Gaya M's Posts (81)


The discussion explores the potential impact of cybersecurity incidents, such as the SolarWinds case, on the insurance industry. There is speculation about whether insurers will adapt their offerings to meet the demand for specialized coverage, particularly for CISOs.


Here is the verbatim discussion:

Spot on there, absolutely spot on. So that kind of brings us back: when we talk about this D&O and E&O coverage, do you think this may perhaps change the insurance industry? Do you think the insurers are going to start offering something special, something unique for CISOs, because of this demand, because of this case, and they see an opportunity to expand their market? What are your guys' thoughts? Michael, I'll start with you; I think Jim will probably have to type his answer. I think it's absolutely possible. I mean, look at what happened with cyber insurance: there was not a market, and all of a sudden there's a huge market for cyber insurance. It's gonna be a tough one, because I don't think we have enough data to be able to... Michael, what would you say? I'm gonna say potentially also, because it depends. I'm going to say, and it's another way of saying potentially, but I'm going to say if even half of what's in the SEC complaint is true, I'm gonna say yes. If it isn't true or forthright, then I'm gonna say, ah, no. You know, absolutely. Thank you so much for this wonderful session, thank you to all the speakers for this beautiful session. I know we're over time and we were all really involved in the session, so thank you so much. I'm so sorry, Matthew, we couldn't see you on the... what happens with this case. As we see more and more of them, absolutely there'll be a market for it. I mean, anytime they can drum up a market, they're going to. I think Jim's still typing here. Oh, so he says the evolution of indemnification coverage originates from Delaware law based on three levels. But again, from a business perspective, I would say generally speaking, if insurance agencies and industry smell blood in the water and think that they can make a profit, I think they would probably explore that opportunity to increase their overall.


Highlights:

Potential Changes in Insurance Industry:

  • The participants speculate on the possibility of the insurance industry introducing specialized coverage for CISOs due to increasing demand and notable cybersecurity incidents like SolarWinds.
  • The analogy is drawn to the emergence of cyber insurance as a market in response to growing cyber threats.

Uncertainty and Need for Data:

  • While the potential for specialized coverage exists, there's a recognition that sufficient data on cybersecurity incidents and their financial impact is needed to inform insurance offerings effectively.
  • The participants acknowledge that the evolving nature of cybersecurity incidents and regulations may influence insurers' decisions.

Business Perspective:

  • The discussion also touches upon the business perspective, emphasizing that insurers may be motivated by the opportunity for profit and market expansion.


The session concludes with an acknowledgment of the evolving landscape of cybersecurity and insurance. While the potential for specialized coverage for CISOs exists, the actualization of such offerings may depend on factors like regulatory changes, market demand, and insurers' profitability considerations. Overall, the discussion highlights the importance of adapting insurance products to meet the evolving needs of organizations facing cybersecurity risks.


Speakers:

Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. He has a demonstrated track record of designing security controls using innovation and data science to align senior executives to deliver world-class security capabilities that drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/


Michael W. Reese has over 30 years' experience in Information Technology, serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development, as well as service and product management functions. He is a Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. He has assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento, and given expert witness testimony in hearings, depositions and at trial.


https://www.linkedin.com/in/michael-w-reese/


Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.


https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist


Pritha Aash manages parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and I'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling at Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups and communities to help make the world we live in a better place. I currently volunteer at WWF, Khan Academy and SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash


The discussion revolves around the responsibilities of CISOs and other senior officers regarding cybersecurity disclosures, the potential transition of accountability, and the feasibility of negotiated contract clauses for cybersecurity protections.


Here is the verbatim discussion:

Looking at that in play, and I'm sure your attorney would let you know that those five are great. I mean, that's what we need in order to move forward. Yeah, I would concur. The whole private attorney thing, I like it, and my advice to CISOs is it doesn't hurt asking. I mean, you're gonna have to be bold anyway; start being bold when you're negotiating for the position. You want to make sure it's covered. It doesn't hurt to ask, to float the idea, and depending on the organization you may want to push harder to make sure that you do have that. There are probably going to be some barriers on when you can bring in a private attorney, obviously; it's not going to be on every document and everything that you're doing for the company, but definitely on public disclosures. All right, so we're gonna open it up. I believe there are some questions here from the audience. What do we have out there? So the first one says: did SolarWinds and its CISO fail to disclose material cybersecurity risks to investors? All right, Jim, Michael, we talked about it, but what do you think? Potentially. Okay, I've got one "potentially." Michael, what would you say? I'm gonna say potentially also, because it depends. I'm going to say, and it's another way of saying potentially, but I'm going to say if even half of what's in the SEC complaint is true, I'm gonna say yes. If it isn't true or forthright, then I'm going to say, ah, no. We don't have the full picture. That's true. Okay, question here. So the second one: did SolarWinds and its CISO ignore repeated red flags about the company's cybersecurity vulnerabilities? And Jim, you started talking about this, especially when you talked about supply chain issues, and Michael, you talked about nation-state attackers. And I mean, ultimately the audience needs to know: there were 18,000 potential victims at the compromise of their primary product. Now, not all of them were victimized, but Jim, I'll start with you. Do you think, from a risk perspective, and this kind of gets away from the case of fraud, but just from a risk management perspective, did SolarWinds drop the ball here? No, I don't have information to support that premise at all. What I would say is that identity access management practice in software development in a cloud-first model across every single enterprise sucks. It's inadequate, insufficient, not enough, and that's every enterprise. And so every enterprise has to step up and deal with that challenge, and that's not necessarily unique to SolarWinds. Yeah, Michael, your thoughts? Yeah, we see that across the board. And I know Jim used the word DevOps; I'm getting away from DevOps, it's DevSecOps. You have to include security when you start building that product. You've got to understand what that flow of data is, so if something happens you're right there. So yeah, I think that's the first thing we need to do: make sure the SDLC, that software development life cycle, we know what's going on with there, and we're building a software platform that's going to work and it's going to be secure. But that starts at the beginning, that starts at the beginning of that DevSecOps. I totally agree with Jim. Yeah, I'm in line with you guys. The reality is, were there red flags? Yes, but that's our daily job; we're dealing with red flags every single day. And so I haven't seen all the data, I don't know what they knew when they knew it, and so I can't say that, yeah, there were obvious red flags that they should have jumped on. I think there were red flags, but okay, out of the million red flags that we deal with, how did we know that this combination was something so severe? At the point that the security firms came to them and said we can definitively show that your product is hacked, which is what happened in December, at that point they did respond to it. So I do like that fact, but I'm with you guys, you know, it's tough, especially when there's insufficient visibility, insufficient controls, and we do not have good security baked in as part of product development across the industry. It's not just SolarWinds, it's, well, unfortunately, it's everybody. This is just the state of maturity that we have. Another question came in here: what do you think about a negotiated contract clause that provides protections and rights to private defense? I think we talked about that a little bit. Is that something that should be negotiated when you're taking the job, do you think? Jim, you talk with a lot of CISOs here; do you think that's something that CISOs that are currently in the job, is that something that they can bring up with the CEO or the board to kind of implement retroactively? Is this something feasible, or is it just too sticky, as Michael indicated? Oh, can't hear you, Jim. I still can't hear Jim. Okay, then I'm gonna go to Michael on this one. I think you can negotiate anything, even if you're already in a CISO position. Either you're taking a new job as a CISO or you're already the CISO, the worst thing that can happen is they say no, so why not try to negotiate something? And again, it could be kind of strange, because they may say, hey, we want you to use this particular law firm, and if they're already using it, it could be a conflict. But why not give it a shot? I mean, you're going to go to the table and ask for things; you might as well. Yeah, the worst case they can say is no, right? And then you've got to make a decision whether you're comfortable with that or not. Jim typed in here and I'll read it for him: yes, you should discuss this if you are a current CISO; the probability of resolution is not high given the lack of leverage. Yeah, I think he's absolutely.


Highlights:

Transition of Responsibility:

  • There's a consideration for shifting cybersecurity disclosure responsibilities away from CISOs to other senior officers like the Chief Trust Officer, CIO, or CTO.
  • The importance of organizational structure in facilitating transparent and accountable cybersecurity practices is highlighted.

Negotiating Contract Clauses:

  • The feasibility and importance of negotiating contract clauses for cybersecurity protections, such as appointing personal attorneys, are discussed.
  • While there may be barriers and conflicts of interest, it's suggested that it doesn't hurt to ask during negotiations.

Discussion on SolarWinds Case:

  • The conversation touches on whether SolarWinds and its CISO ignored red flags regarding cybersecurity vulnerabilities.
  • It's acknowledged that while there were red flags, assessing their severity amidst numerous daily concerns is challenging.
  • The importance of integrating security into the software development lifecycle (SDLC) from the beginning is emphasized.


The conversation concludes with an agreement on the need for bold negotiation and proactive measures by CISOs to ensure cybersecurity protections. It underscores the complexity of cybersecurity governance and the importance of organizational structures and contractual provisions in fostering accountability and transparency.


The discussion addresses the shifting responsibilities within organizations regarding cybersecurity disclosures, particularly in the context of CISOs and their relationship with other senior officers. It explores the possibility of transitioning accountability for cybersecurity disclosures away from CISOs to other senior officers like the Chief Trust Officer, CIO, or CTO.


Here is the verbatim discussion:

To you, do you think that the responsibility for all this should transition away from the CISO? It almost sounds like, hey, you get pushed down to the kids' table, right, and one of the more senior officers, that Chief Trust Officer or that CIO or CTO or whomever it is, they should own the accountability and the final say for cybersecurity disclosures in those forms we talked about. What do you think, Michael? I think this could be a division in the road right here, because, and I gotta be careful how I say this, we've always said, look, if a CISO is reporting to a CIO it's a very gray line. It's almost like the fox guarding the henhouse. If you have an issue within your IT department where they're not disclosing something, and you as a CISO report to that CIO, and the CIO is not reporting it, then you... Another question came in here: what do you think about a negotiated contract clause that provides protections and rights to private defense? I think we talked about that a little bit. Is that something that should be negotiated when you're taking the job, do you think? Jim, you talk with a lot of CISOs here; do you think that's something that CISOs that are currently in the job, is that something that they can bring up with the CEO or the board to kind of implement retroactively? Is this something feasible, or is it... Yeah, it's a great point, great point. Michael, any thoughts on those five areas? Anything resonate with you? No, I agree. The only one I was going, wow, this could cause some issues, would be having your own attorney. But in this case, I believe if you go back and read some of the transcripts, they both have the same law firm, DLA Piper, so they're being represented by the same attorney at this point, which may be okay in this particular case. In the Uber case it would not have worked out to have the same attorney or the same law firm for both; it's definitely a conflict of interest. So you got.


Highlights:

Division of Responsibility:

  • There's a suggestion that CISOs may be pushed down to the "kids' table" in terms of cybersecurity accountability, with other senior officers taking on greater responsibility.
  • The idea is floated that senior officers like the Chief Trust Officer, CIO, or CTO should have final say and accountability for cybersecurity disclosures.

Implications for Organizational Structure:

  • Concerns arise when CISOs report to CIOs, potentially leading to conflicts of interest and challenges in disclosing cybersecurity issues.
  • The discussion touches on the importance of organizational structure in facilitating transparent and accountable cybersecurity practices.

Negotiating Contract Clauses:

  • Negotiating contract clauses to provide protections and rights to private defense, including the appointment of personal attorneys, is discussed.
  • While having individual attorneys may pose conflicts of interest, the choice of legal representation could vary based on specific circumstances.


The conversation concludes with agreement on the importance of clarifying and potentially redefining the responsibilities of senior officers regarding cybersecurity disclosures. The possibility of transitioning accountability away from CISOs is considered, with a focus on organizational structure and the need for clear contractual provisions to protect individual interests. Overall, the discussion underscores the ongoing evolution of cybersecurity governance and the importance of adaptability in organizational structures and practices.


The discussion centers on the inadequacies of identity access management (IAM) practices in software development within a cloud-first model across various enterprises. It highlights the necessity of incorporating security measures early in the software development life cycle (SDLC) to ensure robust and secure platforms.


Here is the verbatim discussion:

Support that premise at all. What I would say is that identity access management practice in software development in a cloud-first model across every single enterprise sucks. It's inadequate, insufficient, not enough, and that's every enterprise. And so every enterprise has to step up and deal with that challenge, and that's not necessarily unique to SolarWinds. Yeah, Michael, your thoughts? Yeah, we see that across the board. And I know Jim used the word DevOps; I'm getting away from DevOps, it's DevSecOps. You have to include security when you start building that product. You've got to understand what that flow of data is, so if something happens you're right there. So yeah, I think that's the first thing we need to do: make sure the SDLC, that software development life cycle, we know what's going on with there, and we're building a software platform that's going to work and it's going to be secure. But that starts at the beginning, it starts at the beginning of that DevSecOps. I totally agree with Jim. Yeah, I'm in line with you guys. Thank you so much to the speakers, extremely grateful and honored to have you in this discussion, and to all the audience: we were full today, there were people who weren't able to join us, so that is great. It was a very exciting session, and I think it was houseful till almost the end. And now we'll wrap and hope to see you all in another very interesting session, the next one, which we'll plan soon. Thank you so much, Jim, Michael, Matthew, extremely grateful for joining us today. Have a good morning.


Highlights:

IAM Challenges Across Enterprises:

  • Identity access management practices are found lacking in numerous enterprises, not just SolarWinds.
  • The consensus among the speakers is that IAM implementation is insufficient and needs improvement across the board.

Incorporating Security in SDLC:

  • The speakers advocate for a shift towards a DevSecOps approach, where security is integrated into the development process from the outset.
  • Understanding the flow of data and ensuring security measures are in place early on can mitigate risks and enhance platform security.

Collaborative Efforts for Improvement:

  • All speakers concur on the importance of prioritizing security in software development.
  • They emphasize the need for collective efforts across enterprises to address IAM challenges and improve security practices.


The discussion concludes with gratitude towards the speakers and the audience for their participation. It acknowledges the importance of the session in raising awareness about cybersecurity challenges and advocating for proactive measures to enhance platform security. The speakers' insights underscore the imperative for enterprises to prioritize security in their software development processes, emphasizing the adoption of a DevSecOps approach to mitigate risks effectively.


The conversation delves into the complexities of cybersecurity management, including the responsibilities of CISOs, the implications of security breaches, and potential changes in insurance coverage. It explores the challenges faced by CISOs in negotiating contract clauses and the evolving landscape of cybersecurity insurance.


Here is the verbatim discussion:

Especially when you talked about supply chain issues, and Michael, you talked about nation-state attackers. And I mean, ultimately the audience needs to know: there were 18,000 potential victims at the compromise of their primary product. Now, not all of them were victimized, but Jim, I'll start with you. Do you think, from a risk perspective, and this kind of gets away from the case of fraud, but just from a risk management perspective, did SolarWinds drop the ball here? No, I don't have information to support that premise at all. What I would say is that identity access management practice in software development in a cloud-first model across every single enterprise sucks. It's inadequate, insufficient, not enough, and that's every enterprise. And so every enterprise has to step up and deal with that challenge, and that's not necessarily unique to SolarWinds. Yeah, Michael, your thoughts? Yeah, we see that across the board. And I know Jim used the word DevOps; I'm getting away from DevOps, it's DevSecOps. You have to include security when you start building that product. You've got to understand what that flow of data is, so if something happens you're right there. So yeah, I think that's the first thing we need to do: make sure the SDLC, that software development life cycle, we know what's going on with there, and we're building a software platform that's going to work and it's going to be secure. But that starts at the beginning, that starts at the beginning of that DevSecOps. I totally agree with Jim. Yeah, I'm in line with you guys. The reality is, were there red flags? Yes, but that's our daily job; we're dealing with red flags every single day. And so I haven't seen all the data, I don't know what they knew when they knew it, and so I can't say that, yeah, there were obvious red flags that they should have jumped on. I think there were red flags, but okay, out of the million red flags that we deal with, how did we know that this combination was something so severe? At the point that the security firms came to them and said we can definitively show that your product is hacked, which is what happened in December, at that point they did respond to it. So I do like that fact, but I'm with you guys, you know, it's tough, especially when there's insufficient visibility, insufficient controls, and we do not have good security baked in as part of product development across the industry. It's not just SolarWinds, it's, well, unfortunately, it's everybody. This is just the state of maturity that we have. Another question came in here: what do you think about a negotiated contract clause that provides protections and rights to private defense? I think we talked about that a little bit. Is that something that should be negotiated when you're taking the job, do you think? Jim, you talk with a lot of CISOs here; do you think that's something that CISOs that are currently in the job, is that something that they can bring up with the CEO or the board to kind of implement retroactively? Is this something feasible, or is it just too sticky, as Michael indicated? Oh, can't hear you, Jim. I still can't hear Jim. Okay, then I'm gonna go to Michael on this. I think you can negotiate anything, even if you're already in a CISO position. Either you're taking a new job as a CISO or you're already the CISO, the worst thing that can happen is they say no, so why not try to negotiate something? And again, it could be kind of strange, because they may say, hey, we want you to use this particular law firm, and if they're already using it, it could be a conflict. But why not give it a shot? I mean, you're going to go to the table and ask for things; you might as well. Yeah, the worst case they can say is no, right? And then you've got to make a decision whether you're comfortable with that or not. Jim typed in here and I'll read it for him: yes, you should discuss this if you are a current CISO; the probability of resolution is not high given the lack of leverage. Yeah, I think he's absolutely spot on there, absolutely spot on. So that kind of brings us back: when we talk about this D&O and E&O coverage, do you think this may perhaps change the insurance industry? Do you think the insurers are going to start offering something special, something unique for CISOs, because of this demand, because of this case, and they see an opportunity to expand their market? What are your guys' thoughts? Michael, I'll start with you; I think Jim will probably have to type his answer. I think it's absolutely possible. I mean, look at what happened with cyber insurance: there was not a market, and all of a sudden there's a huge market for cyber insurance. It's going to be a tough one, because I don't think we have enough data to be able to support that right now. As we see, depending on what happens with this case, as we see more and more of them, absolutely there'll be a market for it. I mean, anytime they can drum up a market, they're going to. I think Jim's still typing here. Oh, so he says the evolution of indemnification coverage originates from Delaware law based on three levels. But again, from a business perspective, I would say generally speaking, if insurance agencies and industry smell blood in the water and think that they can make a profit, I think they would probably explore that opportunity to increase their overall.

 

Highlights:

Risk Management Perspective:

  • While there were red flags, determining the severity of the breach amidst countless daily security concerns is challenging.
  • SolarWinds may not have "dropped the ball" but rather struggled with insufficient visibility and controls, a common issue across the industry.

Impact on Industry Maturity:

  • The incident highlights the need for improved security practices in product development across the industry, moving away from traditional DevOps to DevSecOps.

Negotiating Contract Clauses:

  • Negotiating protections and rights for CISOs, particularly in terms of indemnification, is feasible and advisable, whether when taking a new job or already in the position.
  • While there may be challenges, such negotiations can strengthen CISOs' personal legal protection and provide peace of mind.

Changes in Insurance Coverage:

  • The SolarWinds case could prompt changes in the insurance industry, leading to the development of specialized coverage for CISOs.
  • Insurers may see an opportunity to expand their market and meet the growing demand for coverage tailored to cybersecurity leadership roles.

Balancing Risk and Market Dynamics:

  • The evolution of indemnification coverage, influenced by Delaware law, underscores the need for both legal and business considerations in negotiating insurance contracts.
  • Insurance agencies may capitalize on perceived market opportunities, driven by heightened awareness of cybersecurity risks and the need for adequate coverage.

The conversation highlights the multifaceted nature of cybersecurity management, encompassing risk assessment, contract negotiations, and insurance coverage. CISOs face challenges in navigating these complexities but can leverage negotiation strategies and industry trends to enhance their security posture and protect their interests. The SolarWinds incident serves as a catalyst for reflection and action, driving improvements in cybersecurity practices and insurance offerings.

Speakers:

Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. He has a demonstrated track record of designing security controls using innovation and data science to align senior executives to deliver world-class security capabilities that drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

Michael W. Reese has over 30 years' experience in Information Technology, serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development, as well as service and product management functions. He is a Cybersecurity Specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. He has assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento, and given expert witness testimony in hearings, depositions and at trial.

https://www.linkedin.com/in/michael-w-reese/

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

Pritha Aash manages parts of content strategy and marketing in a startup called FireCompass. The team has built things for the first time in the world and I'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling at Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups and communities to help the world we live in be a better place. I currently volunteer at WWF, Khan Academy, and SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

The discussion explores the complex dynamics between regulatory actions, cybersecurity practices, and the responsibilities of CISOs. It delves into the consequences of regulatory overreach on the industry and contrasts differing viewpoints on the role of the SEC in fostering or hindering collaboration and resilience in cybersecurity.

Here is the verbatim discussion:

No, no, I don't think there's a wider net of culpability. In fact, I think it's probably more narrow. I think they've overextended a bit in their reach and their enforcement action, and as I said, I think there's a consequence of doing damage to the entire industry in reducing the incentive to share information early and share sensitive information with the regulators overall, and I think that's actually not helping resilience across enterprises, it's hurting resilience across enterprises. So I think any regulatory agency has to balance a relationship with the private sector, recognizing that the majority of critical infrastructure resides in the private sector, and achieving a level of resilience that is necessary means cooperation and collaboration, and this doesn't foster collaboration or cooperation, it actually constrains it going forward, and that's not a healthy indication for the industry as a whole. Well, let me take an opposing view on that, because the SEC's mission, what we pay our tax dollars for the SEC to accomplish, is not to foster se... there has to be an intentional deceit on behalf of you in your capacity. So okay, so then second question, same scenario: if you were a shareholder of SolarWinds at the time, would you want to know as part of that disclosure, because you have a right to be informed, would you want to know that the management of your investment has known about attacks.

Highlights:

Regulatory Overreach and Its Consequences:

  • The argument is made that the regulatory reach in the SolarWinds case may have been overextended, potentially harming the industry by reducing the incentive for early and transparent information sharing.
  • Overzealous enforcement can damage resilience across enterprises by discouraging cooperation and collaboration between the private sector and regulatory agencies.

Balancing Regulation and Cooperation:

  • Effective regulation should balance enforcement with fostering a cooperative relationship with the private sector, which holds the majority of critical infrastructure.
  • The aim should be to enhance resilience through collaboration, rather than creating an environment of fear and reluctance to share critical information.

Opposing View on Regulatory Role:

  • An opposing view highlights that the SEC’s primary mission is to protect investors and ensure fair and efficient markets, not necessarily to foster the cybersecurity industry.
  • The SEC is tasked with enforcing regulations that ensure transparency and accountability, even if it means taking strict actions against companies and individuals who fail to disclose significant security breaches.

Shareholder Rights and Expectations:

  • Shareholders have a right to be informed about significant security incidents affecting their investments.
  • Timely and accurate disclosure of security breaches is crucial for maintaining investor trust and ensuring informed decision-making.

The conversation underscores the need for a balanced approach to cybersecurity regulation, one that promotes both accountability and collaboration. While regulatory agencies like the SEC have a duty to protect investors and enforce transparency, overly aggressive actions can undermine industry resilience and cooperation. CISOs and companies must navigate these dynamics carefully, ensuring that they meet regulatory requirements while fostering an environment of trust and collaboration to enhance overall cybersecurity resilience.

The discussion examines the multifaceted perspectives surrounding cybersecurity disclosures, focusing on the responsibilities of CISOs, expectations of shareholders, and the rights of customers. The conversation also explores how CISOs should adapt in light of recent high-profile security breaches, like the SolarWinds incident.

Here is the verbatim discussion:

It's because I'm approaching this from different perspectives: the CISO perspective, the shareholder perspective. If you were actually a customer, right, you had SolarWinds products installed in your system, can we collectively agree that we would also want to be informed by our vendor that yes, not only were they hacked, but they knew of this situation and there were other customers going back six months? You know, as a customer of theirs, I assume we would want to know that information, and if that has to be revealed in an 8-K, so be it. But is there any disagreement that as a customer they were probably expecting to be informed prior, or at least with complete information here, right? It sounds like this is a precedent; it sounds like a message is being sent, whether it's direct or indirect, and it's going to be concerning to see. We've already seen that, and it's probably going to shape future CISOs. So my question, and Michael, I want to start with you here: how should CISOs today adapt? And again, the case isn't decided, there is no conviction, innocent till proven guilty, but from the perspective of what we're seeing in the news and what we're all discussing as a community, how should CISOs start to adapt? Your thoughts? Yeah, it's a game changer, it really is, and we can say oh no, we kind of saw some of this happening, and the CISOs, you know, they want a seat at the table, we're going to give them that. It changes the direction of what a CISO is going to be responsible for, and I think Jim had a great point: he's working right now with a company, they look at Verso, you had two.

Highlights:

Customer Expectations:

  • Customers expect to be informed if their vendor, like SolarWinds, experiences a security breach. They want to know the extent of the breach and any previous incidents, especially if these have been known for months.
  • Full disclosure is essential for customers to assess the risks and take necessary actions to protect their own systems.

Precedent and Future Implications:

  • The handling of the SolarWinds case sets a precedent for future cybersecurity disclosures. It sends a message to the industry about the importance of transparency and accountability.
  • This precedent will likely influence how CISOs and companies handle similar situations moving forward.

Adapting CISO Responsibilities:

  • CISOs must adapt to the increasing expectations for transparency and accountability. They need to ensure that their companies are proactive in disclosing security incidents to customers and shareholders.
  • The role of the CISO is becoming more integral to corporate governance, requiring a seat at the executive table to influence decision-making and resource allocation for cybersecurity.

Case Study: SolarWinds Breach:

  • The SolarWinds incident highlights the need for CISOs to be prepared for legal and ethical scrutiny. They must document and communicate security issues promptly and accurately.
  • CISOs must work closely with legal, executive leadership, and communication teams to ensure coherent and comprehensive disclosure strategies.

The conversation emphasizes the critical need for CISOs to adapt to the evolving landscape of cybersecurity expectations. Customers and shareholders demand transparency and timely information about security breaches. The SolarWinds case serves as a significant precedent, underscoring the importance of ethical behavior, clear communication, and proactive measures in cybersecurity management. CISOs must be prepared to meet these challenges and take on a more prominent role in their organizations to ensure trust and integrity.

The discussion focuses on the ethical and practical considerations for CISOs when disclosing cybersecurity incidents. The conversation examines the role of intent, the responsibilities of corporate leadership, and the expectations of shareholders in the context of significant security breaches like the SolarWinds incident.

Here is the verbatim discussion:

Answer, I'm fine with that, but my first question, and Michael, I'll start off with you: if you were the CISO in that situation, right, would you fill out the 8-K SEC form and choose to omit that important information to the shareholders, the fact that you had seen this attack on other customers going back six months? Would you omit that? I would not omit that, and I think one of the other problems with that is, if you read on this, the 15th item, it's admitted that he knew it was omitted and made a comment to somebody else, "well, I just lied," in quotes. That doesn't help the case, and I get that's where, when Jim was talking about intent, right, if you're going to be the bad guy there has to be intent to what you're doing. This is where I look at, hey, there could be some intent right here if you just take it at face value. Again, I haven't seen the other side; you're seeing one side of the story, and we don't know if all of that's... Jim? Yeah, what I would want as a shareholder is for the company, that's in this case a software company, to recognize that software supply chain poisoning, which is the net effect and impact on enterprises, is probably the number one risk to the enterprise from a cybersecurity standpoint, and therefore the right attention, right level of resource allocation and right level of practice needs to be put in place as part of a response to ultimately the first indication of an incident or a breach. And so what I would want to see from a shareholder perspective is actually the response to the event and what lessons learned are being applied to improvement in practice going forward to reduce the probability of similar events in the future, simply because software supply chain poisoning is absolutely critical to any software company, and certainly SolarWinds, that sells a lot of frontline protective capabilities from a network perspective to their customers. Their customers deserve
to know what the response was and what the proactive steps to reduce the probability of that happening in the future are, and that's actually more important than the actual incident information: it is to know what the response is, and that's reasonable I think from an investor standpoint as well as a customer's.

Highlights:

Ethical Disclosure:

  • The CISO should not omit critical information when filing a Form 8-K disclosure with the SEC. Transparency is crucial, especially when prior attacks on other customers have been identified.
  • Intentionally omitting information or lying can imply intent, complicating the situation legally and ethically.

Shareholder Expectations:

  • Shareholders expect the company to be transparent about security incidents and the steps taken in response.
  • The focus should be on the company's response, resource allocation, and the implementation of practices to prevent future incidents.

Case Study: SolarWinds Breach:

  • The SolarWinds incident underscores the critical nature of software supply chain security.
  • Shareholders and customers deserve to know how the company responds to breaches and what measures are in place to reduce future risks.

Intent and Accountability:

  • The admission of intentional omission or lying, as suggested in the case, highlights the importance of intent in legal and ethical considerations.
  • The CISO and other executives must collaborate to ensure accurate and timely disclosures.

The conversation emphasizes the importance of ethical behavior and transparency for CISOs when handling cybersecurity incidents. Shareholders and customers expect not only to be informed about breaches but also to understand the company's response and proactive measures. The SolarWinds breach serves as a reminder of the significance of software supply chain security and the need for robust incident response protocols.

The discussion centers on the evolving role of CISOs in the wake of significant cybersecurity incidents, such as the SolarWinds breach. The conversation explores the responsibilities of CISOs, the interaction between different departments, and the need for clear protocols and accountability in security disclosures.

Here is the verbatim discussion:

Yeah, and I've had some interesting conversations with the industry, with a number of recommendations, and let me list off five here, and tell me if you guys agree or if there's a particular one that you guys think is more valuable, or maybe one you think should be off the list. Number one is to clearly document the roles and responsibilities of that CISO, right? Are they going to have final say? Do they actually have to sign off on it? After legal reviews it and gives a thumbs up, does any minor change have to go back to the CISO to get approval for these types of disclosures? That'd be one, the clear documentation of roles and responsibilities. The second, if you're going and getting a job as a CISO, you really should have D&O... pointing out is somewhat reasonable. The content for any kind of security disclosure publicly should come from the experts, and the experts are in the cybersecurity organization, and the cybersecurity leader represents that. So no, I have no qualms about that, and I think most CISOs would say hey, I'm willing to step up to that responsibility, and that's part of the pr package here and that's the way it should be, so I accept that as kind of one of the responsibilities. But I just want to point out that it takes two to tango; in other words, the CISO has to convince the legal department on both what information to share and when to share that information, and I don't think that's necessarily a bad thing. I think that there's some give and take that is probably helpful in protecting the enterprise, but ultimately, in terms of the technical content of the disclosure, it really does fall upon the CISO, and I think most CISOs are willing and ready to accept the accountability for that. Yeah, and just to add on to your point, I think it's not only legal; I think the CEO has probably more culpability than legal or any other executive other
than the CISO in this. The CISO provides the information and can make very informed statements and call out things that are not factual, but at the end of the day I think the CEO has certain responsibility, being at the top of that pyramid, to also make sure that everything that's being said is meeting with their fiduciary duties, is accurate, and the company is being forthright to their investors, or in this case also prospective investors. And we're not necessarily seeing this, right? The case is pointed at SolarWinds the company and then specifically calling out the CISO. So maybe they're a document, so if people want to go look at that, right, the SEC claims, and again these are claims, they haven't proven it yet, but the SEC claims that the CISO knew of attacks against three different customers: one in May 2020, one in October 2020 and the other in December 2020. Now after the last attack, the one in December, they then decided to file a Form 8-K disclosure to the SEC. This is the form that basically says something bad has happened, something material here, we need to inform the investors because this can impact them, right? But they failed to disclose that the vulnerability at issue had been exploited over the previous six months and impacted two other customers much.

Highlights:

Documenting Roles and Responsibilities:

  • Clearly outline the roles and responsibilities of the CISO.
  • Determine if the CISO has the final say and approval on security disclosures, including any minor changes after legal review.

D&O Insurance for CISOs:

  • CISOs should ensure they have Directors and Officers (D&O) insurance as part of their employment package, given the potential liabilities they face.

Responsibility for Security Disclosures:

  • The content for security disclosures should come from the cybersecurity organization, with the CISO being the primary representative.
  • CISOs are generally willing to accept this responsibility, acknowledging it as part of their role.

Collaboration with Legal and CEO:

  • The CISO must work with the legal department to determine what information to disclose and when.
  • There is a necessary balance between the CISO and legal to protect the enterprise.
  • The CEO also has significant responsibility in ensuring the accuracy and forthrightness of disclosures, fulfilling their fiduciary duties to investors.

Case Study: SolarWinds Breach:

  • The SEC claims the SolarWinds CISO knew of attacks in May, October, and December 2020 but failed to disclose them promptly.
  • The Form 8-K disclosure was filed only after the December attack, without mentioning the earlier breaches.
  • This raises issues of transparency and timely disclosure to investors.

The conversation highlights the critical need for clear documentation of CISO responsibilities and collaboration between the CISO, legal, and executive leadership in managing security disclosures. The SolarWinds case serves as a stark reminder of the importance of timely and accurate communication of cybersecurity incidents to protect investors and maintain corporate integrity.

The conversation revolves around the challenges and necessary changes in cybersecurity practices, particularly in light of recent incidents like the SolarWinds breach. The speakers discuss how CISOs (Chief Information Security Officers) need to adapt to evolving threats and the importance of transparency and proactive measures in cybersecurity management.

Here is the verbatim discussion:

It happens, but if you've got that documentation to show, hey, yes, you were acting in good faith, you know, it's kind of tough for somebody to get convicted for fraud when they can show that. So Jim, you know, how do we change? What should we be thinking about? What's your advice to CISOs as we look forward, even not knowing the resolution of this case? Yeah, I think there's actually three levels of fundamental change that we are seeing and will continue to see going forward from a CISO perspective. The first is that identity access management capability embedded in a DevOps process, in a software pipeline, is really weak from a practice perspective in the industry today, and there's a whole bunch of drivers and reasons for that, but, you know, essentially cloud-first software development is fundamentally different than on-prem software development, and as cybersecurity practitioners we have to understand the differences. CISOs today adapt, and again, the case isn't decided, there is no conviction, innocent till proven guilty, but from the perspective of what we're seeing in the news and what we're all discussing as a community, how should CISOs start to adapt? Your thoughts? Yeah, it's a game changer, it really is. And we can say, oh no, we kind of saw some of this happening, and the CISOs, you know, they want to see at the table, we're going to give them that. It changes the direction of what a CISO is going to be responsible for, and I... there has to be an intentional deceit on behalf of you in your capacity. So okay, so then second question, same scenario: if you were a shareholder, right, of SolarWinds at the time, would you want to know, as part of that disclosure, because you have a right to be informed, would you want to know that the management of your investment has known about active attacks for six months in their primary product? Jim? Yeah, what I would want as a shareholder is for the company, that's in this case a software company, to recognize that software supply chain poisoning, which is the net effect and impact on enterprises, is probably the number one risk to the enterprise from a cybersecurity standpoint, and therefore the right attention, right level of resource allocation and right level of practice needs to be put in place as part of a response.

Highlights:

Documentation and Good Faith:

  • It's challenging to convict someone of fraud if they can demonstrate they acted in good faith. Proper documentation can be a crucial defense.

Impact of SolarWinds Breach:

  • The SolarWinds incident is a significant game-changer, highlighting the need for CISOs to have a prominent role in organizational strategy and decision-making.
  • There needs to be intentional effort and transparency regarding cybersecurity threats and responses.

Shareholder Expectations:

  • Shareholders would want to be informed about significant cybersecurity incidents, such as active attacks on key products.
  • They expect the company to recognize and address software supply chain risks, which are now considered one of the top threats to enterprises.

The conversation underscores the necessity for CISOs to adapt to the changing cybersecurity landscape, emphasizing the need for robust identity access management, transparency with shareholders, and proactive resource allocation to mitigate risks. The SolarWinds breach serves as a catalyst for these changes, pushing for an elevated and strategic role for CISOs in safeguarding enterprise security.

Speakers:

Jim Routh, Michael W. Reese and Matthew Rosenquist (bios and profile links as given above).

Welcome to today's webinar on the CESA platform. We are exploring the critical and contentious legal implications of the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This case has ignited significant debate within the cybersecurity community, splitting professionals into opposing camps. Our expert speakers, Matthew Rosenquist, Jim Routh, and Michael Reese, will provide insights into the complexities of this case and its broader impact on the industry.

Here is the verbatim discussion:

Well, there's two dimensions of the fundamental... this is simplistic, but there's two dimensions to the SEC complaint. One is the timing of the notification and the second is the content of the notification, and you can take it in either order, but those are essentially the two things. The thing to remember: I was a CISO in six large public companies, and every single one of them had a policy that at any time information going to a regulator had to be funneled through the legal department, so the general counsel was essentially accountable, responsible for all filings on any kind of regulatory basis, and any security incident, in terms of notifying the regulator, it had to go through legal. It was actually controlled by the general counsel's office in every... Question, though, or clarification on that, because you said something that kind of raised the hair on the back of my neck here. You said it goes through legal and they're responsible. Now every lawyer, corporate lawyer, I've talked to has said no, we advise, we don't take responsibility, the content is still yours, you're still making the declaration, we will advise you but we don't own it. Are you saying for the companies you worked for the attorneys were the responsible parties, or were they simply a pass-through to advise and maybe, you know, make recommendations prior to it being released? What I'm saying is that the corporate policies clearly defined the responsibility for when to offer information to a regulator and to vet that information that goes to a regulator, so the legal departments controlled the process and were accountable. Now look, were accountable for the process, not necessarily for the content. So they weren't the ones signing off on the accuracy and legitimacy of the content, they were overseeing process, getting it from the company to the regulator? Correct. They're also determining when to share information with the regulator, like the notification. So a CISO independently can't say I'm going to notify law enforcement, I'm going to notify a regulator of a particular security incident. That is not in the... that's, you know, at least in my experience, that's not what the CISO is accountable for. The CISO is accountable for bringing that information to the legal organization, and there were very frequent times where I as a CISO said I think we need to tell a regulator, and this is what I think we need to tell them, but that was always vetted and edited by the legal department. The legal department handled the actual notification. My point is that the CISO is the one, in both the Joe Sullivan case, Uber case, and the SEC actions against Tim Brown, the CISO is the one that's bearing the accountability for when to notify the regulator and what content of information to provide, and that is inconsistent with corporate policy, where it clearly states that no one in the company, CISO or anybody else, can notify regulators of security incidents without going through the process that's controlled by the legal department. So but then that's a policy issue then, right? It is a corporate... So what this action is enforcing is in a direct contradiction to corporate policies in most major companies. So then what takes precedence in your mind? Do the federal SEC guidelines take precedence and say hey, you should craft your policy to be in alignment with it, or does the policy of independent companies take precedence and say oh no, follow the policy, ignore, even if it's in conflict with the SEC federal requirement? My point is that the SEC action for enforcement against SolarWinds is inconsistent with the majority of corporate policies today in the notification of a regulator and law.

Highlights:

Dimensions of the SEC Complaint:

  • The SEC's complaint against SolarWinds involves two fundamental dimensions: the timing of the notification and the content of the notification. These aspects are central to the SEC's charges and form the crux of the legal debate.

Role of Legal Departments:

  • In many large public companies, corporate policies dictate that any information going to a regulator must be channeled through the legal department. The general counsel's office is responsible for overseeing this process, although they do not necessarily take responsibility for the content's accuracy.
  • The legal department controls the process of regulatory filings and notifications, ensuring they meet legal standards and company policies.

CISO Accountability and Legal Coordination:

  • The CISO's role involves identifying and reporting security incidents, but the actual notification to regulators is managed by the legal department. This distinction is crucial in understanding the accountability and procedural flow within organizations.
  • Despite this, the SEC's actions against Timothy Brown highlight a disconnect, where CISOs are held accountable for decisions typically controlled by legal departments.

Policy vs. Federal Guidelines:

  • There is a tension between corporate policies and federal guidelines. Corporate policies often require that notifications to regulators go through legal channels, whereas federal guidelines, such as those from the SEC, emphasize timely and accurate disclosure.
  • This discrepancy raises questions about which standards take precedence and how companies should align their policies with federal requirements to avoid conflicts.

Industry Implications and Precedents:

  • The enforcement actions set a precedent that could significantly impact the cybersecurity industry, influencing how companies manage and report security incidents.
  • There is concern that such actions could deter skilled professionals from pursuing CISO roles due to increased personal risk and accountability.

The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, underscores the evolving complexities of cybersecurity accountability. The case highlights the crucial role of CISOs in managing security incidents and the challenges they face in navigating corporate policies versus federal requirements. This case will likely have lasting implications for the industry, influencing how organizations structure their policies and manage regulatory disclosures.

As we move forward, it is essential for companies to ensure that their policies are aligned with federal guidelines to avoid conflicts and ensure transparency. Balancing accountability with fair and supportive measures for cybersecurity leaders is crucial to maintaining a robust defense against evolving threats. This case serves as a pivotal moment, emphasizing the need for clear, consistent practices that protect both the organization and its cybersecurity leaders.

Speakers:

Jim Routh, Michael W. Reese and Matthew Rosenquist (bios and profile links as given above).

Welcome to today's webinar on the CESA platform. We're exploring the legal and professional implications of the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This discussion has ignited significant debate within the cybersecurity community, splitting professionals into opposing camps. Our expert speakers, Matthew Rosenquist, Jim Routh, and Michael Reese, will provide insights into the complexities of this case and its broader impact on the industry.

Here is the verbatim discussion:

Question, though, or clarification on that, because you said something that kind of raised the hair on the back of my neck here. You said it goes through legal and they're responsible. Now every lawyer, corporate lawyer, I've talked to has said no, we advise, we don't take responsibility, the content is still yours, you're still making the declaration, we will advise you but we don't own it. Are you saying for the companies you worked for the attorneys were the responsible parties, or were they simply a pass-through to advise and maybe, you know, make recommendations prior to it being released? What I'm saying is that the corporate policies clearly defined the responsibility for when to offer information to a regulator and to vet that information that goes to a regulator, so the legal departments control the process and were accountable. Now look, they were accountable for the process, not necessarily for the content. So they weren't the ones signing off on the accuracy and legitimacy of the content, they were overseeing process, getting it from the company to the regulator? Correct. They're also determining when to share information with the regulator, like the notification. So a CISO independently can't say I'm going to notify law enforcement, I'm going to notify a regulator of a particular security incident. That is not in the... that's, you know, at least in my experience, that's not what the CISO is accountable for. The CISO is accountable for bringing that information to the legal organization, and there were very frequent times where I as a CISO said I think we need to tell a regulator, and this is what I think we need to tell them, but that was always vetted and edited by the legal department. The legal department... The SEC, for those who don't know, is an independent federal administrative agency with the mission of protecting investors and their rights, and that includes making sure there is not unfair market manipulation. This is part of their role and mission, and we're going to be talking about the complaint that the SEC has published. Now the full 68-page complaint is available on their website and it provides details on all the different claims... especially going to be a new precedent. You know, Jim mentioned the whole Uber case with Joe Sullivan. That was a fact that they said hey, we're going to hit you with a three-year probation, and their statement that was made is we're going to go after and we're going to do harsher penalties in the future. And so I think this is a chance for the SEC to step up and say now we're going to implement those harsher punishments, and we're really going after SolarWinds and Timothy Brown on this. I think we need to be careful and not just, what I'm going to call, check the boxes when we're doing our security questionnaires, that SIG that we always have to fill out. Everybody just kind of goes through the motions and says yeah, we're doing this, we're doing this. If you start looking at what the SEC filing is, it really looks like, hey, people were just checking boxes and saying hey, we're doing this, and they're really not doing it. So we're going to have to start really walking the walk and, you know, saying what we're doing and showing that we're really doing it, and it's no longer just a verbal yeah, we did that, we checked the box. It's more than that. It's really coming down to that GRC, governance, risk and compliance, questionnaire and being really truthful about it, because you're going to be liable. And it's nothing new, it's just, you know, this one kind of went a little wild and the SEC is trying to make an example out of him, and I think we're going to have to be careful, because it could go either way, and it could really hurt us as CISOs, or it can give us a better foothold and really be able to go and say we need these extra tools, we need this extra money, and really get it.

Highlights:

Community Division:

  • The SEC's actions have polarized the cybersecurity community. One group views these actions as unfairly targeting CISOs, making their challenging roles even more difficult. The other believes accountability should be enforced when individuals fail in their duties.
  • The debate has intensified, indicating the significance of this case in shaping industry norms and expectations.

Precedent and Industry Impact:

  • This case is seen as a landmark that will influence the cybersecurity industry regardless of the outcome. It could drive significant changes in behavior and practices, potentially leading to both positive and negative outcomes.
  • The industry hopes for a maturation in practices, though it may also necessitate new tools or behavioral changes among CISOs.

Legal Obligations and Charges:

  • The SEC's charges involve alleged failures in disclosure, a critical component of corporate transparency and investor trust.
  • Public companies are required to file specific forms (S-1, S-8, 8-K) quarterly, especially when seeking funding or after a material incident. These forms are essential for providing investors with accurate information to make informed decisions.

Disclosure Requirements and Process:

  • Accurate and truthful disclosure on SEC forms is crucial. The legal departments are responsible for overseeing the process of sharing information with regulators, ensuring that disclosures meet all legal requirements.
  • CISOs are accountable for bringing relevant information to the legal team, who then decide how and when to disclose it to regulators.

Industry Backlash and Concerns:

  • There is concern within the cybersecurity community about personal liability and the potential for harsh penalties against individual CISOs. This could deter skilled professionals from pursuing or remaining in these roles due to increased personal risk.
  • The case has highlighted the need for clear and fair regulatory standards to support CISOs while maintaining transparency and compliance.

The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, has brought to light the intense scrutiny and significant responsibilities faced by cybersecurity leaders. This case will likely leave a lasting impact on the cybersecurity industry, influencing future practices and the allocation of responsibilities within organizations.

As the industry moves forward, it is essential to balance accountability with fair and supportive measures for cybersecurity leaders. Ensuring adequate legal protections for CISOs will help maintain a strong and effective leadership framework in cybersecurity, enabling organizations to better defend against evolving threats. This case serves as a pivotal moment, underscoring the need for robust and transparent practices that protect both the organization and its cybersecurity leaders.

Speakers:

Jim Routh and Michael W. Reese (bios and profile links as given above).

Welcome to today's webinar on the CESA platform. We're discussing the significant legal and professional implications arising from the SEC's enforcement action against SolarWinds and its CISO, Timothy Brown. This topic has sparked intense debate within the cybersecurity community, polarizing professionals into two camps. Our esteemed speakers, Matthew Rosenquist, Jim Routh, and Michael Reese, bring their expertise to help us navigate this complex issue.

Here is the verbatim discussion:

And we have to ask ourselves, so why are we discussing this case? And the answer is this topic has created a number of heated discussions in the hallways of CISOs across the country and globe, bifurcating the cybersecurity professional community into two opposing groups, or camps if you will, and this is, for this year, this has been one of the most passionate topics people have just dove into, with one side declaring SEC actions to be an affront to the role of CISOs, essentially unfairly targeting them as scapegoats and making their already difficult job unnecessarily more problematic, and the other side tends to be stating that this is a matter where individuals broke something... So I think this, as a precedent type of case, I think it will change our industry one way or another, regardless of whether someone's convicted or not. I think it will change the behaviors in our industry, hopefully matured in a good, healthy way, and it may require tools, it may just require kind of behavioral changes on the CISO part, but I think it will leave an indelible mark on our community. So, you know, one of the things I want to talk about here is, you know, what are the charges, right? What is actually being stated in there? Because different people throw different things around there. So, you know, the SEC requires that public companies, on a quarterly basis, when they're seeking funding, and when a material incident occurs, that they're required to file very specific SEC forms, S-1, S-8, 8-K, and these formally attest to certain aspects that investors or prospective investors, they need that information and they have a right to this information, but they need that information to decide if they want to put their money into the company or keep it in the company. And this is about disclosure, and it enables investors to make informed decisions, and generally speaking, right, if you tell the truth on these forms you're fine, nobody's going to come slap you on the hand if you're telling the truth, regardless.

Highlights:

Community Division:

  • The SEC's actions have split the cybersecurity community. One side views the actions as an unjust scapegoating of CISOs, making their challenging roles even harder. The other side believes that individuals who fail in their duties should be held accountable, regardless of their position.

Precedent and Industry Impact:

  • This case is seen as a landmark that will influence the cybersecurity industry significantly, irrespective of the final verdict. It has the potential to change behaviors, possibly leading to both positive and negative outcomes for the industry.
  • There is hope that it will lead to a maturation in practices, though it may also necessitate new tools or behavioral changes among CISOs.

Legal Obligations and Charges:

  • The SEC's case hinges on the requirement for public companies to file specific forms (S-1, S-8, 8-K) quarterly, especially when seeking funding or after a material incident. These forms are crucial for investor information and decision-making.
  • The core of the charges involves alleged failures in disclosure, which is a critical component of corporate transparency and investor trust.

Disclosure Requirements:

  • Accurate and truthful disclosure on these forms is essential. The SEC’s enforcement action underscores the importance of providing complete and honest information to enable investors to make informed decisions.
  • The case exemplifies the severe consequences of failing to meet these obligations, highlighting the critical role of transparency in corporate governance.

The SEC's enforcement action against SolarWinds and its CISO, Timothy Brown, has brought to the forefront the intense scrutiny and significant responsibilities faced by cybersecurity leaders. This case, whether resulting in a conviction or not, will leave a lasting impact on the cybersecurity industry. It serves as a pivotal moment that could either strengthen the role of CISOs through improved practices and support or deter talented professionals from taking on these critical roles due to increased personal risk.

As we move forward, it is essential for the industry to balance accountability with fair and supportive measures for cybersecurity leaders. This will ensure that while transparency and compliance are upheld, the vital role of CISOs is protected and empowered to continue defending against ever-evolving cyber threats.

Speakers:

Jim Routh, Michael W. Reese and Matthew Rosenquist (bios and profile links as given above).

In today's webinar, we delve into the legal implications and ramifications stemming from the SEC's enforcement action against SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown. This case has significant implications for cybersecurity professionals, particularly those in leadership positions. Our speakers, Matthew Rosenquist, Jim Routh, and Michael Reese, bring their extensive experience in cybersecurity to discuss these critical issues.

Here is the verbatim discussion:

In some cases we've gotten that seat at the table, and look what's happened. Now we have the seat at the table and a lot of CISOs aren't under the indemnify policy. Even though your CEO, your CFO might be, your CISO is not, so your CISO is sitting alone, and we're seeing what can happen with that, and this is a perfect example. And again, let's make sure we're not being the judge and jury here. We're seeing the filing from the SEC, we see what they have coming to the table, they've kind of put their cards on the table and said this is what we're going to charge both SolarWinds and Timothy Brown with. You can look at that and say yeah, man, it's pretty clear that there's some fraud involved here. We haven't seen the other side of that, right? We haven't seen the discoverable items from the... you know, you've seen the prosecution side but you haven't seen the defendant side. Once you see all of that evidence put together, and as forensic investigators we go out and we find the facts and we put the facts on the table, then the attorneys start dealing with those facts and they can manipulate and change them and make them kind of go in the favor they want them to go. So again, let's be real careful not to say hey, we're going to be judge and jury here and we find him guilty because of what this SEC filing says. Again, for us as CISOs we need to be very careful, because this is... and there's somewhat of a collaborative effort between the regulator and the private industry to kind of work out the kinks, so to speak, but when there's an enforcement action taken like this it sets a precedent for how the agency, in this case the SEC, will do enforcement. And in this particular case we've got a CISO that's basically being reprobated for not sharing information at the right time around security posture, as well as not sharing the right information, on both counts, and the enforcement action against an individual as a CISO, it sets a precedent, and that precedent has ramifications, and that's what's creating a backlash of practitioners saying whoa, wait a minute here, this, you know, this enforcement action appears to be a bit draconian in enforcing on an individual and not necessarily warranted. And then as we peel back kind of the layers, there's some pretty good arguments to support the notion that this is not a precedent that is good for the industry. It's actually a precedent that is negative, has negative consequences to the industry. So some of those negative consequences include potential chief information security officers interviewing for a CISO role and deciding during the interview process that they're uncomfortable with the potential risk to them as an individual, and they step down and say take me out of the hat, you know, I'm...

Highlights:

Seat at the Table for CISOs:

  • Many CISOs now have a "seat at the table" in executive discussions, but this position comes with increased scrutiny and responsibility.
  • Unlike other executives, CISOs often lack indemnification policies, leaving them personally vulnerable in legal matters.

SEC's Case Against SolarWinds and Timothy Brown:

  • The SEC has filed charges against SolarWinds and its CISO for alleged fraud and failure to disclose crucial information regarding security posture.
  • It is important to remember that the charges represent the prosecution's perspective, and the defense's evidence and arguments have yet to be fully presented.

Legal and Industry Precedents:

  • This enforcement action sets a significant precedent for how regulatory bodies like the SEC handle cybersecurity disclosures and executive responsibilities.
  • The case is seen as a test of how far regulatory agencies will go in holding individuals accountable for organizational cybersecurity failures.

Implications for CISOs:

  • The enforcement action raises concerns within the cybersecurity community about personal liability and the potential for draconian measures against individual CISOs.
  • There is fear that such precedents could deter skilled professionals from pursuing or remaining in CISO roles due to the increased personal risk.

Industry Backlash:

  • The case has sparked a backlash among cybersecurity practitioners who view the SEC's actions as excessive and potentially harmful to the industry.
  • There are arguments that this kind of enforcement could negatively impact the willingness of qualified individuals to take on CISO roles, ultimately weakening cybersecurity leadership across organizations.

 

The SEC's case against SolarWinds and its CISO Timothy Brown underscores the evolving and complex landscape of cybersecurity accountability. As CISOs gain more influence in corporate decision-making, they also face greater personal risks. This enforcement action not only highlights the need for clear and fair regulatory standards but also the importance of supporting CISOs through adequate legal protections. The outcome of this case will likely have lasting implications for the cybersecurity profession, influencing how future incidents are managed and how responsibilities are allocated within organizations. It is crucial for the industry to closely follow this case and advocate for balanced approaches that protect both organizations and their cybersecurity leaders.

 

Speakers:

Jim Routh is a board member, advisor and investor with specific expertise as a transformational security leader focused on applying risk management discipline to a converged security function for global enterprises to achieve enterprise resilience. Demonstrated track record of designing security controls using innovation and data science to align senior executives to deliver world-class security capabilities that drive positive business results in a digital world.

https://www.linkedin.com/in/jmrouth/

 

Michael W. Reese has over 30 years' experience in Information Technology, serving in senior executive positions encompassing security, general operations management, project management, process change and development, business development, as well as service and product management functions. A cybersecurity specialist, licensed as a Computer Forensics Investigator, Certified Information Systems Security Professional, Hacking Forensic Investigator and Fire and Explosion Investigator. Assisted both the DOJ and FBI on several matters, worked with High Tech Crime Units in Portland and Sacramento. Given expert witness testimony in hearings, depositions and at trial.

 

https://www.linkedin.com/in/michael-w-reese/

 

Matthew Rosenquist is a seasoned cybersecurity strategist and Chief Information Security Officer (CISO) with over three decades of experience. With a remarkable career at Intel Corporation spanning 24 years, he spearheaded key security initiatives, including establishing Intel's first Security Operations Center and leading cyber crisis response teams. As an influential figure in the industry, he currently serves as the CISO for Eclipz and advises numerous organizations worldwide on cybersecurity, emerging threats, privacy, and regulatory compliance. With a unique ability to bridge technical expertise with business acumen, Matthew is renowned for developing effective security strategies and enabling organizations to navigate complex cyber risks while optimizing security, privacy, and governance.

 

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 

 

Hello everyone, welcome to the CISO Platform. I would like to extend my gratitude to all our speakers today and our community partner, FireCompass, for supporting this webinar. FireCompass is recognized by Gartner as a leader in continuous penetration testing, red teaming, and attack surface management. FireCompass is trusted by top ten telecommunications companies, Fortune 500 companies, and also mid-market companies. Thank you so much for supporting this webinar.

Today's session is a CISO panel on the SolarWinds breach, discussing its legal implications and the resulting ramifications. This topic is very contextual and has garnered significant interest, as many people are reaching out to understand how to better protect themselves. Our speakers today are Matthew Rosenquist, Jim Routh, and Michael Reese. We will take audience Q&A in the last 10 minutes of the session after the panel discussion. Today's moderator is Matthew, who unfortunately has a malfunctioning webcam but will still effectively moderate this panel.

 

 

Here is the verbatim discussion:

Hello everyone, welcome to CISO Platform. I would like to thank all our speakers today and our community partner FireCompass for supporting the webinar. FireCompass is a recognized leader by Gartner in continuous pen testing, red teaming and attack surface management. FireCompass is trusted by top ten telcos, Fortune 500 companies and also mid-market companies. Thank you so much for supporting this webinar. Today's session is a CISO panel on the SolarWinds breach, legal implications and ramifications. I did not want to mention it, but it's a very contextual topic at the moment and I have multiple, multiple people just reaching out to me to, you know, deal with this and to know how to better protect themselves. Our speakers today are Matthew Rosenquist, Jim Routh and Michael Reese. Thank you so much for joining us. I think we'll take the audience Q&A in the last 10 minutes of the session after the panel discussion, and today's moderator is Matthew. Yeah, unfortunately my webcam is not going to be working today, but that will not inhibit me from moderating this wonderful panel, so let's go ahead and jump into it. Welcome everyone to the live panel discussing the recently announced Securities and Exchange Commission's case against SolarWinds and specifically against its Chief Information Security Officer, and I'm joined by two fellow cybersecurity professionals, Jim Routh and Michael Reese. Now Jim has over 22 years in cybersecurity leadership as a CISO, board member, adviser for companies such as KPMG, JPMorgan Chase, Aetna, MassMutual and most recently as the chief trust officer for Saviynt. Did I pronounce that right, Jim? Saviynt. My apologies. And Michael's got 17 years in cybersecurity and IT as a director, a CISO, an adjunct professor, and is currently the CISO of Charge EPC. Welcome, gentlemen.

 

Highlights:

Introduction of Panelists:

  • Matthew Rosenquist: Moderator.
  • Jim Routh: Over 22 years in cybersecurity leadership roles including CISO, board member, and advisor for companies like KPMG, JPMorgan Chase, Aetna, MassMutual, and most recently Chief Trust Officer for Saviynt.
  • Michael Reese: 17 years in cybersecurity and IT, a director, CISO, adjunct professor, and currently the CISO of Charge EPC.

Discussion Topic:

  • The recently announced Securities and Exchange Commission's case against SolarWinds, focusing on the legal implications and consequences for its Chief Information Security Officer.

Importance of the Topic:

  • Given the high-profile nature of the SolarWinds breach, understanding the legal landscape and implications for cybersecurity leadership is crucial.
  • This breach has highlighted the critical need for robust cybersecurity measures and the potential personal liabilities for those in leadership roles.

 

This webinar aims to provide valuable insights into the legal and operational challenges faced by cybersecurity leaders in the wake of significant breaches like SolarWinds. The discussion with seasoned professionals like Jim Routh and Michael Reese will shed light on best practices and strategies to mitigate such risks. We look forward to an engaging session and encourage the audience to participate actively in the Q&A segment to maximize the learning experience.

 

Speakers:

Jim Routh

https://www.linkedin.com/in/jmrouth/

Michael W. Reese

https://www.linkedin.com/in/michael-w-reese/


[Image: CISO Accountability and the SolarWinds Breach]

The recent enforcement action by the SEC against SolarWinds' CISO has sparked significant debate within the cybersecurity industry. This unprecedented move has set a precedent that raises important questions about regulatory governance, enforcement practices, and the individual accountability of Chief Information Security Officers (CISOs). In this blog, we explore the ramifications of this action, its impact on the industry, and the broader implications for cybersecurity professionals and organizations.

 

 

Here is the verbatim discussion:

Industry. So what's gotten people's goat about this one? Yeah, I think first and foremost this is a precedent-setting event, and that, you know, is not uncommon for the enforcement of new regulatory requirements. The way, you know, our legal regulatory process works is legislation typically initiates the need for change in regulatory governance, and then the regulators figure out how to enforce that change, and that usually takes years, and there's lots of interaction between the private sector and the public sector to work through the mechanics of how to actually do enforcement, and then the practices that enterprises need to adjust are kind of worked out during that process as well, and there's somewhat of a collaborative effort between the regulator and the private industry to kind of work out the kinks, so to speak. But when there's an enforcement action taken like this it sets a precedent for how the agency, in this case the SEC, will do enforcement. And in this particular case we've got a CISO that's basically being reprimanded for not sharing information at the right time around security posture as well as not sharing the right information, on both counts, and the enforcement action against an individual as a CISO, it sets a precedent, and that precedent has ramifications, and that's what's creating a backlash of practitioners saying, whoa, whoa, whoa, wait a minute here, this, you know, this enforcement action appears to be a bit draconian, enforcing on an individual and not necessarily warranted. And then as we peel back kind of the layers, there's some pretty good arguments to support the notion that this is not a precedent that is good for the industry; it's actually a precedent that is negative, has negative consequences to the industry. So some of those negative consequences include potential chief information security officers interviewing for a CISO role and deciding during the interview process that they're uncomfortable with the potential risk to them as an individual, and they step down and say take me out of the hat, you know, I'm not interested in interviewing any longer. And as a case in point, I sometimes do some work helping companies bring on CISOs, and I'm doing a consulting engagement right now and there's a dozen candidates; two of the 12 candidates have chosen not to pursue the role simply because they're concerned about their own personal liability, and this case, the SEC's case against Tim Brown and SolarWinds, is used as the catalyst for triggering that response or action. Now, when you're in a marketplace where cybersecurity talent is scarce in terms of the availability of talent and the demand for that talent.

 

 

Highlights:

Precedent-Setting Event:

  • The SEC's enforcement action marks a significant shift in regulatory practices, focusing on individual accountability rather than corporate responsibility.
  • This move has highlighted the evolving landscape of regulatory enforcement and the critical role of CISOs in maintaining security postures and compliance.

Regulatory Process and Enforcement:

  • Typically, regulatory changes involve collaborative efforts between the private and public sectors to develop practical enforcement mechanisms.
  • The sudden enforcement action against an individual, rather than a corporation, has disrupted this collaborative dynamic, causing concern among cybersecurity professionals.

Draconian Measures and Industry Backlash:

  • The enforcement action has been perceived as draconian, with many arguing that it unfairly targets individuals and sets a negative precedent.
  • The backlash stems from concerns that such actions could deter talented professionals from pursuing CISO roles due to fears of personal liability.

Impact on CISO Recruitment:

  • The case has already affected the recruitment process for CISOs, with potential candidates withdrawing from consideration due to liability concerns.
  • This trend exacerbates the existing scarcity of cybersecurity talent, making it even more challenging for organizations to find qualified security leaders.

Negative Consequences for the Industry:

  • The precedent set by this case could lead to broader negative consequences, including reduced cooperation between private industry and regulators.
  • It may also hinder the development of effective security practices, as fear of personal repercussions could stifle open communication and proactive risk management.

 

The SEC's enforcement action against SolarWinds' CISO has undeniably set a controversial precedent with far-reaching implications for the cybersecurity industry. While intended to enhance accountability and transparency, this move risks deterring top talent from critical security roles and undermining the collaborative efforts needed to develop effective regulatory enforcement. As the industry grapples with these changes, it is crucial for both regulators and private organizations to find a balance that ensures robust security practices without unfairly burdening individual professionals. Moving forward, ongoing dialogue and cooperation will be essential to navigate these challenges and foster a more secure and resilient cybersecurity landscape.

 

Speakers:

Jim Routh

https://www.linkedin.com/in/jmrouth/

Michael W. Reese

https://www.linkedin.com/in/michael-w-reese/

Matthew Rosenquist

https://www.linkedin.com/in/matthewrosenquist
https://twitter.com/Matt_Rosenquist

 

Pritha Aash, managing parts of content strategy and marketing in a startup called FireCompass. The team has built things first time in the world and I'm overexcited to be part of it. I decided to share some of it and more. I'm an Information Technology Engineer. Prior to that I did my schooling at Sri Aurobindo, Loreto House, Loreto Convent Entally, Kolkata. I like to volunteer in interest groups and communities to help the world we live in be a better place. Currently volunteer at WWF, Khan Academy, SaveTrees.

https://in.linkedin.com/in/prithaaash

https://twitter.com/prithaaash

 


[Image: Embracing the Evolution: Navigating Web3 Startup Growth and Cybersecurity]

 

Gregory Pickett, the speaker, extends gratitude to the audience and opens the floor for questions, emphasizing the interactive nature of the session. The moderator encourages participants to engage either through the chat or by raising their hand, ensuring an inclusive discussion environment.

 

 

Here is the verbatim discussion:

Now, thank you Gregory so much. I would request everyone in the audience, if you have any questions for the speaker that you would like to ask, please post your questions in the chat box and we'll address those to the speaker, or you can even raise your hand, we will unmute you and you can ask a question directly to the speaker. Pretty quiet out there, so do we have any questions coming up? You can ask a question to the speaker if you want. I believe they can send questions to you later, right, if they think of something later? Yes, so I am sharing the email ID; you can, you know, send us your questions if you have any for the speaker and we will pass on those questions to the speaker and get the answer for it, so you can see the email ID that's there in the chat box itself. Key factors: our startups will mature; those that aren't shifting to understanding the problem will fall away, those that do will be around to mature and get better. That'll be part of the maturation process, or get bought by somebody who is already mature and start putting some of these ideas into practice. You also, that's the technical level, and also from the management level, risk management, right, additional controls, insurance, all sorts of things to handle at that level, you know, strategy, planning, preparation, practice of things, especially around incident response. Tools will broaden, you know, the tool set will broaden, not only to give more options at the technical level but also at the management level, and again I said, you know, strategies will evolve, right, they'll begin to understand that the things are happening, they'll begin to plan to improve and things will turn out better. I don't think people realize how bad it was in the early days of traditional banks, right, it was very bad. Banks.

 

 

Highlights:

Understanding Security Challenges: Pickett discusses the pivotal role of cybersecurity understanding in the maturation of web3 startups. Those adept at comprehending security issues are likely to thrive, while others may face acquisition or failure.

Management-Level Adaptations: The discourse extends to the management level, highlighting the evolution of risk management strategies and incident response tools. Proactive measures and adaptive strategies become imperative for sustainable growth and resilience.

Lessons from Traditional Banking: Drawing parallels to the evolution of traditional banking, Piet underscores the significant improvements in security practices over time. These historical insights inform the trajectory of web3 startups towards enhanced security and risk management.

 

The session offers insights into the intertwined journey of web3 startups and cybersecurity evolution. By embracing proactive security measures and adaptive strategies, startups can navigate challenges and position themselves for long-term success in the dynamic digital landscape. Audience engagement is encouraged through questions, ensuring a collaborative exchange of ideas beyond the session's conclusion.

 

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

 

https://www.linkedin.com/in/gregpickettcisspgciagpen/


[Image: Personal Perspectives on Ethical Hacking and Network Vulnerabilities]

 

In this candid reflection, the speaker shares insights into their motivations for eschewing profit-driven hacking in favor of traditional methods. They delve into the risks associated with investing substantial sums of money and the discomfort of gambling with uncertain outcomes. Additionally, the discourse unveils a real-world scenario where network vulnerabilities, including poor encryption and lax monitoring practices, enabled unauthorized access to sensitive data.

 

 

Here is the verbatim discussion:

Better now, as far as what I wanted to say from a personal perspective, you know, why am I not doing it, right? Not that I have to be forced to be a white hat, but why am I not out there, you know, taking that money and then saying haha and giving it back? Well, you know, that profit is money on top of what you had to invest originally to get to that point. You know, it's quite expensive to do that and I don't know if I feel comfortable, you know, putting all that money out there on that line, to then such a gamble that I'm going to actually be able to pull this off and then get it back. So you know, I like traditional hacking where I don't have that kind of, I don't have my money at risk, right? So I don't like that. Also, five was really poor encryption, so it chose broke-ass Cisco, if I can say that, encryption from, I don't know, decades ago that was easily, easily broken. And then I started mirroring traffic from a port to uplink and then dumping it to sing out, actually to my hacker server where it's being dumped, and then checking, taking a look at it. Turns out at some point in time, that was number six, right, they weren't monitoring any sort of activity like that. So looking through that traffic, found out that someone was in fact transferring a copy of the user table, the database, into the network, and so out from, from the internet, so not out but in from the internet into the enterprise network, down and around to a dev environment on-prem, right, and it was not encrypted. That was number seven. OK, so flat network, default.

 

 

Highlights:

Ethical Hacking vs. Profit-Driven Exploits: The speaker candidly discusses their aversion to profit-driven hacking, highlighting concerns over financial risks and discomfort with gambling large sums of money. They express a preference for traditional hacking methods that do not entail personal financial investment, thereby avoiding the high-stakes nature of profit-oriented exploits.

Network Vulnerabilities Explored: Transitioning to a case study, the discourse examines the exploitation of network vulnerabilities within an organization. The speaker recounts encountering poor encryption protocols, exemplified by outdated Cisco encryption mechanisms, which facilitated unauthorized access to sensitive data. Subsequently, they employed sophisticated techniques such as mirroring network traffic to intercept unencrypted database transfers, revealing critical flaws in the organization's cybersecurity infrastructure.

 

This introspective narrative sheds light on the delicate balance between ethical considerations and risk management in the realm of hacking. By prioritizing ethical principles and prudent risk assessment, hackers can navigate the complex landscape of cybersecurity with integrity and responsibility. The case study underscores the importance of robust encryption practices and proactive monitoring measures in safeguarding sensitive data against evolving threats in modern digital ecosystems.

 

Speaker:

Gregory Pickett

https://www.linkedin.com/in/gregpickettcisspgciagpen/


[Image: Strengthening Cybersecurity Foundations in the Era of Web 3.0]

 

This discourse explores the essentiality of cybersecurity fundamentals in both traditional IT spaces and the emerging landscape of Web 3.0. It underscores the importance of proactive threat intelligence and attribution methodologies while advocating for the operationalization and adaptability of smart contracts to effectively respond to security threats.

 

 

Here is the verbatim discussion:

Fundamentals. Now what person did, who knows; what all may have happened in the end, what they get away with, also who knows. They found this, I believe, through threat intelligence, right, through threat intelligence and threat hunting, and why do I say that? Because they really had not a lot of information on how this happened, and without a lot of information how can you do attribution? And they did. Strategy: contracts. Are talking about, you know, understanding your fundamentals in the traditional IT space, doing that now in web3: contracts need to be instrumented, internal measurements need to be taken with relevant events being emitted, internal state needs to be emitted, right? You need to make sure that you have visibility on that contract so monitoring can happen, right, something can be done. Speaking of something that can be done, your contracts need to be operationalized. Now I can't say I'm the first person to use that word, but I can tell you that, you know, word processors don't consider it a real word, Google I don't believe considers it a real word, it's just something that I think fits. So contracts need to be able to take action. I say operationalized: operational parameters must be able to be changed, right, producing effect whereby the contract can deny some activity based on perceived threat. Blacklisting wallets is a really good example. Now I believe.

 

 

Highlights:

Challenges in Cybercrime Attribution: Delving into a cybercrime scenario, the narrative underscores the difficulty of attribution without comprehensive threat intelligence and hunting efforts. The uncertainty surrounding the incident emphasizes the critical need for robust attribution methodologies to decipher the intricacies of cyber threats effectively.

Empowering Smart Contracts: Transitioning to the realm of Web 3.0, the discussion pivots towards the imperative for smart contracts to be instrumented with internal measurements and visibility. Highlighting the concept of operationalization, it stresses the importance of enabling contracts to take proactive action in response to perceived threats. Utilizing blacklisting of wallets as an illustrative example, it underscores the necessity for contracts to possess adaptive capabilities to deny unauthorized activities and mitigate potential security breaches.

 

This discourse advocates for a holistic approach to cybersecurity, encompassing both traditional IT practices and innovative strategies tailored for Web 3.0 environments. By embracing cybersecurity fundamentals, organizations can enhance their threat detection and attribution capabilities, while the operationalization of smart contracts empowers them to proactively mitigate risks and safeguard digital ecosystems. It emphasizes the ongoing evolution of cybersecurity paradigms and the imperative for organizations to adapt and innovate in response to emerging threats in the dynamic landscape of cyberspace.

 

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

 

https://www.linkedin.com/in/gregpickettcisspgciagpen/


Navigating the Evolving Landscape of Cybersecurity and Risk Management

 

This discussion covers cybersecurity challenges from user-level weaknesses (a stolen VPN credential, a phishing attack on a key engineer) up to strategic risk management, using real incidents and industry observations to argue for security strategies that adapt as threats evolve.

 

 

Here is the verbatim discussion:

So, right, like as a hacker can't use that attack them, so it would seem to them that everything is fine, that they're right, they have a VPN client, all right. And if you got a user with that password, someone steals that password, you can just go ahead and, and I did this, installed the VPN client on my hacker workstation, logged in using the VPN client to the network, there I am. What happened to your zero trust? Hacker device wasn't authenticated, right? You weren't then implementing zero trust. It was not about the user, it's also the device, right, it's authenticating.

Important key engineer was hacked, phishing attack, and we'll talk about that as well as why it's so important to mention that, and why and how that's related to Web3 and protecting Web3. Not public again, it's phishing attack on the key engineer. They were lacking cybersec fundamentals, and it's not what you may think, and it's not security awareness: buying products to solve problems instead of mastering the cybersec fundamentals. Now what person did, who knows, what all may have happened in the end, what they get away with, also who knows. They found this, I believe, through threat intelligence, right, through threat intelligence and threat hunting. And why do I say that? Because they really had not a lot of information on how this happened. Without a lot of information, how can you do attribution? And they did.

Level, and also from the management level, risk management, right, additional controls, insurance, all sorts of things to handle at that level, you know, strategy, planning, preparation, practice of things, especially around incident response. Tools will broaden, you know, the toolset will broaden, not only to give more options at the technical level but also at the management level. And again, I said, you know, strategies will evolve, right, they'll begin to understand that the things are happening, they'll begin to plan to improve, and things will turn out better. I don't think people realize how bad it was in the early days of traditional banks, right, it was very, very bad, banks got robbed all the time, but critical mass was hit, people learned how to do it better, we don't have that problem with banks anymore now.

 

 

Highlights:

Exploiting VPN Credentials: The speaker's own test shows the limit of authenticating only the user. With a stolen password and a VPN client installed on his attacker workstation, he logged into the network unchallenged; nothing ever verified the device. A deployment like that is not zero trust, whatever it is called. Zero trust treats the device as a principal as well: device identity and posture have to be part of the access decision alongside the user's credentials, so that a credential on its own, on an unknown machine, gets nothing.

Phishing Attack on Key Engineer: A key engineer was compromised through a phishing attack. The speaker's diagnosis is that the organization lacked cybersecurity fundamentals, and he is explicit that the gap was not security awareness: it was buying products to solve problems instead of mastering the fundamentals. What the attacker did afterwards, and what they got away with, is unknown.

Evolving Risk Management in Web3: Traditional techniques like phishing carry straight over to Web3. The breach appears to have been found through threat intelligence and threat hunting, and with so little information on how it happened, attribution is weak. At the management level the response set is broadening: additional controls, insurance, and strategy, planning and practice around incident response. The speaker expects Web3 security to mature the way bank security did after the early years of frequent robberies.
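The VPN anecdote in the first highlight turns on one omission: the access decision looked only at the user. As an added illustration, not code from the talk or from any vendor's product, here is an access-policy check in which the device is a principal too. The enrolled-device registry, the user/device bindings, the posture flags, the certificate bytes and the fingerprint convention are all constructed assumptions for this example.

```python
"""Added example (not from the talk): an access decision that requires user
credentials AND an enrolled, bound, healthy device, which is the gap the VPN
anecdote exposes.  The registry, bindings, posture flags, certificate bytes
and fingerprint scheme are constructed assumptions, not any product's API."""

import hashlib
from dataclasses import dataclass


def cert_fingerprint(cert_der: bytes) -> str:
    # Convention assumed here: SHA-256 over the DER-encoded client certificate.
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class DevicePosture:
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed enrollment state: certificate fingerprint -> (bound user, posture).
# A device gets here only through an enrollment step the attacker never did.
ENROLLED = {
    cert_fingerprint(b"constructed-DER-for-alice-laptop"):
        ("alice", DevicePosture(disk_encrypted=True, edr_running=True, os_patched=True)),
    cert_fingerprint(b"constructed-DER-for-alice-old-desktop"):
        ("alice", DevicePosture(disk_encrypted=True, edr_running=False, os_patched=True)),
}


def authorize(user: str, password_ok: bool, client_cert_der, enrolled=ENROLLED) -> Decision:
    """Zero-trust style decision: the device is checked first so that a stolen
    password on an unknown machine never reaches the 'allowed' path."""
    if client_cert_der is None:
        return Decision(False, "no device identity presented")
    fp = cert_fingerprint(client_cert_der)
    if fp not in enrolled:
        return Decision(False, "device not enrolled")
    bound_user, posture = enrolled[fp]
    if bound_user != user:
        return Decision(False, "device not bound to this user")
    if not (posture.disk_encrypted and posture.edr_running and posture.os_patched):
        return Decision(False, "device posture non-compliant")
    if not password_ok:
        return Decision(False, "bad credentials")
    return Decision(True, "user and device verified")


def replay_anecdote():
    """The speaker's scenario: a valid, stolen password presented from a freshly
    built attacker workstation that was never enrolled."""
    return authorize("alice", True, b"constructed-DER-for-attacker-workstation")
```

In practice the device identity comes from a client certificate issued at enrollment (mutual TLS) or from a hardware-backed attestation, and the gateway rejects the connection at the TLS handshake, before a username and password are even evaluated. The ordering in `authorize` mirrors that: the credential is the last check, not the first.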

 

The discussion shows how many levels a single breach touches, and why defenses have to exist at each of them: authenticating devices and not just users, mastering fundamentals before buying products, and building incident-response and risk-management practice at the management level so the organization can adapt as threats evolve.

 

Speaker:

Gregory Pickett is a renowned expert in the field of cybersecurity, currently serving as the Head of Cybersecurity. With extensive experience in identifying and mitigating security threats, Pickett is recognized for his deep understanding of both offensive and defensive cybersecurity strategies.

His leadership and insights have been instrumental in safeguarding digital assets and ensuring robust security protocols across various organizations.

 

https://www.linkedin.com/in/gregpickettcisspgciagpen/