
Convene: Washington, D.C. 2023 Sessions

Washington, D.C. September 6-7, 2023

Featured Sessions

Most MFA Is No Better Than a Password: Attacks and Defenses

Most people think MFA is pretty secure and definitely a stronger defense than a password. For most MFA that most people use, this isn’t true. I can hack, bypass, or socially engineer you out of the most popular MFA as easily as if it were a password. Come see how. Come learn how to better defend your MFA and which MFA is strong and resilient.
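The abstract does not name the attacks it covers. The example below is an added simulation, not material from the talk, of one widely used technique against one-time codes: an adversary-in-the-middle phishing proxy that relays what the victim types to the real site within the same 30-second TOTP window. It contrasts that with an origin-bound assertion in the style of FIDO2/WebAuthn, where the browser stamps the page origin into the signed client data and the server rejects any origin it did not register. The TOTP half is RFC 4226/6238 as specified; the FIDO half is a simplification in which an HMAC over the signed data stands in for the authenticator's private-key signature (an assumption made to stay in the standard library; the property shown, that the origin is part of what is signed, is the same). Credentials and domain names are constructed.

```python
"""AiTM relay vs. TOTP and vs. an origin-bound FIDO2-style assertion.
Added illustration; HMAC stands in for the authenticator's signature."""
import hashlib
import hmac
import json
import secrets
import struct

PASSWORD = "correct horse battery staple"   # constructed sample credential


# ---- shared-secret OTP: RFC 4226 HOTP / RFC 6238 TOTP ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(unix_time // step), digits)


class TotpRelyingParty:
    def __init__(self, secret: bytes):
        self.secret = secret

    def login(self, password: str, code: str, now: float) -> bool:
        return password == PASSWORD and hmac.compare_digest(code, totp(self.secret, now))


def aitm_relay_totp(rp: TotpRelyingParty, victim_secret: bytes, now: float) -> bool:
    """Victim types password + current code into the phishing page; the proxy
    forwards both to the real site two seconds later, inside the same
    30-second window. Nothing in the code records which site it was typed into."""
    code_typed_by_victim = totp(victim_secret, now)
    return rp.login(PASSWORD, code_typed_by_victim, now + 2)


# ---- origin-bound assertion, WebAuthn-style (signature simulated with HMAC) ----
class FidoAuthenticator:
    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The browser, not the user, fills in origin: it is the page the user is on.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return client_data, hmac.new(self.key, signed, hashlib.sha256).hexdigest()


class FidoRelyingParty:
    def __init__(self, key: bytes, rp_id: str, origin: str):
        self.key, self.rp_id, self.origin = key, rp_id, origin
        self.pending = set()          # unexpired challenges we issued

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, client_data: bytes, signature: str) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        if cd.get("origin") != self.origin:   # the check a relaying proxy cannot satisfy
            return False
        self.pending.discard(cd["challenge"])
        signed = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.key, signed, hashlib.sha256).hexdigest()
        return hmac.compare_digest(signature, expected)


def legit_fido_login(rp: FidoRelyingParty, auth: FidoAuthenticator) -> bool:
    cd, sig = auth.get_assertion(rp.rp_id, rp.challenge(), rp.origin)
    return rp.verify(cd, sig)


def aitm_relay_fido(rp: FidoRelyingParty, auth: FidoAuthenticator,
                    phishing_origin: str = "https://login.example-com.evil") -> bool:
    """The proxy relays the genuine challenge, but the victim's browser stamps
    the phishing origin into clientDataJSON, and that origin is under the
    signature. (A real browser would refuse to call the authenticator at all,
    since rp_id is not a registrable suffix of the phishing origin; the
    simulation skips that client-side check to show the server rejects it too.)"""
    cd, sig = auth.get_assertion(rp.rp_id, rp.challenge(), phishing_origin)
    return rp.verify(cd, sig)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"        # RFC 6238 test-vector secret
    print("TOTP relayed through phishing proxy logs in:",
          aitm_relay_totp(TotpRelyingParty(otp_secret), otp_secret, 1_700_000_000))
    fido_key = secrets.token_bytes(32)
    rp = FidoRelyingParty(fido_key, "example.com", "https://login.example.com")
    auth = FidoAuthenticator(fido_key)
    print("FIDO2-style legitimate login:", legit_fido_login(rp, auth))
    print("FIDO2-style assertion relayed through proxy:", aitm_relay_fido(rp, auth))
```

The TOTP relay succeeds because the code proves possession of a shared secret and nothing else; the FIDO-style relay fails before the signature is even checked, because the origin the browser observed is not the one the relying party registered. Push-approval and SMS codes share the TOTP weakness; the resilient category the abstract alludes to is the one where the origin is bound into the credential.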

After the Breach: Process Analysis + Empathy = a Stronger, Prepared Cybersec Team

There is ample information on how to prepare for a data breach, but we rarely discuss how to manage the security team’s Breach Post-Traumatic Stress Disorder. This session will highlight the steps leaders can take to ensure that their security teams are mentally prepared – and staffed for the next potential attack. Building unit cohesion before the attack is paramount to keeping a resilient team. The session will offer tips on organizational restructuring, how to conduct a COBIT-styled process analysis, cross training and procedural reframing. We will also discuss the criticality of empathy and how to build it into the culture.

You Better Behave: An Introduction to the World’s First Open Source Security Behavior Database

User security behaviour sits at the heart of human risk management. If we can influence security behaviours, we can reduce human risk. Some security teams are having a really clear and measurable impact on their users’ security behaviours. Others aren’t even sure where to start. “Which behaviours?” “Why these specific behaviours?” “How do I prioritise amongst them?” “And how do I know that we’re focused on the right ones, in the right way?” In this lighthearted and entertaining talk, Oz Alashe will introduce the audience to the world’s most comprehensive security behaviour database, SebDB. Freely accessible, open to all and vendor agnostic, SebDB is a digital compendium that contains information on every security behaviour known to reduce human cyber risk. It’s an open source research initiative that’s been developed by the global security community. It’s now on its third iteration.

LIVE Hack: See How Cyber Gangs Get Into Systems

Risk of data loss and operational disruption can stem from more than the ransomware in news headlines. Join ThreatLocker’s Co-Founder and CEO for a live hacking demonstration of a Rubber Ducky and discussion on methods of control to minimize data exfiltration.

Operation Nowhere to Hide – A Case Study on Sextortion

This presentation takes a deep dive into the cyber investigative techniques used to target, identify, and prosecute cyber criminals participating in an international sextortion scheme, including working with foreign law enforcement (LE) counterparts while facing the challenges that come with having no mutual legal assistance treaty (MLAT) between our countries.

What’s Old is New Again – and What’s New is Old!

Despite recent hype, AI has been built into cybersecurity tools to spot threats and keep consumers safe for decades.

While cybersecurity companies are always evolving to adopt new technology and stay one step ahead of bad actors, we know that many of the tried-and-true cybersecurity best practices we used 10 and 20 years ago still work. No matter how advanced tech and AI get, the biggest threat to security, and its best defender, is always the person behind the device.

The future of cybersecurity will require a holistic approach that combines AI-enhanced tools and foundational basics to protect internet users.

Staying Left of Boom: The Real Way of Preventing Insider Risks from Becoming Insider Threats

With the growing number of ways data can be stolen, protecting sensitive IP is becoming harder, and purely reactive measures aren’t working. The key to staying left of boom begins with defining the problem and understanding the difference between insider risks and insider threats. In this presentation, DTEX will provide a pragmatic approach to understanding and influencing human behavior. The discussion will explore three key pillars to reducing insider risk in today’s evolving threat landscape:
– Communication – cultivating a trusted workforce.
– Information – capturing the right data to accurately identify risk.
– Technology – collecting and correlating datasets that accelerate proactive risk detection.

Make a Killing by Reskilling: Building Deep Security Skills within your Organization

Security Awareness leaders recognize the importance of reducing the human attack surface to protect their organization, but those attack vectors go well beyond phishing or social engineering. As businesses shift to the digital realm, security skills should be federated across the organization to ensure proper resilience and integration of security best practices. But how do you engage these cyber champions? By identifying hidden talent and interests, as well as providing access to best-in-class learning opportunities. Cyber acumen is the new business acumen… how do we get ready?

LIVE! The CISO Series Podcast

Two special guests will join host David Spark to discuss topics in cybersecurity leadership, dealing with security issues, and how cybersecurity practitioners work with security vendors, with a few games and audience participation too!

Improving Security Interactions With Journey Maps

Whenever we ask someone to do a “security thing”, we also affect their perception of the security function in our organisation, and their perception of security things more generally. We also require them to spend some of their limited compliance budget. Using interaction journey maps we can explore what people are thinking and feeling when they are required to interact with security-related applications and functions. A focus on improving these interactions reduces the demand on someone’s compliance budget, and also avoids driving people to adopt shadow IT or shadow security.

Secure By Design: Shifting the Balance of Cybersecurity Risk

Secure by design means building technology products and systems with security in mind from the start, rather than bolting it on afterwards. It’s time to build cybersecurity into the design and manufacture of technology products. Find out what it means to be secure by design, what that looks like in practice, and why this proactive approach shifts the burden of cybersecurity risk from users onto the makers of products and systems.

Building a ChatGPT Governance Program that Works for Your Organization

ChatGPT and similar generative AI tools have exploded into our lives and into many organizations. Some companies (and countries) have banned ChatGPT completely, while others encourage its use. This presentation explains how to craft a ChatGPT governance program unique to your organization’s needs and risk tolerance. Controlling risk involving generative AI tools is accomplished by combining policies and processes, technical controls, and targeted user awareness training. There is no right answer for how to implement or restrict generative AI. Like any new security and privacy challenge, the solution is proactive risk assessment, well-designed controls, and effective user education.

The Nexus Between Data Privacy and Data Security

Concerns around personal data collection and use continue to rise, including collection by adversarial countries and by emerging technologies and applications that leverage personal data. Yet the United States does not have a comprehensive law to protect data privacy and security. This talk will explore the threat and risk, the current legal and regulatory landscape for protecting data, policy solutions underway at the state and federal level, and how new technologies such as artificial intelligence connect to this topic.

Lessons Learned from the Largest Coordinated Cyberattack Against Local Government in US History: Ransomware across Texas in August of 2019

How bad could it be? This engaging session will cover the ins and outs of the August 2019 ransomware attack that impacted 23 local government entities across the state of Texas. The Lone Star State responded by activating the statewide incident response plan, which had been developed over the prior two years and spot-tested across a number of other incidents and exercises. Come hear the good, the bad and the ugly on how the plan worked, how it was used to clean up this large-scale incident, and how operations were restored across the board in just 8 days, for under $300,000, without paying any ransom.

Operation K12: Infusing Cybersecurity Education into Public Schools

Cyber Florida’s Operation K12 program engages more than 40 school districts across Florida that represent 89% of Florida’s public school children. A multi-pronged approach, Operation K12 provides a variety of resources and pathways to engage kids in cybersecurity awareness and career education, beginning in elementary school and including a high school course that prepares students for cyber careers right out of high school. Learn how Cyber Florida established and implemented this effort statewide in under two years, the approaches and resources that worked, and the challenges overcome.

Panel: Empowering Kids to Stay Safe Online…and Have Fun!

It’s never too early to talk to kids about online privacy, security, and risky online behavior. In this session, learn key takeaways from recent research, including best practices on how parents can influence their kids’ online activities. Today’s children are “digital natives” and most have never experienced a world without social media and smartphones – everything is at their fingertips. Fortunately, current research shows that kids view online privacy and security as things they can control, but parents are instrumental in helping children understand risks and potential consequences.

The Importance of Using Real Threat Intel in your Awareness Program

Using real threat intelligence in your cyber security awareness efforts gives your target audience insight into the threats they may actually encounter. Making the threats as real as possible helps drive audience engagement and reduce information security risk. We will be sharing examples and a framework to help you put this into practice.

CISO Get Out of Jail Free Card: U.S. v. Sullivan and What it Means for Criminal Liability for Cyber Professionals

Last year Joe Sullivan, the former CSO of Uber, was found guilty of covering up a data breach. While some believe this case is an outlier, Congress has attempted to pass legislation holding executives personally responsible for data breaches. In addition, federal agencies have taken a similar approach, and earlier this year the SEC sent out “Wells” notices of potential enforcement actions to SolarWinds executives regarding its 2020 data breach, including, for the first time, to a CISO. Sullivan’s case and the recent actions from the SEC raise questions about whether similar charges will be brought against executives who fail to report breaches, how employees and executives can protect themselves, and the complexities of complying with 50 different state reporting requirements. This presentation will first explore Sullivan’s case and other recent enforcement actions against cyber professionals. Next, there will be a discussion of the various attempts by Congress to expand liability against executives for data breaches and what they may mean for future legislation. Third, the presentation will explore the difficulties in determining whether a company must report, given the various state reporting requirements. Finally, the presentation will discuss how companies, boards, and executives can protect themselves from potential liability.
