Welcome Reception 

Join us for a welcome reception at the Ritz-Carlton Observatory room overlooking Half Moon Bay. Meet other CISO Forum delegates and enjoy appetizers, cocktails and great conversation!

New! View the interactive and mobile-friendly agenda here for details and speaker profiles.

Breakfast and Registration

Welcome Remarks

• Mike Lennon – Publisher & Managing Director, SecurityWeek
• Jim  Gordon – GM of Security Ecosystem Strategy & Development, Intel

Advancing the Security of the Microsoft Windows OS:

Windows is the operating system and application platforms that powers hundreds of millions of customers, enterprises, and core infrastructure globally. In order to remain resilient in a constantly evolving threat landscape, the OS security engineering team at Microsoft has built a strategy to address new and challenging attacks. This talk will walk attendees through Windows current and future security strategy and the engineering challenges with scaling across new devices, form factors, and threat models from client to the intelligent edge and cloud.

David Weston – Partner Director of OS Security, Microsoft

Intel’s Security First Pledge: Come Walk a Mile in Our Shoes

Senior Director in the Intel Product Assurance and Security (IPAS) Group, Bryan Jorgensen, will provide an overview of Intel’s “Security First” pledge, a company-wide initiative that covers active security research and red-teams, a healthy bug-bounty program supporting third-party vulnerability research, architectural leadership, ongoing Security Lifecycle Development (SDL) improvements, incident response and product governance.

Bryan Jorgensen – Senior Director, Intel Product Assurance and Security group (IPAS)

Project Zero, iMessage and Attack Surface

Google Project Zero aims to make it more difficult for attackers to use 0-day vulnerabilities against all users. This talk will explore the team’s recent research into iMessage. It will discuss the team’s goals, their research methodology and what there is to learn from vulnerabilities in commonly-used software.

Natalie Silvanovich – Security Researcher, Google Project Zero

Morning Coffee Break

Cybersecurity on the Frontier: Workforce and Technical Challenges

Aanchal Gupta, Head of Security for Calibra at Facebook, will share her perspective on managing and scaling security organizations. With an ever evolving threat landscape, it’s never been more important to have a robust and nimble security function. Aanchal will provide insights on building teams to scale to manage these threats, with a focus on bringing more diverse perspectives into the security industry.

Aanchal Gupta – Head of Security for Calibra, Facebook

Panel: All the ‘Zero Trust’ Questions You Want Answered

How easy is it for a traditional company to embrace the Zero Trust model? Do we even understand what Zero Trust really means? How is it different from the BeyondCorp model? Join this panel of experts as they provide insight into how organizations can benefit from adopting a Zero Trust approach to risk management. The panelists will also frame a discussion to address misconceptions and share best practices around Zero Trust adoption.

• • Steve Martino: SVP & CISO, Cisco
  • Lakshmi Hanspal: Global CISO, Box
  • David  Tsao: VP of Security Engineering, Marqeta
  • JD Sherry : CRO, Remediant
  • Ash Ahuja: VP Leadership Partner, Gartner [Moderator]

Sponsor Lightening Round

Lunch

[Panel] The Never-Ending Vulnerability Disclosure Debate

In this panel discussion, security stakeholders and decision-makers will discuss the long and winding curve of the decades-long vulnerability disclosure debate. The group will tackle a wide range a topics, from the controversial use of “responsible disclosure” to the current industry norm of “coordinated vulnerability disclosure,” to public disclosure deadlines and the landscape around the bug-bounty ecosystem. This promises to be a fun and lively session.

• Charlie Miller: Principal Autonomous Vehicle Security Architect, GM Cruise Automation
• David Weston: Director of OS Security, Microsoft
• Amit Elazari Bar On: Director of Global Cybersecurity Policy, Intel
• Natalie Silvanovich: Security Researcher, Google Project Zero
• Ryan Naraine: Director, Security Strategy, Intel [Moderator]

Fireside Chat With Charlie Miller  

Security Reporting Through Data Analysis: Behind the Scenes on the Verizon DBIR

With dozens of outstanding security reports written every year in our industry, most readers have little idea of what goes into making them happen, or even why companies spend the time and money to create them. Join the Verizon Data Breach Investigations Report (DBIR) Team Leader in this session to understand how our research becomes written word, the importance of maintaining independence from ‘marketing’, and why you should never trust a survey-based report ever again.

Alex Pinto – DBIR Team Leader, Verizon

Afternoon Break

Entering the Cave: Conquering Security Fears of Modern Infrastructure

Modern infrastructure holds proven benefits to productivity, performance, and stability for engineering teams. However, security teams can find themselves in the throes of anxiety at the prospect of adopting of modern tech – often without understanding how the tech works, let alone the right threat models for it.

In this talk, we will delve into some of the common misconceptions held by security teams regarding DevOps and microservices. Then, we will explore what risks truly matter in modern technology environments and how security teams can partner with their engineering colleagues to mitigate those risks – helping relieve security of its duty as a gatekeeper to productivity.

Kelly Shortridge – VP of Product Strategy, Capsule8

[Panel] The VC View: Security Innovation and Investments

Join this distinguished group of venture capitalists and CISOs as they discuss current opportunities for financing early-stage cybersecurity ventures. The panel will provide a deep dive in how VCs look at cybersecurity investments, the changing landscape for deal sizes, the emerging companies and sectors that will transform risk management and the role of investors and advisers in the success of startups.

