SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

23-24 April 2018

Palazzo Versace, Dubai – United Arab Emirates Security, Technology and Innovation to Drive Forward-thinking in Future Generations -

Cyber Risk and Resilience by Design

Future-oriented security and intelligence and creative thinking on technological opportunities in cybersecurity. What is the new expectation? 1. Artefacts of Innovation Roundtable - Advanced Technologies, AI, Robotics - CISO and CIO as enablers of business innovation 2. Investment Perspective on Harnessing IP in Cybersecurity - Brand protection and investment in cybersecurity 3. Cyber Resilience Strategies for the Middle East – live exercises and workshops on crisis planning, open source intelligence tools,

IoT in energy and renewables and finsectech 4. Securing online commerce – corporate case studies on the risks and opportunities in Cloud, DevOps and Threat Intelligence 5. CxO Cyber Risk Governance and Assurance Boardroom – discussion on

Governance, Business Engagement and Trust

International benchmarking on cybersecurity and the threat horizon • Abu Dhabi Government Entity • Abu Dhabi Police • Al Safeer Group • Egyptian Arab Land Bank • Etisalat Digital • Marks and Spencer • Modern Times Group Sweden • Network International Africa • Regulation & Supervision Bureau - RSB • Riyad Bank • Souq.com – Subsidiary of Amazon • TDC Group Denmark • The Exercise Group7 • University of Portsmouth

"You wouldn't want to miss this. Particularly on

the Boardroom discussion, it is like a

strategic planning and facing the board of

directors. Excellent!" Acting CISO, Western Region Municipality,

Abu Dhabi Government

Agenda at a Glance 22 April 2018 Integrated Security Training Courses Course 1: New Principles for Governance & Strategy in a Crisis Course 2: Cyber Security for Ports & Vessels Course 3: Business Espionage 23-24 April 2018 CISO 360 Middle East Congress 25-26 April 2018 Integrated Security Training Courses Course 4: Cyber Policy & Standards for Systems Security Course 5: Catastrophic Risk Theory and Practice for Energy, Leisure & Transportation Course 6: Cyber Attacks – The Risk and the Fix

"A very engaging, varied and

interactive event. The best conference I have ever attended!"

Information Security Manager - Lloyd's of

London

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

2

inspire | connect | innovate Dear Colleague, Pulse Conferences is delighted to invite you to attend the CISO 360 Middle East Congress will be hosted 23-24 April 2018 at the Palazzo Versace in Dubai. Chief Information Security Officers, CIOs, directors of cyber threat intelligence and security innovators and investors from across the GCC region and internationally will unite. The tools within cyber security are useful for their forward thinking to 2071 and education and innovation to be competitive in the world with the younger generation. Innovation and harnessing key skills to build the UAE and GCC region into the world leading nation of technologists. This programme will explore how can we leverage the tools within cyber security to drive forward thinking in future generations? What are communications and cultural transformation strategies for reputation and cyber security that work? How can we develop skills for industry focus – ehealth, fintech, renewables and sustainable technologies? What are emerging international public private partnerships? How can CISOs and CIOs use cybersecurity to drive revenue and increase shareholder value? Today’s CISO is uniquely positioned to deliver bold, game-changing leadership, engender transformational innovation, and steer the enterprise into the next era of digital business as technologies such as blockchain, artificial intelligence, data analytics and hyper-convergence offer new ways for doing business. Against the backdrop of technological innovation with the the Internet of Things (IoT), Artificial Intelligence (AI), Robotics and other advanced technologies that are enabling major digital transformation programmes, this event will enable deep benchmarking on the priorities and challenges that matter. The focus will be on the CISO how to leverage innovation and technology, cyber security for forward thinking in the era of digital innovation and cyber resilience.

International speaker panel includes… • Aladdin Dandis, Information Security Manager, Souq.com - Subsidiary of Amazon • Anshul Srivastav, Chief Information Officer, Information Technology, Union Insurance Company P. S. C. • Dimitrios Stergiou, Chief Information Security Officer, Modern Times Group MTG AB • Dr. Mohammad Khaled, CIO, IT Digital Transformations, Regulation & Supervision Bureau (RSB) • Dr. Major. Hamad Khalifa Al Nuaimi, Head of Telecommunications Security, Abu Dhabi Police GHQ • Kumar Prasoon, Group Chief Information Officer (CIO), Al Safeer Group • Eng. Manan Qureshi, Vice President - Head of Business Continuity, Riyad Bank • Intelligence Specialist, North Cyber Ltd • Irene Corpuz, Section Head - Planning & IT Security & Acting CISO, Western Region Municipality - Abu Dhabi Government • Jenny Reid, CEO, iFacts • Jonathan Martin, EMEIA Operations Director, Anomali • Joseph Makram, CIO, Egyptian Arab Land Bank • Kamran Ahsan, Senior Director/Digital Security Solutions, Etisalat Digital • Lady Olga Maitland, Chairman, Copenhagen Compliance • Lee Barney, Head of Information Security, Marks and Spencer • Marcus Alldrick, Former CISO, Lloyd’s of London & Current Advisor, Santander • Michael Waheeb, Head of Information Security, Network International Africa • Dr. Vasileios Karagiannopoulos, Senior Lecturer in Law and Cybercrime; Director of the Cybercrime Awareness Clinic; Course

