16th e-Crime & Cybersecurity Mid-Year Summit

Simplifying cyber: is reducing complexity the key to better security?

17th October 2024 • Park Plaza Victoria, London

Kubernetes, Containers, Cloud, OT/IT, BYOD, Defence-in-Depth, point solutions – how can CISOs make security manageable again?

 

If complexity is vulnerability, then how can CISOs simplify? What’s the new paradigm? 

 

We often ask why it is that so many of today’s security problems were yesterday’s and the day before’s. One answer is that while security technology and processes have greatly improved, the problem has become vastly more difficult.
 

This is not simply because attackers have multiplied and become more sophisticated; it’s not just because of AI or geopolitics or the expansion of the IoT and OT – although all of these have hugely increased attack surfaces and the scale of threats to them.
 

No, the underlying problem is more simply described as complexity. As one researcher says, “The simple combinatorial mathematics of the sheer increase in endpoints not only means a greater number of systems to manage but also much more complex network architectures and webs of connections underlying IT and technology infrastructure and systems.”
 

For example, the rise of cloud computing, microservices, containers, IPv6, has created a vastly more complex endpoint infrastructure than existed before, even though that was comprised of billions of connected, physical devices. The default premise of cloud is to make services, APIs, storage, computing, and networking accessible – the default for a service is exposed to the world. Cloud storage is no longer segregated and sitting behind a server.
 

And at the same time as this increase in complexity and vulnerability, Cloud services (e.g. the IP blocks used by Amazon’s S3 storage service) are increasingly easy to identify and attack.
 

The response of security teams to these paradigm shifts in technology, scale and complexity has often been to meet each challenge piecemeal as it occurs. So global firewalls have been supplemented with various technologies to cater for the fact that these firewalls must be porous due to the growing number of APIs and services that must connect to the outside world.
 

Critical processes, services, and instances have been placed inside security groups, with access controls applied on a per-group basis, associated with identity providers and authentication systems.
 

At the same time, security teams put in place more defence technologies, often layering them to address specific threats or assets: data is protected one way, applications another, APIs are guarded by API gateways, Kubernetes clusters are guarded by specialized Web Application Firewalls and Ingress Controllers, SecDevOps teams mandate smaller, more lightweight firewalls in front of every public service or API and application security teams require that SAST and SCA scans be run on any code.
 

But what we end up with are security stacks too complex to fully understand or fully utilise. We create governance and assurance nightmares. We introduce insecurity because of the complexity and because of the additional third-party issues we create.
 

We need a new way to think about all this. But that would that look like?
 

The e-Crime & Cybersecurity Mid-Year Summit will look at how we all need a new kind of security. Join our real-life case studies and in-depth technical sessions from the security and privacy teams at some of the world’s most admired brands.

  • Maximising the utility of threat intelligence

    • The UK's NCSC highlighted emerging threat to CNI.
    • Attack surfaces are increasing and geopolitics are expanding the range of threat actors and types.
    • How can organisations make the best use of threat intelligence to genuinely reduce their risk of breach?
  • Personal liability for CISOs? It’s here now.

    • CISOs and CIOs are in the dock in the US. They’ve been fined and banned in the UK.
    • The idea of driving corporate accountability through personal prosecution is now firmly embedded in regulatory and legislative thinking.
    • But CISOs cannot be held responsible for corporate failings, can they? We think they can.
  • Defeating ransomware and malicious malware

    • The NCSC still assesses that ransomware remains one of the greatest cyber threats to UK CNI sectors.
    • In other words, the threat of malicious malware has still not been adequately confronted and, in the context of CNI, the losses can be catastrophic.
    • Forget about basic cyber hygiene and awareness, how do we protect the UK from this?
  • The dangers of digitalisation – securing IoT and OT ecosystems

    • “There continues to be a heightened threat from state-aligned actors to operational technology (OT) operators.
    • The NCSC urges all OT owners and operators, including UK essential service providers, to follow the recommended mitigation advice now to harden their defences.”
    • How can you help CNI-related companies harden their OT?
  • Why regulation will drive better cybersecurity

    • Governments have ceded power to private sector organisations with more money, better agility and all the technology.
    • But as governments belatedly recognize their dependence on private companies to deliver the modern state, they will remember their power to regulate, control and even nationalize.
    • What are they thinking today?
  • Getting real about cyber risk management

