*Agenda subject to change
| Time | Session (a row with a blank time runs concurrently with the session above it) |
|---|---|
| WEDNESDAY, OCTOBER 24 | |
| 12:00 - 5:00 PM | Golf Tournament sponsored by King & Union, Farsight Security & DomainTools |
| 5:00 - 7:00 PM | Early Registration |
| 7:00 - 9:00 PM | Welcome Reception |
| THURSDAY, OCTOBER 25 | |
| 7:00 AM - 7:00 PM | Registration |
| 7:00 - 8:00 AM | Breakfast & Exhibit Area Open |
| 8:00 - 8:30 AM | Opening Remarks - Cindy Donaldson, GRF President |
| 8:30 - 9:30 AM | Keynote - Sandra Grimes, Retired CIA Officer |
| 9:30 - 10:00 AM | Networking Break & Exhibit Area Open |
| 10:00 - 10:45 AM | Working Collaboratively During An Incident - Mary Chaney, Attorney At Law, The Cyber Security Law Firm of Texas |
| | Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle - Marc Lieberman, VP Third Party Intelligence, Citi |
| | Third Party Risk from the C-Suite - Catherine Allen, Chairman and CEO, The Santa Fe Group; Joe Prochaska, Chair, Board Risk Committee, Synovus Financial Corp.; Leslie Ireland, Member, Board of Directors, Citigroup |
| 10:45 - 10:50 AM | Transition Break |
| 10:50 - 11:20 AM | The Role of Secure Collaboration in Digital Transformation - Symphony |
| | The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices - Brenda Ferraro, Senior Director of Networks, Prevalent |
| | Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter - Ofer Israeli, Founder and CEO, Illusive Networks |
| 11:20 - 11:30 AM | Transition Break |
| 11:30 AM - 12:00 PM | Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties - Scott Schneider, CyberGRX |
| | Solving Third-Party Cybersecurity Risk: A Data-Driven Approach - Kelly White, CEO and Co-Founder, RiskRecon |
| | Post-IOC Evolution of Threat Intelligence Use Cases - Katie Kusjanovic, Sr. Solutions Consultant, EclecticIQ |
| 12:00 - 12:30 PM | Lunch Served & Exhibit Area Open |
| 12:30 - 1:30 PM | Lunch |
| 1:30 - 2:30 PM | Keynote - Jim Routh, Chief Security Officer, Aetna |
| 2:30 - 3:00 PM | Networking Break & Exhibit Area Open |
| 3:00 - 3:45 PM | The When, Where, and How of Vendor Onsite Visits - Julie Gaiaschi, Team Leader Third Party Security, Wellmark BCBS |
| | Creating a Risk Management Program in the Energy Sector - Alissa Krause, Security Risk Manager, Xcel Energy |
| | "50 @ 50": A Common Sense Approach for Simplifying Third-Party Assessments - Bruce Potter, CISO, Expel |
| 3:45 - 3:50 PM | Transition Break |
| 3:50 - 4:35 PM | An Attacker's View of Your Supply Chain Risk - Geoff Hancock, Principal, Advanced Cybersecurity Group |
| | Response to High Profile Incidents - Marc Sachs, CSO, Pattern Computer |
| 4:35 - 4:40 PM | Transition Break |
| 4:40 - 5:25 PM | So Many Vendors, So Little Time: A Risk Based Approach to Third-Party Review - Gina Baker, Third Party Auditor, Intermountain Healthcare |
| | Addressing GRC with Threat Intelligence - Thomas Pope, Adversary Hunter, Dragos |
| | Real-time Vendor Monitoring - Joe Hughes, Sr. Manager Risk & Compliance, General Electric |
| 5:30 - 6:30 PM | Exhibit Area Open for Exhibitor Bingo |
| 6:30 - 8:30 PM | Evening Reception |
| FRIDAY, OCTOBER 26 | |
| 8:00 AM - 1:00 PM | Registration |
| 8:00 - 9:00 AM | Breakfast & Exhibit Area Open |
| 9:00 - 9:15 AM | Opening Remarks - Cindy Donaldson, GRF President |
| 9:15 - 10:15 AM | The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners - Kostas Georgakopoulos, Global CISO, Procter & Gamble; Ram Chennamsetty, Deputy CISO, IBM; Renee Guttmann, CISO, Campbell's Soup; Rocco Grillo, Global Cyber Leader, Stroz Friedberg, Aon |
| 10:15 - 10:45 AM | Networking Break & Exhibit Area Open |
| 10:45 - 11:15 AM | Uncovering the Full Spectrum of Cyber Threat Through 3rd-Party Risk Assessments - Tom Findling, CISO, IntSights |
| 11:15 - 11:20 AM | Transition Break |
| 11:25 AM - 12:10 PM | Shifting Paradigms: How Innovation is Changing Payment Security (and Standards) - Troy Leach, Chief Technology Officer, PCI Security Standards Council |
| | How FS-ISAC Disrupts Cybercrime and How You Can Too - Errol Weiss, SVP, Global Information Security, Bank of America |
| | Swiss Army Knives, Not Scalpels - Jonathan Ehret, 3rd Party Cyber Risk Assurance Manager, HealthNow |
| 12:10 - 12:15 PM | Transition Break |
| 12:15 - 1:00 PM | Cyber/Privacy Incident Response Playbook Best Practice - Evan Wolff, Partner, Co-Chair of Privacy and Cybersecurity Practice Group, Crowell & Moring |
| | Innovate to Improve Access Control Posture - Neha Joshi, Managing Director, Accenture Security |