Leader for BSc Criminology and Cybercrime; Chair of ICJS Ethics Committee, University of Portsmouth • Ray Stanton, SVP/Group Chief Security Officer, TDC Group • Richard Hollis, CEO, Risk Crew & Risk Factory • Tim Sandwell, Director, Barclay Simpson • Robert Shaw, Senior Advisor, United Nations, and Co-Founder, The Exercise Group7 • Dr. Sally Leivesley, Director, Newrisk Ltd, A Founder Member, The Exercise Group7 • Simon Scales, Recently Head of Investigations EMEA, BP plc. • Sofiane Chafai, EMEA Advisory Board Member, (ISC)²

Gold Sponsors

"It is a very different event,

the way it is organized

facilitates the exchange of

information in a circle of

confidence where CISOs from

different sectors and continents

expose their problems and

share strategic visions," Head of

Governance, GMV

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

3

inspire | connect | innovate 8 reasons to attend the CISO 360 Middle East Congress

Advanced technologies innovation workshops Designed for CISOs and CIOs to reposition as the enablers of business

innovation and to ask the right questions of their technical teams: AI; Open source hacking; Business espionage; Cybersecurity policy standards

International multi-faceted speaker panel Local and global insights and exchange between CEOs, CIOs, CISOs, corporate governance, innovators and investors from around the world

Cybersecurity Boardroom engagement

Cyber risk management and business engagement discussion between CISOs and non security board and c-level will break down traditional siloes between business-security-technology-legal! Technology governance, business engagement and trust.

Future facing with an R&D and investment on innovation focus Natural integration between inhouse security, technology innovators and investors. None of the typical industry barrier between buy and sell

Immersive agenda with real-time benchmarking and exciting debates

Dynamic debates, corporate Q&A, on-stage fireside chats, ‘live’ polls!

Intimate and inspiring networking - community based trusted ‘closed door’ environment The entire event is held under the Chatham House Rule. Networking dinners included! Enduring connections guaranteed.

Optional add on - Integrated security training courses

Available pre and post Congress - gain intelligence on emerging techniques and maximise your time and budget in Dubai! 1) Governance & Strategy in a Crisis 2) Cyber Security for Ports & Vessels 3) Business Espionage - Threat and Mitigation 4) Cyber Policy & Standards for Systems Security 5) Catastrophic Risk Theory and Practice 6) Cyber Attacks – the Risk and the Fix

Working locally, thinking

globally…

Taking an approach of ‘local solutions with the insight of global best practice’, the Pulse team has over 14 years’ experience working

with senior cybersecurity and governance executives in the Middle East and is well-positioned to cover enterprise-wide risks across a wide

range of markets including: e-commerce, AI, automotive, health,

financial services, fintech, infrastructure, IoT, mobile, smart

city, energy, defense, manufacturing, retail, health,

consumer goods and transport. CISOs/ Heads of Information

Security, CIOs and cyber threat intelligence directors will share

approaches to emerging cybersecurity challenges pertinent to

the region. This event follows the success of our inaugural CISO 360

Congress held in Barcelona.

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

4

inspire | connect | innovate

PROGRAMME Day One: Monday 23 April 2018 09:00 Chairman’s Opening - Global Risk Horizon 2018 and Beyond

Marcus Alldrick, Former CISO, Lloyd’s of London & Current Advisor, Santander

09:20 Keynote Harnessing technology innovation and cybersecurity skills for the future generations - innovation, robotics, AI

• Skills for industry focus - ehealth, fintech, renewables and sustainable technologies

• International public private partnerships participation

• A government road-map to national security cyber threat Senior UAE government representative – invited

09:40 Investor 360 Keynote Transformational cyber security investment initiatives - How can security reposition as

enablers of business innovation? Is cybersecurity IP the next gold? Hear the investor perspective on the advanced and emerging technologies that lie within cybersecurity - data analytics,

robotics, cloud and assistive technologies. Where are the most patents being filed that directly link to cybersecurity? Is the security industry fully monetizing all the cybersecurity IP out there? How can this be monetized? What is the role of incubators – who are the key market players? Incumbents versus disruptors and game changers

Major technology investor – invited

10:00 Case study how M&S integrate security into rapid development

Agile Security… it’s not an oxymoron, but it is an accurate description of how we secure e-commerce development! If you have in house software engineers and an ecommerce platform or even a team of developers working on a dynamic website then you will no doubt have pressure to release code quickly – with static code analysis and sometimes overzealous security colleagues, the process of securing that code base can become slow and cumbersome which leads to delays in your release cadence. M&S has developed an agile security process that integrates into the fast-flowing world of modern ecommerce. Lee will explain to you how his team do this and use gamification to ensure the security teams are finding the problems first. Why should I listen to this speaker? Lee has come up with a unique way of using gamification between Blue and Red teams which he has integrated into ecommerce development. A worked example of how M&S integrate security into rapid development and examples of gamification algorithms used in this process. Lee Barney, Head of Information Security, Marks and Spencer

10:40 Case Study BlockChain, cyber resilience, and continuity

Eng. Manan Qureshi, Vice President / Head of Business Continuity, Riyad Bank 11:10 Morning Coffee Break

11:30 FinSec Panel How are banks and fintechs protecting themselves against organized crime and state nation threats in

cyberspace?

