Arrival and registration
Opening remarks from the Chair
Opening Keynote Address: Examining the impact of people, processes, technology and regulation in combating cyber-attacks: how much progress have we made?
Charl van der Walt, Chief Strategy Officer, SecureData SensePost (UK)
- What victories have been achieved from a defender point of view?
- What advancements have been made?
- What progress has been made in terms of the push towards better identity and authentication management/processes (MFA)?
- What positive impact have regulation and compliance requirements such as GDPR had?
International Keynote Address: Unbelievable stories of cyber-horror
Graham Cluley, Independent Security Expert (UK)
Every day we read headlines of data breaches, hacks, and malware attacks. Often they're identikit newspaper stories where you could easily just change the names of the companies involved and the number of customer records they have had stolen from them. But every now and then something extraordinary happens. Like the companies who pretended to be hacked when they weren't, or the attackers who went to extraordinary lengths to steal millions from their employers. In this presentation, computer security veteran Graham Cluley explores some of the surprising and unusual ways that companies have been hacked, and the craziest things tech companies have done to put our data at risk.
- How hacked companies exploit the media to boost their brand
- How to cheat at the lottery and win $14.3 million
- Recognising the insider threat
- You won't survive unless you're skeptical
International Keynote Address: The future of security analytics: from static lists to machine learning
TK Keanini, Distinguished Engineer, Advanced Threat Solutions, Cisco (USA)
As we look back 20 years, what and how we defended our digital business was drastically different, yet the analytical outcome remains the same: detect and remediate threats in a timely manner. Threat actors have evolved, our environments have changed to include everything from traditional data centres to public clouds, network sessions are dark to direct inspection, and as a result, security analytics has had to innovate to keep pace. You should not have to be a data scientist to be an educated consumer of these advanced analytical techniques. In this talk, we will quickly review what machine learning is and set a foundation for talking about the different techniques, but more importantly, when to use it in certain applications and when not to use it. You will leave with six simple questions every security vendor applying machine learning should be able to answer and you will be a more educated consumer of this technology.
Morning refreshments and networking
International Keynote Address: Israel's strategic response to the cyber threat
Ofir Hason, CEO & Co-Founder, CyberGym (Israel)
Israel is perceived as a world leader in cyber capabilities. In a report that examined the cyber preparedness of twenty-three countries, Israel received the highest score (4.5 stars out of 5). Israel has become a cybersecurity powerhouse at the centre of an $82 billion industry. Last year it exported $6.5 billion in cybersecurity products and convinced more than 30 multinationals to open local R&D centres. Current estimates reveal Israel has about 20% of the global private cybersecurity investment. Israel is constantly under attack. The secret to its existence is having technological superiority over its enemies. Cyber is not an exception. Developing operational capabilities in the cyber arena is essential to safeguarding Israel's national strength. Its economy and its future as a democratic and open society depend largely on the capability to protect the country's vital computer networks from any disruption of normal life. In this presentation, Ofir will discuss Israel's strategic positioning as a cybersecurity leader:
- The government as coordinator
- The government as a business catalyst
- Investing in human capital
- Making the military a start-up incubator and accelerator
- Innovative approach: thinking outside the (cyber) box
Total Wipe Out: What could happen if cyber criminals successfully attacked a country's critical infrastructure systems?
Veronica Schmitt, Lead Forensic Analyst, DFIR Labs
Cyber warfare can be described as digital attacks which are aimed against a country or nation in order to cause disruption to the computer systems which are associated with critical infrastructure. The aim of a cyber war like this would be to create the most significant damage, potential death, destruction and/or total anarchy. The term "BlackOut" is used in hacker circles to refer to a plan to cause a total blackout within a country or nation of all critical infrastructure. With the ever-increasing interconnectivity of a country's critical infrastructure, it's possible that a country could experience BlackOut and be crippled within a month. This presentation will be in the format of a reenactment of a theoretical BlackOut plan on a fictional country, "Barony of Mejis", by using information and tooling that is freely available on the Internet. The presentation will be given around a set timeline indicating a high-level approach to a BlackOut plan. All targets will be applicable in real life, and based on realistic systems, but will be fictionalised.
- Understanding the Internet of "hackable" Things
- Understanding how critical infrastructure is connected to the Internet
- Understanding the vulnerabilities within these systems
- Insights into a BlackOut plan and getting into the mind of cyber war criminals
- Using examples of real-world hacks which have taken place
Panel discussion: Assessing SA's national cyber risk 'thermometer' - what is our national risk level and how prepared are we in the case of an attack?
