscape. As cyber-criminals have shifted towards increasingly leveraging vulnerabilities in third-party relationships to target industries, the CIC’s Third Party Risk Intelligence Program extends the intelligence-led model to enhance 3rd party risk due-diligence efforts across the lifecycle. The presentation focuses on telling the story of the program's journey with some lessons-learned, successes, and use-cases.

Thomas Pope - Adversary Hunter, Dragos

Addressing GRC with Threat Intelligence
Governance, Risk and Compliance (GRC) attempts to address cyber security in a holistic way. The shortcoming in most models is the lack of real-world data. Threat Intelligence provides a means to stay ahead of compliance regulations, which can take years to develop, and helps make informed decisions on risk. Case studies will be given regarding WannaCry, NotPetya, CRASHOVERRIDE and TRISIS showing how Threat Intelligence drives faster solutions.

Bruce Potter - CISO, Expel

“50 @ 50”: A Common Sense Approach for Simplifying Third-party Risk Assessments
Another darn questionnaire! Too often, assessing the security of our vendors seems more like security theater than a practical process – with surveys that can stretch to dozens (or hundreds!) of questions. Is there a better way?

Marc Sachs - CSO, Pattern Computer

Response to High Profile Incidents
Often a company needs to minimize and control any immediate public commenting on a data breach or security incident. But what if news of the incident hits the media outlets nearly immediately, requiring you to quickly develop public statements while simultaneously trying to figure out exactly what happened? Do you “spin” the story to protect the impacted organization, or do you say, “no comment” and leave everybody guessing, or do you do something else? This talk will look at a few recent high profile incidents and how the impacted organizations responded when their incident became a lead news story.

Scott Schneider - Chief Revenue Officer, CyberGRX

Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties
It's no secret that hackers are opportunistic. They are constantly looking for the weakest link and are quick to capitalize on one as soon as it's spotted. So how can organizations protect themselves from these cyber criminals when their attack surface is continuously expanding with every new third party added? This panel will discuss third-party cyber risk approaches that have worked and some that have not - so the audience can walk away with some best practices on how to combat the ever evolving and constant threats in their third-party ecosystem.

Errol Weiss - SVP, Global Information Security, Bank of America

How FS-ISAC Disrupts Cybercriminals and How You Can Too
In March 2012, the FS-ISAC dealt a serious blow to the global cybercrime arms race. Thirty-nine "John Does" – hackers with codenames like Pepsi, MaDaGaSka, virus_e_2003, and h4x0rdz – were disrupted when the FS-ISAC and Microsoft worked together to execute a legal and technical strategy resulting in the seizure of computers and thousands of domain names used to run the ZeuS malware. The court filings detailed how the criminals controlled thousands of computer botnets and were responsible for account takeovers causing hundreds of millions of dollars in fraud losses globally. The civil complaint marked the first partnership between FS-ISAC and Microsoft to combat online fraud and disrupt criminal malware. Errol will discuss this case and more recent examples to show how the financial services sector partners with technology firms and law enforcement organizations globally to combat criminal malware, and how these techniques can be used by other sectors to disrupt cybercriminals targeting them.

Kelly White - CEO and Co-Founder, RiskRecon

Solving Third-Party Cybersecurity Risk - A Data-Driven Approach
Your organization's risk surface is likely much larger than you think, so how can you get a handle on what risks exist, where they reside, and which ones are most important to resolve immediately? By taking a data-driven approach to identifying, understanding, and acting on risk, you can efficiently eliminate your organization's most critical third-party security gaps.

Evan Wolff - Partner, Co-Chair of Privacy and Cybersecurity Practice Group, Crowell & Moring

Cyber/Privacy Incident Response Playbook: Best Practices
A decade ago, few companies had plans for managing cyber and privacy incidents. Now an incident response playbook is often a critical element of a company's comprehensive compliance and risk management program. During this discussion, we will highlight some of the essential components of an incident response playbook for those companies developing them, focusing on governance (roles and responsibilities as well as policies and procedures), operations and technology. For companies with existing playbooks, we will also discuss trends for enhancement and evolution of incident response processes.

Jason Zellmer - Global Security, Third Party Risk, Aetna

Beyond the Questionnaire – Using Data Science to Create a Security Event Driven Program
Is a traditional audit based approach really helping reduce security risk? This session explores alternative sources of security data that can be used to help determine the risk posture of third parties. The presentation will look at what sources are available and how data science tools and technologies can help bring data together in a different approach to third party security risk.