IN-PERSON

Chicago CISO Executive Summit

May 14, 2019 | Hyatt Regency McCormick Place

May 14, 2019
Hyatt Regency McCormick Place

Governing Body Agenda Location Partners Contact

Governing Body Co-Chairs

Waqas Akkawi

SIRVA, Inc.
VP, CISO

Jim Cameli

Walgreens Boots Alliance
Global CISO

Nicole Ford

Baxter International Inc.
Global CISO

Larry Lidz

CNA
SVP & Global Chief Information Security Officer

JJ Markee

Kraft Heinz Company
CISO

John Reed

True Value Company
IT Security Program Manager

Paolo Vallotti

Mondelez International
Global CISO

Agenda

May 14, 2019

mid-afternoon morning afternoon

11:40am - 12:50pm Keynote

Harnessing the Power of Contradictions

Corey E. Thomas

President and CEO

Rapid7

As the world we live in continues to evolve and change, so do the requirements of what people look for in their leaders. Exceptional leadership comes from those who can get a group of people with diverse mindsets through difficult, ambiguous circumstances.

In this session, Corey Thomas, CEO of Rapid7, will share:

His leadership philosophy and how it informs his innovation strategy
How to leverage the power of contradictions and differences in a time of constant change and ambiguity
How contradictions drive creativity, higher standards, and consistent growth in organizations

12:50pm - 1:20pm Networking Break

1:20pm - 2:10pm Breakout Session

A Roadmap to Automating Access

Michael Boucher

CISO, Americas

Jones Lang LaSalle

How do you balance business agility and business security in your IAM strategy? Michael Boucher shares his process in developing an automated identity and access management program.

In this session, discuss:

The full lifecycle of a user’s identity
Meeting compliance and regulatory challenges
The benefits of shifting to automation

1:20pm - 2:10pm Breakout Session

Network Data — Powering the Modern SOC

John Matthews

CIO

ExtraHop

Two pillars of a successful and proactive SOC are threat hunting and incident response. The use of network traffic analysis can help improve performance in these two areas, if you can trust the data.

In this session, you will learn:

Current attack practices, including abuse of legitimate traffic and encryption
How hunters hide from attackers to avoid counter IR maneuvers
Ways to make analysts faster and more effective at validating and responding to threats
Options for empowering cross-training and on-the-job training to increase analysts' skills
Clarity on how gaining visibility into cloud and encrypted traffic

1:20pm - 2:10pm Executive Boardroom

Eliminating Vulnerability Overload with Predictive Prioritization

Shane Hibbard

Director of Information Security

Invenergy

Steven McLean

Senior Manager, Information Security

Ortho Clinical Diagnostics

Kevin Flynn

Senior Product Manager

Tenable

When it comes to reducing cyber risk, overcoming vulnerability overload is critical. Find out how predictive prioritization will improve your vulnerability management efforts so you can focus on what matters most to your business. During this peer-discussion you will explore:

How to use threat intelligence to move the most dangerous vulnerabilities up your priority list
The resources required to effectively assess your environment and prioritize your efforts in a predictive manner
Practices that will help you take appropriate actions to make your organization more secure
How to make your staff more efficient by drastically reducing the number of high priority vulnerabilities they need to remediate

Executive boardrooms are intimate and interactive sessions designed to foster dynamic dialogue around a specific, strategic topic. These private, closed-door discussions encourage attendee participation and are limited to 15 attendees (seating priority is given to CISOs). To reserve your seat, please contact Tim Bigley at 971.717.6612 or tim.bigley@evanta.com.

1:20pm - 2:10pm Executive Boardroom

Modernizing Your SOC

Robyn Clark

CISO

Illinois Tool Works Inc.

Justin Metallo

CISO

Beam Suntory

Chris Sears

Senior Solutions Architect

Securonix

When it comes to taking your data from you, cyber criminals never rest. If they can’t get in one way, they will try another. A sound Security Operations Center - staffed by the right people and with the right tools - should be a key part of your cyber defense strategy.

In this session you will discover how to:

Effectively develop your team
Automate to reduce workloads and drive efficiency
Equip SOC teams to operate within BYOD and Cloud
Create strong KPIs and KRIs to measure success

7:00am - 7:45am Registration & Breakfast

7:45am - 8:30am Keynote

The New Reality — Make Change Your Competitive Advantage

Karl Schoemer

Author, "Change Is Your Competitive Advantage"

Like a school of fish, an adaptive organization must move rapidly and in unison toward new opportunities. From navigating the uncertainty of today’s tight talent markets to responding to evolving employee expectations, leaders and employees alike must embrace the power of change to make it a part of their individual and organizational competitive advantage.