Moderator: Craig Rosewarne, Managing Director, Wolfpack Information Risk
Gerhard Cronje, Head: Cyber and Information Security Unit, South African Reserve Bank (SARB)
Kalyani Pillay, CEO, South African Banking Risk & Information Centre (SABRIC)
Mike Silber, General Counsel & Group Head: Regulatory, Liquid Telecom
Dr Kiru Pillay, Chief Director: Cybersecurity Operations, Department of Telecommunications and Postal Services
Kovelin Naidoo, Mr Robot, FNB
The probability and impact of cyber-attacks were rated as the top man-influenced risk facing countries and organisations in the recent 2018 World Economic Forum Global Risks Landscape report. The health, safety, security and economic well-being of citizens, the effective functioning of government, and perhaps even the survival of the industrialised world, rely heavily upon interconnected critical systems. A country may experience widespread disruption or even loss of human life if these systems become inoperable. South African organisations responsible for critical infrastructure need to have a consistent and iterative risk-based approach towards identifying, assessing and managing cybersecurity risk. During this facilitated discussion, Craig will engage with key public and private sector stakeholders to discuss:
- The current cyber risk challenges facing SA
- Who are the main public and private institutions accountable at a national level?
- What is the current state of our country's readiness to mitigate these threats?
- Proposed initiatives and timelines and possible opportunities for joint public/private partnerships
Lunch and networking
Track One - Strategy and User Awareness
This track takes a strategic look at implementing a business-driven cyber security plan and where the responsibility for cyber security should sit within your organisation. It also examines how to raise awareness of cyber security throughout your business, from the boardroom to the shop-floor.
Developing a business-driven security strategy around prevention, detection, response and recovery
Gerhard Cronje, Head: Cyber and Information Security Unit, South African Reserve Bank (SARB)
- Defining the reference framework from the technical level to executive level so that everyone understands the issues
- Balancing the need for a tactical approach to plug any immediate threats while putting in place a proactive strategy for cybersecurity
- Thinking like a hacker: identifying the systems/data that drive your business that could be attacked
- Understanding what tools you need and ensuring that they are operationalised properly
- How do you ensure that your security plan demonstrates a visible increase in security after implementation?
Where does cybersecurity belong in your organisation? Creating the right culture and structure to enable cybersecurity to be effective
Alex Bowdler, IT Operations & Security Manager, Aspen Pharmacare
- What are the pros and cons of locating cybersecurity within the following departments:
  - Physical security
- Who is responsible for what? Creating appropriate reporting lines specific to your organisation and separating the governance of cybersecurity from its implementation
- Ensuring collaboration across all the different departments and encouraging the person responsible for cybersecurity to share information
- Getting the culture right: creating an environment of openness and transparency in order to manage the organisational risk
- Creating an agile structure for a fast response, e.g. emergency procurement processes
- What are the pros and cons of outsourcing the CISO function and cybersecurity services?
Afternoon refreshments and networking
Cybersecurity: Increasing your reputational resilience
Marina Bidoli, Partner and Office Head, Brunswick South Africa
"When, not if" has long been a stark warning from cyber experts and regulators. Despite growing awareness that businesses can be brought to a standstill, too many organisations still do not take adequate steps to prepare in advance for a cyber breach or significant data incident. The reputational impact of a poor response can be severe, compounding the initial financial and operational impacts. Trust in leadership and the brand is eroded, and badly handled communications can worsen the situation. It becomes a case of "You should have seen this coming. You should have been better prepared. Why did you not protect my information?" Recent Brunswick Insight research shows that, fairly or unfairly, there is much finger pointing, with the brunt of the blame for a cyber incident falling on the victim of the attack, not the perpetrator. There has also been an increase in class action suits and, in significant breaches, the resignation of the CEO, CISO and/or Head of Legal. So what does one do in such a toxic environment? In this presentation the speaker, Marina Bidoli, will look at the reputational aspects of cyber breaches. She will provide some highlights of what works, and what does not.
- Preparation pays: how can you prepare for a cybersecurity breach?
- Toolkits, messaging, stakeholder maps and simulations matter: what should you have ready for a rapid response?
- Case studies and tips on how best to navigate through the crisis
- Steps needed to rebuild reputation and regain trust
Panel discussion: How do you increase user awareness and keep your workforce 'cyberfit'?
- Understanding cyberpsychology: what is the impact of human behaviour on security within your organisation?
- How do you demonstrate to users the risks on a business and personal level, e.g. what happens if you click on a link?
- How do you design and implement an effective, ongoing phishing awareness campaign?
- Creating a culture of reporting security incidents based on trust and understanding rather than fear
Cyber insurance: what are the benefits and what to look out for when choosing a cyber insurance product?
Ryan van de Coolwijk, Product Champion: Cyber, ITOO Special Risks
- Examining the benefits of cyber insurance: what does it cover?
- Understanding how a cyber insurance policy helps to mitigate risk exposure in the case of a breach
- What should you look out for when choosing a cyber insurance policy? What questions should you ask?
- What do cyber insurance providers look for when deciding whether to provide coverage and what level?
Closing remarks from the Chair and End of Day One
Track Two - Governance, Risk, Compliance and Regulation
This track will provide an update on all the current and proposed legislation around cyber security, most notably, the Cybercrimes Bill. It also examines the need to quantify your cyber risk and how to empower your internal audit team to assist with cyber security.
