The inaugural Cyber World Congress launched virtually on March 2nd as a unique large-scale event aimed at connecting the world’s cyber security community. As a 24-hour event, it followed the sun, starting with speakers from the APAC region, moving through MEA, Europe and LatAm, and finishing in North America.
Over a thousand security leaders attended, of which almost 60% were CISOs. Breaking down the numbers further, we saw that Banking & Finance was the industry most represented, followed by Energy & Utilities, Government, Healthcare, and Manufacturing.
The event welcomed 52 practitioners as they delivered thought-leadership sessions addressing the security challenges associated with increased digitalisation driven by the global pandemic. By attending, delegates gained insights into how leading organisations around the world are responding to an ever-evolving threat landscape to secure the so-called ‘new normal’.
In this post-event write up, let’s take a closer look at what each segment brought to the event!
APAC – Securing the Modern Enterprise in a Digital World
CWC’s APAC segment opened with Darktrace’s session, ‘Securing the Future of Work with Cyber-AI’. Led by their Director of Technology, Andrew Tsonchev, the session offered insight into ways organisations can rethink their approach to security – relying more on new technologies like AI to achieve much-needed adaptability & resilience as digital environments become more dynamic than ever.
Delving deeper into the topic of the shift to digital environments, a panel of senior security leaders addressed the challenges related to zero-trust, their cloud security strategies, and how they’re balancing future needs against legacy infrastructure in the live panel ‘Leaving Legacy Infrastructure Behind – When the Move to the Cloud is no Longer an If and Security Must be Part of the Equation’.
Moderated by Virag Thakkar (Head of IT Governance, Risk & Compliance, Agoda) and joined by Fuller Yu (CISO, Hospital Authority Hong Kong), Harish Goel (Director IT Security & Compliance, Publicis Groupe) and Allan Tay (Regional IT Security & Compliance Manager, Sodexo), our speakers found that while the pandemic has accelerated the use of cloud-based services (bringing the benefits of reduced delivery time, greater scalability and lower costs), carrying out thorough security risk assessments remains essential to staying secure.
They agreed that strong security monitoring measures and disaster recovery plans needed to be in place in order to maintain the confidentiality, integrity, and availability of data. Fuller Yu added that not only do your processes need to be secure but so do your people, concluding “Make your people ready for the cloud, invest in them”.
Following the panel discussion, Eileen Neo, APAC Regional Lead at YesWeHack, gave actionable insights on ‘Fighting cybercrime in a Digital World’ using bug bounty programmes, followed by Dr. Lopa Mudraa Basuu, Former Global Head of Cyber Security Risk Governance & Compliance at Nissan Motor Corporation.
Dr. Basuu delivered an exhaustive talk on her hands-on experience with ‘DevSecOps – A Cultural Transformation Journey’, explaining how DevSecOps enhances the collaboration between development and operations teams by placing security at the heart of the process to create a faster, more efficient way to safely deliver code within an agile architecture.
To conclude the APAC segment, the panel discussion ‘Cyber Security vs Digitalisation – Making Cyber Security an Integral Component of your Company’s Trust and Value Proposition’ addressed how to overcome the challenge of getting cyber teams involved earlier in digital transformation programmes.
Led by Beatriz Silveira (SVP, Cyber Intelligence Center Regional Lead, APAC, Citi), panellists Ashish Khanna (CISO, The Oberoi Group), Muhammad Maad (CISO, Faysal Bank), Amit Chaubey (Head of Cyber Security Risk, Governance & Compliance, Ausgrid), and Richard Harrison (CISO, healthAlliance) discussed how they have been able to balance their business’s push for digitalisation against its cyber security needs much more effectively, with Amit Chaubey explaining:
“I am a fan of automation because an automated solution is going to work as you designed it. In the transformation piece, I always talk to my team and ask can we automate something here and reduce the manual process? This will reduce the risk of human error and provide the dashboard for management to review.”
