Featured
Ed TALKS: Modernizing Medical Device Security: A New Perspective on Old Practices
Ed Adams, Security Innovation | Joshua Corman, Claroty | Uma Chandrashekhar, Alcon | Chad Holmes, Cynerio
On top of the usual threats inherent to IT networks, applications, and cloud services, the complexity of medical devices creates a massive and distributed attack surface. Compounding the challenge are long-life expectancy and third-party dependency.
Attend this panel to hear healthcare security experts discuss the anatomy of medical devices, how to design them with human safety in mind, and how to make a shared security responsibility model a reality.
Specific topics include:
• The Prescription - security measures the FDA and others are demanding
• The Skeleton - the rickety infrastructure healthcare runs on
• The Brains - is SaMD (Software as a Medical Device) the new world norm?
• The DNA - what Software Bill of Materials (SBOMs) tell us about risk
• The Immune System - why traditional IT defenses struggle to protect patients
• The X-Rays - the need for new surveillance techniques
All episodes
-
Ed TALKS: Back to Basics: The Imp. of Security Principles in Technical Roles
Ed Adams, Security Innovation | Joshua Corman, I Am The Cavalry | Uma Chandrashekhar, Alcon | Mark Merkow, Univ. of Denver
Principle-based approaches have long been at the core of "traditional" engineering disciplines. When it comes to building software and IT systems, however, practices around encryption, access control, and authorization are often applied poorly. The ability to understand and apply security principles is essential to protecting today's digital business.
Join host Ed Adams, a Ponemon Institute research fellow, for a panel discussion with security professionals whose collective experience spans Fortune 500 technology, financial services, and medical device industries.
JOSHUA CORMAN
Founder of I Am The Cavalry (iamthecavalry.org). His approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security.
UMA CHANDRASHEKHAR
Leader of the Global Information Product Security function at Alcon. She holds several patents in information security, privacy, and reliability and was an invited council member of the U.S. Federal Communications Commission's Communications Security, Reliability, and Interoperability Council (CSRIC).
MARK MERKOW
CISSP, CISM, CSSLP. A prolific author and advocate for building security into the SDLC through software-quality and security activities, tools, processes, and education.
Topics to be discussed:
* Why and for whom are security principles important?
* Have principles become a lost art form, or did they never really take off?
* What is the most underutilized principle? Does it vary based on tech stack and deployment?
FREE GIVEAWAY
We'll also be raffling off three copies of Mark Merkow's latest book "Secure, Resilient, and Agile Software Development" during the webinar.
-
Ed TALKS: It’s Not Me, it’s You! Kicking 3rd-Party Software Risk to the Curb
Ed Adams, Security Innovation | John Masserini, Millicom Telecom | Charisse Castagnoli, Instapay | Fred Pinkett, Absorb Software
With the proliferation of COTS, Open Source Software, libraries, frameworks, APIs, and other components, modern software is increasingly assembled instead of coded from scratch. While this shift helps deliver feature-rich solutions and interoperability, it also introduces risk and data security challenges.
To manage third-party risk, new assessment and mitigation techniques are needed: fixing the vendor's code is often impossible, penetration testing has limited reach into components you did not write, and patching still leaves a window of exposure.
Join host Ed Adams, a Ponemon Institute research fellow, for a panel discussion with security professionals, including:
JOHN MASSERINI
Global CISO, Millicom (Tigo) Telecommunications
An industry-recognized leader, John has decades of experience providing information security services to multinational organizations in diverse verticals. He is a prolific author and speaker and previously served as CISO for MIAX Options Exchange and Dow Jones.
CHARISSE CASTAGNOLI
General Counsel & Manager, Instapay Flexible LLC
Charisse has over 30 years of experience in the IT industry. She combines her technology expertise with security and legal skills to help organizations meet their security and compliance needs. She is an adjunct Professor of Law at John Marshall Law School.
FRED PINKETT
Product Director, Absorb Software
Fred is a technology expert with 20+ years of experience in the SaaS, cloud, and cybersecurity fields. Throughout his career, he has worked closely with engineering and marketing teams to bring high-quality, secure products to market.
