Swiss CISO Summits take place three times a year. This overview details past events.
October 2017
Event Details
Keynote I: Addressing General Threats and APT: Experience with an all-in-one approach
Speaker: Stefan Lüders
Like any other enterprise, university and organization, CERN is under permanent cyber-attack: automatic scans, script-kiddies, white hats, hacktivists, but also through advanced persistent threat (APT) actors trying to infiltrate the organization. Given CERN’s academic environment, however, CERN cyber-security must be well balanced with CERN’s academic mandate and the free and open operation of its assets. This presentation shall outline CERN’s computing environment, the identified cyber-risks associated with it, and the various measures implemented and deployed in order to prevent, protect and detect any kind of cyber-attack.
Stefan Lüders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined CERN in 2002. Since 2009 he has headed the CERN Computer Security Incident Response Team as CERN’s Computer Security Officer, with the mandate to coordinate all aspects of CERN’s computer security – office computing security, computer centre security, GRID computing security and control system security – whilst taking into account CERN’s operational needs. Dr. Lüders has presented on computer security and control system cyber-security topics on many occasions to international bodies, governments and companies, and has published several articles.
Keynote II: Communication throughout incidents and crisis
Speaker: Juan Carlos Lopez Ruggiero
The communication concept in security incidents and crisis management is a subject that involves three disciplines with common elements: Security, Risk and Compliance. Knowing how to communicate about an incident means knowing how to handle it. The speaker will present the communication processes and notions used in case of incidents and crises and share some “do’s and don’ts” from real environments, with an eye on the imminent GDPR regulation. The speech distinguishes three basic cases:
- The Incident must stay underground.
- The Incident can be communicated internally, but to a limited group (still secret).
- The Incident must be brought to media.
Juan Carlos Lopez Ruggiero is a global Risk and Security Executive with 20+ years’ experience in implementing complex IT solutions in Risk Management, Cyber Security, Regulatory Compliance and Quality Management across multiple countries and industries. He has led IT organizations in implementing COSO, COBIT, ERM, ISO 27001, 6SIGMA, ISO 31000 and CMMI tenets, Lean Manufacturing strategies and metric-based management. Having been the global CISO and Chief Risk Officer for Royal Philips, Juan Carlos is currently the CSO for DXC Technology in Switzerland and GDPR Lead for the EMEA region. He holds a degree in Law and speaks at least 7 languages fluently.
Time
October 18, 2017 12:00 (GMT+00:00)
Location
Culture and Congress Centre Luzern (KKL)
Europaplatz 1, 6005 Luzern
January 2018
Event Details
Keynote I: How to crack the problem of insider threats – practical experiences
Speaker: Igor Podebrad
The starting point and first line of defense against insider threats is always a well-designed awareness campaign. But awareness itself is just one piece in a complex puzzle. Identifying the core information assets and their threat model leads to the risks. These risks are evaluated with a business impact analysis so that transparency about the risk exposure is reached and an internal discussion for addressing this topic at executive level can be triggered.
As second and third lines of defense, measures such as precise descriptions of processes (i.e. process frameworks), multidimensional attribution of data, the four-eyes or multiple-eyes principle during execution and control, Chinese Walls (the strict segregation of duties and of critical or contradicting roles), as well as technical measures such as logging of relevant actions and their context, adequate monitoring, evaluation and alarming schemes, are effective in mitigating insider threats. In special areas, additional cameras help to defend against insider threats and to have evidence in case it happens anyway. Experience of which measures have proven effective, and which measures did not meet expectations, will be shared.
Igor Podebrad is Group Chief Information Security Officer at Commerzbank AG, Germany. In addition, he is adjunct professor for digital forensics and cybercrime at the University of Applied Sciences Brandenburg at Havel, holds a PhD from Freie Universität Berlin and has relevant research experience in secure computer architectures in collaboration with Helmut Schmidt Universität of the German defense forces in Hamburg. His work experience comprises management positions with tasks in IT security standards, threat analysis, digital forensics and threat mitigation & defense.
Keynote II: What kind of insider threats must we expect and how can we optimize effective counter measures?
Speaker: Andrea Gergen
The cyber security industry is developing more and more sophisticated solutions to make it ever more complex for external attackers and insiders to steal the crown jewels of the company. Besides implementing these new solutions, companies are concentrating on implementing policies and awareness programs to mitigate the risk arising from insiders, the weakest link in the cyber security processes.