    • Until cybersecurity is truly seen as risk management, hackers will continue to evade outmoded control frameworks.
    • Quantification is key, but so is how it is used.
    • Part of this is down to CISOs, part of it to Boards and part of it to solution providers.
    • The banks have done it. When will the rest of business catch up?
  • Securing the xIoT

    • The extended internet of things is a security headache, riddled with vulnerabilities.
    • There are multiple challenges with cloud-based XIoT systems.
    • Can you help secure these systems?
  • Evolving incident response: lessons from the past

    • CNI organisations need well-rehearsed playbooks, Boards who have experienced realistic war games, to be battle-tested against sophisticated Red Teams and to pay attention to the successful attacks of the past and present.
    • How can you help them develop and hone incident response procedures that work?
  • AI for CISOs: the hype versus the reality

    • Is ChatGPT really relevant to CISOs still struggling with foundational cyber hygiene, preventing attacks and avoiding DDoS and ransomware?
    • How is AI, in all its forms, being incorporated into security offerings?
    • What should you ask providers about their products?
  • Insuring the uninsurable?

    • Cyber-insurers need to understand the risks they are insuring if they are to set premiums at a level that makes sense.
    • They also need to know that they are insuring risks that clients have taken steps to mitigate properly.
    • Why insure those who leave their digital doors open?
    • What can and can’t be insured?
  • Developing the next generation of security leaders

    • If cybersecurity is to change to meet the evolution of our digital world, then so must those who implement it.
    • CISOs cannot cling to an IT paradigm and companies must move away from hiring on false pretences (on budget and commitment) and firing at the first breach.
    • What does a next-gen CISO look like and are you one of them?
  • Mobile device vulnerabilities and mitigations

    • Hybrid working means an ever-changing ecosystem of devices to secure, a non-existent perimeter, and the threat of unknown connections and applications.
    • Yes, zero trust is part of the solution.
    • But what else should security teams watch out for in a mobile-centric world?
  • Do you know your APIs?

    • For APIs, visibility is critical in most areas of cybersecurity.
    • On average, organisations employ around twice as many APIs as their security teams know about.
    • So, what should CISOs do about opaque API estates?
  • Is it time to rethink your Cloud strategy?

    • Cloud was once seen as a business and security panacea.
    • But hurried, indiscriminate use of Cloud has caused problems from costs to security and business challenges.
    • Is the Cloud backlash justified?
    • What should CISOs do now?
  • The pros and cons of managed services

    • If single point solutions and on-prem security are failing the business, what about the alternatives?
    • What kinds of company need what kinds of third-party help, and where does that leave the in-house security team?
    • Do you have solutions that can help relieve the pressures on under-resourced CISOs?
  • The answer really is zero trust, isn’t it?

    • Look at the key security and resilience challenges: ransomware, third-party, malicious insider, and the rest.
    • None of them have been solved by better technology or better awareness or better security culture. And AI and OT insecurity will make things worse in CNI.
    • Unless we decide to abandon the public internet, and take security seriously, then zero trust is the only answer. So, how to get there quickly?

Who attends

Job titles

Security Architect
Global Manager, Service Continuity
CISO
Head of Payments
Global IS Manager
Head of Digital Risk
Group I.T. Audit Manager
Global Security Supervisor
Head of Penetration Testing
Chief of Cybercrime Section
CISO, Head of Information Security
Global Head I.T. Governance
Head of ISAG
Global Fraud Risk Controller
Head of Global I.T. Security
Head of Data Protection
CISO
Head of I.T. Security Risk Management
Global IS Risk Manager
Global Head of IT Security
Head of Information Security Risk
CISO, Head of Digital Security & Risk
Group Finance & Compliance Director
Chief Security Officer
Chief Information Officer
Head of Cybercrime Unit
Head of Cyber Threat Intelligence
Head of Internal Audit
Head of I.T. Security
Chief Information Security Officer
Group I.S. Manager
Chief Executive
Head of Emergency Response
Head of I.T. Security
Director Of Information Security
Chief Information Security Officer
CISO
Head of Operational Risk Management
Group Data Security Manager
Head of Information Security
CIO
Head of Specialist Crime
Director of Security
Head of Informantion Security Risk
Head of Cyber & Investigations
Chief Information Security Officer
Head of Group I.T.
Head of Information Security
Global Head of Fraud Investigations
Chief Information Security Officer
Global Security Manager
Group CISO
Chief Information Security Officer
Director Global Investigations
Head of Policy & Performance
Head of Information Security
Global Head of Cyber Intelligence
Head of Information Security
Director Cybercrimes
Head of Payments & Fraud
Director of Risk & Compliance
Head of Information Security
Head of I.T. Security Operations
Group Information Security Manager
Head of Operational Security
Head of Payment & Financial Crime
Chief Information Security Officer
Head of Internal Audit
Head of Information Security
Head of IT Risk & Control
Director Enterprise Technology
Head of Business Controls
Director
Director of Security
Head of Cybercrime Investigations
Head of I.T. Security
Director, Global Security
Group I.T. Security Officer
Head of I.T.
Head of Risk & Resilience
Director Group Risk Management
Head of Investigations
Head of Customer Security
Chief Technology Risk Officer
Group Fraud Manager
CISO
Chief, Cyber Crimes
Chief Risk Officer
Head of Business Risk
Group IT Security Analyst
CIO Risk Manager
Group Infrastructure Manager
Head of Operations & Infrastructure
Head of Technical Support
Head Cybersecurity Operations
Head of Fraud Oversight
Director, Technical Investigations
Director