Join us to hear these experts debate the following topics:
- Conducting software composition analysis (SCA)
- Assessing threats and impacts
- Risk-rating your inventory
- Selecting the right controls
-
Ed TALKS: Cloudy at the Breach – Your Software, Your Data, Your Loss
Ed Adams, Security Innovation | Satish Janardhanan, Accenture | Nazira Carlage, Salesforce | Vlad Joanovic, Microsoft
The use of cloud services and infrastructure continues to skyrocket, and the proliferation of turn-key SaaS solutions makes cloud-based software compelling for enterprises. Organizations are spinning up servers and databases in minutes and moving their applications to take advantage of CSP scalability, while mistakenly assuming those applications are immediately more secure.
There’s no doubt the cloud can deliver on the promises of improved scalability, availability, and security; however, consumers need to do their part. Come listen to 3 experts debate data and software security in the cloud. Topics include:
• Key considerations - new skills, migration challenges, compliance implications
• Unwanted surprises - misconfigurations, application rewrites, open data buckets
• Attack vectors - how they impact data flow and storage models
• Sunnier days - must-do's for securing cloud software
-
Ed TALKS: Paying it Forward – Securing Technology in the Payment Ecosystem
Ed Adams, Security Innovation | Kara Gunderson, CITGO | Ira Winkler, Skyline Technology | Phil Agcaoili, Ponemon Institute
The payment ecosystem is a complex one, exposed at multiple points: data interception, identity theft, and other attacks primarily target insecure software, APIs, and communication protocols that are difficult to lock down.
To secure data within the payment infrastructure, retailers, software providers, financial institutions, and device manufacturers need to implement risk-based practices. Come hear three industry experts - Kara Gunderson (CITGO), Ira Winkler (author of "You Can Stop Stupid"), and Phil Agcaoili (Ponemon Institute Fellow) - discuss how to do this in a practical manner.
Topics include:
• Biggest threats and common attack vectors
• Dealing with POS (point of sale) systems
• End-to-end encryption – is it even possible?
• Managing software updates
• Passing with A's: Authentication, Authorization & Access
-
Ed TALKS: Fast-Tracking Software Assurance, Making Security Part of Software Dev
Ed Adams, Security Innovation | Sasha Rosenbaum, Red Hat | Dinis Cruz, Glasswall | Sebastien Deleersnyder, Toreon
Software teams regularly deal with rapid release cycles, dozens of technologies, and relentless threats. They generally want to incorporate security into how they work but are often unsure how (or why).
Regardless of the development process, there are common security activities and tools that need to be assimilated. In this edition of Ed TALKS, a panel of three industry experts provides practical tips on improving maturity and making security a natural part of software development.
Topics include:
- Practical automation throughout development and delivery
- How to motivate your team to care about security
- Assessing and benchmarking your SDLC maturity
- Not so fast: Activities to automate or skip at your own risk
Our panelists include:
Sasha Rosenbaum: Product Manager, GitHub
Throughout her career, Sasha has worked in development, operations, consulting, and cloud architecture. Sasha is an organizer of DevOpsDays Chicago, a chair of DeliveryConf, and a published author.
Sebastien Deleersnyder: Founder, Toreon
Sebastien is the project leader for the OWASP SAMM maturity framework. He is a well-known instructor and threat modeling advocate. Earlier in his career, he served as a security architect for large telcos, banks, and logistics firms.
Dinis Cruz: CTO and CISO, Glasswall
Dinis is a well-known software security leader. He served on the OWASP board of directors for six years, has trained thousands of people globally, and has written books on cybersecurity and modern software development.
-
Ed TALKS: SolariGate – Avoiding Supply Chain Burns
Ed Adams, Security Innovation | Edna Conway, Microsoft | Octavia Howell, Equifax | Zach Minneker, Security Innovation
Edna Conway (Microsoft) & Octavia Howell (Equifax) join us for an exclusive panel on avoiding supply chain burns. Supply chain risk is not going away, least of all for the software updates that fuel the IT-dependent enterprise. The SolarWinds hack has sown doubts about the fidelity and security of third-party technology. Despite the significant damage, some organizations successfully thwarted the attack even though they were running the backdoored SolarWinds Orion software. How did they do it, and what can we learn from it?
This Ed TALK brings respected cybersecurity and supply chain experts together to discuss what companies that build and use technology can do to protect themselves in this increasingly partner dependent world.
Topics include:
Knowing your ingredients – SBOMs (software bill of materials)
I spy – can we detect or prevent “tainted” software updates
Walking the walk – let's talk effective defense-in-depth, incident response, network segmentation, and "zero trust"
Avoiding the recency trap – risk rating threats to avoid knee-jerk reactions
Robots to the rescue – can AI be the solution to real-time threat intelligence?