Trends show that, on the one hand, the attack surface, i.e. the motivations and possibilities for insider threats, continues to grow, and on the other hand cyber security programs concentrate on building more complex solutions, additional barriers and more awareness programs. The speaker presents a holistic view of the current state, future trends and a potential way to get more out of the current measures by taking an insider-type-centric view.
Andrea Gergen is director in the area of cybersecurity and privacy at PwC Switzerland. In her function as lead of the Cyber-as-a-Service (CaaS) team she is supporting clients in transforming security solutions into an end-to-end working, risk- and cost-optimized security platform. Andrea has over 15 years of experience in IT and strategy consulting in different industries like financial services, telecommunication, pharma, chemical and automotive, focusing on the implementation and transformation of IT security service management, process and service optimization and standardization, IT strategy management and innovation as well as Business Transformation Management.
Time
January 30, 2018 12:00 (GMT+00:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
May 2018
Event Details
IoT and Industrial Control Systems (ICS) – Concepts, Risks, and the new Role for the CISO
Internet of Things (IoT) services, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) are connected today to the internet via the corporate network. In many corporations these systems are in separate network security zones, with strong firewalls in between. The security risks of these technologies come from many sides: internal devices as well as mass installations outside, such as DDoS attacks from COTS cameras world-wide directed at a few servers. For both kinds of security risk the CISO must elaborate security plans. With two leading speakers, one from research and innovation and one from an early adopter of the upcoming technologies, the discussion at the round table will be introduced and stimulated.
IoT services, Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Industry 4.0 and Digital Transformation are pending issues in any enterprise, and future business success will depend on timely and proper application and integration of these new concepts. In this context the CISO’s organisation must be included in such projects and provide solutions for security and resilience in the three phases “protect, detect and respond”.
As usual, the goal of Summit 13 is to learn from the speakers, from each other and from the background material, which will be distributed before the meeting, in order to explore today’s baseline and to design effective and efficient security solutions in these new fields.
Time
May 29, 2018 12:00 (GMT+00:00)
October 2018
Event Details
For a long time it has been well known and well recognized that information security policies are the cheapest and most effective tool to increase security. However, a proper strategy to reach the precious goals set in the policy is needed. This is where things start getting complicated in practice: the implementation of Information Security Strategies.
More often than not the term “Information Security Strategy” is defined circumstantially and thus does not possess a commonly agreed upon, well established meaning. It could represent the real implementation strategy of a security policy, but it is often used as an umbrella term for several high-level documents forming the foundation for information security governance in a company. In general, the Information Security Strategy needs to be well tuned to the enterprise’s needs and socio-cultural ecosystem. If this is done successfully, the implementation of and adherence to the strategy will fall into place smoothly. If the socio-cultural ecosystem is not ready, a change program will help to prepare for the next steps.
The Information Security Strategy is a context-related document, and must be different before the cloud, with the cloud, with anywhere/any time work and with massive IoT inclusion into the company’s network. In addition, changes in society and the new behavior of youngsters will challenge the CISO in obtaining buy-in. To be successful in the long term, societal change needs to be modelled, understood and taken into account. Careful, early verification of the applied models can help to avoid obstacles and lengthy discussions.
At the 14th Swiss CISO Summit you will hear two leading speakers. One gives a retrospective on the experience of aligning the strategy during his first 100 days in his new position as CISO, and the other provides a research and innovation perspective which will give some essential background and introduce the round table discussions.
As usual, the goal of Summit 14 is to learn from the speakers, from each other and from the material distributed before the meeting for exploring today’s most recent tendencies in preparing, governing and implementing successfully high-level information security steering documents.
Time
October 30, 2018 All Day (GMT+00:00)
January 2019
Time
January 29, 2019 All Day (GMT+00:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
May 2019
Event Details
Third Party Security and Patching: How to face this major vulnerability?
In analyzing the root causes of incidents, third-party security and patching feature as the solution to the attack around 80% of the time. It is thus an utmost and urgent issue that needs to be addressed.
From the perspective of attackers, it is essential to run the attack business well, which is why they invest 10-20% of their time investigating the weakest point in the targets’ defense concepts. Well protected multi-billion-dollar global companies are hard targets to hit, but their suppliers, their contractors, their clients and partners are often protected on an SME level only.
