  • CISO BRISBANE 2024 - AGENDA

  • 07:20

    Cyber Leaders Private Breakfast (Invite Only)

  • 08:00

    Register; grab a coffee. Mix, mingle and say hello to peers old and new.

  • 08:20

    Welcome from Corinium and the Chairperson

  • 08:30

    Opening Keynote: Australia’s Cyber Security Strategy and the work of the CSRCU

    Will Hood - Assistant Director - National Office of Cyber Security, Department of Home Affairs

  • 08:55
    Partner

    The Best Kept Secret in Security

    Credentials, API tokens, certificates, keys. All of these secrets are growing at a rapid rate as we work towards building least privilege patterns. This proliferation introduces significant challenges for visibility, lifecycle, and user experience, and poses significant risk when they fall into the hands of bad actors. In this talk, we’ll look at the necessary shifts that you need to make to keep your secrets safe.

  • 09:20

    Cyber strategy – creating robust and future-oriented frameworks

    Dieter Schutte - Head of Cybersecurity - Super Retail Group

    Dive into a comprehensive exploration of strategic security planning amid the dynamic landscape of cyber threats. This session will discuss a useful framework of to-do’s for formulating robust and future-oriented security strategies. By asking the right questions, we'll uncover critical insights and approaches that help your organisation anticipate and mitigate risk, thereby securing a more resilient future in an era of growing uncertainty.

  • 09:45
    Partner

    Mitigating Risk to the #1 Target for Attackers: Your Enterprise Identity System

    The foundational component of a modern security architecture is a secure identity system. And though most organizations are thinking "cloud first", identity doesn't start in the cloud - it starts on premises. And overwhelmingly that on-premises identity system is Microsoft’s Active Directory (AD).
     
    AD is involved in more than 90% of all cyberattacks today because when it's compromised it gives attackers near-total control over your IT systems. And once crippled by a cyberattack, it requires an average of two weeks to rebuild and regain trust manually - while your business is down.
     
    In this session, we will review:

    • Why AD is such a target
    • How you can increase operational resilience of this mission-critical identity system by:
      • Mitigating attacks against your AD
      • Significantly reducing its recovery time objective (RTO)
  • 10:10

    A risk-based approach to cybersecurity

    Clayton Brazil - Head of Cyber and Information Security - WorkCover Queensland

    • Streamlining your controls to avoid duplicative effort and align them with business objectives
    • Influencing stakeholders to ensure a more business focused approach to cybersecurity
    • Proactively managing for changes in the environment to ensure continuous compliance
    • Building cyber risk awareness and culture to influence change 
  • 10:35

    Get refreshed! Mingle

  • 11:05

    On-stage interview: Nurturing the Welfare of your Cyber Teams

    Working in cybersecurity can seem like an uphill battle: a daily, unrelenting, and often thankless grind.

    Preventing breaches is a team effort that depends primarily on the dedication and wellbeing of your cybersecurity professionals. Sure, factors like the company's risk appetite and senior management's commitment play a role, but the real key is having an engaged and motivated cyber team. Throwing money at the problem with big budgets is no substitute for having the right people in place.

    That's why it's crucial for CISOs to keep their teams happy, motivated, and engaged. During this interview, Stephen Bennett will be grilled by one of his own team members, Peter Johnsson, and will share the challenges and the successful strategies to ensure the wellbeing of the team and work towards preventing burnout. Because let's face it, a happy cyber warrior is an effective cyber warrior – and we could all use a few more of those in this crazy digital world.

    Speakers:

    Stephen Bennett, CISO, Domino’s

    Peter Johnsson, Group Head of Cyber Services, Domino’s

  • 11:30
    Partner

    Protecting Your Organisation Against the Dark Side of Generative AI

    As long as we’ve used email, we’ve experienced email attacks. From basic malware to the Nigerian Prince scam to gift card fraud, organisations and individuals have become accustomed to receiving a nefarious email or text.

    But with the rise of generative AI, attackers are exploiting vulnerabilities in generative AI models like ChatGPT to create incredibly sophisticated email attacks.

    Learn what security leaders are doing to stop these malicious attacks on their organisations, as well as best practices for defending against the AI-created email attacks of the future.