Karl Schoemer will draw on his 20 years’ experience studying change to share:

Insights on how leadership behaviors facilitate change
Strategies to help change contribute to culture
Tactics for creating change-adaptive individuals

8:30am - 9:00am Networking Break

9:00am - 9:50am Breakout Session

From Security Management to Risk Management

Amy Bogac

Director, Information Security and Risk Management

CF Industries

How do security executives get buy-in from the rest of the business? For Amy Bogac, it starts with building security strategy around what the board is already focused on. Bogac shares her success in partnering with enterprise risk management to build strong support for security across the organization.

Join to learn:

The importance of partnerships with privacy, HR, and ERM
What the board truly wants to hear
How to mature security roles into that of a risk professional

9:00am - 9:50am Breakout Session

Behavioral Analytics and the Evolution of Cyber Risk Ratings

Jasson Casey

CTO

SecurityScorecard

Cyber risk ratings have steadily evolved over the last six years, shifting from scoring approaches using off the shelf vulnerability scanners to frameworks built with machine learning. Jasson Casey shares the evolution of developing scores – including initial ideas, setbacks and breakthroughs.

In this session, learn:

The composition of a cyber security risk rating
How an enterprise IT team’s behavior manifests itself to the outside world
How behavior translates to cyber security risk for the business

9:00am - 9:50am Executive Boardroom

Keeping Ahead of Information Governance

JJ Markee

CISO

Kraft Heinz Company

John Reed

IT Security Program Manager

True Value Company

Martin Sugden

CEO

Boldon James

Information governance can seem like trying to boil the ocean. Developing the right strategy and approach is key in finding the best channels by which to assess risk. In this boardroom, uncover answers to your pressing questions, including:

How to gain visibility into high risk areas?
What controls should be in place to protect the company’s information assets adequately (and how are you defining adequately)?
What policies do you have in place, and how should you enforce and measure those policies?

9:00am - 9:50am Executive Boardroom

Managing the Convergence of Global Data Regulations

Victor Hsiang

Information Security Manager

GATX Corporation

Elizabeth Ogunti

Senior Manager IT Security and Compliance

JBT Corporation

Matt Little

Chief Product Officer

PKWARE, Inc.

Information security leaders navigate an increasingly complex matrix of national and foreign data privacy regulations. GDPR caused organizations to scramble to meet data protection directives and reassess risk management through new compliance reporting requirements and potential exposure to financial penalties. Now California has its own Privacy Act set to come into effect, and it’s one of potentially many different pieces of forthcoming regulation and policy. How can organizations create a unified data protection and compliance strategy that meets conflicting requirements?

In this session, discuss:

The current landscape of data privacy regulation around the world
Best practices for managing risk associated with data protection frameworks
Standards and metrics for measuring data protection risk
Data classification strategies to aid compliance, regardless of regulation

9:50am - 10:20am Networking Break

10:20am - 11:10am Breakout Session

An Approach to DevSecOps Implementation

Ricardo Lafosse

CISO

Morningstar, Inc.

How can security leaders move away from a waterfall approach to development and help make security frictionless in the organization? Ricardo Lafosse, CISO at Morningstar, shares the year long, multi-faceted initiatives implemented to help align Morningstar with agile methodology.

Join this session to learn:

The importance of adjusting to meet business demand
How to get started, with potential surprises and pitfalls
The techniques and framework to successfully shift to agile

10:20am - 11:10am Breakout Session

SD-WAN – The Solution to Network Visibility

Michael Konopka

Director, Cyber Security & Network Svs.

Eby-Brown

Bill Morgan

Director, Systems Engineering

Fortinet, Inc.

New SD-WAN technologies are reducing risk while simultaneously increasing security for enterprises by simplifying their security architecture through automation and integration. Michael Konopka joins Bill Morgan to share his experiences in partnering with Fortinet to deploy innovative solutions.

Join this session to learn:

Case studies of network visibility implementation
How organizations can gain visibility and application control while reducing WAN infrastructure cost with SD-WAN

10:20am - 11:10am Executive Boardroom

Connecting Security, Risk, and IT to Enable a Best-in-Class Program

Mike Zachman

CSO

Zebra Technologies

Michael Siegrist

Product Line Specialist, GRC and Integrated Risk Management

ServiceNow

The breaches of the past few years continue to show us that organizations are overwhelmed and struggling with patching software vulnerabilities. But what if you were able to properly pinpoint the vulnerabilities that represent the most risk and align these risks with overall enterprise risk?

Join this conversation to discuss:

How security, risk, and IT staff can best work together to locate vulnerabilities and remediate cyber risk
Best practices for strengthening governance, risk, and compliance programs
Effective methods to aid collaboration amongst stakeholders

10:20am - 11:10am Executive Boardroom

Translate Complex Cybersecurity Issues into Simple Business Context

Matthew Memming

CISO

Navistar, Inc.

