Register Now
August 3-8, 2019
Mandalay Bay / Las Vegas


Black Hat CISO Summit

Tuesday, August 6, 2019
Four Seasons, Las Vegas, NV

The Black Hat CISO Summit an approval-only event during Black Hat USA which brings together 200 top security executives from global corporations and government agencies for a full day of unique discussions. Offered the day before the main Black Hat USA Briefings sessions, the CISO Summit is intended to give CISOs and other InfoSec executives leading-edge insight into the latest security trends, technologies and enterprise best practices.

* The CISO Summit is currently at capacity *

All applications will be reviewed by Black Hat management, and notifications will be sent to applicants by July 26. Attendee guidelines are located within the application form.

*Please note: In order to create an open and candid environment that promotes the sharing of ideas and discussion, the CISO Summit will follow Chatham House Rule; neither media nor event coverage is permitted. This program was designed for executive security practitioners; solution providers and vendor attendees are limited to event sponsors.

Advisory Board

Trey Ford
Jeremiah Grossman
Robert Hansen
Wendy Nather

Alex Stamos
Saša Zdjelar


Monday, August 5

5:00 - 7:00 PM
CISO Summit Welcome Reception

Tuesday, August 6

8:00 – 9:00 AM
Networking Breakfast
9:00 – 9:15 AM Welcome and Introductions
  • Jeff Moss, Founder, Black Hat + DEF CON
  • Steve Wylie, General Manager, Black Hat
9:15 – 9:45 AM

Keynote: Securing the New York Times - The Truth Is Worth It

The New York Times has an important mission: to seek the truth and help people understand the world. Journalists at The Times last year reported from more than 160 countries, publishing more than 150 articles per week, and reaching more than 150 million readers each month. Ensuring that the newsroom can work securely is essential to the company's mission. Our challenges include: a fast-paced environment, a remote workforce, and varied control over endpoints and infrastructure. This presentation shares insight into securing a unique environment whilst facing diverse threats—from everyday concerns to sophisticated actors.

  • Runa Sandvik, Senior Director of Information Security, The New York Times
9:45 – 10:15 AM
Shifting Culture to Better Secure the Department of Defense, One Asset at a Time

Three years ago, a "SWAT team of nerds" at the Pentagon formed an alliance with the global hacker community to discover and disclose vulnerabilities under the federal government's first bug bounty program. Today, the Defense Digital Service's (DDS) 'Hack the Pentagon' program has run nearly twenty bug bounties across the Department of Defense, engaged thousands of ethical hackers, and uncovered more than 10,000 vulnerabilities. The program is being replicated across government and is helping feds rethink many of the government's security approaches by going beyond just checklists and improving the overall security of systems at scale. In engaging more mission-critical systems, DDS continues to expand the definition of what can be "bountied" at the Department of Defense.

Hear from DDS Digital Service Expert and former Defense Media Activity CISO Alex Romero and renowned hacker Jack Cable. Alex has spent over a decade championing modern security approaches at the DOD, including supporting the launch of the Hack the Pentagon pilot and Department-wide vulnerability disclosure policy. As a hacker, Jack has participated in hundreds of bug bounty programs and joined DDS to reform security from within after placing first in the Hack the Air Force challenge. Alex will discuss how the hacker community is playing a critical role discovering insecure practices that can be exploited in the wild, and how this method of securing systems has succeeded and is gaining momentum at the DOD. Further, Jack will walk the audience through a demonstration of an exploitation scenario uncovered through Hack the Pentagon during this unique session.

  • Alexander Romero, Prior CISO at the Defense Media Activity; Current Digital Service Expert/Bureaucracy Hacker, Defense Digital Service
  • Jack Cable, Security Researcher, Dept. of Defense + Student, Stanford
10:15 - 10:30 AM Networking Break
10:30 – 11:00 AM
The Response Matters: How Radical Transparency Reinvigorated Timehop

On July 4, 2018, social media aggregator Timehop was attacked and lost a database containing about 21 million customer records. With nearly four million European customers, Timehop became one of the first to breach personal data under the new GDPR regime. The Timehop disclosure was stunning in its openness and detail. Hear how the response went from someone in the room while the decisions were made.

