2019 Speaker List
Keynote: The Honorable Mike Rogers - Former Chairman, House Permanent Select Committee on Intelligence/National Security Commentator, CNN
Keynote: Jim Routh - CISO, MassMutual
Dave Batz - Senior Director, Cyber & Infrastructure Security, Edison Electric Institute
Leveraging Contractual Frameworks to Manage Supply Chain Risk
To facilitate managing cybersecurity supply chain risks, a committee of representatives of EEI member companies developed a Model to align cybersecurity requirements and to encourage adoption by the vendor community. Recognizing the importance of procurement in managing supply chain risk, the Model includes language that goes beyond compliance requirements with the goal of improving cybersecurity. The Model provides a starting point for negotiations with vendors and service providers.
Jill Czerwinski - Partner, Crowe LLP
From Ongoing Monitoring to Ongoing Action: Transforming Your Monitoring to Reduce Risks
Many companies have invested in continuous monitoring tools and technology, but few are able to demonstrate that this investment resulted in risk reduction, where issues were identified, escalated and resolved. This session will focus on how continuous monitoring alerts should be triaged, analyzed, actioned, and tracked. The session will discuss innovative ways to resource, track, and manage ongoing monitoring data, both formal and informal.
Jacob Maenner - Senior Security Risk & Governance Analyst, Exelon
Betsy Soehren Jones - Exelon
Assets – Risks – Controls – Oh My! Structuring an Enterprise-Wide Security Program
Effective security programs must provide clear and relevant direction to those responsible for securing each in-scope asset and managing third-party security risks. To do this, there must be consistency in control statements, clarity in responsibilities, clear applicability to various types of assets, and a sustainable methodology. This presentation will outline the steps for any organization of any size to deploy an effective security program, consider risks vectored through third-parties, measure the program on a continual basis, and mature the program as regulations, threats, and the organization evolve. Attendees will be presented with a comprehensive process to protect all assets through programmatic security controls, with a special focus on third-party security concerns, giving them the knowledge to build an effective security program from scratch or to enhance an existing program.
Jack Jones - Chairman, FAIR Institute
What Can Cybersecurity Data Actually Tell Us?
The good news is that we have more data than we think we do. The bad news is that there are challenges and limitations that have to be recognized before we can effectively use cybersecurity data. In this session, Jack will discuss real-world opportunities and challenges associated with cybersecurity data, and how they can be addressed. He'll also provide examples of how everyday cybersecurity data can be used to better understand your risk landscape and make better informed decisions. This is NOT a data science seminar, but instead focuses on clearing up common misperceptions and providing practical insights that will help organizations deal with cyber-related risk more effectively.
Rick Howard - Chief Security Officer, Palo Alto Networks
The 6Ds of Cybersecurity Exponentiation
Exponential technologies either double their processing power every few years or the cost to operate them is reduced by half every few years. Some experts forecast that within the next 10-15 years, this doubling phenomenon will flip the business model of certain grand challenges like Food Production, Water Distribution, Shelter Construction, Energy Distribution, Communication Ubiquity, Education Delivery, Healthcare Distribution, and Freedom as a Fundamental Right.
The model will flip from a scarcity model to an abundance model. This means that the resources needed to fulfill these grand challenges will flip from being hard to get to being so plentiful that they might as well be free. The Six Ds of Exponentiation (Digitization, Deception, Disruption, Demonetization, Dematerialization, and Democratization) form a maturity model that describes the path of each exponential technology. Cybersecurity is absolutely on this path. I will discuss why I think so and what that means to the security community.
Amera McCoy - Manager, Vendor Risk Management, CME Group
Designing and Implementing a Successful Third Party DR Program
Establishing a Third Party Risk Management (TPRM) Program is one piece of the puzzle; many other pieces involve implementing risk management throughout the organization that will feed the TPRM program. Disaster Recovery practices with third parties are a strategic way to assess risk by documenting the vendors' capabilities and the flexibility of their continuity. This data is used to feed the company's exit plan strategies and risk reporting groups. This session will discuss best practices for implementing third party DR testing, the different types of testing and the ways the risk data can be used to inform TPRM, Ops Risk, ERM and senior leaders.
Bernie McGuinness - IT Vendor Assessor Lead, Campbell's Soup
Third-Party Vendor Risk Management: Best Practices & Lessons Learned
In today’s modern society, companies continue to look for speed, agility and the ability to reduce cost, all while making it invisible to the day-to-day user. As soon as you allow ANY vendor to access, host and/or manage your company’s data, you transfer the responsibility for protecting the data to your vendor. However, you cannot transfer accountability.