Against this background, the weakest link is often a third party, which is an ideal situation for hackers to get an easy hook into the well protected castle.
There are many statistical reports on patching. With an observed share of 50% of patched systems functioning 10 days after a patch has been implemented, it is clear that the patching sequence is in many cases far less effective than it should be. The other 50% of systems remain vulnerable, with known weaknesses for which attack suites can be downloaded from the internet or the darknet. For any hacker, these are easy targets that can be conquered at very low cost.
The theory behind the topic is really very easy to understand; however, counter measures need many careful steps. There are two enlightening presentations on this topic at this summit. The first one deals with third-party and patching issues in procurement and creates a binding framework for security issues in partnerships. The second one is based on real-time measurements in which the partners are controlled with software, and presents the really important issues of how the observed weaknesses can be presented and eliminated.
As usual, the goal of Summit 16 is to learn from the speakers, from each other and from the material distributed before the meeting in order to explore today’s most compelling trends in addressing the information and cyber security challenges with the best set of controls.
Time
May 21, 2019 All Day (GMT+00:00)
October 2019
Event Details
Culture could be considered as “the ideas, customs, and social behavior of a particular people or society” and represents commonalities of specific groups of people, including beliefs in specific values. Typically, most people think that culture is static rather than dynamic.
Our observation of the recent past shows fast changes in technological and communicative means such as the internet, smartphones, group building (including on-line groups), innovation and societal integration. An additional factor is the seamless mixture of societies, such that today we naturally work in teams from many nations, while 50 years ago we immediately felt a difference, even from people of another city in Switzerland.
As security officers, we are concerned with all three issues simultaneously: fast changes, a seamless mixture of people of different origin, and nearly any mixture of beliefs and values. Without governance and clear direction, companies might develop a nearly unlimited number of very different, odd subcultures. Now our task begins: to care for a forward-directed and agile security culture which adapts continuously to new situations.
We will get a report from Swisscom (main issues: business IT, mobility and cloud) and from SBB (main issues: OT, digitization, industrial control systems) on how they approach this enormous challenge. First turn the employees around to accept new technology, processes and human interaction, and then demand on top of these aspects a new security culture. How to keep motivation at a high level, create identification with the security controls, and protect the IPR and the data? How to measure these aspects, and how to select the best option in a specific situation for a well-defined change program? We welcome you to the world of the 17th Swiss CISO Summit.
Time
October 15, 2019 All Day (GMT+00:00)
January 2020
Event Details
The perception of cloud services has changed dramatically: in the beginning, there were statements from national administrations that deeply distrusted cloud services and discouraged organisations from moving their data and operations to cloud service providers. Today the largest banks have closed deals for their highly sensitive data with a cloud provider: the world has changed.
The gap may be explained by changes within the cloud architectures, including options to use strong customer-managed encryption keys to ensure ownership and privacy for the application and data.
A purely one-to-one relation between cloud providers and organizations may be reality for some at the moment. However, a multi-cloud approach is more likely to be adopted by a majority of organizations to mitigate systemic risks, use differentiated services and optimize costs. Not a core topic, but interesting for us as individuals: we relate to multiple cloud providers (e.g. WhatsApp, Twitter, Skype, etc.) even when we are unaware of it.
We can conclude that cloud usage is today a preferred model to profit from the economy-of-scale effects of hardware and operating system maintenance, but even more from the highly sophisticated security management: the larger the cloud provider, the more people work in security engineering and security operations, and therefore the higher the level of service. The numbers in the background are enormous and can be between 50 and 5,000 professional security engineers. Happily, organizations can select from a variety of service providers, such that after a contractual period a change is feasible. But what are the exit scenarios, and what needs to be prepared already when entering the contract?
Andrew Hutchison (T-Systems) will present some of the key challenges for a hybrid cloud environment from a security perspective. Rolf Becker (UBS) will elaborate on UBS’s approach, considering the requirements of one of the most sensitive cloud user groups. These keynotes will introduce and stimulate the discussion with questions such as how to negotiate with cloud providers to use private encryption keys, how to test security concepts and how to create preparedness for switching between cloud providers.