  • Nick Selby, Director of Cyber Intelligence and Investigations, NYPD
11:00 – 11:30 AM
Highway to the Logger Zone: Enabling High Speed Big Data Analytics with a Multi-Terabyte Logging Pipeline Strategy

CISOs are being inundated with requests to exploit telemetry from old and new log sources, not to mention old and 'new' ideas about what to do with those logs. While most of this intense marketing is focused on 'helping' you make decisions on which techniques and tools will help you search and analyze the logs (ML/DL/AI, ELK/Splunk/Backstory/Sentinel/etc), very little attention is paid to the critical but non-sexy plumbing that gets the logs from their sources to the different tools that use those techniques (the sexy stuff...)

Even a remotely realistic PoC for a new analytical platform can be a daunting task, since these logs over here have to get to that platform over there... in the right format/schema/latency appropriate for that particular test case, in addition to where they currently need to be.

This talk focuses on the fundamental plumbing problem, and answers the following questions at a management level, with key Dos and Dont's for each of these questions that you can take back to your org next week. You can benefit from this talk without having to know the technical difference between syslog and a distributed commit log:

  • How do I estimate the size of this effort? Gigabytes become terabytes, terabytes become petabytes... faster than we're ready for them. What is a realistic approach to getting the most out of your current logs: Capturing them in a scalable and forward-compatible pipeline, analyzing and transforming them in real time, then distributing them to where they need to go?
  • How do you onboard new sources to get business value out of previously unexplored logs?
  • How do I future-proof my logging strategy, so that if I need to add/remove/upgrade analytical and storage products and services, I'm not stuck re-building the logging infrastructure before I can benefit from those changes?
  • How do I get my CTO/CIO/CFO colleagues to work with me on this logging strategy? What do they get out of this?
  • How do you reduce MTTD/MTTR with a logging strategy that enables real-time work, while also enabling long time-horizon batch analytics and cold storage for DR/BCP?
  • How do I get cybersecurity value out of non-'cyber' sources by leveraging this logging strategy?
  • How do I save money on the 'water meter' costs that many analytics platforms charge, so that I'm paying for a good signal-to-noise ratio and not just shoving a lot of useless information into an expensive tool? (FYI: You pay for this noise three times: Ingestion-point water meter costs, storage, and query performance).
  • What is the order of operations involved in terms of hard dependencies vs parallel work, so that you can minimize time-to-value, while preserving your future options and avoiding vendor lock-in?
  • What tools are available for on-prem and cloud environments?

  • Gal Shpantzer, Independent Security Professional
11:30 AM – 12:00 PM
FAKING IT: Attacking the Economics of Fraud and Abuse

Minimizing fraudulent activity has less to do with stopping each attack instance and more to do with undermining the economic viability of an attacker's business. Motivated by an infinite number of gains, but limited by their finite resources, attackers can only sustain their business operations when the cost of executing abuse is less than the value that can be extracted. Accordingly, the motivation of attackers is diminished when they stand to gain very little from their attacks — with such attacks representing a profound problem that exists beyond the realm of the incumbent security products that have already been commercialized to solve them. This session contextualizes fraudulent activity in the greater abuse economy and discusses how attritional techniques can sap attackers' operational resources, break their business models, and compel them to surrender. It also invites a distinct shift in long-standing industry practice, which has primarily focused on restriction, and examines real-world examples of an attacker's bottom line to explain why they should matter to every CISO. After all, if leading security practices continue to behave like a hammer, everything will look like a nail — hitting both end-users and vendors hard.