  • 11:55

    Panel: Compliance burden – How much regulation is too much?

    • Sharpening standards and compliance practices
    • Assessing the cost-impact of compliance from a strategic perspective
    • Complying with CPS 234, CPG 234, CPG 235, and other standards such as ISO27001, NIST and Essential 8
    • Sharing information and intelligence to support the wider ecosystem
    • How do industry and boards keep up with all the government led changes such as SoNs and the multiple reporting obligations across various government regimes?

    Panellists:

    Kat McCrabb, CISO, Brisbane Catholic Education

    Johnny Serrano, Head of ICT, Thiess

    Gabriela Guiu-Sorsa, Information Security Principal Advisor, GRC, Queensland Fire and Emergency Services

  • 12:30

    Building a cybersecurity program from scratch – dos and don’ts

    Fabian Llanos Lopez - Head of Cybersecurity & Risk - Compass Group Australia

    • Build a well-developed program that supports and is tailored to the organisation’s needs
    • Create a well-designed program with cooperation and support from stakeholders and management
    • Develop effective metrics and KPIs for program design, implementation, and management performance assessment
  • 12:55

    VIP IAM Luncheon (Invite Only)

  • 12:55

    Lunch and networking

  • Track A: Critical Infrastructure

  • 13:55

    Improving your cyber programs and uplifting maturity

    Glenn Dickman - Director of Cyber Security - Griffith University

    • Setting up your cyber programs from scratch
    • Getting buy-in from the board and steering committee
    • Deciding on the most suitable techniques to implement a successful program
    • How to ensure internal stakeholders understand the objectives and needs of security controls
    • Defining metrics and adopting assurance frameworks
    • Uplifting your program’s maturity by focusing on continuous improvement
  • 14:20
    Partner

    Asset Intelligence: The Bedrock of Cyber Security

    Extensive knowledge of assets that need to be secured is foundational for any effort to secure any type of asset. It’s no surprise that the Security of Critical Infrastructure Act 2018 (SOCI) addresses this in its initial requirements and recommendations.

    When an Asset Intelligence platform is implemented as the bedrock of a cyber security initiative, asset information is continuously collected, aggregated, correlated and analysed, making all subsequent activities easier.

    Join me to learn what constitutes an Asset Intelligence platform and how specific capabilities optimise every step of the process to compliance.

  • 14:45

    Panel: Relying upon your CI incident response plans

    Having an effective incident declaration process in place is key when developing your compliance strategy and meeting critical infrastructure regulations and standards. During this session, we’ll explore:

    • Managing lack of clarity of SOCI Act and SoNS by developing documented interpretation of the frameworks
    • Good practices defining and fine-tuning incident declaration processes and response plans
    • How to identify what your organisation is doing right and what needs improvement
    • Effective ways to advance your maturity model

    Panellists:

    Jack Cross, Associate Director, Information Security, Queensland University of Technology

    Stephen Power, Cyber Security Manager, Cairns and Hinterland Hospital and Health Services

  • 15:10
    Partner

    Zero Trust in Critical Infra: from Cyber Conscious to Cyber Resilient

    How cyber leaders in critical infrastructure organisations are adopting Zero Trust Segmentation as a simple way to not only protect themselves and the public interest from immediate and evolving threats, but also to strategically balance innovation and cyber risk. Rethinking security architectures for modern platforms that run critical infrastructure and economy-vital systems - from conscious reaction to resilient anticipation.

  • 15:35

    Increasing cybersecurity synergy with your third-party partners

    Ryan Nera - BISO - Telstra

    Cybersecurity takes on its full meaning when all stakeholders work together in reaching the highest security standards, acknowledging that each third party has its own maturity and dependencies, which makes it challenging to have a joint security posture. During this session, we will explore how to deal with third-party partners to mitigate risks and raise the bar together.