| | Beyond the Questionnaire - Using Data Science to Create a Security Event Driven Program - Jason Zellmer, Global Security, Third Party Risk, Aetna |
| 1:00 - 2:00 PM | Lunch with Closing Remarks & Raffle |
Sandy Grimes is a 26-year retired officer of CIA's Directorate of Operations, who spent most of her career working against the former Soviet Union supporting CIA's most valuable cases - penetrations of the KGB and GRU. She joined CIA in July 1967 shortly after graduating from the University of Washington, Seattle with a BA in Russian. In 1991 she participated in the hunt for a Soviet spy in CIA and the identification of that individual as Aldrich Ames, one of the most destructive traitors in American history. She is co-author of the book "Circle of Treason", which details that search. It was also the basis for the ABC News mini-series "The Assets" aired in 2014.
The daughter of parents who worked on the Manhattan Project, Sandy spent her formative years in Denver, Colorado, where she substituted a course in Russian for the dreaded junior year of physics, a choice that set the direction of her personal and professional life. A mother of two daughters and grandmother of four, she and her husband of 49 years live in Virginia.
Jim Routh is the Chief Security Officer and leads the Global Security function for Aetna. He is the Chairman of the H-ISAC Board. He serves as a member of the Advisory Board of the ClearSky Security Fund. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express.
Jim is the winner of the 2017 Evanta Breakaway Leaders Award, 2016 Security Alliance Award for Innovation, 2016 ISE Luminary Leadership Award, and many other awards.
Third Party Risk from the C-Suite
Board Members and Executives discuss how Risk Committees operate within Boards to address third party risk within an organization.
So Many Vendors, So Little Time: A Risk Based Approach to Third Party Review
Keeping track of third parties, the services they provide, their access to data and their compliance can be overwhelming at best. A risk-based approach to third parties, informed by industry research and lessons learned from breaches as they occur, can help streamline the process of managing these reviews.
Working Collaboratively During An Incident
During this session we will discuss how companies and vendors can act collaboratively when responding to an incident, and how companies can extend their incident response teams to include their vendors, ensuring cyber security resilience across the enterprise.
Swiss Army Knives, Not Scalpels
This presentation will look at how effective Third Party Risk programs are not simply comprised of a single method for assessing third parties. Rather, they are made up of various layers and tools, each providing a different type of intelligence, which are aggregated to form an overall picture of the third party's security posture.
The Triple Threat: How Automated Assessments, Continuous Monitoring, and Evidence Sharing Networks Drive Best Practices
Everyone is looking for a way to reduce the burden of third party risk management. But are you effectively managing your risks head on? As the leader in Third Party Risk Management, Prevalent’s unified platform integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. Join Brenda Ferraro (Ward), Senior Director of Networks, as she discusses the value of a comprehensive TPRM program and how the critical mass within the networks is driving risk reduction across all sectors.
Uncovering the Full Spectrum of Cyber Threats Through 3rd Party Risk Assessments
The role of managing 3rd party risk has expanded beyond the risk and compliance organizations. Cyber risk must be included in the overall risk assessment process, but most organizations approach this process with a flawed methodology. Many companies will simply assess internal configurations, tools and processes to calculate cyber risk, but these surface-level assessments neglect the external and dark web risks that target a company, which can be even more damaging. To accurately and holistically assess cyber risk, you need to consider the threats that lurk below the surface and figure out how a threat actor may try to target that organization. In this session, we’ll describe the hidden threats that many risk assessment solutions fail to evaluate and share a methodology that organizations can use to accurately and appropriately assess 3rd party risk based on the full spectrum of cyber threats.