Time
January 28, 2020 All Day (GMT+00:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
September 2020
Event Details
Traditionally, Development and Operation were two separate streams of activities, separated by long and intense testing, to guarantee near incident-free and secure operation. Time-to-market is a key issue and defines, from the business side, the performance and flexibility of a company in the market. The goal of speeding up the entire process from development to production is accepted by all business lines and is paramount for business success. Security requirements differ between applications. We have attracted two keynotes presenting critical applications in the rail and financial sectors, both taking advantage of an innovative combination of development and operation while maintaining a very high level of security.
Olaf Zanger will present Smartrail 4.0, a concept for the complete digitization of railway operation. In this case study the engineering process is predominant, including all quality and safety requirements. Smartrail 4.0 uses agile methods, and Olaf will present how the safety process can be adapted for secure software development. The main goal is to provide the highest possible software quality in a “mandatory fail-safe system”.
Christian Reinhard and Arno Aukia will present the Finnova secure banking operation platform, which is based on DevOps in development and operation: agile development processes, container platforms and the tools used for operational security engineering are core topics. From the technology partner, the focus is on the DevOps pipeline and technology; from the core banking application side, the focus is on the experience of setting up these systems, testing them, and handling risk assessment and security issues.
At this 19th Swiss CISO Summit we offer a forward-looking topic, which is often a blind spot in the eyes of the security office. I am convinced that the topic is very important and that we need to advance security in agile DevOps, together with a sound understanding of the risks.
Time
September 2, 2020 All Day (GMT+00:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
November 2020
Event Details
After a longer period of e-banking fraud, the resistance of the emerging, better protected e-banking against the hackers’ penetration attempts increased so much that the business model no longer worked out for the hackers. The hackers needed to find a new source of income.
The new source is primarily ransomware, which led them to develop trojan horses, install them on the victim’s system, and encrypt the data of the system. The victim cannot work anymore and does not see his data. At this point the hackers start negotiating how much money they want for releasing the crypto keys so that the victim can reuse his data.
Customers having a real offline backup just reinstall their data and carry on working. But there are quite a few corporations having mirrored server systems, which protect very well against hard drive failure, but not at all against crypto locker software.
A crypto locker ransomware, as well as other ransomware (e.g. payment for not publishing embarrassing or confidential data), needs time to be placed in a system that has been evaluated and selected by the hackers very carefully. Several steps are needed until the final key is pressed and all data are encrypted. During this period, Computer Emergency Response Teams (CERT) and Security Operation Centers (SOC) may find indicators of compromise and can potentially mitigate the upcoming catastrophe.
Our debate will examine strategies which were successful in specific cases and share strategies which did not succeed before the system was under the hackers’ control. And we will look at these strategies before the incident happened and at the response: how to negotiate with the hackers, how to start fighting, what fighting means for the victim, and how likely is success? How does the requested amount change when the fight continues for a longer time? Which type of support do we need in such a situation, and how can we get this support? And is it wise to look for partners before the incident?
The first presentation, from Frank Herberg (Switch), prepares the ground for a broad discussion of how detection of indicators of compromise works and how to respond to them. In addition, some response options are debated. The second presentation, from Johannes Dohren (PwC), presents a true war story and demonstrates vividly what “fighting against hackers” really means.
With this setup we expect to serve the community with an inspiring exchange for being better prepared and having more options to react to hackers’ attempts to harm us.
Time
November 4, 2020 All Day (GMT+00:00)
Location
Hotel Ador Sorell
Laupenstrasse 15
January 2021
January 2022
Event Details
Against the background of ever-increasing and more rewarding criminal activities: Dear CISO, how are you preparing your organization for the future? Scenario, Attack Pressure, Strategies, and Actions
In 2020 Germany suffered losses of 220 billion Euro related to cyber security incidents, according to the association Bitcom. Scaling this down to Switzerland results in more than 22 billion CHF, more than four times the Swiss military budget. Hackers are rewarded with good money, and they re-invest the money in better technology for attacking. This dream budget of the hackers is not available to their counterpart, the CISO offices, which must defend their IT infrastructures. How to communicate the new conditions to executive offices and make them aware that early investment in the security office might be better than sponsoring hackers later?
The pressure on hackers, i.e. the risk of getting caught, is relatively small, especially if they operate from countries with no law enforcement agreements with Switzerland and countries not cooperating with other law enforcement agencies. The hacking business has better profitability rates than drug and other criminal businesses. Hackers have realized that ransom works better when attacking critical infrastructure. Of course, they need more and new knowledge when attacking SCADA and ICS, but the investments pay back soon, as e.g. the Colonial Pipeline case demonstrated.