• Anne Marie Zettlemoyer  – VP, Security Engineering, Mastercard
• Nipun Gupta: Global Cyber Security Innovation Lead,  Deutsche Bank
• Sunil Kurkure: Managing Director, Intel Capital
• Will Lin: Partner & Co-Founder, Forgepoint Capital
• Scott Scheferman: Principal Security Technologist, SentineOne [Moderator]

Security + DevOps Putting Security On Rails

By the time you finish reading this sentence your infrastructures will have changed 5 times! DevOps did that! Dev and Ops got on rails (becoming DevOps) and left security behind. Now security is the last to know about the new app, the new publicly facing end point, the new S3 bucket and countless other changes you care about.What would happen if we put security on rails? What happens if we don’t? This talk will explore putting security on rails the DevOps way. And perhaps most importantly, it will explore how security leaders can know (measure) when its working and when it’s not.

Rich Seiersen: CEO, Soluble

Coastal BBQ Dinner Overlooking Half Moon Bay, followed by Bourbon & S’Mores by The Ritz Carlton Fire Pits

Breakfast and Registration

CISO Forum Day 2 Sessions 

Fireside Chat: Everything You Need to Know About Cyber Insurance 

In this fireside chat, Emy Donavan, Global Head of Cyber, Tech and Media at Allianz SE, joins Cisco’s Leslie Lamb to provide a deep dive into the cyber insurance landscape. Expect a thorough discussion on cyber insurance coverage areas, what goes into a decision to purchase cyber insurance, and the costs and limits to what companies can buy. This session is sure to prompt a lively Q&A session.

• Leslie Lamb: Director Global Risk & Resiliency Management at Cisco
• Emy Donovan: Global Head, Chief Underwriting Officer of Cyber and Tech Professional Indemnity at Allianz.

New Paradigms for the Next Era of Security

Over the next few years, we should expect to see attackers refine and mature their capability to drive outcomes that result in the *inability* for us to recover from an attack, i.e., irreversible attacks. We already are seeing evidence of this now through ransomware (irreversible attack on the availability of data), wikileaks (irreversible attack on the confidentiality of data), #fakenews (irreversible attack on the integrity of data). To proactively address this trend, we need to be in a position to make such attacks irrelevant by being able to conduct irreversible attacks against ourselves (e.g., Chaosmonkey) and design systems so that we can continue our business functions unimpeded. This session articulates the compelling need for us to consider new, business-aligned design patterns that enable us to have systems that are fully resilient against destructive/irreversible attacks and why we need to seriously consider pivoting to this approach within the next five years to survive. I’ll also discuss the implications for our industry and our profession. I will also reveal a new set of concrete measurements and metrics that enable us to focus on true solutions and not just an never-ending list of vulnerability and patching metrics.

Sounil Yu – Chief Security Scientist, Bank of America

[Panel] Assessing Security in the Hardware Supply Chain

While security teams often think of attackers coming from the outside, some of the most insidious cybersecurity threats and weaknesses can be embedded within newly acquired hardware before it is ever delivered. Implants, backdoors, and weaknesses can be intentionally inserted by sophisticated attackers, or inadvertently included due to mistakes or insecure practices by manufacturers and partners. To ensure the integrity of their devices, organizations need to be able to ensure that the systems they acquire are safe, arrive intact and without tampering, and that all updates are valid and secure. Our panel will discuss what measures CISOs and OEMs can take to secure their supply chain from real-world attacks.

• Gene Casady – VP Security Delivery & Operations, Global Payments
• Yuri Bulygin – CEO, Eclypsium
• Talha Tariq – Chief Security Officer, HashiCorp
• Patrick Heim – CISO, ClearSky

Morning Break

[Panel] In-CISOmnia – What Keeps CISOs up at Night

Our “CISO concerns” panel returns for 2019! Zero-Day vulnerabilities. Targeted attacks. “Trusted” insiders walking out the door with corporate secrets. Privacy. Compliance. Board Meetings. These are just a few of the headaches today’s security leaders are faced with on a daily basis. With security executives more accountable than ever, and an increasingly sophisticated threat landscape, this panel of security chiefs will discuss what is top of mind for them and what the future looks like as chief defenders of the enterprise.

• Nick Yoo: CISO, Noodle.ai
• Chris Castaldo: CISO, Dataminr
• Igor Vavnava Rombout: CISO, SAP Sales Cloud
• Scott Scheferman: Principal Security Technologist, SentineOne
• Alexander Hughes: Director of Security, Tanium [Moderator]

[Panel] The CISO Guide to Reporting to the Board

The modern CISO is now the point person — with a target on their back — for managing security incidents or data breaches and reporting security program issues to the company’s board of directors. In this panel discussion, practitioners will discuss how to prepare for reporting breaches and risks to the board of directors, the importance of using transparent data, the value of knowing your audience, and tips and tricks to make board reporting a success.

• Shelbi Rombout: SVP & Deputy CISO, Mastercard
• Rich Seiersen: CEO, Soluble
• Sounil Yu – Chief Security Scientist, Bank of America
• Will Lin: Partner & Co-Founder, ForgePoint Capital [Moderator]

Security Conversations Podcast: Live On-Stage Recording 

2019 SecurityWeek Golf Classic – Shotgun Start

Steak and Lobster Dinner at Half Moon Bay Club House & Golf Classic Awards