The When, Where, and How of Vendor Onsite Visits
If you are a large, or even a smaller, organization, you most likely have hundreds if not thousands of vendors. You don't have the time or the resources to perform onsite visits for all of them. So how do you determine when to perform an onsite visit? In this session, you will learn how to determine when an onsite visit is needed, where to perform it (as many vendors have multiple locations), and what to do during the visit. You will then learn how to take all of the information you've gathered onsite and translate it into a comprehensive security report.
The Future of Cybersecurity Risk Management & Reliance on 3rd Party Business Partners
Today enterprises require technology that is faster, stronger, more efficient, more innovative, and more tightly integrated into business processes than ever before. And yet incorporating new technologies, 3rd party vendors and business partners to keep up with evolving customer demands, and to remain competitive, leads to risks that extend beyond IT to all areas of the enterprise. Further, the continued proliferation of cloud and IoT devices in the enterprise places far more sensitive and confidential data in third-party hands, making the management of third-party risk a herculean task. The expanding cyber threat landscape, coupled with sophisticated attacks, further exacerbates an already complicated challenge for managing 3rd party risks. Cybersecurity risk management stakeholders must not only adapt to the evolving threat landscape but must also be engaged in enterprise-level decision-making, so that the impact of cybersecurity vulnerabilities and threats is recognized and the organization's most critical assets are safeguarded. This panel of leading industry experts will dive into the areas where organizations can excel today to proactively prepare for the cybersecurity implications of the future by participating in business decision making.
An Attacker's View of Your Supply Chain Risk
Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization's supply chain partners, especially those with network access but without effective cybersecurity protection. In this session we will assess the technical and operational challenges of managing 3rd party supply chain risk. We will break down a few of the most recent cyber-attacks to identify the failures and develop an operational plan to increase the security of your supply chain.
Real-time Vendor Monitoring
Hear our story as we looked for ways to evaluate high risk vendors continuously. Learn about some of the benefits associated with continuous monitoring and how we have been able to use them to support other areas of business.
Harpoons, Nets, or Lures: Deception as a Top Priority to Catch the Threats that Matter
The oceans of data that extended enterprises generate make cyberthreat detection a major challenge. As organizations face the limitations of signature- and controls-based approaches, data analytics and “neural networks” promise to discern meaningful patterns and anomalies. A third approach is based on deception, which is still narrowly associated with “honeypots.” This session will provide a brief overview of how deception has evolved, compare these three threat detection approaches within an overall architecture for reducing cyber risk, and talk about why it is so important that organizations large and small have the ability to suppress lateral movement.
Innovate to Improve Access Control Posture
How can you use innovative technologies to improve your organization's Access Control posture? These technologies include analytics to identify and predict the riskiest access areas, machine learning to continuously maintain dynamic views of Access Control, robotics to increase efficiency and reduce error, DevOps for increased speed to market (especially critical when addressing new findings), and natural language processing to reduce costs. These innovations have proven successful in improving Access Control posture across industries, but are not leveraged widely enough today. Let's discuss how you can use innovative technologies to meet your needs.
Creating a Risk Management Program in the Energy Sector
All industries face third-party risk, and many have similar components from a vendor, actor and corporate perspective. But each sector also faces its own unique threats, with specialized vendors and an attack surface specific to its operations. This presentation will highlight how Xcel Energy has implemented a security risk program that evaluates and protects against threats to IT and OT systems, cybersecurity, and physical security.
How Policy and Regulation Impact Business Risk and Responsibilities
Between GDPR, financial services regulations, and other policy changes, cybersecurity and risk management are a growing obligation for businesses. This presentation will discuss recently imposed regulation and cover upcoming policy changes that compliance staff and managers should be aware of as they evaluate their risk posture and responsibilities.
Post-IOC Evolution of Threat Intelligence Use Cases
Today we know that IOCs are inherently reactive. In order to better prepare for tomorrow's threats we need to be proactive, and TI data, TIP technology and internally-harvested intelligence allow us to evolve to the next level. This session will first detail the current problem: the reactive limitations that come from a non-progressive loop of requirements -> collection -> analysis -> action -> repeat. Then we will describe how TI data can be used to action internally-harvested intelligence data sources and turn the loop into a progressive evolution. With internally-harvested intelligence, each step in the loop becomes potentially proactive. We will fully illuminate how each step in the loop becomes progressive and drives data evolution, and the specifics involved. We will wrap up with a hopeful prognostication of what a post-IOC defense will look like, namely how sharing data within a community, industry or vertical might evolve and what role automation will continue to play, by exploring three threat intelligence use cases from the third-party risk context.