  • Michael Vergara, VP of Consumer Risk Services at PayPal
  • Kevin Gosschalk, CEO & Founder at Arkose Labs
12:00 - 1:20 PM Networking Lunch
1:20 – 1:50 PM
Cyber Readiness and Small Businesses: How to Secure Global Value Chains

Following the work of the independent, bipartisan Commission on Enhancing National Cybersecurity, the Cyber Readiness Institute (CRI) was launched in July 2017. CRI convenes senior executives of global companies, including ExxonMobil, Mastercard, Microsoft, Maersk, and General Motors, to share best practices and lessons learned in cybersecurity for small businesses. In December 2018, CRI launched the Cyber Readiness Program, a free, web-based, self-guided program for small businesses to help them become more secure, resilient, and cyber ready. This session will discuss the unique cyber challenges small businesses confront and why it is necessary to focus not just on compliance and technical requirements when it comes to cybersecurity, but to encourage a culture of cyber readiness and enforce the accountability and responsibility of every employee when it comes to cybersecurity.

  • Kiersten Todt, Managing Director, Cyber Readiness Institute
1:50 – 2:20 PM
Can't Touch This - The ECPA Says We Can!
* ECPA - the US 'Electronic Communications Privacy Act'

Security design, testing, and audit don't always factor for judicial process. Threat models probably need to consider how a "request" in writing to a provider could grant US or other governments access to your data.

Public cloud security is a present reality for technology executives. There are aspects of law that may undermine your team's assumptions, and authority-wielded by third parties (like law enforcement) to access your data without you (or your legal team) ever hearing about it.

This briefing will cover federal authorities such as the Electronic Communications Privacy Act, framing how state laws and international directives might shape your security design strategies - as the law exists today, potential changes on the horizon, considerations on data locality, warrants, and NDOs (non-disclosure orders) on government order notifications, and how cloud architectures are now being considered by law*.

* - this briefing will primarily consider US law, illuminating how to factor for other countries.

  • Leonard Bailey, Special Counsel for National Security, Department of Justice
2:20 – 3:00 PM
Black Hat Briefings Preview

Three Black Hat speakers will offer early 10-minute previews of their highly-anticipated talks ahead of their Briefings at the main conference.

  • Kelly Shortridge
  • Jamil Farshchi
  • Natalie Silvanovich
3:00 - 3:20 PM Networking Break
3:20 – 3:50 PM
Entering the Age of Enlightenment in Vulnerability Management

Vulnerability management is one of the oldest domains in the cybersecurity field, but anyone who's worked in it knows that this old dog would benefit from learning some new tricks. And it could be argued there's no area where that's more true than prioritizing vulnerability remediation efforts to minimize risk to the organization. For some, that process boils down to little more than gut instinct. Others follow the prevailing wisdom, which is usually instantiated in scoring systems like CVSS. Approaches like the latter sound more scientific, but empirical data shows few perform any better than random chance. Clearly, we need a better way forward for making more rational remediation decisions. For the last year and a half, a huge amount of data has been analyzed with the goal of finding that better way. Over 100,000 published vulnerabilities were examined, exploits developed against those vulnerabilities, and the remediation practices of hundreds of real organizations to understand the principles at work. A ton of important lessons were learned, practical lessons from that research including insights on why only 1 in 3 firms manage to gain positive ground on remediating security vulnerabilities in their environment. Those key lessons will be shared in this presentation to support security leaders in guiding their vulnerability management programs into a new age of enlightenment and effectiveness.

  • Wade Baker, Professor, Virginia Tech & Founder, Cyentia Institute
3:50 – 4:20 PM
Building an Enterprise Application Security Program at Scale in 2020

Everyday we see the massive technological rebalancing taking place. Company-managed data centers are being mothballed, while cloud-based commoditized infrastrcture is exploding in popularity. Meanwhile, software continues to evolve at a blistering, parabolic rate. Information security programs also must correspondingly rebalance, with increased proportion of effort and expertise directed towards securing software, and ensuring a level of security assurance throughout the lifespan of software applications. In this talk, we will tackle these challenges head-on by detailing out one-by-one critical and fundamental cornerstone activities necessary for a modern, enterprise-level application security program.

