Black Hat Executive Summit

As organisations undertake digital transformation and connectivity the digital security perimeter is evolving; this talk will discuss the leading-edge topics of risk management in the modern enterprise and explore the protection of assets across operations with a focus on supply chain and extended enterprise risk.

I'm in your supply chain, and you're probably in mine. Our increasingly interconnected infrastructure leaves us all vulnerable. With hundreds of millions of devices and millions of enterprises betting on the cloud, we see sophisticated attacks every day. Hardware, software, and service-based attacks, good and bad engagements with suppliers and partners — we've seen it all.

Go behind the scenes and learn about how Microsoft thinks about supply chain attacks — from the techniques and objectives of adversaries, the mechanisms that were effective in blunting their attacks, and the challenges dealing with the upstream and downstream partnerships that enable our shared technology ecosystem.

Startup successes, mergers, new investors, woken boards, new laws, security breaches – there are numerous reasons why established profitable organisations can have missing Information Security functions and be searching for their first CISO to hurriedly solve their perceived problems.

Greenfield specialist Darrin Johansen will share his knowledge and experiences of approaching these unique situations and highlight the differences in approach required from a normal CISO role.

With large investments in security, it is imperative you hire great people as they will be the difference between an average or awesome security function. We all know the basics of hiring people, but what secrets do people that hire large and successful teams have? In this session, a panel of experts offer insights on the current strategies and solutions being deployed by enterprises for finding the right candidates and hiring great people.

The C in CISO has long driven calls for organisations to take security more seriously and give the CISO a 'seat at the table' but just like the CIO we have often struggled to break out of our own discipline and become true business leaders.

Phil will talk about how uninformed expectations from our bosses and peers and our own behaviours are holding us back. He will discuss practical ways we can become valued business leaders through clearly articulating our role, challenging impossible expectations, understanding our stakeholders needs and communicating in ways that gain traction with executives and board members outside our specialist field.

Information Cyber Security professionals face a number of varying challenges; changing people's perceptions of our industry and business function; continually educating on the importance of investing in capabilities; lack of independent representation within the 'c' suite; to be understood as a business risk not an IT problem; skills, resource and budget shortages; all of which accumulate and lead to complete burnout and stressed individuals and teams.

As important as it is for us to support organisations in building their Cyber Resilience, are you spending an equal amount of time, if not more, building your Personal Resilience? Have you felt burnt-out and stressed? Has there been a consistent imbalance between your personal and professional life? Are your teams overwhelmed?

The focus of this session is to share experiences, tools and techniques, supporting you in building your personal resilience and facing your challenges by re-balancing and re-gaining control in order to thrive, not just survive.

Daniel Cuthbert, a member of the Black Hat Review Board, will provide a review of the hottest topics being covered during the Black Hat Briefings to give summit attendees a leg up on what to attend and what to look for during the conference. This conversation will set the premise for audience conversation and offer a framework for post-event action items for attendees.

Incidents happen, how you manage them could make or break your reputation. In this session, Canon's Head of Corporate Communications — David Cook, will with a small panel of experts explore some of the golden rules for managing a crisis. The panel will discuss incidents relevant to InfoSec participants and help you understand how to come out of an incident with your reputation intact.

Thinking about launching a vulnerability disclosure or bug bounty program and not sure where to start or how ensure you get ROI? What should your program's goals be and how does align with your BAU security testing? How can you manage risks and engage your legal team(s)? Do you use a bug bounty platform or self-host; hire a 3rd party service provider or run things in-house? How much should you reward, and how do you safely pay researchers? How do you build partnerships with engineering teams and what do long product release cycles mean? There are lots of things to consider and this briefing will give you an actionable punch list of strategic and operational decisions to ensure you're set up for success!