Ed Adams discusses addressing the cybersecurity skills shortage and the field's diversity imbalance. He cites a Cybersecurity Ventures projection of 3.5 million unfilled cybersecurity jobs by 2021. He argues that PCI standards, already influential in improving security, could also help close the gap: if more people from under-represented groups such as minorities and women are trained through PCI certification programs, many open jobs could be filled. Diversity also brings cultural and business benefits, with research showing that diverse teams outperform less diverse peers. Speakers offer tips for successful diversity initiatives, such as mentorship programs, partnering with universities, and ensuring all groups feel included and supported in technical fields.
Featured Session: Voices Live Chicago Conference
Location: Aon
200 East Randolph
Chicago, IL USA
12-2pm CST
Panel: Cracking the Glass Ceiling: Growing Female Technology Professionals
Will be streamed on Spreecast and WebEx from 12-2pm CST on Friday, March 13th
Moderators:
Margaret Resce Milkint, Managing Partner, The Jacobson Group; WING Co-Founder; ITF Board Member
David Mendelsohn, Managing Partner, DLA Piper; WING Co-Founder
Panelists:
Danelle Kent, Consultant, SWC Technology Partners
Danelle is a Certified Project Management Professional (NU) with 4+ years of combined experience in detail-oriented technical writing and quality assurance analysis. She currently supports the full software lifecycle by filling several functional roles, including quality assurance analyst, business analyst, and technical writer.
Arti Arora, Aon
Deanne Hettich, Vice President Practice Leadership, Aon Hewitt
Cynthia Clarke, CIO, Mesirow Financial
Jeff Hughes, Vice President Information Technology, CNA
Marisa Cabrera, IT Rotational Program Participant, CNA
Abstract: Despite the strides made recently for women in business, female tech professionals continue to be outpaced by their male counterparts. According to Silicon Valley Bank’s Innovation Economy Outlook survey, less than 50 percent of technology companies have women in the C-suite or serving on the board of directors. Only 19 percent of CIO positions for Fortune 250 companies are held by women.
In fact, the gender disparity among technology professionals seems to be increasing in spite of recent gains throughout the workplace. Fewer women are joining the tech workforce and the number of female students studying technology is in decline: today only 18 percent of computer science majors are women, compared to 37 percent in the mid-1980s. Add in a continued wage imbalance and a high turnover rate for female tech professionals mid-career and it is clear that there is work to be done. How can we encourage more women to join the technology field, and insurance technology in particular? What can be done to break down the barriers to success as a female technology professional?
This was the breakfast keynote for the ISSA Women in Security SIG held at the Disney Contemporary in October, 2014. The session looks at the info security issues from what can be expected in the near and mid-term future, the challenges of management and leadership talent in this area, and how women can uniquely fill the leadership gap.
Finance and Accounting professionals to bridge the gap with IT (Dinesh O Bareja)
The document summarizes a presentation given by Dinesh O Bareja on the role of accountancy and finance professionals in bridging the gap between IT departments and stakeholders. It discusses how accountancy and IT professionals have different but critical roles in organizations. It also outlines challenges that can arise between the two groups, such as differences in priorities and communication issues. The presentation provides recommendations on how accountancy professionals can better partner with IT, including understanding technology, participating in budget planning, and ensuring IT investments deliver value and efficiency.
The document discusses security challenges with outsourcing business functions to Asia and responses to those challenges. It covers domains that are commonly outsourced, security concerns regarding intellectual property, privacy, and technical threats. It then discusses how Asian companies have adopted information security standards and practices to address customer demands and compares their approaches globally. Key challenges include focusing too much on certifications, slow privacy law adoption, and gaining understanding rather than just compliance.
This document discusses the challenges of auditing emerging cyber threats and IT controls. It begins with a quote about competence becoming stale and the need for continuous learning. The document then covers topics like recent cybersecurity breaches, IT audit skills and certifications needed, emerging threats like social media and BYOD, and techniques like penetration testing and incident response planning. It emphasizes that maintaining technical skills is important for IT auditors to effectively audit new technologies and security risks.
This document discusses bridging gaps in information security and preparing for the future. It notes that the CIO and CISO roles are similar, as both require an understanding of technology and business, branding, and leadership. It emphasizes that information security and IT do not own risk, and that a "just say yes" approach works better than fear, uncertainty, and doubt messaging. It also stresses the importance of measurement, education, and leveraging existing frameworks to improve security and reduce risks like data loss.
05.15.2018 Mitigating Cyber Breach Liability for Companies and Board Members (Expert Webcast)
MAJOR TOPICS:
Cyber breach preventative strategies
Cyber written policies and procedures
Response during and after a cyber crisis
GDPR
Third-party vendor issues
Best practices for the middle market
Corporate and board best practices
Cyber Insurance
Transactional effects and deal due diligence
Notable legal precedent
David Doret (2019) SIGS IAM Conference: Revisiting IAM Foundations (David Doret)
The document summarizes a presentation on revisiting identity and access management (IAM) foundations. It discusses key IAM concepts like separation of duties, role engineering, and permission drift. It also proposes several IAM metrics that can be tracked, such as the percentage of access requests granted within service level agreements and the percentage of systems using single sign-on. Finally, it provides a bibliography of over 30 references on IAM topics including role-based access control models, economic analyses of IAM, and approaches for modeling IAM requirements.
Guest Lecturer BSU CS 498 Presentations. Discussion to show the different types of roles in cyber security and the value of a team with diverse experience and diverse talent.
2019 FRSecure CISSP Mentor Program: Class One (FRSecure)
The document summarizes the first session of a CISSP mentor program. It introduces the instructors and provides an agenda for the session. It discusses the history of the mentor program and the severe talent shortage facing the cybersecurity industry. It notes that while some claim the shortage is overhyped, most estimates indicate there will be millions of unfilled cybersecurity jobs in coming years. The document explores reasons for the shortage, including barriers to entry, lack of educational opportunities, and challenges with acquisition, retention and the male-dominated culture of the industry.
CyberSecurity has multiple facets. This talk will cover the various aspects. This talk will also highlight the fundamental problems in the space; from the technical, policy and personnel perspectives. A diverse agenda with a singular, focused mission needs to have multiple voices and cultures at the table. Thus, this talk will focus heavily on bias and ways of addressing them in the effort of creating a world class cybersecurity program.
This document provides information about an upcoming HDI Capital Area event. It includes details about the event such as date, location, speakers, agenda, and registration information. It also lists the chapter officers and provides announcements about upcoming HDI events, training opportunities, and programs. The main presentation will be on a simple approach to security and how to assess security risks and implement basic protections.
Cyberskills shortage: Where is the cyber workforce of tomorrow (Stephen Cobb)
I created this presentation, "Cyberskills shortage:Where is the cyber workforce of tomorrow" for a webinar to raise awareness of the need to educate more people about cybersecurity. The webinar recording is here: https://www.brighttalk.com/webcast/1718/106371
2-sec "A Day in the Life of a Cyber Security Professional" Interop London Jun... (2-sec)
Tim Holman, CEO of 2-sec, presents his average day including work on data breaches, penetration testing and security audits. He also discusses the skills gap in the information security industry and how ISSA-UK is attempting to coordinate training across the industry to improve the problem.
Cyber Security 101: Training, awareness, strategies for small to medium sized... (Stephen Cobb)
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
The document summarizes key insights and takeaways from the UK CIO Executive Summit. It thanks attendees for participating and highlights some of the main discussions from keynote speeches and breakout sessions. These included the need for CIOs to take a more strategic role and focus on business outcomes, embracing change and new technologies like blockchain, and cultivating diverse workforces. Information about participating companies and executives is also provided. The document promotes connecting again at future events to continue the discussion.
The boom in the digital space has increased cyber-attacks, and cyber security threats require special attention in critical sectors. Cybersecurity analysts use a combination of technical and workplace skills to assess vulnerabilities and respond to security incidents. The document is a guide to a career as a cybersecurity analyst.
This document provides an overview of the CISSP Mentor Program session #1. It introduces Evan Francen and Brad Nigh, who lead the program. It discusses the severe talent shortage problem in cybersecurity, noting projections of millions of unfilled jobs by 2021 and factors contributing to this problem. It also outlines the agenda, schedule, and structure for the mentor program classes, which will cover CISSP domains and preparation for the exam.
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
Our CISSO Certification course is designed for forward-thinking security professionals that want the advanced skill set necessary to manage and consult businesses on information security.
The document provides tips for job seekers on "hacking hired" in cybersecurity careers. It discusses four key vectors to focus on: tools, technology, people, and organizations. For each vector, it highlights important trends for 2021 and strategies. These include tailoring cover letters and social profiles to employers, leveraging video interviewing and automation appropriately, networking extensively, and standing out within the first few minutes of interviews. The document aims to help job seekers understand hiring processes and craft effective strategies for their unique situations.
ISACA is a global nonprofit focused on IT governance, assurance and security. It was founded in 1969 and now has over 100,000 members worldwide. ISACA provides certifications in areas like information systems audit, IT governance, and security. It also develops frameworks like COBIT for enterprise IT governance. ISACA membership offers opportunities for professional development, networking, and advancement in fields like IT auditing, security, risk management and governance.
CISSO Certification | CISSO Training | CISSO (SagarNegi10)
You will gain practical knowledge regarding a range of aspects in the INFOSEC community as part of the CISSO Certification program. It will teach you how to secure assets, monitor them, and comply with data security policies.
William Diederich - Security Certifications: Are They Worth the Investment? A... (centralohioissa)
The IT world seems to be exploding with certifications, with new ones being offered practically every month. How does one choose from all of the options available, and are they worth it?
This session discusses the plethora of Governance, Risk, Compliance, Security and Technology related certifications being offered today. What are the benefits, and which are the most highly valued? Most importantly, which ones are right for you? Can one get too many certifications, and what’s the balance?
Practical tips and recommendations are offered to help those who decide to pursue certifications, including how to select the best certifications, how to plan a roadmap for achieving them, and how to successfully complete the plan they set out.
Lastly, the benefits of certifications are discussed, and how to maximize their value.
The document summarizes several presentations on cybersecurity and the Internet of Things (IoT). It discusses the risks posed by IoT devices, including potential data breaches and network vulnerabilities. It provides examples of past IoT hacks, such as the 2015 demonstration in which a Jeep's systems were remotely hacked. The document also outlines recommendations for securing IoT technologies, such as only collecting necessary data and maintaining strong access controls and encryption. Presenters emphasized that securing numerous diverse IoT devices poses major challenges that may require security approaches different from those used in traditional information technology.
Information Security Management Education Program - Concept Document (Dinesh O Bareja)
The document proposes an information security management program to train future security managers. It notes shortcomings in existing education and certification programs. The proposed program would [1] provide practical skills training using real-world scenarios, [2] cover technical, business, audit and legal topics to prepare students for security leadership roles, and [3] include soft skills development and fieldwork opportunities. The program differentiators include an experiential learning lab, partnerships with industry, and mentoring to support career placement.
As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment.
Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include:
• Common cloud threats and vulnerabilities
• Exposing data with insufficient Authorization and Authentication
• The danger of relying on untrusted components
• Distributed Denial of Service (DDoS) and other application attacks
• Securing APIs and other defensive measures
Modernizing, Migrating & Mitigating - Moving to Modern Cloud & API Web Apps W... (Security Innovation)
This talk will help you, as a decision maker or architect, to understand the risks of migrating a thick client or traditional web application to the modern web. In this talk I’ll give you tools and techniques to make the migration to the modern web painless and secure so you can mitigate common pitfalls without having to make the mistakes first. I’ll be doing demos, and telling lots of stories throughout.
Making some good architectural decisions up front can help you:
- Minimize the risk of data breach
- Protect your user’s privacy
- Make secure choices the easy default for your developers
- Understand the cloud security model
- Create defaults, policies, wrappers, and guidance for developers
- Detect when developers have bypassed security controls
Similar to Opening the Talent Spigot to Securing our Digital Future
Develop, Test & Maintain Secure Systems (While Being PCI Compliant) (Security Innovation)
To ensure critical data can only be accessed by authorized personnel, it is paramount to integrate security best practices during development. It’s equally important to protect deployed systems, especially in CI/CD (continuous integration and deployment) and DevOps environments.
Attend this webcast to learn techniques to define, design, develop, test, and maintain secure systems. Particular focus will be paid to software-dependent systems.
Topics include:
• Identifying and risk-rating common vulnerabilities
• Applying practices such as least privilege, input/output sanitization, and system hardening
• Implementing test techniques for system components, COTS, and custom software
Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.
Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.
Topics covered include:
• Properly protecting stored cardholder data - encryption, hashing, masking and truncation
• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security
• How to identify and mitigate missing encryption
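The four storage techniques listed above (encryption aside), a strict TLS client configuration, and a scanner for PANs that have leaked into logs in the clear, as an added example written for this page rather than material from the webinar. The PAN is the well-known Visa test number, the log line is constructed, and the HMAC key is a placeholder for one that would come from a key-management system.

```python
import hashlib
import hmac
import re
import ssl

# Constructed sample data: the well-known Visa test PAN and a fake log line.
# Neither is a real cardholder record.
SAMPLE_PAN = "4111111111111111"
SAMPLE_LOG = (
    "2019-05-01T12:00:00Z INFO order=42 pan=4111111111111111 amount=10.00 "
    "ref=1234567890123456"
)


def luhn_valid(pan: str) -> bool:
    """True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits and drop
    the rest. What is stored can never be turned back into the full PAN."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) usable as a lookup token.

    An unkeyed SHA-256 of a PAN is brute-forceable: once the six-digit BIN is
    known only ten digits vary and Luhn fixes one of them. The HMAC key
    therefore needs the same protection as an encryption key, and the hash
    must not be stored next to a truncated copy of the same PAN, which would
    shrink the search space further."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(pan: str, key: bytes, stored_hash: str) -> bool:
    """Constant-time comparison of a presented PAN against a stored hash."""
    return hmac.compare_digest(hash_pan(pan, key), stored_hash)


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Locate candidate PANs in logs or files: 13 to 19 digit runs that pass
    Luhn. Running this over log archives is one way to find where cardholder
    data is being written without encryption."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def tls_client_context() -> ssl.SSLContext:
    """Client-side TLS settings for transmitting cardholder data: TLS 1.2 or
    newer only, certificate chain validated, hostname checked."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    key = b"placeholder-key-from-your-key-management-system"
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN))
    print(hash_pan(SAMPLE_PAN, key))
    print(find_pans(SAMPLE_LOG))
```

The scanner deliberately accepts digit runs up to 19 characters and then filters on Luhn; without the checksum filter, order and reference numbers produce constant false positives, as the second 16-digit value in the sample log shows.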
The document discusses 5 ways to train cross-functional DevOps teams in security: 1) elevate security knowledge across the entire team while developing security champions, 2) balance traditional training with hands-on learning using real scenarios, 3) offer role-based security training tailored to each role rather than trying to make everyone security experts, 4) use shorter, modularized training modules rather than long-form courses based on education research, 5) establish a training plan for DevOps teams as Gartner predicts DevSecOps practices will be embedded in 80% of rapid development teams by 2021.
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”
How to Hijack a Pizza Delivery Robot with Injection Flaws - Security Innovation
Welcome to the lighter side of the software security world!
We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).
Topics covered include:
- Injection Flaws
- XSS
- SQL Injection
- Broken Authentication
- Privilege Escalation
- Information Disclosure
- Parameter Tampering
- Configuration Errors
This webinar is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
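Two of the flaws on that list, SQL injection and parameter tampering, in the form a developer would actually meet them, as an added example written for this page and not taken from the webinar. The database, user names, passwords and order ids are all constructed; each vulnerable function is paired with its fixed form.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample store: two users and their pizza orders.
    Passwords are kept in clear only to keep the demo short; a real
    system stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse'), (2, 'bob', 'hunter2');
        INSERT INTO orders VALUES (100, 1, 'large pepperoni'), (101, 2, 'veggie');
        """
    )
    return conn


def login_vulnerable(conn, name, pw):
    """Injection flaw: the user's input becomes part of the SQL text, so
    pw = "' OR '1'='1" turns the WHERE clause into something always true
    and the first user in the table is logged in."""
    query = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, name, pw):
    """Parameterised query: the driver sends the values separately from the
    statement, so a quote in the input is just a character in a string."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def get_order_vulnerable(conn, order_id):
    """Parameter tampering: the order id from the request is trusted and no
    ownership check is made, so changing 101 to 100 in the URL reads
    another customer's order."""
    row = conn.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()
    return row[0] if row else None


def get_order_safe(conn, user_id, order_id):
    """Authorisation enforced server side: the order must belong to the
    authenticated user, whatever id the client supplied."""
    row = conn.execute(
        "SELECT item FROM orders WHERE id = ? AND owner_id = ?", (order_id, user_id)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable login, injected password ->", login_vulnerable(db, "nobody", payload))
    print("safe login, same input              ->", login_safe(db, "nobody", payload))
    print("bob reads alice's order, no check   ->", get_order_vulnerable(db, 100))
    print("bob reads alice's order, with check ->", get_order_safe(db, 2, 100))
```

Note that the parameterised query alone does not fix the second flaw: `get_order_vulnerable` already uses a placeholder and is still exploitable, because the problem there is a missing authorisation decision, not string handling.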
Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
The cloud is a cost-effective way to provide maximum accessibility for your customers. However, organizations often fail to optimize and configure it properly for their environment, leaving them inadvertently exposed.
These slides are from our recent webinar covering proven techniques that reduce cloud risk, including:
• Building applications to leverage automation and built-in cloud controls
• Securing access control and key management
• Ensuring essential services are running, reachable, and securely hardened
Security Innovation is a leader in software security that provides various security services and training solutions. Their CMD+CTRL Cyber Range is a cloud-based cybersecurity simulation and training platform that allows users to build and assess their skills through hands-on practice in simulated real-world software environments and scenarios. The platform aims to improve cybersecurity skills in a more engaging and effective manner compared to traditional cyber ranges.
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
This session provides an introduction to simulation environments like Cyber Ranges, differentiates them from gamification systems, and discusses the emerging delivery, adoption and organizational lessons learned that are driving further adoption.
Blockchain is a promising technology getting a lot of attention these days; however, organizations aren’t entirely sure how it might improve business operations, what the risk implications are, and the security savviness needed to implement securely.
This webcast will address the most pressing issues and misconceptions surrounding Blockchain today, including:
• What is Blockchain?
• What are the new technologies I need to understand?
• Use Cases: where is Blockchain most advantageous?
• Snooze Cases: where/when is Blockchain a bad idea?
• What are the most common pitfalls with Blockchain?
Software runs our world — the cars we drive, the phones we use, the websites we browse, the entertainment we consume. In every instance privacy risks abound. How do software development teams design and build software to ensure privacy data is protected?
Attend this webcast to learn practical tips to build software applications that protect privacy data. Understand the requirements of new laws such as GDPR and the impact they have on software development.
Topics covered:
• Designing for Privacy: least privilege and compartmentalization
• Creating privacy impact rating
• Implementing application privacy controls
• Techniques for effective privacy testing
This document summarizes a webinar on privacy secrets and how systems can reveal personal information. It discusses defining privacy, the seven types of privacy, and the differences between privacy and security. It also covers threats to privacy like big data, location tracking, and metadata analysis. The webinar examines data types like PII, PHI, and anonymous/pseudonymous data. It provides examples of data lifecycles and analyzing how data flows through systems and to third parties. The goal is to help organizations understand privacy risks and comply with regulations like GDPR.
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineering and software team lead thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
IoT Security: Debunking the "We Aren't THAT Connected" Myth - Security Innovation
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to an online business model, they are failing to consider IoT’s unique threats, which traditional solutions are unable to secure. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially the software that runs IoT devices, which is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
When GDPR becomes law in a few months, it will be the most wide-ranging and stringent data protection initiative in history. To prepare for this sea change, most organizations have streamlined and detailed their information security policies; however, many are unaware that immature application security programs arguably pose the biggest threat of a data breach. This oft-forgotten piece of data protection puts organizations at risk of GDPR fines.
Attend this joint webinar with Security Innovation and Smarttech247 to learn practical tips on incorporating application security best practices into an InfoSec program to achieve GDPR compliance.
Topics include:
* Summary of GDPR key concepts
* Security of data processing in software and the CIA triad
* The people and process problem of GDPR: Governance
* Using Data Protection by Design for secure design and business logic
* Assessments to verify the security of processing
Presenters:
Roman Garber, Security Innovation
Edward Skraba, Smarttech247
Why you need to recognize your employees (15 reasons + tips) - Vantage Circle
Discover the top reasons for employee recognition. Learn practical tips for creating an effective recognition program that benefits employees, managers, and the entire organization.
The Rules Do Apply: Navigating HR Compliance - Aggregage
https://www.humanresourcestoday.com/frs/26903483/the-rules-do-apply--navigating-hr-compliance
HR Compliance is like a giant game of whack-a-mole. Once you think your company is compliant with all policies and procedures documented and in place, there’s a new or amended law, regulation, or final rule that pops up landing you back at ‘start.’ There are shifts, interpretations, and balancing acts to understanding compliance changes. Keeping up is not easy and it’s very time consuming.
This is a particular pain point for small HR departments, or HR departments of 1, that lack compliance teams and in-house labor attorneys. So, what do you do?
The goal of this webinar is to make you smarter in knowing what you should be focused on and the questions you should be asking. It will also provide you with resources for making compliance more manageable.
Objectives:
• Understand the regulatory landscape, including labor laws at the local, state, and federal levels
• Best practices for developing, implementing, and maintaining effective compliance programs
• Resources and strategies for staying informed about changes to labor laws, regulations, and compliance requirements
HRMantra is a cutting-edge HR technology solution that harnesses artificial intelligence for digital transformation of HR operations. It streamlines processes like attendance management, performance evaluations, project progress tracking, employee database management, and payroll processing with automated income tax & benefit plans calculations. Unlock productivity, compliance automation, and data-driven insights with this innovative HR cloud platform for the future of work.
2. About Me
• Director, ICMCP
• CEO, Security Innovation Inc.
• Mechanical Engineer, Software Engineer
• Research Fellow, Ponemon Institute
• Privacy by Design Ambassador
• In younger days, built non-lethal weapons systems for government & law enforcement
3. Agenda
Cybersecurity Skills Shortage & Diversity Imbalance
• PCI Impact on Cybersecurity
• Lessons Learned, Tips and References
4. Cybersecurity Skills Shortage
* Cybersecurity Jobs Report, Cybersecurity Ventures, sponsored by Herjavec Group
# The National Association of Software and Services Companies (NASSCOM)
“Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats.”
- Robert Herjavec
• 3.5 million (3,500,000) unfilled cybersecurity positions by 2021*
• India alone will need 1 million cybersecurity professionals by 2020#
• Israel (2nd largest exporter of cybersecurity tech after USA) leads employer demand for cybersecurity talent by a wide margin
• “The Cybersecurity Talent Gap Is An Industry Crisis” – Forbes
• Cybercrime to cost the world $6 trillion annually by 2021*
No wonder the PCI DSS is so Necessary!
5. Cybersecurity Diversity Imbalance
by the numbers
Sources: Europa Eurostat May 2019; Center for Cyber Safety and Education;
https://www.catalyst.org; www.icmcp.org
“The under-participation by large segments of our society represents a loss of opportunity for individuals, a loss of talent in the workforce, and a loss of creativity in shaping the future of cybersecurity.”
- Aric Perminter
• EU-28 Female workforce = 45%; Cybersecurity = 7%
• US Workforce
• Black/AA = 12%; STEM = 6%
• Hispanic = 15%; STEM = 7%
7. Cybersecurity Diversity Imbalance
by the numbers
“Measures that can be taken by organizations to help foster, promote and nurture the success of this group include mentorship and training programs.”
8. Agenda
• Cybersecurity Skills Shortage & Diversity Imbalance
PCI Impact on Cybersecurity
• Lessons learned, Tips and References
9. PCI DSS
“Arguably the most influential, widely-adopted non-government/regulatory standards ever created for cybersecurity”
- Ed Adams
• Since December 2004:
• Number of PCI certifications available: 0 → 10+
• Introduced AppSec requirements in June 2006
• Full-stack coverage: network & systems, encryption, access controls, identity management, staff training, etc.
• New PCI SSF addressing biggest threat to cybersecurity: software
• Cross-referenced and mapped to other standards
o e.g., NIST Cybersecurity Framework
• No breach of a fully PCI-DSS compliant organization in 14 years*
Always ahead of threat and attack landscape
* 2018 Verizon Data Breach Investigation Report (DBIR)
10. PCI DSS compliance
Worldwide
Overall compliance increasing but…
• Small dip in 2017
• GDPR pre-occupation?
• Not equal across industries
• IT services 77.8%
• Retail 56.3%
• Financial Services 47.9%
• Hospitality organizations 38.5%
• Is customer accountability a driver?
*Verizon 2018 Payment Security Report
11. PCI Training & Qualification Programs
Talk about Specialization
12. 3.5M Jobs + PCI Standards + Large Body of Keen Talent
The easiest puzzle we’ll ever do!
• Supply: Those looking for cybersecurity jobs
o Master a PCI domain and be in demand
• Demand: Those looking to hire cybersecurity talent
o Consider developing via PCI/cybersecurity training
o Partner with minority groups for mentorship, recruitment, train-to-hire paths, etc.
• Motivation: Get involved, personal or corporate
• ICMCP: https://www.icmcp.org
• WISP: https://www.wisporg.com/
3 highly complementary pieces
13. PCI Related Careers
Technical or Business
Sample Titles
• PCI Consultant
• PCI Analyst
• Project Manager – PCI
• InfoSec Manager
• PCI DSS Auditor
• Data Architect
• Compliance Officer
• Information Risk Manager
Jobs can focus directly on PCI DSS, have it as a subset, be technical, or be more business focused
14. Cybersecurity & PCI Education Resources
Many excellent free (and paid) options
PCI SSC
• https://www.pcisecuritystandards.org/program_training_and_qualification/webinars
• https://www.pcisecuritystandards.org/program_training_and_qualification/
US FTC
• https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
NIST National Initiative for Cybersecurity Education (NICE)
• https://niccs.us-cert.gov/training
• https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework
OWASP Academy:
• https://owasp-academy.teachable.com/
Security Innovation CBT and Cyber Range:
• https://www.securityinnovation.com/training/
• https://www.securityinnovation.com/about/community/
15. Benefits of Workplace Diversity
Diversity means varying gender, age, religion, race, ethnicity, cultural background, sexual orientation, language, education, abilities, etc.
16. The Proof is in the Pudding
Diversity has positive cultural AND business benefit
• Harvard Business Review
Diverse teams are able to solve problems faster than cognitively similar people.
• McKinsey’s research
Gender-diverse companies are 15% more likely to outperform their peers
Ethnically-diverse companies are 35% more likely to do the same
• Catalyst research
Companies with more women on the board statistically outperform peers
• Deloitte research
Inclusive teams outperform their peers by 80% in team-based assessments
Engagement is an outcome of diversity and inclusion.
17. Agenda
• Cybersecurity Skills Shortage & Diversity Imbalance
• PCI Impact on Cybersecurity
Lessons Learned, Tips and References
18. Edna Conway, CSO
Global Value Chain, Cisco
• Need for education at multiple levels
• Pre-college STEM program, e.g., middle school digital natives
• Girl scouts cyber badge
• Embed security into existing (and excellent) programs
• e.g. FIRST https://www.firstinspires.org/
• Mission: position security as not just for engineers and scientists
• Her path: English Literature undergraduate degree then law school
• Invest in diversity groups at enterprises
• Many grass roots efforts; combine to gain economies of scale
• Men for Women / Him for Her
• “Do it with love. Do it because you care.”
• “Choose to help just 1 person and watch the ripples.”
19. Julian Waits
GM Cyber BU, Devo
• Frequent speaker at colleges, universities, and tech conferences
• What works well
• Must have commitment and passion from the people at the top of the organization
• Must fund initiatives for diversity & inclusion (D&I) … build a program
• Community of people with one voice, willing to push comfort boundaries on D&I issue
• Pick your area of focus: women, minorities, LGBTQ, whatever
• What doesn’t work
• D&I initiative that alienates others
• Others outside of your group aren’t the enemy
• Cybersecurity mentor was Caucasian
• Passion without a realistic strategy for success… treat your D&I program like a business
• PCI standards represents hugely important component of cybersecurity
• Only part of the security equation
20. Marybeth Westmoreland
CTO, Blackbaud
• What worked well
• Partnering with local universities through sponsoring equipment, clubs, etc.
• Cross functional Executive Women’s Leadership Council
• Spreads the “why”?
• Form allies with other internal groups: veterans, LGBT, etc.
• Make sure people feel secure in participating, promoting, etc.
• Challenges faced
• Minorities felt isolation in Scrum chain (worked hard to correct)
• Women/minorities went into product management & marketing instead of tech
• Career pathing was unclear; engaged HR to help
• Disparity widens as one elevates up the seniority ranks (sensitize C-suite)
• Unconscious bias training – must match the corporate culture
21. Vandana Varma
Security Solutions Architect, IBM Software Labs
Women in Cybersecurity Advocate
• Initiated InfoSec Girls in India to remove intimidation barrier
• Delivers free OWASP training to all diversity groups (3rd gender, any religion, whatever)
• Personal and professional impact
• Encourages continual dialogue
• Focuses on removing obstacles, primarily knowledge ones
• Had a mentor (male) who exposed her to InfoSec
• Thoughts on PCI Standards
• Has been a great door opener for women & minorities, especially in audit
• Mandatory gives it teeth and keeps security top of mind
• HUGE opportunity for minorities to get into Cybersecurity
• Advice
• Need for differentiation; focus on niche sectors (e.g. law and psychology)
• “Remove group think.” Go beyond “xyz for xyz”
22. Partnered with SI for D&I
Me
• Motivation
• Wife’s personal and professional experiences
• Tired of seeing ”myself” at CEO roundtables, board meetings, etc.
• Professional and personal initiatives
• Participate in Glassdoor Equal Pay Day
• Lean In member: practice tips as CEO of Security Innovation
• Run regular hacking events for LGBT, Women, Minorities
• DEFCON and ICMCP scholarship programs
• 13-week child leave policy
• Staff sensitivity training for transgender employees
• Impact I’ve seen
• Employees “coming out of shells”
• Employees getting involved
• Career changes
23. Conclusion
• Perfect storm to address multiple industry problems
PCI standards + Keen, Capable Minority Population + Training = Fill millions of cybersecurity jobs
• A rising tide lifts all boats
• Cybersecurity is a business problem, not technical problem
“Getting into security” doesn’t mean you have to be a hacker or coder
• Start early
Promote STEM programs; encourage girls and minorities to stick with it
• Start small
One mentorship, one program, one person
Good social, cultural, and business reasons to build diverse workforce
24. Ed Adams
Opening the Talent Spigot
Securing our Digital Future
@AppSec linkedin.com/in/edadamsboston/
Editor's Notes
In Israel, 80 percent of those interviewed reported a shortage of workers
Aric Perminter, co-founder and President of ICMCP
For 6 years SI partnered with PCI SSC to build and host all online PCI-sanctioned CBT and we put hundreds of thousands of people through those courses.
Here’s an example: when ICMCP had its West Coast Summit several months ago, an African-American male participant informed me that he was having a hard time finding a Black mentor and did not know what to do. My response: find a white, Asian, or something else mentor. I explained to him that I started my IT career in the ‘80s when there were no other people who looked like me there to mentor me. If it had not been for my white manager, a guy from Mississippi, who saw something of interest in me, I most probably would have chosen another discipline for my occupation.
Before joining the effort to create ICMCP, I had been approached by several organizations that had been around for years, but had no real impact. When I dug into why this was the case, I learned that while several of these organizations had passionate leadership, that leadership never looked at its weaknesses from the lens of how to successfully execute a plan to fulfill their vision.
I feel that PCI, while hugely important, only represents a component of the security equation. Many organizations only commit to the minimum as it relates to PCI, so they can check the box. The problem is attackers change their tactics incessantly and the standard will never have the capacity to keep up with the velocity of attacks that enter the market seemingly daily.