The Corona home office period displaces secure corporate working spaces to warm and beautiful homes. However, the security measures are not on the same level, and through diverse family interaction on the same network the attack surface grows. In other words, hackers have easier access.
Technological innovation does not stop: the Internet of Things, the cloud shift, choices of networks (4G, 5G, fiber, DSL), cellphones with enormous computing and storage capacity, and the new generation of software open up further attacks.
Against this background, we will discuss how security should be shaped in the following strategic period:
- What are the intentions of the top executives with respect to security? To which function should the CISO report? And how should the CISO deal with the new pressure from management, which wants more reporting, more reliable security, and more control over the security function?
- Which strategies must be followed to succeed with security in the next period?
- How to reorganize security and security offices for countering attacks in the new era?
- Which actions are most urgent to be taken?
- How to speed up the implementation of security measures for new technologies the company has procured?
Against this background, we want to have an open exchange, stimulating each other to gain a better picture of preparedness and a greater awareness of the many options to deal with the new and more challenging situation.
Time
January 25, 2022 - February 1, 2022 (All Day) (GMT+02:00)
May 2022
CISO Summit No 25
Event Details
In light of ever-increasing and more rewarding criminal activities, “Zero Trust” promises a solution. But what does it mean, and how to implement it?
Zero Trust is perceived as a practical approach in today’s cloud-first world. But what does it take to move from a Zero Trust strategy to active implementation? Gartner recommends as best practices for building a Zero Trust foundation the following measures:
- Create a secure, standard federated identity management system
- Apply adaptive access for more granular resource and access control
- Roll out user-to-application segmentation (Zero Trust Network Access (ZTNA))
Today, a cloud-first strategy can be considered default and promotes building software directly in the cloud rather than building on-premises and migrating to the cloud. The goal is to create software faster and reduce the overhead associated with on-premises resources and cloud migration.
Platform advantages of a cloud-first approach are flexibility, less overhead, more resources available without investments (i.e. cost-effective upgrades), improved recovery abilities, support options from the cloud provider, faster release cycles, and an integrated option for collaboration. The business advantages embrace innovation, new business models, and new composition and design of applications.
Secure identities play a central role in the cloud and in Zero Trust: with two or more factors, we can nail down the acting identity and make it responsible for its actions.
The Zero Trust model (NIST 800-207) applies the following principles:
- Permanent control: access must be controlled at any time for any resources.
- Limitation of impact: by segmentation, the impact of a compromise is limited. Lateral movement is not possible.
- Automated context detection and reaction: behavioral data are analyzed, and the contexts of all information technologies (Identity, End-device, Workload, etc.) are gathered and processed such that targeted responses are enabled.
These nice “promises” are compelling. First, however, we need to reflect on how to implement Zero Trust, which steps must be taken, and whether the security gain justifies the investment and work effort. The more fine-grained we implement access control, the more work must be invested in its design and implementation: What is the CISO’s experience? Where do we stop refining access control to keep the effort limited? And at what point is the second line of defense (the SOC) the better option?
We want to have an open exchange to create a sharp picture of the prerequisites for successfully implementing Zero Trust and for resilience in defending our systems against new forms of attack.
Time
May 17, 2022 All Day(GMT+02:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
October 2022
Event Details
At first glance, vulnerability management does not look very attractive. However, for many enterprises, engaging with the processes around vulnerability and asset management is very beneficial: it lowers the attack surface significantly.
Before starting with vulnerability management, the organization’s processes must be mature and well defined. This means that patch management, lifecycle management, and adjacent processes are established at a high maturity level. In addition, it requires a change of perception: from patch management as a way to reduce errors to patch management as a strategic security activity.
It is a well-recognized fact that asset management will never be 100% perfect, but approaching a state of “near perfect” is highly desirable. It includes hardware, software (applications), middleware, firmware, and services such as encryption (note: remember SSL Heartbleed). In addition, the link between assets and responsibilities is of critical importance, where a group or a person may be responsible for an asset or a group of assets.
We face two levels of automation today. The automation of software production with DevOps and DevSecOps is not relevant in this context. The automation and orchestration of vulnerability scanners, however, is highly relevant: the main processes must be efficient and automated, while zero-day exploits must still be followed and evaluated by hand. These two approaches must be connected and tuned to each other.