Companies

DPD
Trafigura
GE Capital
Babcock International Group
Scotia Gas Networks
Telefónica O2
Bank of America Merrill Lynch
ING
Catella Bank
Channel 4
H&M
BP
John Lewis Partnership
Royal Canadian Mounted Police
Experian
Jordan Cyber Crime Project
Zamir Telecom
John Wiley & Sons
Halma
Zurich Financial Services
Security Service of Ukraine
HSBC
British Medical Association
Romanian Directorate
TUI Travel
Markit
Western Union
Pennant International Group
TSL Education
Liverpool Victoria
The Finance Practice
Camelot Group
Capital One
Noble Group
HSBC
Dixons Carphone
Halma
Ghana International Bank
British American Tobacco
First Rate Exchange Services
Unum Provident
Santander
Rexam
Matalan
John Lewis Partnership
Home Retail Group
Allen & Overy LLP
ITV
Virgin Money
Spamhaus
Rank Group
EveryMatrix
Shop Direct
Sky
QVC
Lloyds Banking Group
General Motors Corporation
Tullett Prebon
Atcore Technology
Aviva
CIFAS
Premier Oil
HSBC
Rothschild
HSBC
Liverpool Victoria
Permanent TSB
Auto Trader
Public Health England
Selfridges
NBC Universal
Office of Civil Nuclear Security
UBM
Citigroup
SABMiller
Legal & General
Post Office
JD Sports
CERT-UK
Eurostar
Mayer Brown LLP
Swiss Re
UBS
Open University
The Bank of Tokyo - Mitsubishi UFJ
Dixons Carphone
Post Office
JustGiving
Bank of America Merrill Lynch
FIA Pakistan
Norgren
GE Capital
Unipart Group
Heathrow
Inmarsat
Modern Times Group
Ocado
Capital One

Industries

Logistics
Commodities
Banking
Industrial Engineering
Oil/Gas
Telecommunications
Banking
Banking
Banking
Media
Retail
Oil/Gas
Retail
National Law Enforcement
Banking
National Law Enforcement
Telecommunications
Publishing
Electronic/Electrical Equipment
Insurance
Central Government
Banking
Healthcare
National Law Enforcement
Travel/Leisure/Hospitality
Media
Banking
Aerospace/Defence
Media
Insurance
Banking
Casinos/Gaming
Banking
Mining/Metals
Banking
Retail
Electronic/Electrical Equipment
Banking
Food/Beverage/Tobacco
Banking
Insurance
Banking
Household/Personal Products
Retail
Retail
Retail
Legal
Media
Banking
Technology
Casinos/Gaming
Software
Retail
Media
Retail
Banking
Automobiles
Banking
Software
Insurance
Not-for-profit association
Oil/Gas
Banking
Banking
Banking
Insurance
Banking
Publishing
Central Government
Retail
Media
Central Government
Media
Banking
Food/Beverage/Tobacco
Insurance
Transportation/Shipping
Retail
National CERT
Transportation/Shipping
Legal
Insurance
Banking
Education
Banking
Retail
Transportation/Shipping
Charity
Banking
National Law Enforcement
Industrial Engineering
Financial Services
Logistics
Transportation/Shipping
Telecommunications
Media
Transportation/Shipping
Banking


Venue

Park Plaza Victoria, London

vpp

Location:
Park Plaza Victoria
239 Vauxhall Bridge Road, London, UK, SW1V 1EQ
Telephone: 0333 400 6140

Directions:
Please click here