Marc Sachs - Chief Security Officer, Pattern Computer
Mechanical Backdoors in Cold War Encryption Machines
Recently declassified documents from the National Security Agency confirm what was suspected for decades. Several of the mechanical cipher devices built by Crypto AG after World War II contained deliberate encryption weaknesses that could be exploited by the NSA. Many stories have been told about breaking the Enigma. This talk will cover Boris Hagelin’s devices that were sold “pre-broken.” Learning Objectives: 1: Learn about mechanical encryption devices and how they work. 2: Understand how these devices can be cryptographically weakened. 3: Discover a very interesting historical story about Cold War supply-chain attacks.
Vince Fitzpatrick - Cyber Risk Program Manager, Christiana Care Health System
Creating a Successful TPRM Program
During the past year Christiana Care Health System stood up a new third party risk management program. This presentation will review processes, tools and techniques used to create this successful program.
Brian Harrell - Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
Critical Infrastructure Protection in the Age of Hybrid Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) will discuss the need for physical and cybersecurity convergence in the age of the hybrid attack landscape. Assistant Director Brian Harrell, who leads CISA’s Infrastructure Security efforts, will focus on system resilience, redundancy, and how many of the recent attacks on critical infrastructure have both a cyber and physical nexus. AD Harrell will also discuss his priorities for securing soft targets and crowded places, including houses of worship and schools.
Rita Bush - Assistant Director of National Intelligence for Private Sector, U.S. Office of the Director of National Intelligence
Strategies for Government / Private Sector Partnerships to Increase National Security
The U.S. faces significant changes in the domestic and global environment; we must be ready to meet 21st century challenges and to recognize emerging threats and opportunities. The US Government must better leverage partnerships to support and enable national security outcomes. We seek to build, enable, and maintain private sector partnerships to mutually share information, people, processes, technologies, innovations, and ideas to advance the Intelligence Community mission and strengthen national security.
Julie Gaiaschi - Third Party Security, Wells Fargo
Integrating Your TPRM Program Into The Procurement Process
It's critical vendor security controls are reviewed prior to a contract being signed to not only ensure the vendor has a sufficient security program in place, but also to ensure continuous monitoring needs are incorporated into the contract. A strong partnership with your organization's Procurement department will assist with your program objectives. But how do you begin the conversation? In this session, we will discuss: 1. Relationship building with your Procurement department; 2. Potential workflow for vendor due diligence; 3. Contract review process to ensure appropriate security language; 4. What to do if contracts are managed by business partners and not by a Procurement department.
Matthew McMahon - Product Security Expert, Siemens Healthineers
The Customer Security Questionnaire Process
Siemens Healthineers currently processes over a thousand pre-sale customer security questionnaires a year in the United States, European and Asian markets. Over the course of the last few years Siemens has established multidisciplinary teams to effectively complete these questionnaires and return them to our customers in a timely fashion. This presentation will cover how we were able to pull together a multidisciplinary team of technical, legal, contractual and sales resources to effectively address this customer need, and how other manufacturers may do the same.
Andy Keiser - Principal, Navigators Global
Protecting the Global Telecommunications Supply Chain: USG-led Actions to Counter the Threat from Huawei and ZTE
The Trump Administration and U.S. Congress have led an aggressive crackdown on Chinese telecom giants Huawei and ZTE, which they believe are arms of the Chinese military and intelligence services. Where do these U.S.-led efforts stand? What does this crackdown on Huawei and ZTE mean for the global telecommunications supply chain, and is it precipitating a bifurcated internet between the West and China? What impact could these actions have on cybersecurity domestically and internationally, and how will it affect global deployment of the fifth generation wireless network, or 5G?
Jamil Jaffer - Founder & Executive Director, National Security Institute, George Mason University Antonin Scalia Law School
Critical Infrastructure and Private Sector Cyber Threats: The Need for Collective Defense in the Modern Era
Nations and their critical infrastructure industries face a barrage of threats in cyberspace. Nation-state attackers are getting more aggressive, with deterrence still playing only a limited role in cyberspace even as countries are increasingly willing to use cyber offensive capabilities in place of traditional military tools. The risk of significant damage, including collateral damage is also growing. Meanwhile private sector companies are often expected to act as the first--and often only--line of defense for their own systems, with limited support from government. This situation is fundamentally unstable. This session will discuss the need for a rethinking of the roles, responsibilities, and capabilities between the public and private sectors and will argue that governments need to play a much more central role in defending critical infrastructure providers. This session will also discuss what steps private sector actors might take to better protect themselves, including entering into collective defense agreements to share more data and response information in real-time.