-
Ed TALKS: Are We There, Yet? Measuring Effectiveness of InfoSec Programs
Ed Adams, Security Innovation | Florence Mottay, Ahold Delhaize | Sherron Burgess, BCD Travel | Sandra Dunn, Blue Cross Idaho
High-performing InfoSec programs are critical to protecting sensitive data, securing systems, and maintaining compliance. However, organizations continuously struggle with the “how are we doing?” question.
Attend our next Ed TALKS to learn how to identify key metrics and implement measurement vehicles that reveal your real security posture.
* Benchmarking: What do you measure? And against what?
* Analysis Paralysis: What to do with the results and avoiding misleading and distracting data
* Metric Traps: Red flags versus red herrings
-
Ed TALKS: Privacy in a Gossipy, Digital World
Ed Adams, Security Innovation | Elena Elkina, Aleada Consulting | Larry Ponemon, Ponemon Institute | Erika Fisher, Atlassian
Attitudes toward privacy span an amazingly broad spectrum. Laws like CCPA and GDPR are forcing organizations to build privacy programs, but their robustness varies significantly based on geography, industry, and consumer views. Counter-forces, including IT security measures themselves, data breaches, and IoT, put privacy at risk every day. Come listen to 3 industry experts discuss privacy in the context of today's digital world. They will discuss the organizational impacts of privacy, compliance drivers, and the difference between data security and data privacy.
Topics include:
• Impacts of emerging technologies (5G, Artificial Intelligence, etc.) on privacy programs
• How the WFH movement has changed corporate privacy and security strategies
• Findings from the recent study "Privacy and Security in a Digital World” by The Ponemon Institute
• The battle between security and privacy (corporate, law enforcement, compliance, personal)
• Practical tips on how to protect both privacy and data security
-
Ed TALKS: Steal the Attackers Playbook with Purple Teams
Ed Adams, Security Innovation | Trupti Shiralkar, Illumio | Bill Titus, Skillsoft | Bryson Bort, SCYTHE
Historical approaches to IT security have been driven by primary colors: red teams attack, blue teams defend. This leaves technical teams color-blind to how attackers exploit the very software they are tasked with building and protecting.
Purple Teaming is a collaborative approach organizations use to improve their security posture during the attack exercise to capture immediate value and foster a real-world defensive approach. This strengthens a team’s understanding of abuse cases so they can employ effective controls from requirements through deployment.
Attend this talk to learn how to embed an exploit mentality into technical teams, which results in a reduced attack surface, fewer security vulnerabilities, and accelerated feature release.
-
Ed TALKS: Are IoT & BYOD dead? Why Today we Live with the Enterprise of Things
Ed Adams, Security Innovation | Larry Whiteside Jr, CyberClan | Vandana Padmanabhan, stealth mode startup | Anil Mahale, Forescout
The enterprise of things (EoT) encompasses all the "things" that get pulled into an enterprise's infrastructure. Not just IoT but also operational technology, office endpoints, WFH devices, and more. The 2020 rush to work-from-home, the proliferation of 5G, and an increased dependency on personal devices are burdening IT with a more diverse attack surface and devices that don't conform to corporate standards.
Leaders need to adjust their cyber-risk-mitigation playbooks. Come listen to three industry experts discuss this hostile ecosystem and the defenses they've put in place to adapt.
Topics include:
- Securing the software that runs the Enterprise of Things
- Managing risk in corporate networks where IP is no longer isolated
- Evolving techniques in attack surface management and threat modeling
- Practical tips for minimizing IoT data leaks and adopting zero trust
- Managing device decay and non-standard configurations
-
Ed TALKS: Security Upskilling Software Teams
Ed Adams, Security Innovation | Alex DeDonker, Microsoft | Marisa Fagan, Atlassian | Kim Jones, Intuit
To meet the demand for feature-rich software, companies rely on emerging technologies and rapid release cycles. However, they often lack confidence in their teams to build and deploy it securely. Leaders need a playbook that goes beyond just training developers on secure coding and reflects how teams want to learn.
Join this Ed TALKS to hear how three professionals have up-leveled skills at Intuit, Microsoft, and Atlassian and gain insight from benchmark data from Security Innovation’s own expansive user base.
-
Ed TALKS: Securing Microservices in Today’s Fast, Feature-Driven SDLC
Ed Adams, Security Innovation | Claudia Dent, Everbridge | Mark Nesline, Imprivata | Trupti Shiralkar, Datadog
Organizations are increasingly relying on microservices to modernize and scale in today’s distributed tech ecosystem. Microservices facilitate continuous delivery and deployment by offering loose coupling through modularity, fault isolation, and resiliency. However, the resulting distributed systems are often complex, with large attack surfaces, making traditional security assessments difficult.