  • Jerry Hoff, Enterprise CISO, Sony Electronics
4:20 – 4:50 PM
CISO Summit Soundbites
  • Moderator: Jeremiah Grossman, Black Hat CISO Summit Advisory Board
4:50 - 5:00 PM Closing Remarks
5:00 – 6:00 PM Cocktail Reception

Premium Sponsors

Carbon Black (NASDAQ: CBLK) is a leader in endpoint security dedicated to keeping the world safe from cyberattacks. The company's big data and analytics platform, the CB Predictive Security Cloud (PSC), consolidates endpoint security and IT operations into an extensible cloud platform that prevents advanced threats, provides actionable insight and enables businesses of all sizes to simplify operations. By analyzing billions of security events per day across the globe, Carbon Black has key insights into attackers' behavior patterns, enabling customers to detect, respond to and stop emerging attacks.

More than 5,000 global customers, including 34 of the Fortune 100, trust Carbon Black to protect their organizations from cyberattacks. The company's partner ecosystem features more than 500 MSSPs, VARs, distributors and technology integrations, as well as many of the world's leading IR firms, who use Carbon Black's technology in more than 500 breach investigations per year.

Roman Brozyna
Rick McElroy
Mike Viscuso

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions with over 12,200 customers and active users in more than 130 countries. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes and substantial cost savings. The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance and protection for IT systems and web applications on premises, on endpoints and elastic clouds.

Philippe Courtot
Laurie MacCarthy
Sumedh Thakar

Foundation Sponsors

Why Cisco Security?

In a world with more data, more users, and more services, there's more to protect. Meanwhile, cyberthreats are constantly changing, evolving – getting smarter and more sophisticated.

What's the answer? The traditional approach has been to bolt on the latest threat protection product in the hope that adding to the patchwork of security solutions does the trick.

It's time to put cybersecurity above everything.
With our integrated portfolio and industry-leading threat intelligence, Cisco gives you the scope, scale, and capabilities to keep up with the complexity and volume of threats. Putting security above everything helps you innovate while keeping your assets safe. Cisco prioritizes security in all that we do, and only with Cisco can you attain effective network security to face tomorrow's evolving threats.

What differentiates us:
Our Talos Group, Cisco's elite Threat Intelligence and Research Group detects and correlates threats in real time using the world's largest threat detection network, protecting against known and emerging cyber security threats to better protect the Internet.

Cisco Umbrella is a cloud security platform that provides the first line of defense against threats on the internet wherever users go. Because it's built into the foundation of the internet, Umbrella delivers complete visibility into internet activity across all locations, devices, and users. By analyzing and learning from this activity, Umbrella automatically uncovers attacker infrastructure staged for current and emerging threats, and proactively blocks requests before a connection is established.

With Umbrella, you can stop attacks earlier, identify already infected devices faster, and prevent data exfiltration. Umbrella provides an effective solution that is open, automated, and simple to use.

Cisco's Security portfolio is designed to work together, to simplify security complexity, keep business more secure and make IT more productive.

Thomas Wood
Mark Stanford

Fortinet (NASDAQ: FTNT) secures the largest enterprise, service provider, and government organizations around the world. Fortinet empowers its customers with intelligent, seamless protection across the expanding attack surface and the power to take on ever-increasing performance requirements of the borderless network - today and into the future. Only the Fortinet Security Fabric architecture can deliver security features without compromise to address the most critical security challenges, whether in networked, application, cloud or mobile environments. Fortinet ranks #1 in the most security appliances shipped worldwide and more than 385,000 customers trust Fortinet to protect their businesses.

Joan Ross

Breakfast Sponsors

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP and Oracle applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis's solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cybersecurity solution on the market. Unlike generic security products, Onapsis's context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data.

For more information, please visit, or connect with us on Twitter, Google+, or LinkedIn.

Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud workloads, networks, and endpoints. All our products work together to seamlessly share threat intelligence and provide a connected threat defense with centralized visibility and investigation, enabling better, faster protection. With more than 6,000 employees in 50 countries and the world's most advanced global threat research and intelligence, Trend Micro enables organizations to secure their connected world. For more information, visit

Networking Break Sponsors

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions—underpinned by the world's largest delivery network—Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With 477,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at

Microsoft is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more. We enable this digital transformation on a foundation and capability for cybersecurity with products and services that have security built in from the start. Our unique approach combines a comprehensive, agile platform together with unparalleled intelligence and strategic partnerships in order to better protect your endpoints, move faster to detect threats, and respond to security breaches across even the largest of organizations.

Event Sponsors

CrowdStrike is the leader in cloud-delivered endpoint protection. Leveraging artificial intelligence (AI), the CrowdStrike Falcon® platform offers instant visibility and protection across the enterprise and prevents attacks on endpoints on or off the network. CrowdStrike Falcon deploys in minutes to deliver real-time protection and actionable intelligence from Day One. It seamlessly unifies next-generation AV with best-in-class endpoint detection and response, backed by 24/7 managed hunting. Its cloud infrastructure and single-agent architecture take away complexity and add scalability, manageability, and speed.

CrowdStrike Falcon protects customers against all cyber attack types, using sophisticated signatureless AI and Indicator-of-Attack (IoA) based threat prevention to stop known and unknown threats in real time. Powered by the CrowdStrike Threat Graph™, Falcon instantly correlates 1 trillion security events a week from across the globe to immediately prevent and detect threats.

There's much more to the story of how Falcon has redefined endpoint protection but there's only one thing to remember about CrowdStrike: WE STOP BREACHES.

CyberArk, the #1 provider of privileged access security, provides a critical layer of IT security to protect data, infrastructure and assets across the enterprise, in the cloud and throughout the DevOps pipeline. CyberArk delivers the most complete solution to reduce risk created by privileged credentials and secrets. The company is trusted by the world's leading organizations, including more than 50% of the Fortune 100, to protect against external attackers and malicious insiders, and address audit and compliance requirements. CyberArk is the only public company 100% focused on privileged access security, delivering innovative solutions to stay one step ahead of attackers.

We built the LogRhythm NextGen SIEM Platform with you in mind. Our single, end-to-end platform is designed by security experts for security experts. It gives your team the advanced solutions they need to reduce the challenges and complexities they face every day.

With LogRhythm, your team will uncover threats faster and spend precious time on work that's important. You've already built a team of smart people — but managing multiple tools and manual tasks is holding them back. Protecting your business is about to get a whole lot easier.

Organizations around the globe rely on Rapid7 technology, services, and research to securely advance. The visibility, analytics, and automation delivered through our Insight cloud simplifies the complex and helps security teams reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks.

Splunk Inc. (NASDAQ: SPLK) turns machine data into answers. Organizations use market-leading Splunk solutions with machine learning to discover their moments with machine data and solve their security challenges, including risk mitigation, incident response and compliance. Use Splunk software in the cloud and on-premises to improve the detection of insider and advanced threats, fraud and ransomware. Join millions of passionate users by trying Splunk software for free:

Welcome Reception Sponsor

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and compliance solutions with over 12,200 customers and active users in more than 130 countries. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes and substantial cost savings. The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance and protection for IT systems and web applications on premises, on endpoints and elastic clouds.

Executive Dinner Sponsors

Agari is the only cloud-native solution that uses predictive AI to stop advanced email attacks. Winner of Best Email Security Solution by SC Magazine in 2018, the Agari Email Trust Platform™ prevents ransomware, ATO, phishing, and BEC attacks, restoring trust to digital channels for businesses, governments, and consumers worldwide.

ServiceNow makes work, work better for people. Our cloud-based platform and solutions deliver digital experiences that help people do their best work. Now, security, risk, and IT teams can identify and prioritize security incidents, vulnerabilities, and enterprise risks quickly, and respond faster using digital workflows, automation, and orchestration.