Shifting Paradigms: How Innovation is Changing Payment Security (and Standards)
Don’t miss this session for a look into the evolution of payments and security standards. Hear about some opportunities and challenges that have been created by the innovations in technology. This session will also cover how PCI SSC is addressing these changes and how you can help.
Leveraging Intelligence to Support Third Party Risk Due Diligence Across the Lifecycle
Citi’s Cyber Intelligence Center (CIC) was established to provide situational awareness and strategic recommendations to internal decision-makers and stakeholders—delivering timely and actionable intelligence to stay ahead of the ever-evolving and maturing threat landscape. As cyber-criminals have shifted towards increasingly leveraging vulnerabilities in third-party relationships to target industries, the CIC’s Third Party Risk Intelligence Program extends the intelligence-led model to enhance 3rd party risk due-diligence efforts across the lifecycle. The presentation focuses on telling the story of the program's journey with some lessons-learned, successes, and use-cases.
Addressing GRC with Threat Intelligence
Governance, Risk and Compliance (GRC) attempts to address cyber security in a holistic way. The shortcoming in most models is the lack of real-world data. Threat Intelligence provides a means to stay ahead of compliance regulations, which can take years to develop, and helps make informed decisions on risk. Case studies on WannaCry, NotPetya, CRASHOVERRIDE and TRISIS will show how Threat Intelligence drives faster solutions.
“50 @ 50”: A Common Sense Approach for Simplifying Third-party Risk Assessments
Another darn questionnaire! Too often, assessing the security of our vendors seems more like security theater than a practical process – with surveys that can stretch to dozens (or hundreds!) of questions. Is there a better way?
Response to High Profile Incidents
Often a company needs to minimize and control any immediate public commenting on a data breach or security incident. But what if news of the incident hits the media outlets nearly immediately, requiring you to quickly develop public statements while simultaneously trying to figure out exactly what happened? Do you “spin” the story to protect the impacted organization, or do you say, “no comment” and leave everybody guessing, or do you do something else? This talk will look at a few recent high profile incidents and how the impacted organizations responded when their incident became a lead news story.
Modern Approaches to Identifying & Mitigating Continuous Cyber Attacks on Your Third Parties
It's no secret that hackers are opportunistic. They are constantly looking for the weakest link and are quick to capitalize on one as soon as it's spotted. So how can organizations protect themselves from these cyber criminals when their attack surface is continuously expanding with every new third party added? This panel will discuss third-party cyber risk approaches that have worked and some that have not - so the audience can walk away with some best practices on how to combat the ever evolving and constant threats in their third-party ecosystem.
How FS-ISAC Disrupts Cybercriminals and How You Can Too
In March 2012, the FS-ISAC dealt a serious blow to the global cybercrime arms race. Thirty-nine "John Does" – hackers with codenames like Pepsi, MaDaGaSka, virus_e_2003, and h4x0rdz – were disrupted when the FS-ISAC and Microsoft worked together to execute a legal and technical strategy resulting in the seizure of computers and thousands of domain names used to run the ZeuS malware. The court filings detailed how the criminals controlled thousands of computer botnets and were responsible for account takeovers causing hundreds of millions of dollars in fraud losses globally. The civil complaint marked the first partnership between FS-ISAC and Microsoft to combat online fraud and disrupt criminal malware. Errol will discuss this case and more recent examples to show how the financial services sector partners with technology firms and law enforcement organizations globally to combat criminal malware, and how these techniques can be used by other sectors to disrupt cybercriminals targeting them.
Solving Third-Party Cybersecurity Risk - A Data-Driven Approach
Your organization's risk surface is likely much larger than you think, so how can you get a handle on what risks exist, where they reside, and which ones are most important to resolve immediately? By taking a data-driven approach to identifying, understanding, and acting on risk, you can efficiently eliminate your organization's most critical third-party security gaps.
Cyber/Privacy Incident Response Playbook: Best Practices
A decade ago, few companies had plans for managing cyber and privacy incidents. Now an incident response playbook is often a critical element of a company's comprehensive compliance and risk management program. During this discussion, we will highlight some of the essential components of an incident response playbook for those companies developing them, focusing on governance (roles and responsibilities as well as policies and procedures), operations and technology. For companies with existing playbooks, we will also discuss trends for enhancement and evolution of incident response processes.
Beyond the Questionnaire – Using Data Science to Create a Security Event Driven Program
Is a traditional audit-based approach really helping reduce security risk? This session explores alternative sources of security data that can be used to help determine the risk posture of third parties. The presentation will look at what sources are available and how data science tools and technologies can help bring data together in a different approach to third party security risk.