Bill Podborny

CISO

Alliant Credit Union

Evan Tegethoff

Director, Engineering and Consulting

BitSight Technologies

It is much easier now to determine what’s important, dangerous and real in your third party ecosystem. Yet, as hacks continue to threaten data and business continuity, the old school of thought around securing the enterprise is no longer relevant.

This boardroom will explore:

Layering traditional tools and new strategies to define goals and deploy resources
Communicate to the board through a holistic risk lens
Developing clear business cases connecting business profitability to risk reduction

10:20am - 11:10am Executive Boardroom

Facing the Challenges of Connected Devices

Erik Hart

CISO

Cushman & Wakefield

Naeem Motiwala

VP & CISO

Gallagher

Todd Kelly

Chief Security Officer

Cradlepoint

Connected devices provide valuable new functionality and revenue opportunities. They can also become a security nightmare, as many were not designed with security in mind. Cybersecurity leaders must have the right strategy in place to address potential vulnerabilities in the growing Internet of Things.

Join this roundtable to discuss:

Best practices in managing IoT ecosystems
Challenges securing IoT devices
Case studies of successful segmentation

11:10am - 11:40am Networking Break

2:10pm - 2:30pm Networking Break

2:30pm - 3:20pm Breakout Session

Benchmark This Breach! An Interactive Experience

Diane Brown

Director, IT Risk Management

Ulta Beauty

One of the best ways to check your assumptions in business is to know where you stand among your peers and allow them to challenge your assumptions. But even if you have a speed-dial full of trusted associates, this type of information sharing can be piecemeal and infrequent. This interactive session is your chance to:

Baseline your security program and explore context around recent data breaches
Compare incident response practices with a cross-section of your peers
Walk away with actionable insights

2:30pm - 3:20pm Breakout Session

The Hidden Attack Surface of APIs

Anthony Lauro

Director, Security Technology and Strategy

Akamai

The rapid adoption of mobile devices has led to 25% of all web transactions being API calls. Attackers not only target public facing APIs, but enterprise organizations due to how organizations manage automation and orchestration of their cloud environments. The sheer volume of transactions overwhelm security devices, leaving attack or abuse detection to be done after the fact.

In this session, we’ll discuss:

The current, and failing, architectural designs for addressing security for API transactions
Attacker techniques for identifying and targeting environments
Common tools that can be used to identify your own attack surface and deploy the appropriate defenses

2:30pm - 3:20pm Executive Boardroom

Dissecting Recent Breaches & Ensuring Cyber Resiliency

Todd Camm

Director IT Security

Navigant

Carl Erickson

CISO

Johnson Controls, Inc.

Sergio Abraham

Security Innovation Lead

Onapsis

In July 2018, the Department of Homeland Security issued an alert citing "Malicious Cyber Activity Targeting ERP Applications." While protecting endpoint access, phishing, and network monitoring is important, nothing else matters if your core business applications are not a primary strategic component.

In this session, we will explore:

Why and how cybercriminals, hacktivists and nation states are actively attacking ERP applications
How cloud, mobile and digital transformations are expanding the attack surface
Steps you can take to ensure cyber resiliency and mitigate risk

2:30pm - 3:20pm Executive Boardroom

The Continual Shifting of Threats

John Kellerhals

Information Security Manager

Wheels, Inc.

Wade Lance

Principal Solutions Architect

Illusive Networks

Whether it’s cybercriminals motivated by profit or nation-state attackers with geopolitical motives, public and private organizations of all sizes have felt the impact of cyberattacks. Enterprise organizations are reeling from the onslaught of massively spread ransomware attacks to surgical pinpointed attacks on their assets from sophisticated state-sponsored actors. How can CISOs best face changing threat vectors?

Join this roundtable conversation to discuss:

The current threat landscape
How to best discover and thwart nation-state attacks
What security executives can do to build resiliency

3:20pm - 3:40pm Networking Break

3:40pm - 4:20pm Keynote

Inspiring the Next Generation of Security Leaders

Christine Vanderpool

VP, Chief Information Security Officer

Florida Crystals Corporation

Building a strong talent pipeline is about more than attracting candidates - CISOs need to provide continuous training, development and career path guidance to their teams to maintain a competitive security organization. Christine Vanderpool, VP and CISO of Florida Crystals Corporation, shares her methods to inspire and provide guidance to security teams and other IT teams alike.

In this session, discover:

How to provide guidance on building an effective career development plan
Four easy ways to think about career development (ownership, developing a mission statement, defining personal brand truths and creating the map)
How to help build a career path for your team

4:20pm - 5:00pm Closing Reception & Prize Drawing