Melissa S. Hersh - Risk & Strategy Consultant, Hersh Consulting, LLC
Managing Third-Party Risk in an Era of Great Power Competition
This presentation aims to explore some geopolitical challenges facing public, private, and PPP organizations with respect to managing investment partners, suppliers, and supply chains in an age of renewed great power competition. While the Fourth Industrial Revolution (4IR) (the human/machine interface) has ushered in a range of new enabling technologies and business opportunities built on the rise of digital technology and automation (the Third Industrial Revolution (3IR)), it has also exposed critical functions and operations to new hybrid threats. These hybrid threats include: new dependency dynamics (e.g., financial instruments, raw materials, critical components and supply chains), hyperconnectivity risk, new platforms for promoting information influence activities, and asset protection challenges. Examples and case studies of threats and mitigation solutions will look at trends related to investment screening and contract structuring, international co-operation in standards setting, and more.
Jill Morganwalp - Principal Security Assurance, E*TRADE
Pillars of a Third Party Risk Program
Evidencing the success of an organization’s third party risk program is challenging. In our experience, evidencing the success of a third party risk program is possible if the program includes risk assessment and monitoring elements such as identification of risk characteristics relevant to each vendor’s service, onsite assessments, incorporation of multiple security scoring tools’ data points, standard industry documents, and threat-based risk assessments, i.e. assessments based on leading cyber threats. The benefits, as well as anecdotal stories, of employing and integrating these elements will be presented.
Douglas White - Sr. Information Security Analyst, Delta Dental of NJ and CT
Designing and Tailoring a Business-Balanced Third-Party Security Program
Delta Dental of NJ & CT’s goal is to have a robust Third Party Risk Management (TPRM) program that allows for business flexibility while maintaining a strong security posture. Some time ago we determined that a centralized program was needed to replace a loosely managed process that had no central inventory of the vendors we were doing business with and no method for vetting potential vendors from a security standpoint. The initial objective of our project was to design, document, and implement a program which did not exist. This presentation will show the steps of program design and implementation, through configuration of a chosen GRC product. We will also highlight several methods developed as we discovered the need for flexibility in our final program, including tiering vendors, leveraging security ratings for our top vendors, and the use of continuous monitoring and alerting on vulnerabilities for remediation. We will cover the timeline we used during development and post-production, including form creation, review committee creation and workflow checkpoints prior to procurement.
Jason Zellmer - Senior Director, Third Party Risk, Global Security, CVS Health/Aetna
How CVS Health/Aetna Enforces Endpoint Encryption on Third-Party Devices
Aetna has more than 200,000 brokers working for them. These brokers handle sensitive personally identifiable information such as names, addresses, birthdates and Social Security Numbers. Regulations require insurance companies to protect member data even when it is stored on broker devices. However, staying on top of the security stance of this large group is certainly easier said than done. Insurance brokers work for several insurance companies and are independent business owners. As such, they value their autonomy and would most likely not accept being enrolled into a provider’s MDM (Mobile Device Management) solution. And, even if they would, it would be an administrative nightmare to enroll this huge number of devices into an MDM solution, not to mention the cost it would incur. Brokers are also the insurance providers’ sales force and need to be treated with much care. Striking the right balance between care and security enforcement has been crucial to the success of the broker security program at Aetna. Want to know how Aetna addresses this challenge? Listen to Jason Zellmer, head of Global Security, Third Party Risk at Aetna, and Ebba Blitz, CEO of AlertSec, and hear them walk you through their solution to the issue. The overarching theme has been the old maxim: Trust, but verify!
Rhonda Cook - Chief Risk Officer, SEI Investments
Beyond Vendors: Addressing Non-Traditional Arrangements & New Technologies
All Third Party Risk Management Programs identify, assess, and mitigate the risks arising from traditional vendors, but many are also tasked with addressing other, non-traditional arrangements and emerging technologies. This session will discuss practical approaches and “lessons learned” on how to identify, assess, and mitigate the risks arising from non-traditional arrangements such as open source code and crowdsourcing, and the integration and use of newer technologies such as Internet-of-Things (IoT), Robotic Process Automation (RPA), and Artificial Intelligence / Machine Learning (AI/ML).