Richard Harrison followed, stating that taking a more holistic approach to security & privacy has greatly benefited his organisation:
“In our organisation, what really helped us drive change has been the adoption of standards and patterns, because that makes it so much easier for project managers/architects/developers to embed security into their design in a more holistic way.”
MEA – A People-Centric Approach to Cyber Security for Today’s Digital World
The MEA segment opened with a live panel discussing the challenge most companies are facing today: ’How to Maintain Effective Security Awareness Amid a Hybrid Future of Work’.
The panel was moderated by Hisham Mohamed (Egypt CISO, Emirates NBD). He was joined by Nadia Cherif (Regional CISO, Siemens Energy) and Walid Mahmoud (Head of Information Security & Risk Management, Mantrac Group).
They shared their views on how to keep their remote workforce informed on the importance of security, their tips to overcome tighter cyber training budgets, and how they balance cyber training vs technical tools such as email proxy, anti-malware and anti-phishing technologies.
Both the moderator and panellists highlighted the importance of tailored security awareness campaigns. In the ongoing fight against an increasing number of phishing attacks, they agreed that organisations must make sure the training is tailored to the needs of the business – looking at the type of information handled and the threats they face.
When it comes to raising awareness, they emphasised the need for a holistic approach. Training should not only be aimed at employees, but also the Board, customers, and the supply chain as a ‘one size fits all’ approach would ultimately end in failure.
Nadia shared some great insights into KPIs, looking at how to measure and assess whether a security programme is having the expected outcome. Walid then added that introducing automated security programme tools made issuing and monitoring KPIs easier for his organisation. Both cited mock attacks as good learning opportunities.
All in all, the panel concluded that support from management is essential to really accelerate learning. They feel that management should lead by example and that cyber security should be embedded from the top down.
Next, Hessa Al Nahdi (CISO, UAE Department of Culture & Tourism) delivered a case study on ‘How We Modernised our SOC to Secure our Remote Workforce’, in which she discussed the challenges associated with the global shift to remote workforces and their cloud-based operations.
She found that visibility has become a particular weak point as threats and attacks become more commonplace. In her talk, Hessa also shared her SOC framework, from collection to response, to help businesses gain visibility into the multiple environments and technology layers used across their organisation.
After a short break, CWC MEA returned to focus on the Africa region with Dr. Erdal Ozkaya (Regional CISO, Standard Chartered Bank) presenting on ‘Cybersecurity in Africa – Where do we Stand?’. In his talk, Dr. Ozkaya gave some great insights into the state of cybersecurity on the continent, and how companies can best prepare and respond.
“Cybersecurity is not just the CEO or CISO’s responsibility. Build a cyberculture such that everyone in the organisation understands cyber risks and helps you mitigate them.”
Thereafter, 5 security leaders from Africa gathered for a very insightful panel discussion: ‘Doing More with Less’.
Ritasha Kalidas (Director IT Security, Risk & Governance, Tiger Brands), Samuel Mbonu (CIO, Tangerine Life), Rizwan Arain (Group CISO & Head of IT Risk, Habib Bank AG Zurich), and Michael Kwofie (Country CISRO, Standard Chartered Bank) shared views and tips on achieving affordable cyber resilience without increasing cyber spending. The discussion was expertly steered by Kerissa Varma (CISO, Old Mutual).
One of the key pieces of advice shared by Ritasha was to “bring security into project management so you don’t carry out the cost”, adding that “automation is a perfect tool to build security from the start”.
Michael then warned of the pitfalls of focusing on zero cost and gave his advice on how to get budget buy-in, highlighting the importance of communicating a clear strategy to management to get them on board. Samuel backed this, stating that “there’s a lot that we (cybersecurity experts) need to do regarding cost optimisation. It is important to have good negotiation skills to project the value of cyber security”.
