Day 3: Tuesday, March 13th

8:00 AM - 8:45 AM Networking Breakfast

8:45 AM - 8:50 AM Chairperson’s Opening Remarks

Cyber security is just one responsibility of the CISO. With high-profile data breaches in the new regulatory era, communication with the board and the rest of the C-suite is paramount. CISOs must shape the message and methods to address unique organizational dynamics. Explore how the CISO must be part technical guru along with psychologist and business leader. The CISO must know the technology enough to protect the organization’s critical operations and data. The CISO must be able to justify security expenditures in business terms. The psychology helps with navigating motivations and priorities of the rest of the executive team. Changing regulations are also affecting the CISO’s reporting structure and the dynamics of the role.
Join this session to learn how to:
• Engage, manage and meet board and C-suite expectations
• Explore how the CISO reporting structure has changed with regulations
• Blend business, psychology and technology

Sarah Engstrom

Chief Information Security Officer & IT Director of Productivity

Brian Kreitzer

UCLA Health

Harry O’Laughlin

California Department of Insurance

Michael Coates


9:35 AM - 10:05 AM Business Meetings

10:05 AM - 10:35 AM Business Meetings

10:05 AM - 10:35 AM Networking Break

10:40 AM - 11:20 AM Next Generation Third Party Security Management

Paul Valente, Sr. Director, Information Security, LendingClub
Your company’s security posture is not strictly determined by your company’s security program. Because today’s information networks are a patchwork of systems and information shared, exchanged, and acquired from vendors, partners, and M&As, no company is an island. Your company’s security posture is a product of the security programs of all the companies in an information ecosystem. Complicating this security environment is the fact that vendor security management processes are all but broken.
Effective, comprehensive due diligence efforts haven’t caught up with the speed of business today. Long-form questionnaires burden vendors and clients alike and often produce incomplete, inaccurate, or irrelevant information on which decision makers are expected to rely. All the while, regulators are requiring more frequent monitoring and deeper reviews of service providers—as well as their service providers. Information security attacks are increasingly sophisticated. Breaches are more frequent. And no matter the risk climate, business needs to accelerate to remain competitive. It’s time for a rationalized approach that leverages core expertise, automation, and machine learning to yield both rapid and accurate information necessary to effectively assess and manage vendor security risk.


11:20 AM - 12:00 PM Case Study: Time-Traveler’s Guide to Handling Advanced Persistent Threat (APT) Actors

Oleksiy Kuzmenko, Deputy CISO, United Nations Development Programme
The talk presents a case study of an incident involving a known Advanced Persistent Threat (APT) actor recently handled by the incident response team of UNDP. In addition to presenting how the incident was detected, contained and eradicated, the talk discusses operational security aspects vital for successful handling of such actors, ways to automate detection of these incidents through retrospective analysis of network data, as well as some “force multiplying” tools for resource-constrained incident response teams and our experience deploying them.


12:00 PM - 12:00 PM Chairperson’s Closing Remarks