Another issue is the weight of a CVSS rating depending on the security zone in which the vulnerability shows up: the rating may differ from the systematic rating because of an enhanced or diminished business impact. The number of false positives, i.e. of false alarms, is paramount: unless this number is sufficiently low, these systems bring no value to the company. Finally, the everyday routine, including the human factor within groups and between groups, plays a major role in the success of the next generation of vulnerability management.
Time
October 25, 2022 12:15 - 19:00(GMT+02:00)
January 2023
Event Details
It is very simple: CISOs need more security investments to improve security.
Decision-makers want to innovate businesses and create more revenue. In this role, decision-makers must be risk-takers: no risk means no new business. On the other hand, CISOs feel responsible for the company’s security and hate having serious incidents. The anger would be even greater if a serious incident could have been avoided with a recently rejected security project proposal. The natural tendency of CISOs is to be risk-averse. CISOs must be aware of this opposing attitude of the decision-makers.
In the analysis of optimizing this ecosystem, there are two tools CISOs are using:
Reporting: This is how decision-makers receive information. They have been sufficiently educated and know how to process the information.
Risk communication and reporting: Cyber risks are not within the core competence of decision-makers, and cyber risks compete with many other risks for funding. The usual way of evaluating risk, by likelihood and anticipated damage, is somewhat shaky because it is often a rather heuristic approach. Science and companies are developing new tools to make the risk assessment process more transparent and better traceable. Does this change the mind of the decision-maker? Of course, there is still a gap between formal risk and business impact. But only business impact is relevant for decision-makers, and CVSS vulnerability scoring does not usually trigger any action.
The addressees of these efforts are the board and executive management. Both addressees have different roles, and we want to elaborate on these roles and on the variation between the various companies that will be present.
This summit aims to enrich each other with strategies, a successful mix of reporting and risk communication, and topics and methodologies that look great but fall short in this context. Marcel Zumbühl will open with the board perspective. We can learn how to prepare the communication with the most important facts and eliminate everything that bothers the decision-maker but has no real effect.
As a result, we hope for less work, because prepared information is more targeted and tuned to the decision-maker. And probably, in some cases, also a new dimension of humility, because we gain better acceptance and understanding of the decision-maker’s views.
Time
January 31, 2023 12:00 - 19:00(GMT+02:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
May 2023
Event Details
Cloud is an unstoppable development and transformation of IT infrastructure: the trend is paramount and does not depend on whether we like it or not; it is a fact. Regarding security, for example, we need to understand many details to secure the cloud. We understand many concepts today for single-cloud solutions. But today, any company uses many applications in the cloud, software-as-a-service (SaaS), as well as data storage and cloud servers that run our corporate applications. As a result, the infrastructure landscape has become powerful but more complex.
At the other end, we run our endpoints within the companies and urgently need endpoint security and resilience and Endpoint Detection and Response (EDR). These concepts are promising, but their interaction with multi-cloud environments is not obvious. An exchange based on experience should make transparent what works and what needs more attention.
Regulation is another issue. Is Richard Clarke, counselor for cyber security to US presidents for two decades, right when he states in a Słotwińska Computerworld interview: “the Swiss Cloud is just a business model, and does not inhibit US access to the servers”? And, of course, we have a relevant Swiss community that wants the cloud data center in Switzerland because of regulations. So our debate may result in a better understanding of the arguments of both sides: global geographic spread vs. in-country data residency.
Mark Barwinski will explain how SOC requirements change with EDR and multi-cloud. We must know a lot about what happens behind the scenes so that the expected advantages of a multi-cloud SOC can be achieved.
Manuel Fluri will share his experience with security products in the multi-cloud context. In short: contrary to expectations, products cannot simply be moved from on-premises to the cloud with their performance unchanged. It will be interesting to follow his experience.
Andrew Hutchison will explain which encryption and key management options customers have in order to be the only ones who can access and decrypt their cloud data.
With this setup, we want to contribute to this novel multi-cloud era and exchange best practices and experiences within the security community.
