Swiss CISO Summits take place three times a year. This overview details past events.
Keynote 1: Protecting the enterprise: IT risk and security in the overall corporate context
Speaker: Domenico Salvati
How does information technology contribute to the protection of the enterprise? What is its role in the overall corporate security context? Domenico Salvati highlights the context in which corporate boards perceive cyber security. While the important role of cyber security is unquestioned today, IT risk and security experts tend to overlook the fact that it is (only) one piece of the overall security puzzle. To further advance cyber security, the CISO needs to position it within a corporate security framework.
To sharpen the role of cyber security in the corporate context, Domenico merges the Governance, Risk and Compliance (GRC) and the Three Lines of Defense models and positions cybersecurity within this comprehensive view of the enterprise. A third concept rests on terminology and is concerned with “events” and (security) “measures”. As will be shown, the aforementioned concepts underlying information technology are also suited to position other corporate risk and compliance functions in a corporate context (cybersecurity being one of them). In consequence, this view of the overall corporate security context yields the opportunity to create a well-tuned reporting system including other functions such as compliance management or data protection, to name a few.
For over ten years Domenico Salvati has worked in positions such as “IT Risk Response & Mitigation”, “IT Risk Compliance and Oversight” and “Operational IT Security”, most of these for a large Swiss bank. During this period, he also researched the “Management of Information System Risks” at the Swiss Federal Institute of Technology in Zurich (ETHZ), for which he gained his PhD. Since 2010 he has held the position of Enterprise Risk Manager for a large health insurer in Switzerland. With the change from information security to enterprise risk management, Domenico gained a new view on cyber and IT security and will share this with the audience.
Keynote 2: Cyber insurance: What is its scope, and when is insurance a valuable option?
Speaker: Willi Stössel, Swiss Re Corporate Solutions
Cyber insurance has evolved from data risk and business continuity risk coverage to holistic approaches that help enterprises deal with residual risk. Insurance is the last line of defense for many enterprises before they self-carry the financial loss of risks. Bruce Schneier introduced the following philosophical concept: cybersecurity measures are good for reducing the insurance premium, but there are few arguments for going beyond that point. In the presentation Willy Stössel, a senior expert from Swiss Re, provides insights on the corporate cybersecurity measures expected when offering insurance contracts, their impact, and the dependencies involved.
Willy Stössel has been Head of Cyber, Technology & Construction at Swiss Re Corporate Solutions since 2007. The team is responsible for writing primary and excess liability covers for large industrial companies on a worldwide basis. Willy has been instrumental in launching Swiss Re‘s Cyber Liability products and building a large worldwide portfolio of Technology E&O related risks. Prior to this role, he was responsible for underwriting various other industry segments including heavy machinery, utilities and pharmaceutical companies. He has close to 20 years of experience in the insurance industry and has always been focused on risk transfer for large corporations.
Keynote 1: Best of Breed Security Architecture: Protection Level and Borders of State-of-the-Art
Speaker: Rajesh Nair, Detecon (Schweiz) AG
Moving on from the traditional focus of defense in depth, there is a need to come ever closer to being able to understand security from a business context. Architecting a security solution then becomes even more an integrated approach between the IT and Business teams, with Operations becoming more central in the entire chain. Additionally, the architecture design extends outside the organizational boundaries, specifically in highly integrated environments. This presentation will explain state-of-the-art security architecture from a different «highest security» perspective.
Rajesh Nair worked with Swissgrid from 2009 in various roles covering Strategy, Architecture, Cyber security and as the Chief Information Officer. The main focus of his work in Swissgrid was the design and implementation of Swissgrid Architecture, building up a central capability to monitor and control the Swiss National Transmission grid. He led a team of over 120 ICT experts. He was responsible for the Corporate and Industrial IT of Swissgrid as well as for the design and operation of certain critical pan-European ICT infrastructures. Rajesh has been in the Energy industry for over 20 years and has worked for ABB, Deloitte Consulting, Suntec and Alstom. He has also had various functional roles ranging from Financial controlling, Product development, Strategy, Project Execution and General Management in these companies, which gives him a balanced corporate view on technology. Since Oct 2016, Rajesh has been a part of the Detecon team, working on a number of strategic initiatives mainly on the topics Cyber Security, Big data and New technologies.