To maintain consistent security levels, teams need to standardize practices and recalibrate assessment techniques. Come learn how industry experts from product security, engineering, and product management integrate risk-based approaches to their software pipeline to release software more confidently.
Topics include:
- Security as a Service: Arming teams with pre-secured libraries, assessment templates, security guidance, and hardened frameworks
- Rapid Risk Assessments: Evolving beyond monolithic SAST/DAST scans towards rapid component analysis
- Modern Vulnerability Management: Optimizing classification systems based on component criticality, business impact potential, and mitigating controls
-
Ed TALKS: Security’s Three-Ring Circus: Cloud, Supply Chain, and Staff
Ed Adams, Security Innovation | Renee Guttman | Vik Desai, Accenture | Stan Black
2022 kicks off on the heels of Log4j and other soft spots in our technology underbelly. These warts on our security playbooks highlight the importance of supply chain and software diligence. Join 3 security experts as they discuss Ed's thoughts on 2022 and what industry analysts predicted (right and wrong).
• Third-Party Breaches - increased attacks on both the vendors’ products and the enterprise ecosystem, driving the need for Software Bills of Materials (SBOMs).
• Cloud & API Risk - both will be used much more than they are understood from a security perspective, leading to a “dark cloud” of misconfigurations and data leaks.
• Evolving Responsibilities, Org Charts and Titles - knowledge continues to be pushed into technical teams, whilst security and risk-based decisions move closer towards the Board of Directors.
-
Ed TALKS: Diversity & Inclusion in Cybersecurity – Reaping the Rewards
Ed Adams, Security Innovation | Larry Ponemon, The Ponemon Institute | Devon Bryan, Carnival | Sarah Morales, Google
Got D&I on your mind? You should.
Research consistently shows that diverse teams make better decisions, operate more profitably, and are more innovative problem solvers. The cybersecurity talent shortage is a crisis, yet the gap in representation of women and minorities remains stark, and we haven't figured out how to cultivate this talented pool.
Find out how it’s done – from experts who have succeeded and have dedicated themselves to the cause.
Featuring fresh research from The Ponemon Institute, this panel will discuss the state of D&I in cybersecurity, including:
• Trends and other data that highlight disparity
• What roadblocks (still) exist and strategies to blast them out of the way
• Where and how to find untapped talent
• How globally recognized organizations have successfully built D&I programs
Hope you can join us as we band together to advance D&I in cybersecurity.
-
Ed TALKS: Keeping Secrets – The Future Threats to Data are Here
Ed Adams, Security Innovation | Ariel Weintraub, MassMutual | Fabien Casteran, ABN AMRO Bank | Marnie Wilking, Wayfair
Data security is always top-of-mind for cybersecurity executives; however, emerging technologies and developments in attacker tradecraft pose new risks to the data we try to secure.
Come hear how 3 leaders approach the dynamic threats of the 2020s, including:
• Tech Temperature – Hot or cold?
- Artificial Intelligence
- 5G: too dense and fast for its own good?
- Applied Crypto: Blockchain, NFTs, and de-centralized trust
- Quantum computing
• Intrinsic Dependencies
- Cloud: expansion or evaporation?
- Passwords, authentication, biometrics
• Changing Attack Landscape
-
Ed TALKS: How to Train IT Teams for Security
Ed Adams, Security Innovation | Satish Janardhanan, Accenture | Vandana Verma, OWASP, Snyk | Elena Scifleet, CyberCX
The modern enterprise is highly dependent on the cloud and software-driven systems. To protect them, teams need relatable training that reflects the technologies they work with. Otherwise, they’ll tune it out.
Recent Ponemon Institute research shows that realistic simulation training tied to a specific job function is the most effective way to prepare teams for the battles they’ll face. By utilizing hands-on training in a familiar environment, teams can enumerate security risks in a native context.
Come learn the strategies three security and technology leaders use to up-level the skills of various audiences, create engagement, and drive lasting behavior change.
-
Ed TALKS: Scaling AppSec – Getting Tools to Perform
Ed Adams, Security Innovation | Dustin Lehr, Fivetran | Rajan Gupta, Honeywell | Joe Basirico, Highspot
Modern application design and the continued adoption of DevOps expand the scope of automated security testing and push tools to the limit. Simultaneously, complex platforms like IoT and Blockchain require more specialized tools and skills.