While Kerissa stated that “newer technologies do not have to be more expensive”, one thought strongly shared across the group was that you don’t compromise on security tools. To conclude, Rizwan recommended looking into the processes and people you already have available, while Michael and Ritasha suggested stepping back and thinking about your fundamentals.
To end the MEA track, a long-overdue talk on ‘Rethinking our Approach to Security Talent by Embracing Diversity’ was delivered by Favour Femi-Oyewole, Group Chief Information Security Officer at Access Bank Plc.
In her enlightening talk, Favour shared approaches to address the shortfall of cyber security experts, tackling critical points such as greater diversity, wider outreach programmes or changes in recruitment. She also gave insights into what diversity in cybersecurity means today and shared tips on how to rethink traditional approaches.
EUROPE – Forward-Thinking Cyber Security to Secure the Next Wave of Digitalisation
Cyber World Congress’ Europe segment kicked off with Axonius’ keynote delivered by Nathan Burke, CMO: ‘Why Asset Management Matters for Cybersecurity’. As the line between IT and security continues to blur, Nathan gave an expert talk on the asset management challenge, showcasing its use-cases for cybersecurity.
The programme then continued with the panel: ‘How Should Cybersecurity Support the Next Wave of Digital Business Transformation?’. Simone Pezzoli (CISO, Autostrade per l’Italia) moderated the discussions between Balint Torok (Head of Information Security & Management, Nilfisk), Josué Delgado (CISO, Lusíadas Saúde), James Hamon (CISO, Financial Ombudsman Service), Bjørn R. Watne (SVP & CISO, Storebrand), Niamh Muldoon (Senior Director of Trust & Security, OneLogin), and Andrew Tsonchev (Director of Technology, Darktrace).
The 5 panellists shared their views and expertise, answering numerous questions on balancing digital transformation needs with cyber security strategy. Bjørn insisted that: “The lead of the business always has to come first. The whole cyber strategy has to evolve with the business digital needs”. This sentiment was shared by James, stating: “Strategy is key; ensuring longer-term strategy instead of short term reaction which often leads to lost sight – with a lot of mistakes made”.
Another point raised during the session was budget considerations to ensure Agile, DevOps, Cloud and Data are managed in a secure-by-design fashion. One smarter way to get a return on your investment, advocated by most of the panellists, is continuous collaboration with development teams to ensure complete alignment between technology and security, building the security cost into the lifecycle of an IT product.
On the flip side, when budget is limited, Josué highlighted the importance of making the DevOps team accountable for some of their own activity. Simone also questioned the panellists about concerns they have with remote working and identity management.
Josué answered that his “biggest concern is always the human factor” and cited that increasing awareness was the main challenge associated with remote work. Andrew then chimed in, stating “Security needs to be a lot more knowledgeable, understandable – understand human behaviour – It all starts and ends with your user communities”. On that note, Niamh added: “Digital transformation is driven by humans – it is a cultural change”.
One of the key aspects linked to digital transformation is the trust acumen – how do you build trust in security into your brand and generate value from it to prove that you can become a business of choice? Balint concluded on a positive note: “There is a very clear need in the business and customer to demonstrate that we are doing the right thing. Security needs are growing with digital transformation needs which is very positive”.
Andrea Szeiler (Global CISO, Transcom) followed with a case study on one of the ‘hottest topics’ of the WFH challenge, sharing Transcom’s journey and lessons learned while adopting the Zero Trust philosophy.
Nick Pavlichek, Product Manager at OneTrust, subsequently talked us through ‘5 Steps to Overcome Data Overload: Using Data Discovery & Risk Formulas to Standardize Risk at Scale’, sharing data classification methods and flexible risk formulas that organisations can use to map their information and harness real-time updates.
Ardie Kleijn, newly appointed CISO at Transavia, delivered a thought-provoking talk on cybersecurity leadership in which he explained how security leaders can exchange a system of control for an environment of trust and empowerment – a strategy he himself implemented in his former position as CISO of the Dutch National Police.
