IT Security Insights

The mass expansion and proliferation of IT, IoT and OT devices poses new questions to network security: Legacy and vulnerable devices, non-compliant and misconfigured endpoints, and IoT and OT devices must all be identified. Without a complete picture of connected devices across network domains, the ability to act quickly to mitigate risks is all but lost.The increased inter-connectivity across the campus, data center, cloud and operational technology, drives a further growth in complexity in today’s networks and associated security risks

Key Takeaways:

• Please join Forescout Technologies, Inc. in this session to learn how to build and deploy network segmentation at scale.

Your vendors often handle your most sensitive data. This presents new challenges as third-party risk, security, privacy, legal and IT teams struggle to vet and manage the vendors they rely on most.
Key takeaways:

• OneTrust will discuss emerging vendor management trends and breakdown how risk exchanges are key to more efficient business operations

The future of network security is in the cloud! - There have been several major shifts in computing technology, networking, mobility and cloud. Each has caused us to rethink the ways in which we do business. In this presentation, James will provide some insights into how we got here, what the future may hold, and what you can do today to better enable your digital business.

In this round table session John will use the ENISA definition of security measures for operators of essential services (OES) to discuss what best practice and baseline security measures to be applied and relate it to our joint experience from working with cyber security.

The targeted sectors for this session include; Energy (Electricity, Oil & Gas), Transport (Air, Rail, Water, Road), Financial & Banking, Healthcare, Drinking Water Supply & Distribution, Digital Infrastructures.

• "Everything should be outsourced to the cloud!"- But is there information that cannot be outsourced? If so, which one?- How can one handle a separation between the two types of information?

• Our confidence in the cloud suppliers- Can we have confidence in that security requirements are met? How?- What role does the Cloud Act and Patriot Act play for our trust in suppliers affected by these requirements?
• Conflicts of interest between new business opportunities and regulatory changes- How should legislation or other regulation be modified so that new business opportunities, e.g. based on cloud services or other new technology, can be utilized?- Is it eg appropriate to specify requirements and conditions in law, or should they be given in regulations or other directions from the regulator or supervision authorities?
• About 95% of personal data incidents reported to the Swedish Data Inspection Board (‘Datainspektionen’) are closed, and as a private individual you can never receive relevant compensation in a possible dispute.- Can we, as individuals or companies, trust GDPR to work?- Or is GDPR and ‘Datainspektionen’ just window dressing?

The expansion of regulatory frameworks in multiple domains (e.g. PSD2, NIS, GDPR) had led to increased focus in how organizations manage their Information Security and how they verify that the deploy effective controls. One of the verifications methods suggested is the execution of a penetration test on regular (or well-defined) intervals. But, do these mandatory penetration tests add value to the target organization? Or is it just to check one more box in a long compliance checklist? 

• What are your experience with penetration testing?
• How can one select the most appropriate vendor for the activity?
• What do you (as a customer of the test) want to see more of (

The TIBER-EU has been developed by the European Central Bank. The purpose is to establish a common framework for testing, and improving, resilience against sophisticated cyber attacks. The TIBER-EU framework has been designed for companies and organizations that are part of the core financial infrastructure, whether national or European. However, it can also be used for all types or sizes of companies and organizations in the financial and even in other sectors.
Takeaways:

• Advantages and disadvantages of TIBER EU?
• What obstacles need to be crossed to implement TIBER EU?
• How can / should we prepare for the introduction of the TIBER EU framework?
• How will TIBER EU affect your organization and your daily work?  

In this round table session, Secana will explore information security awareness and cyber hygiene as a mean to improve cyber security within organizations and, by extension, in society at large. The session will entail discussions on best practices to improve information security awareness within organisations in various sectors and at various levels, including training initiatives and exercises.

Key takeaways:

• What does it mean to have sufficient information security awareness/cyber hygiene in an organisation?
• What role does information security awareness play in the enhancement of societal cybersecurity and resilience?
• What measures have been proven effective to improve information security awareness in organisations?
• How can training initiatives and exercises improve information security awareness and skills within an organisation?

It is hard to keep track of our it-environment as new initiatives are taken, transformation to cloud and mobility is constantly moving. This session is a discussion about how we manage to take control over a complex situation and how we decide what countermeasures are needed to obtain adequate security.

Key takeaways:

• How do we keep track of all attack vectors in our it-environment?
• Guidelines, standards, ways-of-working.
• How do we avoid overlapping, cluttering and gaps in our protection?
• Who has the IT-security map – for real?
• How do we define enough?

Many regulations and contractual requirements are addressing information and cyber security requirements. The session has ISO 27000 series as a possible base.

Key Takeaways:

• What are the expectations and solutions for an effective approach?
• 3-Compliance – Yes or No – Is that the question?
• What is expected from the security organization?
• How will compliance affect the strategic business development?
• How does compliance regulations affect the view on security risk management and security control sets?

The Swedish tax agency does not think that just smoothing och tuning it's old processes is enough to maintain trust from it's own customers. If we want people and businesses to keep paying tax voluntarily, we need to step up and offer them the possibility to handle tax in their own preferred environment, integrated in real time transactions. To pull this through, we need completely new technical solutions and business models. This offers many serious challenges, not the least from an it-security perspective.

Key takeaways:

• Everyone is talking API´s, and so are we. But why has it been so hard for us to walk the talk?
• Why is the API strategy so crucial for our transformation?
• Securing data and the integrity of the customer in house is hard enough; How will we manage security if we share your data to others?

Today's increased cyber attacks and breaches have prompted us to act fast and with precision thanks to the new emerging technologies. With Ai, Machine Learning, Blockchain, Big Data, IoT and Cloud, it's safe to say we are facing a paradigm shift.

Key takeaways:

• What are biggest challenges in terms of the new landscape?
• Do we have sufficient skilled security workforce to drive current and future projects? Or do we need the same people in the near future as we have now?

More than a year on from GDPR, one could assume we all know what is needed and are implementing it all flawlessly? Are we really? Or has GDPR triggered a global evolution on data privacy regulatory reform? And do we know how to handle it? Or Who to handle it? Or who is best to handle it? These are all questions that all of us in the privacy space have encountered at least once, and we have come up with some solutions, some workable ways, in the companies we work in and the teams we drive.  The session is set up to be a knowledge sharing session, to provide some insights into how I believe a workable solution can be found, and lessons we have learnt along the way.

Key takeaways:

• Implementing GDPR; what are the common challenges and how to overcome them
• How does one keep track of all the global requirements?

• Navigating agendas for Privacy; Legal, Security Compliance – working towards seamless implementation and workable synergies

 A photograph of the current challenges in adapting Cybersecurity policies and discipline across the continuum of IT and OT. Existing risks and vulnerabilities in extending the perimeter of Cybersecurity protection across operating environments in critical infrastructures, factories, and office environments with an explosion of IOT devices and gateways. The cultural challenges of understanding what are the differences between the well standardised world of IT and the heterogenous world of operations and industrial controls. The session presents several use cases and examples from several segments. It highlights the practical challenges from companies in automotive, transport, energy and public sector who are implementing projects at the global level and are faced with significant change management processes

Ket Takeaways:

• What IT-OT security approaches have been tried and failed . Which have worked and Why?
• What are the key principles underlying a positive outcome?
• What are the overall benefits in mitigating what is in essence the reputation risk of large and complex organisations?
• What can we expect from future developments?