August 21 - 23, 2019
Marriott Georgetown, Washington, DC

Day 2, August 22, 2019

7:45 am - 8:25 am Breakfast

8:25 am - 8:30 am Chairperson’s Opening Remarks

8:30 am - 9:15 am Embracing the Privacy Imperative: Navigating Regulations and Requirements

Lauren Heyndrickx - Chief Information Security Officer, JCPenney
Companies must navigate complex and rapidly evolving data privacy regulations and compliance requirements. Various state, national and global regulations, along with high-profile breaches, have made consumers look more closely at which data they share and with whom. The panel will explore the evolving patchwork of privacy and security regulations and how they affect big data, artificial intelligence, advertising and litigation. In this discussion, explore the emerging world of privacy with data as a currency, and look at who owns and controls the flow and use of data. This session will discuss planning, preparedness and response to evolving compliance requirements, including operational, strategic and proactive communications.
In this session:
  • Integrating privacy by design
  • Empowering privacy in enterprise risk management
  • Determining which state regulations to apply

Lauren Heyndrickx

Chief Information Security Officer

We have all seen the numbers. We are just beginning to understand how frightening they are to industries big and small. However, if we take a deeper look, we realize that we have seen this before. Taking those learnings, we can manage the risks. It is going to take all of us working together.

Mark Ramsey

Chief Information Security Officer

9:50 am - 10:05 am Networking Break

10:05 am - 10:35 am Business Meetings

10:35 am - 11:05 am Business Meetings

11:05 am - 11:35 am Business Meetings


11:40 am - 12:25 pm Bolstering Third Party Risk Management
With the common practice of using vendors for various business transactions, a clear understanding of the risk of sharing data is necessary. Business partners and suppliers must be carefully assessed to make sure they meet regulatory and compliance requirements, especially those of the European Union and other current and pending regulations. The consequences of non-compliance include stiff fines and breach notification requirements.
This session will explore the extended risk and attack vectors associated with vendor staff, products and services that originate outside of an enterprise’s defensive perimeter, and offer best practices for assessing vendor compliance, including:

  • Adjusting access levels for third party user and system accounts
  • Securing development of application integrations, including firewall configuration
  • Increasing industry collaboration and engagement to prioritize security


11:40 am - 12:25 pm CMMI® Institute: Building Resilience Through a Risk-Based ‘Cybermaturity’ Approach
The CMMI Institute interviewed CISOs/CSOs seeking to identify common themes in the challenges organizations are facing and the best thinking in solving those challenges. Recognizing the need to provide a holistic solution that aligns pragmatic insights with business objectives, the CMMI Institute built a risk-based capability maturity platform. The platform is an enterprise platform that can support organizations of varying complexity and security demands while providing a clear understanding of the priorities an organization should attack first.

Key Takeaways:
  • Understand the challenges global organizations are facing and how leading organizations are solving them
  • Understand a risk-based approach for prioritizing investment for organizations with varying complexity and security demands
  • Understand the CMMI Institute’s holistic approach to assessing the maturity of an organization’s security capabilities

12:25 pm - 1:25 pm Networking Lunch

1:25 pm - 1:55 pm Security's Role in Corporate Growth in the Digital Economy

In the current digital transformation, technology is often the business. Through collaboration, transparency and risk awareness, organizations can leverage networked economies and create new opportunities. Data needs to be secure and private so organizations can leverage, collaborate on and monetize information without being exposed to breaches, misuse of information or theft of proprietary data. Security teams are an integral part of the organization and need to reduce the likelihood of an attack and lessen and contain the impact of any breaches.

In this session, learn:

  • Communicating with stakeholders the security risks facing the enterprise
  • Monetizing data without compromising security or privacy
  • Quantifying the level of vulnerability and creating opportunities for remediation

Roundtable Discussions: Please choose your topic and join the relevant discussion.

2:00 pm - 3:05 pm Zero Trust Access: Five Steps to Securing the Extended Enterprise

The perimeter-based security approach of the last century is no longer adequate for securing the modern enterprise. Today, organizations must secure a mobile workforce that uses a mix of corporate-owned and personal devices to access cloud-based applications and services, often from outside corporate networks. The zero trust access model delivers that security without cumbersome and antiquated technologies such as VPN and MDM. Attend this session to learn how the zero trust access model works, how leading organizations such as Google use this approach to secure access to their critical applications and data, and how you can implement this model in your organization in five logical steps.

2:00 pm - 3:05 pm Staying Ahead of the Breach

CISO teams continue to struggle to gain visibility into their massive attack surface as the number of attack vectors, devices, applications and users needing protection continues to grow. What are the best ways to increase visibility of the ever-expanding attack surface? And how can you proactively mitigate what you see, rather than reactively remediate post-breach?
This roundtable will be a discussion on:

  • Why getting complete visibility into your attack surface is hard
  • Can AI be useful in automating visibility and analyzing the findings?
  • What are the best ways to prioritize today's ever-growing number of events/alerts? Can that be based on business risk?
  • Can you use vulnerability management tools in achieving this, or are new controls needed?


3:10 pm - 3:55 pm Achieving Risk Tolerance Through Solid Risk Frameworks
Concise, clear communication is essential to identify risk tolerance and the key assets that must be protected. Frameworks such as the NIST CSF provide a common language for stakeholders. Breach contingency planning and communications are as important as breach prevention. But strengthening relationships with legal, HR, PR and other stakeholders is often pushed aside, with the focus resting on breach prevention.

In this session:
  • Developing and practicing contingency planning
  • Utilizing risk frameworks for communications in a common language
  • Exploring the impact of changing legal and regulatory requirements


3:10 pm - 3:55 pm Preparing for a Quantum World
This future-focused session explores the potential impacts of advances in quantum computing and quantum cryptography on confidentiality, integrity, and expectations of privacy. Topics range from potential challenges, such as rendering some or all current encryption algorithms obsolete due to processing power, to the concept of a re-imagined Quantum Internet with possibly guaranteed confidentiality. The information discussed is intended to provoke insights into the emerging security landscape. Whether the advent of quantum-based computing and cryptography turns out to be beneficial or harmful (or both), expectations must be reset and realigned to plan for such a paradigm shift.
In this session:
  • Differentiating between a quantum computer and a classical computer
  • Understanding the impact of quantum algorithms on cryptography
  • Realigning expectations for the paradigm shift of quantum-based cryptography

3:55 pm - 4:10 pm Networking Break

4:10 pm - 4:40 pm Business Meetings

4:40 pm - 5:10 pm Business Meetings

5:10 pm - 5:40 pm Business Meetings

What are the main priorities of a security executive when hit by a breach? Will the incident response and disaster recovery plans really work? Ruben Chacon outlines his key learnings from facing a major cyber-crisis in a global enterprise setting.

In this keynote, Ruben Chacon provides insights into:

  • How malware incidents may unfold
  • Crisis management before, during and after the breach
  • Key priorities while responding and recovering
  • Ensuring communication flows with stakeholders

Ruben Chacon

Vice President and Chief Information Security Officer
Constellation Brands Inc.

6:30 pm - 7:00 pm Networking Reception