*Agenda subject to change
WEDNESDAY, OCTOBER 24

| Time | Session |
|---|---|
| 12:00 - 5:00 PM | Golf Tournament sponsored by King & Union, Farsight Security & DomainTools |
| 5:00 - 7:00 PM | Early Registration |
| 7:00 - 9:00 PM | Welcome Reception with Remarks from Leslie Ireland, Member, Board of Directors of Citigroup |

THURSDAY, OCTOBER 25

| Time | Session |
|---|---|
| 7:00 AM - 7:00 PM | Registration |
| 7:00 - 8:00 AM | Breakfast & Exhibit Area Open |
| 8:00 - 8:30 AM | Opening Remarks - Cindy Donaldson, GRF President |
| 8:30 - 9:30 AM | Keynote - Sandra Grimes, Officer, Directorate of Operations, CIA - Retired |
| 9:30 - 10:00 AM | Networking Break & Exhibit Area Open |
| 10:00 - 10:45 AM | Working Collaboratively During An Incident - Mary Chaney, Attorney At Law, The Cyber Security Law Firm of Texas |
| | Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle - Marc Lieberman, VP Third Party Intelligence, Citi |
| | Third Party Risk from the C-Suite - Catherine Allen, Chairman and CEO, The Santa Fe Group; Joe Prochaska, Chair, Board Risk Committee, Synovus Financial Corp.; Leslie Ireland, Member, Board of Directors of Citigroup |
| 10:45 - 10:50 AM | Transition Break |
| 10:50 - 11:20 AM | The Role of Secure Collaboration in Digital Transformation - Harry Patz, EVP Market Development, Symphony |
| | The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices - Brenda Ferraro, Senior Director of Networks, Prevalent |
| | Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter - Ofer Israeli, Founder and CEO, Illusive Networks |
| 11:20 - 11:30 AM | Transition Break |
| 11:30 AM - 12:00 PM | Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties - Scott Schneider, Chief Revenue Officer, CyberGRX; Jason Zellmer, Global Security, Third Party Risk, Aetna |
| | Solving Third-Party Cybersecurity Risk: A Data-Driven Approach - Kelly White, CEO and Co-Founder, RiskRecon |
| | Post-IOC Evolution of Threat Intelligence Use Cases - Katie Kusjanovic, Sr. Solutions Consultant, EclecticIQ |
| 12:00 - 12:30 PM | Lunch Served & Exhibit Area Open |
| 12:30 - 1:30 PM | Lunch - Panel: Leveraging Your Sharing Community - A Cross-Industry Approach to Third-Party Risk - Anders Norremo, CEO, ThirdParty Trust; Chad Peterson, Director, Third Party Risk Management – Customer Satisfaction and Delivery, Optiv; Jill Czerwinski, Third Party Assessment Team Lead, SecurityScorecard |
| 1:30 - 2:30 PM | Keynote - Jim Routh, Chief Security Officer, Aetna |
| 2:30 - 3:00 PM | Networking Break & Exhibit Area Open |
| 3:00 - 3:45 PM | The When, Where, and How of Vendor Onsite Visits - Julie Gaiaschi, Team Leader Third Party Security, Wellmark BCBS |
| | Building & Strengthening a 3rd Party Security Risk Program and How to Customize it to your Industry - Alissa Krause, Security Risk Manager, Xcel Energy |
| | "50 @ 50": A Common Sense Approach for Simplifying Third-Party Assessments - Bruce Potter, CISO, Expel |
| 3:45 - 3:50 PM | Transition Break |
| 3:50 - 4:35 PM | An Attacker's View of Your Supply Chain Risk - Geoff Hancock, Principal, Advanced Cybersecurity Group |
| | Response to High Profile Incidents - Marc Sachs, CSO, Pattern Computer |
| 4:35 - 4:40 PM | Transition Break |
| 4:40 - 5:25 PM | So Many Vendors, So Little Time: A Risk Based Approach to Third-Party Review - Gina Baker, Third Party Auditor, Intermountain Healthcare |
| | Addressing GRC with Threat Intelligence - Thomas Pope, Adversary Hunter, Dragos |
| | Real-time Vendor Monitoring - Joe Hughes, Sr. Manager Risk & Compliance, General Electric |
| 5:30 - 6:30 PM | Exhibit Area Open for Exhibitor Bingo |
| 6:30 - 8:30 PM | Evening Reception |

FRIDAY, OCTOBER 26

| Time | Session |
|---|---|
| 8:00 AM - 1:00 PM | Registration |
| 8:00 - 9:00 AM | Breakfast & Exhibit Area Open |
| 9:00 - 9:15 AM | Opening Remarks - Cindy Donaldson, GRF President |
| 9:15 - 10:15 AM | The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners - Kostas Georgakopoulos, Global CISO, Procter & Gamble; Ram Chennamsetty, Deputy CISO, IBM; Renee Guttmann, CISO, Campbell’s Soup; Rocco Grillo, Global Cyber Leader, Stroz Friedberg, Aon |
| 10:15 - 10:45 AM | Networking Break & Exhibit Area Open |
| 10:45 - 11:15 AM | Cybersecurity as Corporate Social Responsibility: Managing Risk in Your Third-party Ecosystem - Frederic Trinel, Co-CEO and co-Founder, CyberVadis |
| | Using the NIST Cyber Security Framework (CSF) to Communicate Risk - Ken Durbin, Senior Strategist, Symantec |
| | Uncovering the Full Spectrum of Cyber Threats Through 3rd-Party Risk Assessments - Guy Nizan, CEO & Co-Founder, IntSights |
| 11:15 - 11:20 AM | Transition Break |
| 11:25 AM - 12:10 PM | Shifting Paradigms: How Innovation is Changing Payment Security (and Standards) - Troy Leach, Chief Technology Officer, PCI Security Standards Council |
| | How FS-ISAC Disrupts Cybercrime and How You Can Too - Errol Weiss, SVP, Global Information Security, Bank of America |
| | Swiss Army Knives, Not Scalpels - Jonathan Ehret, 3rd Party Cyber Risk Assurance Manager, HealthNow |
| 12:10 - 12:15 PM | Transition Break |
| 12:15 - 1:00 PM | Cyber/Privacy Incident Response Playbook: Best Practices - Evan Wolff, Partner, Co-Chair of Privacy and Cybersecurity Practice Group, Crowell & Moring |
| | Innovate to Improve Access Control Posture - Neha Joshi, Managing Director, Accenture Security |
| | Beyond the Questionnaire - Using Data Science to Create a Security Event Driven Program - Jason Zellmer, Global Security, Third Party Risk, Aetna |
| 1:00 - 2:00 PM | Lunch |
| 2:00 - 2:45 PM | Adversary Playbooks: The Atomic Element that we All Should be Sharing - Richard Howard, CSO, Palo Alto Networks |
| | Importance of Integrated Operational Risk to Enable Business Objectives, and How Third Party Risk Fits into That - Lin Lu, SVP Enterprise Operational Risk, Freddie Mac |
| | Supply Chain Impacts to our Overall Critical Infrastructure - Renee Forney, Senior Director of Cyber Assurance, Capital One |
| 2:45 - 3:00 PM | Transition Break |
| 3:00 - 3:30 PM | General Session - How to Economically Justify Your Risk Management Needs - Jack Jones, Chairman, FAIR Institute and Chief Risk Scientist & Co-founder, RiskLens, Inc. |
| 3:30 - 4:00 PM | Closing Remarks and Raffle |
Sandy Grimes is a 26-year retired officer of CIA's Directorate of Operations, who spent most of her career working against the former Soviet Union supporting CIA's most valuable cases - penetrations of the KGB and GRU. She joined CIA in July 1967 shortly after graduating from the University of Washington, Seattle with a BA in Russian. In 1991 she participated in the hunt for a Soviet spy in CIA and the identification of that individual as Aldrich Ames, one of the most destructive traitors in American history. She is co-author of the book "Circle of Treason", which details that search. It was also the basis for the ABC News mini-series "The Assets" aired in 2014.
The daughter of parents who worked on the Manhattan Project, Sandy spent her formative years in Denver, Colorado, where she substituted a course in Russian for the dreaded junior year of physics, a choice that set the direction of her personal and professional life. A mother of two daughters and grandmother of four, she and her husband of 49 years live in Virginia.
Jim Routh is the Chief Security Officer and leads the Global Security function for Aetna. He is the Chairman of the H-ISAC Board. He serves as a member of the Advisory Board of the ClearSky Security Fund. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express.
Jim is the winner of the 2017 Evanta Breakaway Leaders Award, 2016 Security Alliance Award for Innovation, 2016 ISE Luminary Leadership Award, and many other awards.
Third Party Risk from the C-Suite
Board Members and Executives discuss how Risk Committees operate within Boards to address third party risk within an organization.
So Many Vendors, So Little Time: A Risk Based Approach to Third Party Review
Keeping track of third parties, their services provided, access to data and compliance can be overwhelming at best. Using industry research and lessons learned from breaches as they occur, a risk based approach to third parties can help streamline the approach and processes of managing the reviews.
Working Collaboratively During An Incident
During this session we will discuss how companies and vendors can act collaboratively when responding to an incident. How companies can extend their incident response teams to include their vendors thus ensuring cyber security resilience across the enterprise.
Using the NIST Cyber Security Framework (CSF) to Communicate Risk
The NIST CSF was originally focused on critical infrastructure but is now being adopted by organizations of all sizes and market sectors. A key benefit driving such broad adoption is the Framework's ability to help communicate an organization's cybersecurity posture and risk to individuals regardless of their cybersecurity experience. Join this session to understand:
Swiss Army Knives, Not Scalpels
This presentation will look at how effective third-party risk programs are not simply comprised of a single method for assessing third parties. Rather, they are made up of various layers and tools, each providing a different type of intelligence, which are aggregated to form an overall picture of the third party's security posture.
The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices
Everyone is looking for a way to reduce the burden of third party risk management. But are you effectively managing your risks head on? As the leader in Third Party Risk Management, Prevalent’s unified platform integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. Join Brenda Ferraro (Ward), Senior Director of Networks, as she discusses the value of a comprehensive TPRM program and how the critical mass within the networks is driving risk reduction across all sectors.
Supply Chain Impacts to our Overall Critical Infrastructure
This presentation will look at the concentration risk across critical infrastructure and how our individual supply chain risk management programs all play a role in addressing this global problem. Using AI, Predictive Analysis and appropriate indicator sharing helps to limit disruption.
The When, Where, and How of Vendor Onsite Visits
If you are a large, or even a smaller, organization, you most likely have hundreds if not thousands of vendors. You don't have the time or the resources to perform onsite visits for all of your vendors. So how do you determine when to perform an onsite visit? In this session, you will learn how to determine when an onsite visit is needed, where to perform it (as vendors often have multiple locations), and what to do during the visit. You will then learn how to take all of the information you've gathered from the onsite visit and translate it into a comprehensive security report.
The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners
Today enterprises require technology that is faster, stronger, more efficient, more innovative, and integrated into business processes than ever before. And yet, incorporating new technologies and 3rd party vendors and business partners to keep up with evolving customer demands, and to remain competitive, leads to risks that extend beyond IT and to all areas of the enterprise. Further, the continued proliferation of the cloud and IoT devices in the enterprise takes managing third-party risks to a whole other level of sensitive and confidential data which has become a herculean task. The expanding cyber threat landscape, coupled with sophisticated attacks, further exacerbates an already complicated challenge for managing 3rd party risks. The cybersecurity risk management stakeholders of companies must not only adapt to the evolving threat landscape, but they must be engaged in enterprise-level decision-making in order to recognize the impact of cybersecurity vulnerabilities and threats to safeguard the organization’s most critical assets. This panel of leading industry experts will dive into the areas organizations can excel in today to proactively prepare for cybersecurity implications of the future by participating in business decision making.
An Attacker's View Of Your Supply Chain Risk
Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization’s supply chain partners, especially those with network access but without effective cybersecurity protection. In this session we will assess the technical and operational challenges of managing third-party supply chain risk. We will break down a few recent cyber-attacks to identify the failures and develop an operational plan to increase the security of your supply chain.
Adversary Playbooks: The Atomic Element that we All Should be Sharing
I believe this is the future. We transition away from tactically deploying technical blocks to the security controls we have in place with very little understanding of the adversary to strategically inserting precise controls for specific adversaries at every stage of the kill chain. This requires work and automation and a change of thinking by the network defender community. But the work has begun. The Cyber Threat Alliance has embraced the idea and Palo Alto Networks is dedicated to showing the way.
Real-time Vendor Monitoring
Hear our story as we looked for ways to evaluate high risk vendors continuously. Learn about some of the benefits associated with continuous monitoring and how we have been able to use them to support other areas of business.
Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter
The oceans of data that extended enterprises generate make cyberthreat detection a major challenge. As organizations face the limitations of signature- and controls-based approaches, data analytics and “neural networks” promise to discern meaningful patterns and anomalies. A third approach is based on deception, which is still narrowly associated with “honeypots.” This session will provide a brief overview of how deception has evolved, compare these three threat detection approaches within an overall architecture for reducing cyber risk, and talk about why it is so important that organizations large and small have the ability to suppress lateral movement.
How to Economically Justify Your Risk Management Needs
One inescapable fact of risk management is that resources are limited, and every dollar that goes toward risk management is a dollar that isn’t available for growing the business or meeting operational needs. In order for executives to make well-informed trade-offs between risk, operations, and growth, they need to be able compare these things in similar terms. In a business setting, this boils down to dollars and cents. In this session, Jack will share insights, principles, and methods that can enable organizations to pragmatically evaluate and communicate risk in economic terms so that decision-makers can make better-informed decisions. Note, however, that some of what he’ll share will challenge conventional practice and wisdom, so come with an open mind.
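The abstract above argues for expressing risk in dollars so that it can be traded off against control spend; it does not spell out a method. As an added illustration (not Jack Jones's material or the FAIR Institute's tooling), the Python below runs a simplified FAIR-style Monte Carlo: loss event frequency and loss magnitude are each sampled from a triangular distribution, giving an annualized loss expectancy (ALE) and a 90th-percentile "bad year", and the ALE with and without a proposed control is compared against the control's cost. All scenario inputs, the control's assumed effect and its cost are constructed, hypothetical numbers.

```python
import random
from statistics import mean, quantiles

# Constructed, hypothetical inputs for one third-party loss scenario.
# Frequencies are loss events per year, magnitudes are dollars per event,
# each given as (min, max, most_likely) for a triangular distribution.
SCENARIO_NO_CONTROL = {
    "frequency": (0.5, 4.0, 2.0),
    "magnitude": (50_000, 2_000_000, 300_000),
}
# Assumed effect of a proposed control (e.g. continuous vendor monitoring):
# fewer loss events per year, same magnitude when one does occur.
SCENARIO_WITH_CONTROL = {
    "frequency": (0.25, 2.0, 1.0),
    "magnitude": (50_000, 2_000_000, 300_000),
}
CONTROL_ANNUAL_COST = 250_000  # assumed annual cost of the control


def simulate_annual_losses(scenario, years=20_000, seed=7):
    """Monte Carlo over simulated years; returns the list of annual loss totals."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    f_min, f_max, f_mode = scenario["frequency"]
    m_min, m_max, m_mode = scenario["magnitude"]
    totals = []
    for _ in range(years):
        # random.triangular takes (low, high, mode); round to a whole event count
        events = round(rng.triangular(f_min, f_max, f_mode))
        totals.append(sum(rng.triangular(m_min, m_max, m_mode) for _ in range(events)))
    return totals


def loss_exposure(scenario, **kw):
    """Annualized loss expectancy (mean) plus the 90th-percentile 'bad year'."""
    totals = simulate_annual_losses(scenario, **kw)
    return {
        "ale": mean(totals),
        "p90": quantiles(totals, n=10)[8],  # 9 cut points; index 8 is the 90th percentile
    }


def control_net_benefit(before, after, annual_cost, **kw):
    """Expected annual loss avoided by the control, minus what the control costs."""
    ale_before = loss_exposure(before, **kw)["ale"]
    ale_after = loss_exposure(after, **kw)["ale"]
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "loss_avoided": ale_before - ale_after,
        "net_benefit": ale_before - ale_after - annual_cost,
    }


if __name__ == "__main__":
    result = control_net_benefit(SCENARIO_NO_CONTROL, SCENARIO_WITH_CONTROL, CONTROL_ANNUAL_COST)
    for name, dollars in result.items():
        print(f"{name:>13}: ${dollars:,.0f}")
```

The point of the simulation rather than a single "likelihood times impact" product is that it produces a distribution: the mean is what goes into a budget comparison, while the 90th percentile is what a board member will ask about when deciding how much tail risk to tolerate.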
Innovate to Improve Access Control Posture
How can you use innovative technologies to improve your organization's access control posture? These include analytics to identify and predict the riskiest access areas, machine learning to continuously maintain dynamic views of access control, robotics to increase efficiency and reduce error, DevOps for faster time to market (especially critical for addressing new findings), and natural language processing to reduce costs. These innovations have proven successful in improving access control posture across industries, but are not leveraged widely enough today. Let’s discuss how you can use them to meet your needs.
Building & Strengthening a 3rd Party Security Risk Program and How to Customize it to your Industry
All industries face third-party risk, and many have similar components from a vendor, actor and corporate perspective. But each sector also faces its own unique threats, with specialized vendors and an attack surface specific to its operations. This presentation will highlight how Xcel Energy has customized a security risk program that evaluates and protects against threats to IT and OT systems, cybersecurity, and physical security and how its model can be applied for your industry.
How Policy and Regulation Impact Business Risk and Responsibilities
Between GDPR, financial services regulations, and other policies changes, cybersecurity and risk management are a growing obligation for businesses. This presentation will discuss recently imposed regulation and cover upcoming policy changes that compliance staff and managers should be aware of as they evaluate their risk posture and responsibilities.
Post-IOC Evolution of Threat Intelligence Use Cases
Today we know that IOCs are inherently reactive. To prepare for tomorrow's threats we need to be proactive, and threat intelligence (TI) data, threat intelligence platform (TIP) technology and internally harvested intelligence allow us to evolve to the next level. This session will first detail the current problem: the reactive limitations of a non-progressive loop of requirements -> collection -> analysis -> action -> repeat. We will then describe how TI data can be used to act on internally harvested intelligence sources, turning the loop into a progressive evolution in which each step becomes potentially proactive. We will illuminate how each step in the loop becomes progressive and drives data evolution, and the specifics involved. We will wrap up with a hopeful prognostication of what a post-IOC defense will look like, namely how sharing data within a community, industry or vertical might evolve and what role automation will continue to play, by exploring three threat intelligence use cases from the third-party risk context.
Shifting Paradigms: How Innovation is Changing Payment Security (and Standards)
Don’t miss this session for a look into the evolution of payments and security standards. Hear about some opportunities and challenges that have been created by the innovations in technology. This session will also cover how PCI SSC is addressing these changes and how you can help.
Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle
Citi’s Cyber Intelligence Center (CIC) was established to provide situational awareness and strategic recommendations to internal decision-makers and stakeholders—delivering timely and actionable intelligence to stay ahead of the ever-evolving and maturing threat landscape. As cyber-criminals have shifted towards increasingly leveraging vulnerabilities in third-party relationships to target industries, the CIC’s Third Party Risk Intelligence Program extends the intelligence-led model to enhance 3rd party risk due-diligence efforts across the lifecycle. The presentation focuses on telling the story of the program's journey with some lessons-learned, successes, and use-cases.
Importance of Integrated Operational Risk to Enable Business Objectives, and How Third Party Risk Fits into That
Today's businesses operate in an increasingly fast changing environment. Having the ability to manage operational risk effectively and efficiently will enable businesses to gain a competitive advantage. Third party risk is an integral part of the integrated operational risk capabilities that allows the company to prioritize risk response plans based on a holistic risk profile.
Uncovering the Full Spectrum of Cyber Threats Through 3rd Party Risk Assessments
The role of managing 3rd party risk has expanded beyond the risk and compliance organizations. Cyber risk must be included in the overall risk assessment process, but most organizations approach this process with a flawed methodology. Many companies will simply assess internal configurations, tools and processes to calculate cyber risk, but these surface-level assessments neglect the external and dark web risks that target a company, which can be even more damaging. To accurately and holistically assess cyber risk, you need to consider the threats that lurk below the surface and figure out how a threat actor may try to target that organization. In this session, we’ll describe the hidden threats that many risk assessment solutions fail to evaluate and share a methodology that organizations can use to accurately and appropriately assess 3rd party risk based on the full spectrum of cyber threats.
Leveraging Your Sharing Community - A Cross-industry Approach to Third Party Risk
With growing vendor populations and exponential risk, the best way to approach third party risk is by banding the good guys together and leveraging the work of your peers. Join Cindy Donaldson and representatives from ThirdPartytrust, Optiv and SecurityScorecard in discussing the leading role sharing communities play in reducing third party risk.
The Role of Secure Collaboration in Digital Transformation
According to an industry survey on digital transformation, 85% of enterprise decision makers surveyed feel they have a timeframe of just two years to make significant inroads on their digital transformation before suffering financially and/or falling behind their competitors. So, what steps can you take today to make sure you are not falling behind? Digital collaboration is an important new way for companies to interact with third parties, counterparties and other business partners. Email and office productivity applications are less secure and less efficient than secure team collaboration. This session will highlight the key milestones for today’s digital transformations, the role of collaboration platforms and best practices in reducing risk and improving compliance when interacting with business partners including third parties.
Addressing GRC with Threat Intelligence
Governance, Risk and Compliance (GRC) programs attempt to address cyber security holistically, but most models lack real-world data. Threat intelligence provides a means to stay ahead of compliance regulations, which can take years to develop, and to make informed decisions on risk. Case studies of WannaCry, NotPetya, CRASHOVERRIDE and TRISIS will show how threat intelligence drives faster solutions.
“50 @ 50”: A Common Sense Approach for Simplifying Third-party Risk Assessments
Another darn questionnaire! Too often, assessing the security of our vendors seems more like security theater than a practical process – with surveys that can stretch to dozens (or hundreds!) of questions. Is there a better way?
Response to High Profile Incidents
Often a company needs to minimize and control any immediate public commenting on a data breach or security incident. But what if news of the incident hits the media outlets nearly immediately, requiring you to quickly develop public statements while simultaneously trying to figure out exactly what happened? Do you “spin” the story to protect the impacted organization, or do you say, “no comment” and leave everybody guessing, or do you do something else? This talk will look at a few recent high profile incidents and how the impacted organizations responded when their incident became a lead news story.
Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties
It's no secret that hackers are opportunistic. They are constantly looking for the weakest link and are quick to capitalize on one as soon as it's spotted. So how can organizations protect themselves from these cyber criminals when their attack surface is continuously expanding with every new third party added? This panel will discuss third-party cyber risk approaches that have worked and some that have not - so the audience can walk away with some best practices on how to combat the ever evolving and constant threats in their third-party ecosystem.
Cybersecurity as Corporate Social Responsibility: Managing Risk in Your Third-party Ecosystem
With the ability to affect hundreds of millions of consumers and impact whole economies, data breaches have become a matter of corporate social responsibility. While the challenges and potential consequences can seem overwhelming, companies trying to manage third-party cybersecurity risk can take valuable lessons from the growth of CSR in the supply chain over the past decade.
How FS-ISAC Disrupts Cybercriminals and How You Can Too
In March 2012, the FS-ISAC dealt a serious blow to the global cybercrime arms race. Thirty-nine "John Does" – hackers with codenames like Pepsi, MaDaGaSka, virus_e_2003, and h4x0rdz – were disrupted when the FS-ISAC and Microsoft worked together to execute a legal and technical strategy resulting in the seizure of computers and thousands of domain names used to run the ZeuS malware. The court filings detailed how the criminals controlled thousands of computer botnets and were responsible for account takeovers causing hundreds of millions of dollars in fraud losses globally. The civil complaint marked the first partnership between FS-ISAC and Microsoft to combat online fraud and disrupt criminal malware. Errol will discuss this case and more recent examples to show how the financial services sector partners with technology firms and law enforcement organizations globally to combat criminal malware, and how these techniques can be used by other sectors to disrupt cybercriminals targeting them.
Solving Third-Party Cybersecurity Risk - A Data-Driven Approach
Your organization's risk surface is likely much larger than you think, so how can you get a handle on what risks exist, where they reside, and which ones are most important to resolve immediately? By taking a data-driven approach to identifying, understanding, and acting on risk, you can efficiently eliminate your organization's most critical third-party security gaps.
Cyber/Privacy Incident Response Playbook: Best Practices
A decade ago, few companies had plans for managing cyber and privacy incidents. Now an incident response playbook is often a critical element of a company's comprehensive compliance and risk management program. During this discussion, we will highlight some of the essential components of an incident response playbook for those companies developing them, focusing on governance (roles and responsibilities as well as policies and procedures), operations and technology. For companies with existing playbooks, we will also discuss trends for enhancement and evolution of incident response processes.
Beyond the Questionnaire – Using Data Science to Create a Security Event Driven Program
Is a traditional audit based approach really helping reduce security risk? This session explores alternative sources of security data that can be used to help determine the risk posture of third parties. The presentation will look at what sources are available and how data science tools and technologies can help bring data together in a different approach to third party security risk.