Keynote 2: Detection and Response: Empowered by Intelligence led Security Operations
Speaker: Will Semple, PwC
Observing the market, a relevant shift in security budgets towards detection and response has happened in recent years: today it is a well-known fact that any organization will be breached. Readiness for detection and response is the key to mastering the situation and means storing data over a long period (two or more years) and understanding the intelligence management lifecycle on the strategic, tactical, operational and technical level as well as the attack models. Detection needs threat intelligence, security analytics and use cases against which the data are screened. Finally, on learning about a potential breach, the first step is verification: if the breach is confirmed, prepared measures that can be invoked promptly help to master the situation.
This presentation highlights the functional principles of how detection and response really work.
Will Semple is a Leader in the PwC Cyber Security Practice responsible for Managed Threat Detection and Response Services and Advanced Security Operations, and a Security Analytics SME. Will works with PwC clients globally, helping to solve some of their most challenging cyber risk questions. Prior to PwC, Will served as Head of Global Threat for the New York Stock Exchange, managing cyber risk from nation state attackers, industrial espionage, hacktivism and cybercrime related incidents. Will was later appointed CISO for the European, APAC and Commercial business units of the NYSE, overseeing EU and US Regulator interactions for the Exchange on Cyber matters. Will has actively contributed to the industry by serving as Chair of a European Council working group on Network Information Sharing and Incident Response and assisted in the formulation of policy and legislation for Cyber Security in the EU.
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
Keynote: Security Startups: Global trends in security startup investments and the digital identity revolution in Switzerland
Speaker: Thomas Dübendorfer, President Swiss ICT Investor Club (SICTIC)
Information security is in dire need of innovation as attackers are getting more and more sophisticated, are better funded and run more targeted attacks. Thanks to security startups, new cyber defense methods and more secure systems are transferred from research or the military to products used daily by corporations around the globe. The talk will show investments in security startups globally that are contributing to innovation and which areas are especially hot. Furthermore, the talk will discuss how to work with a security startup as a corporate customer and which risks to be aware of. Finally, I‘ll highlight some recent developments on digital identities in Switzerland, which will be essential for the security of online business transactions as they are at the core of many digital business processes.
Thomas Dübendorfer is the president of the Swiss ICT Investor Club (SICTIC), an IT security expert and angel investor. He is the co-founder of several Internet technology based start-ups in Switzerland, including Contovista, Frontify, Spontacts and YES Europe AG. He shaped the Information Security Society Switzerland (ISSS) as president for five years. He has lectured on network security for ten years at ETH Zurich and is the co-founder and chairman of swisssecurity.org, which connects the leaders of all key information security organizations active in Switzerland. He has served in a variety of technology leadership, research, development, teaching, board and consulting roles. He has worked as a software engineer in Silicon Valley and for seven years as tech lead for fraud detection, security and privacy engineering projects at Google, and has received three prestigious EMG awards from the Google founders.
First-hand presentations from startups
Instead of a second speaker we have invited eight carefully selected and distinguished security startups (Futurae, Notakey, Cybellum, IRONSCALE, Minerva, Morphisec, Dathena, and Fireglass) to present, in a Pecha Kucha style presentation (7 minutes), the company and its strategy, the functional specification of the product and early adopter case studies.
Innovative “World Coffee” style discussion
The discussions will take place between the participants and the startup representatives in world coffee style: 15 minutes of discussion with each founder / delegate in small groups of 3-5 participants.
Keynote I: Addressing General Threats and APT: Experience with an all-in-one approach
Speaker: Stefan Lüders
Like any other enterprise, university and organization, CERN is under permanent cyber-attack: automatic scans, script-kiddies, white hats, hacktivists, but also through advanced persistent threat (APT) actors trying to infiltrate the organization. Given CERN’s academic environment, however, CERN cyber-security must be well balanced with CERN’s academic mandate and the free and open operation of its assets. This presentation shall outline CERN’s computing environment, the identified cyber-risks associated with it, and the various measures implemented and deployed in order to prevent, protect and detect any kind of cyber-attack.
Stefan Lüders, PhD, graduated from the Swiss Federal Institute of Technology in Zurich and joined CERN in 2002. Since 2009 he has headed the CERN Computer Security Incident Response Team as CERN’s Computer Security Officer, with the mandate to coordinate all aspects of CERN’s computer security – office computing security, computer centre security, GRID computing security and control system security – whilst taking into account CERN’s operational needs. Dr. Lüders has presented on computer security and control system cyber-security topics on many occasions to international bodies, governments and companies, and has published several articles.
Keynote II: Communication throughout incidents and crisis
Speaker: Juan Carlos Lopez Ruggiero
The communication concept in security incidents and crisis management is a subject that involves three disciplines with common elements: Security, Risk and Compliance. Knowing how to communicate an incident means knowing how to handle it. The speaker will bring up communication processes and notions used in case of incidents and crises and share some “do’s and don’ts” from real environments, with an eye on the imminent GDPR regulation. Three basic aspects of the speech are:
- The Incident must stay underground.
- The Incident can be communicated internally, but to a limited group (still secret).
- The Incident must be brought to media.
Juan Carlos Lopez Ruggiero is a global Risk and Security Executive with 20+ years of experience in implementing complex IT solutions in Risk Management, Cyber Security, Regulatory Compliance and Quality Management across multiple countries and industries. He has led IT organizations in implementing COSO, COBIT, ERM, ISO 27001, 6SIGMA, ISO 31000 and CMMI tenets, Lean Manufacturing strategies, and metric-based management. Having been the global CISO and Chief Risk Officer for Royal Philips, Juan Carlos is currently the CSO for DXC Technology in Switzerland and GDPR Lead for the EMEA region. He holds a degree in Law and speaks at least 7 languages fluently.
Culture and Congress Centre Luzern (KKL)
Europaplatz 1, 6005 Luzern
Keynote I: How to crack the problem of insider threats – practical experiences
Speaker: Igor Podebrad
The starting point and first line of defense against insider threats is always a well-designed awareness campaign. But awareness itself is just one piece in a complex puzzle. Identifying the core information assets and their threat model leads to the risks. These risks are then evaluated with a business impact analysis, so that transparency of the risk exposure is reached and an internal discussion for addressing this topic at executive level can be triggered.
As second- and third-line-of-defense measures, a precise description of processes (i.e. process frameworks), multidimensional attribution of data, the four-eyes or multiple-eyes principle during execution and control, Chinese Walls (the strict segregation of duties and of critical or contradicting roles), as well as technical measures such as logging of relevant actions and their context, adequate monitoring, evaluation and alarming schemes are effective in mitigating insider threats. In special areas additional cameras will help to defend against insider threats and to have evidence in case an incident happens anyway. Experience of which measures have proven effective, and which did not meet expectations, will be shared.
Igor Podebrad is Group Chief Information Security Officer at Commerzbank AG, Germany. In addition, he is adjunct professor for digital forensics and cybercrime at the University of Applied Sciences Brandenburg at Havel, holds a PhD from Freie Universität Berlin and has relevant research experience in secure computer architectures in collaboration with the Helmut Schmidt Universität of the German defense forces in Hamburg. His work experience comprises management positions with tasks in IT security standards, threat analysis, digital forensics and threat mitigation & defense.
Keynote II: What kind of insider threats must we expect and how can we optimize effective counter measures?
Speaker: Andrea Gergen
The cyber security industry is developing more and more sophisticated solutions to make it ever harder for external attackers and insiders to steal the crown jewels of the company. Besides implementing these new solutions, companies are concentrating on implementing policies and awareness programs to mitigate the risk arising from insiders, the weakest link in the cyber security processes.