  • Track B: Business Enabler

  • 13:55

    In-Depth Security – Adopting risk-based frameworks and guidelines

    Heinrich Viljoen - Head of IT Governance & Cyber Security - Youi Insurance

    • Setting up your cyber programs from scratch
    • Getting buy-in from the board and steering committee
    • Deciding on the most suitable techniques to implement a successful program
    • How to ensure internal stakeholders understand the objectives and needs of security controls
    • Defining metrics and adopting assurance frameworks
    • Uplifting your program’s maturity by focusing on continuous improvement
  • 14:20
    Partner

    Setting security strategy by navigating the threat landscape

    One of the aims of a security program is to address the risk associated with the ‘threat landscape’ faced by an organisation. But what is a threat landscape? In this talk, we will discuss some approaches on how to characterise and map the threat landscape, derive an organisational risk profile, and set objectives for a workable security program. We’ll look at how the characterisation of the threat landscape aligns with the desirable characteristics of a security program. This approach has a strategic focus and guarantees an optimal security spend in terms of product selection, implementation, and operational parameters for the program.

  • 14:45

    Fireside chat: Educate, educate, educate – simple steps to improve accountability across the business

    • Effective ways to educate – engaging diverse people with cybersecurity and online safety
    • People centric – adopting an in-person tone and using real-life examples of how a cyberattack can impact everyone’s lives
    • Relevant – what’s in it for them and why they should care
    • Providing resources – setting clear expectations and providing resources

    Panellists:

    Darron Richardson, CISO, Southern Cross University

    Andrew McMutrie, Head of Security (ANZ & Asia), Corporate Travel Management

    Jane Hogan France, Senior Manager Cyber Security, Allianz Australia

    Charles McDermid, Senior Partner Operational Risk, Technology, Bank of Queensland

    Mariya Novakova, Advisor Cyber Security Risk, Rio Tinto

  • 15:10
    Partner

    Bringing stakeholders together for a successful Zero Trust journey

    • How to develop a roadmap and implement specific initiatives in your projects
    • Discover effective ways to build a zero-trust security framework
    • Identify key components of a zero-trust model to protect the current environment
  • 15:35

    Human Factor: From weakest link to real-life champions

    Paul Atkins - Head of Information Technology - Queensland Sugar

    A fun and entertaining presentation on why as businesses we need to implement cyber security training for staff, with real world examples of training (and testing) implemented in several organisations, including an environment with zero prior training. We’ll explore how all implementations have resulted in an increase in reports of suspicious behaviour, with false positives as a byproduct. More importantly, this session will give you an idea if your business is actively being targeted. Join us for examples of how to implement phishing testing of staff and how to reward staff to graduate them from being Cyber Aware to becoming Cyber Judges.

  • 16:00

    Get refreshed! Mingle

  • 16:20

    Panel: Overcoming common IM challenges

    • Assessing the status of your incident response capability: when should you perform read-through, table-top, and red team exercises?
    • How can pen-testing and vulnerability management be most effective?
    • What are the challenges and benefits of CMDB from an IM perspective?
    • Incident Management Systems – benefits of EDR systems, IDPS, and other managed incident strategies
    • Reactive incident response vs proactive incident response – how well organisations manage that and how well those tasks are defined and segregated among defensive teams

    Panellists:

    Sadeed Tirmizey, Deputy CISO, Airservices

    Michael Poezyn, CSO, Derivco

  • 16:45

    AI-Powered Compliance: Leveraging Machine Learning in GRC for Regulatory Adherence

    Gaurav Vikash - Head of Security and Risk, APAC - Axon Enterprise

    Discusses the utilisation of machine learning and AI-driven technologies to streamline compliance efforts, enhance risk assessment, and ensure regulatory adherence.
  • 17:10

    A Day in the Life: What the first 100 days in the CISO role looks like

    Rob Wiggan - Cybersecurity Consultant - WTW

  • 17:35

    Roadmap to maturity – a strategic approach to advance security

    Tim Eichmann - Principal Cyber Security Architect - Queensland Police Service

    During this session, Tim Eichmann will share his experiences developing and implementing a 10-year cybersecurity program to ensure Queensland is cyber-ready for the Brisbane 2023 Summer Olympics. He’ll discuss the need to create a strategic roadmap to support the enterprise’s plan to advance its cyber maturity.

  • 18:00

    Event Close and Cocktail Reception & Networking

  • 18:30

    Cyber Leaders Private Dinner (Invite Only)