Time
May 9, 2023 12:00 - 19:00(GMT+02:00)
October 2023
Event Details
In an era where cyber threats loom large over organizations, the role of Security Operations Centers (SOCs) has never been more vital. The urgency is clear: it’s not a matter of if you’ll be targeted, but when. Statistics tell us that the average cyberattack inflicts a staggering CHF 4 million in damage in Switzerland alone. Imagine what this sum could achieve if you proactively secured your digital infrastructure.
Establishing their own SOC is a daunting challenge for many small and medium-sized enterprises (SMEs). This is where fully managed SOC service providers offer comprehensive monitoring and incident response capabilities. Outsourcing SOC functions allows SMEs to access professional-grade security services without breaking the bank. However, rigorous training and exercises are imperative in this evolving landscape to ensure seamless cooperation between the provider and the company.
On the other hand, larger corporations often choose to build in-house SOCs, establish collaborative networks with peers, and acquire real-time threat intelligence feeds. While these strategies offer unparalleled control, they demand a more sophisticated approach to training and development.
Learning from the collective experiences of SOC experts is paramount in optimizing SOC services. The pace of SOC advancements necessitates swift adaptation. Our upcoming round table presents an exceptional opportunity to share insights, explore red and purple teaming exercises, and uncover the benefits of these simulations. We also aim to delve into change and transformation processes, discussing strategies to elevate SOC maturity and identifying the prerequisites for transforming proficient SOC teams into exemplary units.
Time
October 24, 2023 12:00 - 19:00(GMT+02:00)
January 2024
May 2024
Event Details
Overview
- Keynote 1: How can we build High Performance Teams (HPTs) and ensure their successful development through exceptional leadership? Peter Kosel, Founder & Talent Community Manager cyberunity, and Former Board Member Sensirion
- Keynote 2: High Performance Teams in Cybersecurity – Our Experience at Swiss Post. Marcel Zumbühl, Group CISO Swiss Post and Board Director terreActive and Hacknowledge, and Davy Claude, Head of Security Champions Swiss Post
- Discussion Round 1: Refinement of HPT understanding, and how to apply methodologies in the CISO core team
- Discussion Round 2: How to transfer the ideas of HPT to the collaboration with stakeholders, teams and other related groups?
Keynote 1 – How can we build High Performance Teams (HPTs) and ensure their successful development through exceptional leadership?
High-Performance Teams (HPTs) in the Cyber Security sector offer unparalleled opportunities to address and surmount the industry’s most daunting challenges. As we delve into this discussion, one may wonder, how exactly do we construct such teams? Where do High Performance Teams find their most effective applications, and how do they distinguish themselves from other group constructs? Moreover, the choice of organizational design appears to be pivotal for nurturing HPTs, but what specific frameworks align best with their unique culture? Leadership, without doubt, plays a fundamental role in transforming average teams into high-performing powerhouses. But what kind of leadership is required? We will explore the essential components and strategies for developing HPTs, including the leadership styles and organizational designs that facilitate their growth and ensure their success.
Keynote 2: High Performance Teams in Cybersecurity – Our Experience at Swiss Post
We’ll share our story about creating high performance security teams, in particular our security champions community of practice. Let’s delve into crafting a robust security culture within DevOps teams by leveraging various strategies and partnerships. We’ll explore empowering DevOps through collaborative efforts with Bug Bounty Programs for rapid vulnerability resolution and with Security Operations for addressing zero-day threats efficiently. Additionally, we’ll discuss the significance of fostering inclusivity and diversity among collaborators to stimulate innovation and enhance performance.
Our conversation will extend to the importance of a learning culture, including how it impacts organizational dynamics. We’ll emphasize the necessity of allocating time and training for DevOps teams to sharpen their security skills and boost confidence, thereby fortifying security resilience over time. Remember to recognize the human element as an essential part of the solution.
Our goal is to give you various approaches to build a resilient security culture in your organization as a takeaway. Key takeaways:
- Diversity is a key ingredient of high performance teams. We need a balanced mix of gender, experience and skills to form robust and performing teams. Reach out to include non-tech people to cross into cybersecurity.
- Psychological safety: foster a climate that is blame-free and allows for mistakes, learning and speaking about vulnerabilities. Push away micro-aggressions and other hindrances that block people’s performance.
- Create a unified vision and strategy: cybersecurity is all about purpose and forward thinking. Explore the vision of your team and have everyone participate in shaping the security strategy of the organization.
Time
May 14, 2024 12:00 - 19:00(GMT+02:00)
Location
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich