Best of GSX 2022: Focus on Cybersecurity
Learn about cybersecurity program initiatives in this curated package of GSX recordings.
Today’s security professionals manage risks from all sources. Ever-evolving cybersecurity threats need controls and mitigation to protect your organization’s assets.
This Best of GSX package contains 4 recordings covering multiple aspects of managing cyber risks.
This package includes:
- Validating Security Controls – Taking “We Think” to “We Know”
We all have security controls in place that we hope are detecting or blocking threat actor behaviors. But do they? Which behaviors? How do you know? If one of your security controls fails, will the activity still be detected? Traditionally, security control testing has been performed by red team operators. Unfortunately, these are point-in-time assessments. Ideally, the red team would be involved in revalidating the control with every software update or configuration change, but this is often cost prohibitive. During this session, Jake will help define the value proposition for security control validation and provide advice on how to operationalize and scale the practice. The next time an executive catches you in the hall worried about something they read about an incident at a competitor, you can confidently say "don't worry, we *know* we'd detect that."
- Lessons Learned From One CISO’s Experience Starting and Running a Bug Bounty Program
Managing an organization’s external vulnerabilities is a daunting task for CISOs. Unfortunately, comprehensive vulnerability management programs and penetration testing are not always enough. Motivated cybercriminals will find a way in. This session will outline a case study of how one global company fought back and filled the security monitoring gap with an in-house Bug Bounty program that rewarded threat researchers and individuals who flagged verified vulnerabilities. After multiple mergers and acquisitions, the company had accumulated a sprawling internet-facing global presence, increasing risk and requiring a fast solution. Leveraging humor in telling the successes and hard lessons learned from the program, this session will share the ins and outs of establishing, managing and running a Bug Bounty program.
- Developing A Cyber Tabletop Exercise That Touches Everyone
This case study shows how security management practitioners can develop a cyber tabletop (discussion-based) exercise that is designed to include a broad and diverse set of stakeholders, such as internal departments and external law enforcement partners. The case study exercise will show the manner in which the scenario elements were created in order to intertwine four main goals: 1. Develop a credible cyber exercise scenario that would include many departments; 2. Foster interdepartmental communications and coordination; 3. Incorporate partner public safety agencies into the exercise; and 4. Present the exercise scenario information in a manner so that the tabletop exercise players could more easily visualize the cyber incident's effects and impact on the entire organization. Learn how to build these scenario elements into a discussion-based tabletop exercise by considering the exercise's highest aspirational goals, its internal and external stakeholders, contemporary and probable cyber incident scenarios, and the focus of the attack.
- 10 Disciplines of Effective Cyber Security Leadership
At the intersection of physical and cyber security, the asymmetric threat has left the building and the attack surface has exponentially increased. The threat surface, vulnerabilities and opportunities for attack have grown with it, allowing infiltration of critical ecosystems. There is no “black box” that can be seamlessly integrated into customers’ or partners’ ecosystems to solve all their problems. To streamline organizational strategy and mitigate risk effectively, leadership must address all four pillars of risk: physical, technology, people and process. Here are 10 disciplines leaders can use in any business — small, medium or large — to mitigate their cyber risk, and the impact to their businesses, communities and people.