Ardie’s talk was followed by a presentation by Alexis Horn (Director of Product Marketing, Invicti) on ‘Invicti’s Proven Approach to Web Application Security’, a tested approach to providing automation, visibility, accuracy, scalability, and developer enablement in order to eliminate the security bottleneck and reduce friction between security & development teams. In this short and insightful talk, Alexis gave a clear overview of today’s application security challenges and shared steps to secure your web assets.
Another key challenge associated with the spread of digitalisation and remote work is keeping your staff safe and up to speed with good security practices. To delve into the topic, Daniela Lourenco, BISO at CarNext.com, delivered an enlightening talk on ‘The Future of Cybersecurity Training’ in which she shed light on the differences between passive and active “awareness” delivery strategies.
She also shared actionable tools to ensure that your cyber training is meeting the expected outcome, tips on how to understand the needs of each organisation, and real-life examples of what to avoid.
To conclude the European segment, Maciej Szot, Group Information Security Director at Eurofins, shared his hands-on experience with ‘Avoiding the Traps When Building a SOC’. He talked us through his experience of building out a security operations centre, from buying the tools, through deployment & troubleshooting, to hiring for and empowering the SOC.
LatAm – Modern Cyber Resilience for Today’s Digital Environment
Felipe García (CISO, Scotiabank), Carlos Russell (Business Conduct & Cybersecurity Director, Ternium), Michel Ramirez (CISO, Essbio), and Fernando Cortes (CISO, Emergia Contact Center) opened the LatAm segment with a fruitful discussion on ‘Pivoting from Recovery to Continuity to Achieve Operational Cyber Resiliency in Today’s Digital Environment’.
The main questions explored were: What adaptive security strategies have you adopted to respond to threats more quickly, minimising potential damage while continuing to operate under attack? How do you ensure business resilience moves further up the leadership agenda? Do more tools equal more complexity? What are the barriers to the adoption of cybersecurity best practices?
“Achieving a best-practice level of maturity, which leads to resilience, is a process and it takes time. Today, we are seeing more sophisticated attacks, which require more sophisticated layers and levels of protection. Cyber security needs to be embedded in all business processes” stated Carlos Russell.
Similarly, Felipe García commented, “You learn something each day on how to adapt to be resilient in every situation.”
Following the panel discussion, Márcia Tosta (CISO/Information Security Executive Manager, Petrobras) presented ‘Smarter Ways to Manage Vendors through Better Controls’. In her talk, Márcia shared practical insights on the topic, disclosing a 5-step plan to guide you through the journey. She closed her presentation with a quote every CEO should keep in mind – “Cybersecurity is always seen as excessive until an incident happens. Then, it will be seen as insufficient”.
The LatAm segment closed with a very popular keynote delivered by Julio C. Padilha (Head of Security (CSO|CISO), Sodexo Benefits & Rewards Services): ‘The Agile CISO – Moving From ‘Dr. No’ To Business Enabler’.
In his empowering talk, Julio highlighted the importance of always adapting security processes to the business’s needs, especially in more difficult periods. He stated that this means you need to really understand your business: mapping the security risks accordingly, providing security guidance to new projects & initiatives, and sensitising the company to the importance of security as a whole.
In Julio’s own words, “I believe if you adopt a “security by design” culture, agile methods will not be an issue because security will always work in parallel with all Sprints”.
North America – Procedures and Strategies for Cyber Incident Response and Business Continuity in a Fast-Paced Threat Landscape
Nick Ritter (CISO, First Financial Bank), Jeffrey Ericson (CISO, MedRisk), Roger Caslow (CISO, HRSD), and Jason Cathey (CISO, Bank OZK) opened CWC’s North American segment with the lively panel discussion: ‘Are you Prepared for the Changing Threat Landscape?’.
As Jason Cathey summed it up, “One thing is certain: we don’t wanna be the low hanging fruit. While the threat landscape may have different hotspots, it hasn’t changed very much; we may have changed our focus and redirected it to the endpoints and the end-user in our control environment. I encourage everyone to share information/intel with the community.”
Kelly McCracken (VP Security Response Center, Salesforce) then presented on ‘Developing an Incident Response Plan You Will ACTUALLY Use’, walking attendees through the necessary steps to ensure their organisation is prepared to respond to any incident it may encounter.
Christopher Dobrec (VP of Product Marketing, Armis) followed with a talk on ‘Asset Inventory: How Security Teams get a Comprehensive View of IT, IoT, OT and More’, touching on the wave of unmanaged and IoT devices connecting to today’s networks, the fragmentation of device data across different IT & security tools, and the risks and vulnerabilities these new devices introduce.
The next panel discussion was ‘The Evolution of the Role of the CISO over the Past 12 Months – How the Pandemic has Reshaped the Security Function’.
Hung Lee (CISO, Kasasa), Mark Milne (CISO, NuSkin Enterprises), Joey Rachid (Senior Director of Information Security & Deputy CISO, Standard), Todd Bell (CISO, Valleywise Health), and Dennis Tomlin (CISO, Multnomah County) sat down to exchange their views and share their experiences with adapting to an entirely different landscape over the past 12 months, how their role has evolved, lessons learned, and how they are planning on addressing future security needs.
“I’m changing the way I operate and getting out of my comfort zone,” explained Todd Bell. He later added: “Invest in your employees and invest in becoming a better version of yourself from a leadership perspective.”
Dennis Tomlin then concluded: “There has certainly been a shift in our priorities. We have been working on our workforce retention, as well as on augmenting or building our culture in a different way. Every day brings a brand new challenge: what I like to call the threat du jour. As a result, open-mindedness and flexibility are key”.
In a talk on ‘Solving Asset Management for Cybersecurity’, Nathan Burke (CMO, Axonius) showed why teams still struggle to get a straight answer about assets. He also demonstrated a simple approach to asset management for cybersecurity, aimed at getting a comprehensive asset inventory, uncovering security gaps, and automatically validating and enforcing security policies.
Cyber World Congress’ final session was centred on ‘Handling Incident Response Successfully in a Multi-Cloud World’. Moderator Darell Bateman (CISO, City Bank) alongside Rob Hornbuckle (CISO, Allegiant), Robert Eckman (CISO, Kent State University), Ido Dubrawsky (CISO, Emmes), and Dee Young (CISO, UNC Health) discussed and offered recommendations on real-world strategies for detecting, responding to, and remediating incidents in a multi-cloud world.
“I think the cloud is probably about 5 years behind endpoints at this point, where the cloud really needs to get to that automated space. […] But again, it’s something that every organisation has to own and once we really embrace automation, it’s gonna allow us to address those areas more specifically […] working with the engineering architecture team rather than having to deal with the day to day more rudimentary stuff. That’s where I see the industry going at this point” commented Bob Eckman.
In her concluding remarks, Dee Young encouraged everyone to keep on learning and stressed the importance of talking to peers to exchange experiences and ideas – a sentiment we at QG Media wholeheartedly share.
Stay tuned for our future events dedicated to offering valuable platforms for communication and collaboration for security leaders around the world.
Written by Cecilia Limonta and Mariana Valette.
Working in critical infrastructure? Register to attend our sister event, Cyber Security for Critical Assets World, taking place on May 6th for a 24-hour programme dedicated to IT/OT/ICS security for the world’s Oil & Gas, Energy, Chemical, Mining, Utilities, Power and Water industries.
Use complimentary* discount code: CWCVIP at checkout – world.cs4ca.com/register/
Keep up to date with all our regional cyber security events here.
*T&Cs apply. Offer open to end-users only. Vendors & consultants are welcome to purchase a ticket online.