A SecurityWeek Event


An Exclusive Executive Forum Focused on
Information Security Leadership and Strategy

September 13-14, 2022

2021 CISO Forum

SecurityWeek’s CISO Forum takes place annually at the beautiful Ritz-Carlton, Half Moon Bay, which has served as the venue of the forum since 2014.

Given the global situation resulting from the COVID-19 pandemic, SecurityWeek’s 2021 CISO Forum, Presented by Cisco, will take place virtually. Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, specific zones & sponsor booths.

This event is designed for security leaders to discuss, share and learn information security strategies.

An Exclusive Executive Forum Focused on Cybersecurity Leadership and Strategy

September 14-15, 2021
Virtual Event

Throughout this two-day virtual event, sessions will have a strong focus on participation from CISOs in panel discussions along with talks from industry experts, analysts and other end users, and thought leadership, strategy and technical sessions.

Topics Include:

  • Fireside Chat: Adrian Stone: VP, CISO at Peloton
  • Winning Hearts and Minds on the Board
  • Designing and Architecting Security for a Hybrid World
  • CISO Panel: Navigating SBOMs and Supply Chain Security Transparency
  • Panel: CISO’s Guide to Building a Security Dream Team
  • Panel: The Top 5 Priorities of the Modern CISO
  • Defenders Playbook for Attack Simulation and Security Posture Validation
  • Virtual Expo and Networking
  • Identity-Focused Security for Your Zero Trust Journey
  • Securing Our Cloud Environment Against Hackers
  • Key Insights to Prevent Never-Before-Seen Cyber Attacks
  • SASE Industry Trends
  • Measuring Security and Building Trust with Leadership: Enabling Transformation Through Testing
  • How DevOps Can Make AppSec Testing Seamless
  • Addressing Sophisticated Supply Chain Attacks Head On with No Source Code Required
  • Much more!

Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, subject-specific discussion areas, and sponsor booths in a virtual expo hall.

Adrian Stone

Anne Marie Zettlemoyer
VP, Security Engineering

Caleb Sima

Allan Friedman (Invited)
Cybersecurity and Infrastructure Security Agency (CISA)
SBOM Champion

Summer Craze Fowler
Argo AI

Fredrick ‘Flee’ Lee
Chief Security Officer

Shaila Shankar
SVP and General Manager of Cisco Cloud Network and Security

Jonathan Jaffe

Aanchal Gupta
VP, Azure Security

Lena Smart

Sounil Yu

Theresa Payton
Former White House CIO
Star of CBS TV series, “Hunted”, and Leading Cybersecurity Expert




September 24-26, 2019


1 Miramontes Point Rd, Half Moon Bay, CA 94019


+ 1 (650) 712-7000

The Five Things CSOs Need to Know About Software-Defined Security

01/14/2015

The business benefits of moving workloads to the cloud are so compelling that most enterprises are now investing heavily in this direction. Lower cost infrastructure frees up IT budget that can be focused on net new applications and business innovation.

While driving capital expenditures to near zero is a good aspirational goal, the reality is that most organizations will end up with mixed environments of physical data centers, private cloud and public cloud. The question is: how are companies supposed to keep business-critical assets safe in this new model?

In a cloud and virtual infrastructure world, security and compliance consistently bubble to the top of the list of concerns. In fact, in a recent report, Gartner identified security as one of the top 10 information technology priorities for 2015.

For decades, IT and Internet security has been built around models that assume the availability of fixed perimeters, hardware security appliances, physical proximity of data and explicit control of physical topology.  

Cloud environments – including cloud hosting, virtualization and software defined infrastructure – disrupt these assumptions dramatically. And the ripple effects extend to many major IT trends including Software-Defined Data Centers (SDDC), Infrastructure-as-a-Service (IaaS), IT-as-a-service (ITaaS) and software-defined storage.

While the use of “software defined” infrastructure is attractive, it imposes technical and operational characteristics that differ significantly from traditional IT infrastructure strategies.   

A few of these differences include broader IT asset distribution, high rates of change, greater diversity in deployed technologies, and large variability in scale. Of course, another key difference is that very often the underlying physical infrastructure is owned and operated by a third party.

It’s clear that new security strategies are needed — traditional, perimeter-based security models simply don’t work in the cloud.

Leading analysts, CIOs and CSOs agree that adopting a Software-Defined Security (SDSec) architecture is necessary to ensure that security and compliance do not slow down the movement to cloud infrastructure, but rather complement and accelerate the value it delivers to the enterprise. Security and compliance management must evolve to succeed in these massively scalable, fast-moving environments.

So how do we get there? Five key architectural principles have emerged that are central to enabling security and compliance to keep up with software-defined infrastructure. These five principles are:

Abstraction: Most traditional infrastructure security strategies depend on physical constructs such as hardware appliances, physical network segmentation, and proximity of computing components. Given that the underlying infrastructure itself is becoming more virtualized and more widely distributed, security and compliance for the cloud needs to be virtualized and able to operate regardless of where underlying hardware might be physically located.

A true software-defined security strategy should also be independent of any specific infrastructure platform, vendor, or service provider. Achieving infrastructure security abstraction makes security organizations more adaptable in their ability to support any infrastructure model, including a mix of private, public, and hybrid infrastructures (a.k.a., multi-cloud infrastructure) in addition to virtualized and bare-metal systems.

Automation: Manual monitoring and audit of security policies in virtual infrastructure is not feasible and could lead to serious mistakes and slow reaction to business needs. Security automation is required that implements security and compliance controls (e.g. firewall policies, intrusion detection) with minimal human intervention in deployment, configuration, and operation. Well-implemented automation will enable security organizations to keep up with the scale and rapid rate of change associated with emerging cloud infrastructure models. In an ideal world, even automated control deployment is not enough. Most desirable is full lifecycle automation, in which policies are set once and tied to some context, after which underlying controls are 100% automated at each stage of the control’s lifecycle—from deployment to de-provisioning. Keeping up with cloud infrastructure velocity means automation throughout the lifecycle of every enforcement and monitoring control. In addition, modern, software-defined security must be on-demand for low friction, and have “instant on” availability for audit and compliance.

Orchestration: Trying to manually provision security for virtual infrastructure simply won’t work in the dynamic, elastic nature of cloud. Security orchestration reduces the time, effort and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments.

Business security requirements must be satisfied by dynamic, automated, centrally managed composition of individual controls into integrated, holistic security services. Security orchestration platforms centrally manage the composition, deployment, and management of individual control components into more complex, service-oriented security systems. By composing many individual controls into a larger system, security orchestration is considered to be a higher order function than simple control automation. In many implementations, orchestration also addresses licensing, metering, chargeback, and other security resource consumption issues—important in service-oriented cloud computing and software-defined infrastructure environments.

A key strategic value of orchestration is the ability to rapidly create and maintain numerous security environments that are aligned with higher-level business needs while keeping pace with automated deployment, migration, and reconfiguration needs of the underlying application environment.

Security orchestration also reduces the time, effort, and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments. This streamlines control deployment, integration, and change management, preventing security from becoming a speed bump in an otherwise seamlessly orchestrated environment.

And as technology delivery becomes increasingly service-oriented, orchestration can relieve the administrative complexities of usage-based security resource management.

Automatic Scalability: Scaling application and infrastructure environments automatically, on-demand, and in near real-time is one of the essential capabilities that makes cloud computing so valuable. Dealing with seasonality or other fluctuations in demand once required maintaining sufficient idle infrastructure capacity to meet peak demand, often on a per-application basis. This approach was operationally and economically inefficient. Security and compliance control capacity must also scale up or down dynamically – and without human intervention.

This means that controls must be deployed directly into the application scaling mechanism (e.g., building controls directly into cloud-burstable virtual machines) or must have the ability to scale based on application scaling triggers (e.g., detection of a cloud-burst triggers deployment of more virtual appliances). Given that an arbitrary number of security controls may potentially be needed across an arbitrary number of diverse application environments, the SDSec principles of orchestration and automation are often leveraged to achieve automatic scalability.

Cloud-oriented application hosting models that support instant deployment and dynamic capacity will demand security that can automatically scale. Automatic scalability as a feature of an on-demand, orchestrated security service is an optimal strategy for implementing software-defined security.
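The automation and automatic-scalability principles above, as an added example that is not from the original article or any product: a reconciler in which policy is bound to a workload label rather than to an address or provider, so controls are deployed, updated and de-provisioned as the inventory changes. The `Policy`, `Workload` and `reconcile` names, the labels and the inventory are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    context: str         # label the policy is bound to, e.g. "role=web"
    allow_ports: tuple   # inbound TCP ports allowed for that context

@dataclass(frozen=True)
class Workload:
    wid: str
    labels: frozenset
    provider: str        # where it runs; deliberately never consulted by policy

def desired_controls(policies, workloads):
    """Workload id -> allowed ports, derived from labels only (abstraction)."""
    desired = {}
    for w in workloads:
        ports = {port for p in policies if p.context in w.labels for port in p.allow_ports}
        desired[w.wid] = frozenset(ports)  # no matching policy: empty set, deny all
    return desired

def reconcile(policies, workloads, deployed):
    """Diff deployed controls against inventory; return (new_state, actions)."""
    desired = desired_controls(policies, workloads)
    actions = []
    for wid, ports in sorted(desired.items()):
        if wid not in deployed:
            actions.append(("deploy", wid, sorted(ports)))
        elif deployed[wid] != ports:
            actions.append(("update", wid, sorted(ports)))
    for wid in sorted(set(deployed) - set(desired)):
        actions.append(("deprovision", wid, []))  # control retired with the workload
    return desired, actions

# Constructed sample data: one policy set, an inventory that bursts and shrinks.
POLICIES = [Policy("role=web", (443,)), Policy("role=db", (5432,))]
DB = Workload("db-1", frozenset({"role=db"}), "private-dc")

def web(n, provider):
    return Workload(f"web-{n}", frozenset({"role=web"}), provider)

def demo():
    state, steady = reconcile(POLICIES, [web(1, "private-dc"), DB], {})
    state, burst = reconcile(POLICIES, [web(1, "private-dc"), web(2, "public-cloud"),
                                        web(3, "public-cloud"), DB], state)
    state, shrink = reconcile(POLICIES, [web(1, "private-dc"), DB], state)
    return steady, burst, shrink

if __name__ == "__main__":
    print(demo())
```

The policy set is written once; the cloud-burst and the later scale-in produce deploy and de-provision actions without any policy edit, and a workload with no matching label gets an empty allow list.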

API Enablement: Security monitoring and enforcement control functions should be fully accessible via open Application Programming Interfaces (APIs), so that security and infrastructure organizations can fully integrate and use the tools with which they’re already familiar. CSOs and their organizations should insist on open API enablement of any security solution, especially those oriented to software-defined and cloud computing operations.

These five principles of software-defined security—abstraction, automation, orchestration, automatic scalability, and API enablement—can go a long way to ensuring the success of security and compliance programs for enterprises transforming to cloud-oriented infrastructure and technology delivery.

Software-defined security changes the game for the CISO and their teams. Security can now move to being an enabler for enterprises that are taking advantage of the business value offered by cloud services and infrastructure, without sacrificing security or compliance.
