Arrival and registration
Opening remarks from the Chair
Opening Keynote Address: Examining the impact of people, processes, technology and regulation in combating cyber-attacks: how much progress have we made?
Charl van der Walt, Chief Strategy Officer, SecureData SensePost (UK)
- What victories have been achieved from a defender point of view?
- What advancements have been made?
- What progress has been made in terms of the push towards better identity and authentication management/processes (MFA)?
- What positive impact have regulation and compliance requirements such as GDPR had?
International Keynote Address: Unbelievable stories of cyber-horror
Graham Cluley, Independent Security Expert (UK)
Every day we read headlines of data breaches, hacks, and malware attacks. Often they're identikit newspaper stories where you could easily just change the names of the companies involved and the number of customer records they have had stolen from them. But every now and then something extraordinary happens. Like the companies who pretended to be hacked when they weren't, or the attackers who went to extraordinary lengths to steal millions from their employers. In this presentation, computer security veteran Graham Cluley explores some of the surprising and unusual ways that companies have been hacked, and the craziest things tech companies have done to put our data at risk.
- How hacked companies exploit the media to boost their brand
- How to cheat at the lottery and win $14.3 million
- Recognising the insider threat
- You won't survive unless you're skeptical
International Keynote Address: Israel's strategic response to the cyber threat
Ofir Hason, CEO & Co-Founder, CyberGym (Israel)
Israel is perceived as a world leader in cyber capabilities. In a report that examined the cyber preparedness of twenty-three countries, Israel received the highest score (4.5 stars out of 5). Israel has become a cybersecurity powerhouse at the centre of an $82 billion industry. Last year it exported $6.5 billion in cybersecurity products and convinced more than 30 multinationals to open local R&D centres. Current estimates reveal Israel has about 20% of the global private cybersecurity investment. Israel is constantly under attack. The secret to their existence is having technological superiority to their enemies. Cyber is not an exception. Developing operational capabilities in the cyber arena is essential to safeguarding Israel's national strength. Its economy and its future as a democratic and open society depend largely on the capability to protect the country's vital computer networks from any disruption of normal life. In this presentation, Ofir will discuss Israel's strategic positioning as a cybersecurity leader:
- The government as coordinator
- The government as a business catalyst
- Investing in human capital
- Making the military a start-up incubator and accelerator
- Innovative approach: thinking outside the (cyber) box
Morning refreshments and networking
Total Wipe Out: What could happen if cyber criminals successfully attacked a country's critical infrastructure systems?
Veronica Schmitt, Lead Forensic Analyst, DFIR Labs
Cyber warfare can be described as digital attacks which are aimed against a country or nation in order to cause disruption to the computer systems which are associated with critical infrastructure. The aim of a cyber war like this would be to create the most significant damage, potential death, destruction and/or total anarchy. The term "BlackOut" is used in hacker circles to refer to a plan to cause a total blackout within a country or nation of all critical infrastructure. With the ever-increasing interconnectivity of a country's critical infrastructure, it's possible that a country could experience BlackOut and be crippled within a month. This presentation will be in the format of a reenactment of a theoretical BlackOut plan on a fictional country, "Barony of Mejis", by using information and tooling that is freely available on the Internet. The presentation will be given around a set timeline indicating a high-level approach to a BlackOut plan. All targets will be applicable in real life, and based on realistic systems, but will be fictionalised.
- Understanding the Internet of "hackable" Things
- Understanding how critical infrastructure is connected to the Internet
- Understanding the vulnerabilities within these systems
- Insights into a BlackOut plan and getting into the mind of cyber war criminals
- Using examples of real-world hacks which have taken place
Panel discussion: Assessing SA's national cyber risk 'thermometer' - what is our national risk level and how prepared are we in the case of an attack?
Moderator: Craig Rosewarne, Managing Director, Wolfpack Information Risk
The probability and impact of cyber-attacks were rated as the top man-influenced risk facing countries and organisations in the recent 2018 World Economic Forum Global Risks Landscape report. The health, safety, security and economic well-being of citizens, the effective functioning of government, and perhaps even the survival of the industrialised world rely heavily upon interconnected critical systems. A country may experience widespread disruption or even loss of human life if these systems become inoperable. South African organisations responsible for critical infrastructure need to have a consistent and iterative risk-based approach towards identifying, assessing and managing cybersecurity risk. During this facilitated discussion, Craig will engage with key public and private sector stakeholders to discuss:
- The current cyber risk challenges facing SA
- Who are the main public and private institutions accountable at a national level?
- What is the current state of our country's readiness to mitigate these threats?
- Proposed initiatives and timelines and possible opportunities for joint public/private partnerships
Lunch and networking
Track One - Strategy and User Awareness
This track takes a strategic look at implementing a business-driven cyber security plan and where the responsibility for cyber security should sit within your organisation. It also examines how to raise awareness of cyber security throughout your business, from the boardroom to the shop-floor.
Developing a business-driven security strategy around prevention, detection, response and recovery
- Defining the reference framework from the technical level to executive level so that everyone understands the issues
- Balancing the need for a tactical approach to plug any immediate threats while putting in place a proactive strategy for cybersecurity
- Thinking like a hacker: identifying the systems/data that drive your business that could be attacked
- Understanding what tools you need and ensuring that they are operationalised properly
- How do you ensure that your security plan demonstrates a visible increase in security after implementation?
Where does cybersecurity belong in your organisation? Creating the right culture and structure to enable cybersecurity to be effective
- What are the pros and cons of locating cybersecurity within the following departments:
  - Physical security
- Who is responsible for what? Creating appropriate reporting lines specific to your organisation and separating the governance of cybersecurity from its implementation
- Ensuring collaboration across all the different departments and encouraging the person responsible for cybersecurity to share information
- Getting the culture right: creating an environment of openness and transparency in order to manage the organisational risk
- Creating an agile structure for a fast response, e.g. emergency procurement processes
- What are the pros and cons of outsourcing the CISO function and cybersecurity services?
Afternoon refreshments and networking
Panel discussion: How do you increase user awareness and keep your workforce 'cyberfit'?
- Understanding cyberpsychology: what is the impact of human behaviour on security within your organisation?
- How do you demonstrate to users the risks on a business and personal level, e.g. what happens if you click on a link?
- How do you design and implement an effective, ongoing phishing awareness campaign?
- Creating a culture of reporting security incidents based on trust and understanding rather than fear
Cyber insurance: what are the benefits and what to look out for when choosing a cyber insurance product?
- Examining the benefits of cyber insurance: what does it cover?
- Understanding how a cyber insurance policy helps to mitigate risk exposure in the case of a breach
- What should you look out for when choosing a cyber insurance policy? What questions should you ask?
- What do cyber insurance providers look for when deciding whether to provide coverage and what level?
Panel discussion: Less cybersecurity and more business
Businesses exist to create value for their shareholders, not to perform security ceremonies and obscure security rituals. Cybersecurity became an industry because computer hardware and software vendors and online service providers neglected to ship products that took confidentiality, integrity and availability into account. This separate industry exists because of poor vendor choices and a lack of foresight as to what is possible. The cliché that information technology must enable business has evidently spilled over to cybersecurity, when in fact cybersecurity is the result of a shortfall in IT. This means the cost of doing business is increasing and will increase further as a result of security incidents. The key is to reduce system complexity, introduce seamless controls that don't create hurdles, and put in place processes that are clear and transparent, with as little cybersecurity theatre as possible. The question is: how do we do so?
Closing remarks from the Chair and End of Day One
Track Two - Governance, Risk, Compliance and Regulation
This track will provide an update on all the current and proposed legislation around cyber security, most notably, the Cybercrimes Bill. It also examines the need to quantify your cyber risk and how to empower your internal audit team to assist with cyber security.
Quantifying cyber risk - bridging the divide between technology and the Board
Moderator: Johan Botha, Chair, South Africa Chapter, FAIR Institute
Cybersecurity is considered a top-three risk by most organisations today, as cyber-attacks, online fraud and internal threats make a material impact on their businesses. And, while boards and executives expect to be informed about cyber risk, they are not getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard-to-understand risk registers and heat maps. Those responsible for cybersecurity - from the Board and the CEO on down - are urgently looking for better ways to measure and report risk that will enable well-informed decision-making regarding questions such as:
- What are the organisation's top cyber risks and how much exposure do they represent expressed in financial terms?
- Which cyber risk management investments matter most?
- Are they investing enough (or too much) in cyber risk management?
This presentation will provide an overview of a pragmatic solution and approach to cyber risk quantification based on the Open Group's Open FAIR risk quantification standard, which gives Chief Information Security Officers and Chief Risk Officers the means to bridge the divide between IT and information security on the one side, and the Board and executive management on the other. Open FAIR provides a model for understanding, analysing and measuring information risk in financial terms, thereby addressing the current challenges of cyber risk reporting and enabling the organisation to prioritise effectively, make trade-offs and choose cost-effective cyber risk mitigation solutions.
- Understanding the current challenges to measuring and reporting cyber risk
- Examining a solution to quantifying cyber risk that enables well-informed cyber risk decision-making
- Understanding how the FAIR methodology, coupled with software, can empower information security and risk professionals to improve cyber risk reporting
Panel discussion: How do you empower your internal audit team to assist with cybersecurity?
Afternoon refreshments and networking
An update on the Cybercrimes Bill
Corien Vermaak, CyberSecurity Specialist, Cisco
- Examining the latest version of the Cybercrimes Bill: what does and doesn't it cover? When will it be passed into law?
- How will the broad phrasing in the Bill impact CIOs and companies, i.e. to what extent could they become criminals based on their use and handling of data?
- Does this legislation go far enough to address the issues that SA is currently facing in terms of cyber crime and cybersecurity? What more needs to be done from a policy/legislative point of view?
- Comparing the Bill with equivalent international legislation – what is done globally?
Achieving compliance with security and privacy regulations: POPIA & GDPR
- An update on GDPR and POPIA: when will POPIA come into force? What has been the impact so far of GDPR on South African-based companies?
- Comparing GDPR and POPIA: to what extent do they overlap? If they both apply to the same information, which piece of legislation will prevail?
- Understanding the need for your organisation's approach to POPIA and GDPR to be driven by the Board and not IT
- How will POPIA and GDPR be enforced?
- If GDPR applies to your organisation, do you need to appoint an EU-based representative?
No organisation is an island: Managing security under data processing relationships with empathy
David Luyt, Associate, Michalsons
How you manage data processing relationships matters, because no organisation is an island entire of itself. Every organisation is a piece of the archipelago, a part of the island chain.
Your organisation is probably a link in a chain, beginning with a sole or joint controller at the top, generally passing down to a processor and often ending with a sub-processor (or even additional subsequent processors) at the bottom. There are strict data protection laws (including the GDPR in the EU, the DPA in the UK and POPIA in South Africa) that regulate how that chain operates and require each link to enter into written data processing agreements (DPAs) with their neighbours.
Those DPAs need to meet certain requirements related to the security of personal data. In this presentation, David will explore them and what they mean for your organisation, based on your position in the chain. You will learn:
- How to have better relationships with other organisations that you share data processing with when it comes to the security of that personal data
- The significant steps you need to take towards complying with relevant data protection laws, when it comes to your data processing relationships and security
- How to stand a better chance of escaping fines and other penalties for failing to comply with relevant data protection laws, when it comes to your data processing relationships and security