Track Chair: Corien Vermaak, CyberSecurity Specialist, Cisco
Quantifying cyber risk - bridging the divide between technology and the Board
Johan Botha, Chair, South Africa Chapter, FAIR Institute
Cybersecurity is considered a top-three risk by most organisations today, as cyber-attacks, online fraud and internal threats have a material impact on their businesses. And, while boards and executives expect to be informed about cyber risk, they are not getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard-to-understand risk registers and heat maps. Those responsible for cybersecurity - from the Board and the CEO on down - are urgently looking for better ways to measure and report risk that will enable well-informed decision-making, regarding questions such as:
- What are the organisation's top cyber risks and how much exposure do they represent expressed in financial terms?
- Which cyber risk management investments matter most?
- Are they investing enough (or too much) in cyber risk management?
This presentation will provide an overview of a pragmatic solution and approach to cyber risk quantification, based on the Open Group's Open FAIR risk quantification standard, that gives Chief Information Security Officers and Chief Risk Officers the means to bridge the divide between IT and information security on the one side, and the Board and executive management on the other. Open FAIR provides a model for understanding, analysing and measuring information risk in financial terms, thereby addressing the current challenges of cyber risk reporting and enabling the organisation to prioritise effectively, make trade-offs and choose cost-effective cyber risk mitigation solutions.
- Understanding the current challenges to measuring and reporting cyber risk
- Examining a solution to quantifying cyber risk that enables well-informed cyber risk decision-making
- Understanding how the FAIR methodology, coupled with software, can empower information security and risk professionals to improve cyber risk reporting
Developing a cybersecurity programme based on the NIST framework
Raymond du Plessis, Senior Managing Consultant, Mobius Consulting
The NIST Cybersecurity Framework is being adopted by many organisations because it focuses on the key capabilities required to identify, protect, detect, respond and recover from cyber-related threats and incidents. However, improving cybersecurity capabilities comes with a significant investment, which is why some companies are reluctant to fully adopt the framework. During this talk Raymond will discuss using the framework to develop a risk-based approach for cybersecurity improvements that will help motivate the investment required. This presentation will include the high-level steps you can use to go from developing a threat profile and performing an initial assessment through to developing your improvement programme. The presentation will also include some of the key aspects to consider for your improvement programme and the adoption of the framework, such as operational capacity, prioritisation, budget and programme governance.
- Using the NIST Cybersecurity Framework to assess your organisation's current capabilities and threat profile
- The high-level steps to take when developing a cybersecurity programme
- Aspects to consider for your improvement programme
Afternoon refreshments and networking
An update on the Cybercrimes Bill
Corien Vermaak, CyberSecurity Specialist, Cisco
- Examining the latest version of the Cybercrimes Bill: what does and doesn't it cover? When will it be passed into law?
- How will the broad phrasing in the Bill impact CIOs and companies, i.e. to what extent could they become criminals based on their use and handling of data?
- Does this legislation go far enough to address the issues that SA is currently facing in terms of cyber crime and cybersecurity? What more needs to be done from a policy/legislative point of view?
- Comparing the Bill with equivalent international legislation – what is done globally?
Achieving compliance with security and privacy regulations: POPIA & GDPR
Yvette du Toit, Senior Manager, EY
- An update on GDPR and POPIA: when will POPIA come into force? What has been the impact so far of GDPR on South African-based companies?
- Comparing GDPR and POPIA: to what extent do they overlap? If they both apply to the same information, which piece of legislation will prevail?
- Understanding the need for your organisation's approach to POPIA and GDPR to be driven by the Board and not IT
- How will POPIA and GDPR be enforced?
- If GDPR applies to your organisation, do you need to appoint an EU-based representative?
No organisation is an island: Managing security under data processing relationships with empathy
David Luyt, Associate, Michalsons
How you manage data processing relationships matters, because no organisation is an island entire of itself. Every organisation is a piece of the archipelago, a part of the island chain.
Your organisation is probably a link in a chain, beginning with a sole or joint controller at the top, generally passing down to a processor and often ending with a sub-processor (or even additional subsequent processors) at the bottom. There are strict data protection laws (including the GDPR in the EU, the DPA in the UK and POPIA in South Africa) that regulate how that chain operates and require each link to enter into written data processing agreements (DPAs) with their neighbours.
Those DPAs need to meet certain requirements related to the security of personal data. In this presentation, David will explore them and what they mean for your organisation, based on your position in the chain. You will learn:
- How to have better relationships with other organisations that you share data processing with when it comes to the security of that personal data
- The significant steps you need to take towards complying with relevant data protection laws, when it comes to your data processing relationships and security
- How to stand a better chance of escaping fines and other penalties for failing to comply with relevant data protection laws, when it comes to your data processing relationships and security