With software applications being more assembled than coded, and cloud CI/CD accelerating release, it’s time to sunset some legacy tools and consider new ones.
Come hear how product and application security professionals plan to scale software securely in 2022.
• The traditionalists: SAST, DAST, IAST
• Replacement players: SCA, API & container security, etc.
• New Kids on the Block: IaC, cloud native, fuzz
• Limitations, pitfalls, and best practices
-
Ed TALKS: Cybersecurity M&A – True Tales From All Sides
Ed Adams, Security Innovation | Ron Gula, Gula Tech Adventures | Maria Lewis Kussmaul, AGC Partners | Aric Perminter, Lynx Technology Partners
In recent years the cybersecurity industry enjoyed high valuations, rapid growth, and the creation of many 'unicorns.' However, the industry has also had its fair share of overhyped, expense- and debt-laden companies. With a global economic slowdown and generational inflation, cybersecurity investors have pumped the brakes. Path-to-profitability, once de-prioritized in favor of growth despite massive losses, has quickly become a paramount metric.
This Ed TALKS will feature diverse perspectives from a cybersecurity investment banker, entrepreneur/executive, and venture capitalist. Attend to hear how today’s technology and investment trends are changing the way we operate in cybersecurity and get expert advice on:
• Challenges of running a VC/PE-backed cybersecurity company
• Valuation calibration and investment appetite
• Metrics to watch closely, stress, or de-emphasize
• 'Red herrings' cyber leaders need to avoid chasing
-
Ed TALKS: Keep Your Head in the Cloud | The Uncensored Security Forecast
Ed Adams, Security Innovation | Shira Rubinoff, Prime Tech Partners | John Yeoh, CSA | Matthew Rosenquist, Eclipz
Overwhelmed by this year's industry predictions? Take back your time and avoid forecast fatigue as our industry experts have combed through the top reports to uncover essential insights and shed light on the best, and the worst, Cloud Security predictions for 2023.
Join our three industry experts as they de-bunk some of the top predictions and offer their own. Featuring research from the Cloud Security Alliance, our diverse panel of published authors will provide a deeper understanding of what to focus on for this year – including bonus “dark horses”!
The ‘Can’t Miss’ Panel:
Shira Rubinoff: A top cybersecurity influencer with 20,000+ LinkedIn followers; an entrepreneur, executive, board member, and advocate for women in cyber.
John Yeoh: The VP of Research at the world’s leading organization dedicated to defining best practices to help secure cloud computing environments.
Matthew Rosenquist: A trusted, respected CISO highly sought after as a conference keynote speaker, strategic advisor, and educator.
-
Ed TALKS: The Cyber Elephant in the Boardroom
Ed Adams, Security Innovation | Mathieu Gorge, Vigitrust | Cathy C. Smith, Women in Tech NJ & NY | Nick Vigier, Talend
Join Mathieu Gorge, CEO of VigiTrust, and three esteemed co-authors for an Ed TALKS discussion of the best-selling book "The Cyber Elephant in the Boardroom", a real-world playbook for cybersecurity approaches and accountability. This dynamic panel will explore how businesses have adapted to an increasingly digital landscape, why cloud security is critical for application safety today, tips for incorporating robust protection into any coding process, and the implications of cyber risk at the boardroom level.
The Panelists:
Mathieu Gorge, an internationally acclaimed cybersecurity expert, is the founder and CEO of VigiTrust, a risk management company. His work in this field, including authoring 'The Cyber Elephant In The Boardroom', has been recognized by Forbes, and his second book is due out in summer 2023.
Cathy C. Smith is a leading authority in the DX space, pushing boundaries and driving innovation through her experience with major global organizations such as Deutsche Bank and Dell. She is the founder of Women in Tech NJ & NY. Her book "How to Become a Digital Leader" provides insights on leading organizations into emerging technologies that remain future-proofed for success.
Nick Vigier is a highly esteemed cybersecurity expert with extensive knowledge and experience in the field. He has been a CIO or CISO at many successful companies, including Talend, Sony, and Gemini. His vast knowledge makes him the go-to expert for media outlets looking to understand the ever-changing security landscape.
Ed Adams is a leading software quality and security authority, offering over two decades of expertise. As President & CEO of Security Innovation, creator & host of 'Ed TALKS' and board member for Cyversity – he's established himself as an industry thought leader with invaluable insights to share.