Trends show that on the one hand the attack surface, i.e. the motivations and possibilities for insider threats, is continuing to grow, and on the other hand cyber security programs are concentrating on building more complex solutions, additional barriers and more awareness programs. The speaker presents a holistic view of the current state, future trends and a potential way to get more out of the current measures by taking an insider-type-centric view.
Andrea Gergen is director in the area of cybersecurity and privacy at PwC Switzerland. In her function as lead of the Cyber-as-a-Service (CaaS) team she supports clients in transforming security solutions into an end-to-end working, risk- and cost-optimized security platform. Andrea has over 15 years of experience in IT and strategy consulting in different industries such as financial services, telecommunication, pharma, chemical and automotive, focusing on the implementation and transformation of IT security service management, process and service optimization and standardization, IT strategy management and innovation as well as Business Transformation Management.
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich
IoT and Industrial Control Systems (ICS) – Concepts, Risks, and the new Role for the CISO
Internet of Things (IoT) services, Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) are connected today to the internet via the corporate network. In many corporations these systems are in separate network security zones, with strong firewalls in between. The security risks of these technologies come from many sides: internal devices as well as mass installations from outside, such as DDoS attacks from COTS cameras world-wide directed at a few servers. For both kinds of security risk the CISO must elaborate security plans. With two leading speakers, one from research and innovation and one from an early adopter of the upcoming technologies, the discussion at the round table will be introduced and stimulated.
IoT services, Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), Industry 4.0 and Digital Transformation are pending issues in any enterprise, and future business success will depend on the timely and proper application and integration of these new concepts. In this context the CISO’s organisation must be included in such projects and provide solutions for security and resilience in the three phases „protect, detect and respond“.
As usual, the goal of Summit 13 is to learn from the speakers, from each other and from the background material which will be distributed before the meeting, in order to explore today’s baseline and design effective and efficient security solutions in these new fields.
For a long time it has been well known and well recognized that information security policies are the cheapest and most effective tool to increase security. However, a proper strategy to reach the precious goals set in the policy is needed. This is where things start getting complicated in practice: the implementation of Information Security Strategies.
More often than not the term “Information Security Strategy” is defined circumstantially and thus does not possess a commonly agreed upon, well established meaning. It could represent the real implementation strategy of a security policy, but it is often used as an umbrella term for several high-level documents forming the foundation for information security governance in a company. In general, the Information Security Strategy needs to be well tuned to the enterprise’s needs and socio-cultural ecosystem. If this is done successfully, the implementation of and adherence to the strategy will fall into place smoothly. If the socio-cultural ecosystem is not ready, a change program will help to prepare for the next steps.
The Information Security Strategy is a context-related document, and must be different before the cloud, with the cloud, with anywhere / any time work and with massive IoT inclusion into the company’s network. In addition, changes in society and the new behavior of young people will challenge the CISO to obtain buy-in. To be successful in the long term, societal change needs to be modelled, understood and taken into account. Careful, early verification of the applied models can help to avoid obstacles and lengthy discussions.
At the 14th Swiss CISO Summit you will hear two leading speakers. One gives a retrospective on the experience of aligning the strategy during his first 100 days in his new position as CISO, and the other provides a research and innovation perspective which will give some essential background and introduce the round table discussions.
As usual, the goal of Summit 14 is to learn from the speakers, from each other and from the material distributed before the meeting, in order to explore today’s most recent tendencies in preparing, governing and successfully implementing high-level information security steering documents.
Third Party Security and Patching: How to face this major vulnerability?
In analyzing the root causes of incidents, third party security and patching is strongly represented as a solution to attacks around 80% of the time. It is, thus, an utmost and urgent issue that needs addressing.
From the perspective of attackers, it is essential to run the attack business well, which is why they invest 10-20% of their time investigating the weakest point in the targets’ defense concepts. Well protected multi-billion-dollar global companies are hard targets to hit, but their suppliers, contractors, clients and partners are often protected on an SME level only.
Against this background, the weakest link is often a third party, which is an ideal situation for hackers to get an easy hook into the well protected castle.
There are many statistical reports on patching. With an observed share of 50% of patched systems functioning 10 days after a patch has been implemented, it is clear that the patching sequence is in many cases far less effective than it should be. The other 50% of systems remain vulnerable, with known weaknesses for which attack suites can be downloaded from the internet or the darknet. For any hacker, these are easy targets that can be conquered at very low cost.
The theory behind the topic is really very easy to understand; the counter measures, however, need many careful steps. There are two enlightening presentations on this topic at this summit. The first one deals with third party and patching issues in procurement and creates a binding framework for security issues in partnerships. The second one is based on real-time measurements in which the partners are monitored with software, and information will be presented on the really important issues of how the observed weaknesses can be presented and eliminated.
As usual, the goal of Summit 16 is to learn from the speakers, from each other and from the material distributed before the meeting in order to explore today’s most compelling trends in addressing the information and cyber security challenges with the best set of controls.
Culture could be considered as “the ideas, customs, and social behavior of a particular people or society” and represents commonalities of specific groups of people, including beliefs in specific values. Typically, most people think that culture is static rather than dynamic.
Our observation of the recent past shows fast changes in technological and communicative means such as the internet, smartphones, group building (including on-line groups), innovation and societal integration. An additional factor is the seamless mixture of societies, such that today we naturally work in teams from many nations, while 50 years ago we immediately felt a difference, even from people of another city in Switzerland.
As security officers, we are concerned with all three issues simultaneously: fast changes, a seamless mixture of people of different origin, and nearly any mixture of beliefs and values. Without governance and clear direction, companies might develop a nearly unlimited number of very different, odd subcultures. Now our task begins: to care for a forward-directed and agile security culture, which adapts continuously to new situations.
We will get a report from Swisscom (main issues: business IT, mobility and cloud) and from SBB (main issues: OT, digitization and industrial control systems) on how they approach this enormous challenge. First bring the employees around to accepting new technology, processes and human interaction, and then demand on top of these aspects a new security culture. How to keep motivation at a high level, create identification with the security controls, and protect the IPR and the data? How to measure these aspects, and how to select the best option in a specific situation for a well-defined change program? Now we welcome you to the world of the 17th Swiss CISO Summit.
The perception of cloud services has changed dramatically: in the beginning, there were statements from national administrations that deeply distrusted cloud services and discouraged organisations from moving their data and operations to cloud service providers. Today the largest banks have closed a deal for their highly sensitive data with a cloud provider: the world has changed.
The gap may be explained by changes within the cloud architectures, including options to use strong customer-managed encryption keys to ensure ownership and privacy for the application and data.
A purely one-to-one relation between cloud providers and organizations may be the reality for some at the moment. However, a multi-cloud approach is more likely to be adopted by a majority of organizations to mitigate systemic risks, use differentiated services and optimize costs. Not a core topic, but interesting for us as individuals: we relate to multiple cloud providers (e.g. WhatsApp, Twitter, Skype, etc.) even when we are unaware of it.
We can conclude that cloud usage is today a preferred model to profit from the economy-of-scale effects of hardware and operating system maintenance, but even more from the highly sophisticated security management: the larger the cloud provider, the more people work in security engineering and security operations, and therefore the higher the level of service provided. The numbers in the background are enormous and can be between 50 and 5,000 professional security engineers. Fortunately, organizations can select from a variety of service providers, such that after a contractual period a change is feasible. But what are the exit scenarios, and what needs to be prepared already when entering the contract?
Andrew Hutchison (T-Systems) will present some of the key challenges for a hybrid cloud environment from a security perspective. Rolf Becker (UBS) will elaborate on UBS’s approach considering the requirements of one of the most sensitive cloud user groups. These keynotes will introduce and stimulate the discussion with questions such as how to negotiate with cloud providers on the use of private encryption keys, how to test security concepts and how to create preparedness for switching between cloud providers.
All Day (Tuesday)
Zunfthaus zur Schmiden, Zurich
Marktgasse 20, Zurich