Matthew Welling - Counsel, Crowell & Moring LLP
Kate Growley - Counsel, Crowell & Moring LLP
Lessons from M&A Cyber Due Diligence and How to Leverage Them for Supply Chain Risk
Mergers and acquisitions (M&A) transactions are complicated, high stakes activities for any enterprise. Meanwhile, cybersecurity incidents and data breaches continue to be high profile events. During M&A transactions, these cyber risks threaten valuation or worse – such as a buyer unknowingly inheriting them, causing fall-out after the deals close. For these reasons, cybersecurity and privacy due diligence is fast-becoming a crucial activity in these deals – or should be. These reviews are no longer limited to tech deals, and supply chain issues are often at their heart. Companies must evaluate supply chain issues efficiently, within the often challenging timeframes of deals and in a variety of industries, products, and services. This presentation will include an overview of best practices and common pitfalls from cybersecurity and privacy due diligence reviews, as well as a discussion of how lessons learned can be applied to analyzing and managing supply chain security risk in any context.
Hunter Ferguson - Partner, Stoel Rives LLP
Are Your Vendors/Subcontractors Putting You at Risk of “Selling” Data in Violation of the CCPA?
When the California Consumer Privacy Act (“CCPA”) goes into effect January 1 of 2020, it may introduce uncertainty around what constitutes a “sale” under the CCPA. “Sale” will be defined by the CCPA to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information to another business or a third party for monetary or other valuable consideration.” But what constitutes “valuable consideration”? In this presentation we will address the potential risks around types of exchanges of customer information with third party vendors/subcontractors that might be considered “valuable consideration” under California law, even if there’s no intention to “sell” the data; how certain agreements may demonstrate the exchange of valuable consideration when interpreted using existing contract law doctrine; situations where personal information is exchanged in the course of doing business that might result in the transferring entity receiving a benefit that could likely be considered a “sale” under the CCPA; the likelihood of, and complexity around, potential enforcement rules on this topic; and a list of steps organizations could take to best ensure that customer information they transfer to their vendors or subcontractors does not cause them to run afoul of the Act.
Travis Moran - Vice President, Welund North America
Understanding and Responding to the Activist Threat to Enterprise
Perhaps no greater physical security threat is misunderstood or overlooked in today’s security environment. Often considered the realm of the mere disaffected or single-issue operator, activist groups are now some of the most powerful and well financed challenges to physical security that both corporations and governments face. Spanning the globe in their influence and structures, activist groups and their campaigns, direct actions and disruptions are costing businesses and governments at all levels billions – particularly in the energy sector in terms of lost productivity, project delays, legal costs, and investor divestment. This seminar will help companies better understand the threat posed from activists both from the general emphasis on corporate and public safety, as well as the protection of property, projects, reputation and critical infrastructure from disruption. Attendees will gain a general understanding of activist goals, structure, tactics, funding and how to better plan for, and respond to, activist campaigns.
Denise Anderson - President, Health ISAC
Faye Francy - Executive Director, Automotive ISAC
Scott Algeier - Executive Director, IT-ISAC
Bug Bounty Programs: Ins and Outs to Squash Vulnerabilities
Jon Ehret - Manager, Third Party Cyber Assurance, BlueCross BlueShield of Western NY
The Evolution of Third Party Risk Programs: What Stage Is Your Program At?
This talk will take a look at the different evolutionary stages of third party risk programs and will help companies determine where they are and how to get to the next stage.
Bruce Potter - CISO, Expel
Building a Better Third Party Risk Questionnaire
Modern 3rd party security questionnaires are often filled with poor questions that lead to poor answers that lead to poor decisions. While many of us complain about these questionnaires, there has been little public analysis of what makes a good or bad question and, most importantly, what leads to good risk decisions. This talk will examine the quality of several standard questionnaires in use today. I will discuss what makes a good question in general and present an ontology for 3rd party risk and 3rd party risk questions. Then, I will show specific examples of questions that lead to bad risk decisions due to technical bias, assumptions, and straight up leading the witness. I’ll correct these questions into queries that will elicit a response that results in a better risk decision. Finally, I’ll release a public tool that simplifies the 3rd party questionnaire and keeps questions targeted, useful, and brief.
John Grim - Senior Manager, Verizon Threat Research Advisory Center
Verizon Insider Threat Report – Out of Sight Should Never Be out of Mind
Within the panoply of cybersecurity incidents, insider threat activities are an exceptional challenge. These threat actors enjoy trust, privilege, and access. Add a detrimental motivation and disaster ensues. This presentation covers the Verizon "Insider Threat Report", a compilation of data breach data, scenarios, and experience-driven insights into recognizing, mitigating, and investigating insider threat activities. The audience will better understand the five insider threat actors and take away countermeasures for preventing and mitigating, hunting for and detecting, and responding to and investigating insider threats.
Scott Schneider - Chief Revenue Officer, CyberGRX
Third-Party Cyber Risk Management – A Critical Ingredient for A Healthy Ecosystem
When it comes to business, few things are as valuable as your data and brand reputation. As organizations rely on third party providers, however, they put their data and brand reputation at risk. That’s because today’s hackers are looking for the easiest way to steal your sensitive information, and unfortunately that is often through your third parties. The reality is, you need third parties to conduct your business; the challenge is ensuring you are collaborating with your third parties to do so securely. In this session, our panelists will discuss third-party cyber risk management (TPCRM) strategies they’ve had success with, and some they’ve learned from.
Reed Loden - Director of Security, HackerOne
Default to Disclosure: How disclosing vulnerabilities can build trust
Bug bounty programs are popping up across industries as more organizations embrace collaborating with ethical hackers to find vulnerabilities before cyber criminals have a chance to exploit the same bugs for nefarious purposes. These same organizations, when they reveal their findings and resulting patches, are often scrutinized by civil society out of misunderstanding of how these programs work and why the holes exist in the first place. As a result, companies and government entities alike are running these programs in private, choosing to keep discoveries out of the public eye out of fear of public condemnation or reliance on old-school ways of thinking, ignoring the responsibility they have to their customers to disclose their findings. This talk covers the vital importance of responsible disclosure while giving real-world use cases where responsible disclosure and bug bounty programs have bolstered security, lowered costs, and improved safety and trust for consumers.
Todd Weller - Chief Strategy Officer, Bandura Cyber
Ken Towne - Director of Technology, GRF
The Threat Intelligence Cycle & What it Should Mean for Security Ops
Threat intelligence use and sharing is a critical requirement for cyber defense. Organizations not only need to operate with a broad-based view of threat intelligence but also efficiently incorporate it into their security operations. Importantly, threat intelligence and information sharing can no longer be the domain of large and sophisticated organizations.
The threat intelligence cycle is composed of multiple elements including collection, analysis, sharing, delivery, and action. To date, the majority of the focus has been on collection, analysis, and sharing with less focus on how threat intelligence can be delivered and acted on.
In this presentation we will:
Introduce the concept of automated full lifecycle threat intelligence and discuss the benefits and challenges associated with it, including operationalizing intelligence.
Discuss the ways sharing communities and enterprise security organizations are adopting full lifecycle threat intelligence.
Look at how threat intelligence portals, platforms, and gateways can be used by companies of all maturity levels to incorporate automated full lifecycle threat intelligence into their security efforts.
Managing CTI: Why One Size Doesn't Fit All
No two organizations are the same when it comes to their security posture. Industry segment, how they perceive and manage risks, budget constraints, their specific architecture and internal security policies are just a few of the factors that make no two companies the same. Over time these elements can and will change; therefore implementing and managing a CTI practice needs to fit and grow with each specific circumstance.
John Loveland - Director of Security Product Marketing, Verizon Business Group
Quantifying and Mitigating Supply Chain Risk
In today's global business environment, complex supply chains and highly-connected vendor ecosystems enable businesses to compete more effectively and efficiently - but they also introduce more risk. Identifying and assessing specific operational risks and cyber risks that come from suppliers, vendors and connected partners is key to mitigating those risks. The Verizon Risk Report provides detailed insight into where your organization might be vulnerable to weaknesses in your supply chain, and it offers recommendations for how to address those issues. Hear how organizations across the world are using this groundbreaking tool to proactively protect themselves from supply chain risk.
Charlie Miller - Senior Advisor, Shared Assessments
Peter Prizio - King & Union
Glenn Wong - Recorded Future
MONDAY SEPT. 30
LS-ISAO Annual Member Gatherings*
Ransomware Cyber Range Exercise**
Complimentary Golf Outing
TUESDAY OCT. 1
Keynote: The Honorable Mike Rogers
Cyber, Physical & Geopolitical Security Sessions
Third-Party Risk Management Sessions
Dinner & Networking Party
WEDNESDAY OCT. 2
Keynote: Jim Routh, CISO, MassMutual
Third-Party Risk Management Sessions
Evening Gathering at Coton & Rye Bar