• Who are the emerging attackers, what are their motives and what methods do they use?

• What are the new opportunities that will revolutionize payments, what would this mean for online security?

• Can the use of blockchain/distributed ledger technology improve security?

• How is AI being used in authentication?

• What are the key challenges of how sensitive data is protected now?

• Financial regulators - are their demands realistic and achievable?

• Insurance of cyber risk - How to manage the risk and not just transfer it? Chaired by: Eng. Manan Qureshi, Vice President - Head of Business Continuity, Riyad Bank Panellists: Michael Waheeb, Head of Information Security, Network International Africa Marcus Alldrick, Former CISO, Lloyd’s of London & Current Advisor, Santander Anshul Srivastav, Chief Information Officer, Information Technology, Union Insurance Company PSC

Joseph Makram, CIO, Egyptian Arab Land Bank

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

5

inspire | connect | innovate

12:10 Case study How to Secure Your Business on the Cloud? Practical Approach, from Strategy to Implementation

Hear how the region’s leading online retailer is approaching cloud security – from strategy to implementation. Why should I listen to this speaker? You will leave with practical insights on how to promote the commercial advantages of managing information security risks in the cloud. Aladdin Dandis, Information Security Manager, Souq.com - Subsidiary of Amazon

12:50 Futurist keynote + Panel Security implications of AI, Big Data, IoT, Blockchain

CISO and CIO as enablers of business innovation: What are the risks, opportunities and game-changers of AI, Big Data, IoT, Blockchain? Cut through the hype and hear strategy and predictions from innovators, investors and CISOs on how disruptive technologies are radically transforming modern business and where the opportunities lie for cybersecurity.

• Futurist view of security implications of AI, Big Data, IoT, Blockchain – predicted game changers? • How AI will help on achieving UAE 100 years vision which is the first Vision in the world • Role of innovation in future foresight and future accelerations • Change management and convergence of security disciplines for next generation security • Security controls/ standards/ considerations for safe city architecture built based on AI, Big Data, IoT, Blockchain without

compromising public safety • Cyber resilience that became national resilience - what are the strategical actions to be adopted for readiness to

response to cyber resilience? Co-chaired by: Dr. Mohammad Khaled, CIO, IT Digital Transformations, Regulation & Supervision Bureau – RSB Kumar Prasoon, Group Chief Information Officer (CIO), Al Safeer Group

Dr. Major. Hamad Khalifa Al Nuaimi, Head of Telecommunications Security, Abu Dhabi Police GHQ 13:20 Lunch

14:40 A Tested Roadmap Current challenges and future opportunities for cyber security

• How has the Western Region Municipality, Abu Dhabi pursued a secure digital transformation? • Lessons learned so far and roadmap for the future • Reducing the gender gap in IT Irene Corpuz, Head of the IT Security Section & acting CISO, Western Region Municipality Abu Dhabi

15:00 Role-Playing Exercises Threat from business espionage

Hear advanced methods of intelligence gathering, insights on the insider threat and counter intelligence and how security is compromised by human nature with a series of case studies through the medium of role playing exercises and case studies. Why should I listen to this speaker? Learn from real world examples of the sheer breadth of vulnerabilities in almost all organisations, all facilitated by freely and legally obtainable information and how to mitigate the risks.

• Who collects intelligence and why, advanced methods of intelligence collection

• Physical and Information security methods

• Counter intelligence and the insider threat

• How security is compromised by human nature

• Role playing of intelligence gathering techniques and security responses Robert Shaw, Senior Advisor, United Nations, and Co-Founder, TEG7 LLP

15:40 Afternoon Tea Break

16:00 Panel IoT cybersecurity with energy and renewables

Discuss emerging cyber threats and technical issues and solutions for control room operations relating to AI and IoT challenges.

• Securing data across big data processing and analytics

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

6

inspire | connect | innovate • Identifying how to mitigate human errors in the energy infrastructure

• Specific cybersecurity challenges with IoT and critical national infrastructure

• Sustain operations under all- hazards events - change management techniques

• New threats from interconnected systems Led by: Dr. Sally Leivesley, Director, Newrisk Limited and TEG7 LLP Ray Stanton, SVP/Group Chief Security Officer, TDC Group (Denmark)

16:30 Open Source Hacking Workshop Open Source Intelligence (OSINT) - penetrating organisations infrastructure

cyber vulnerability assessment No matter how well defended the organisation’s intellectual property is against cyber attack, the staff are the way in. The talk focuses on the mindset and techniques of the attacker, whether a cyber criminal, a state actor, a corporate spy or frivolous hacker, and shows how surprisingly low-tech most attacks are - often deriving cyber attack-enabling information from nothing more than a search engine before launching a devastating exploitation of infrastructure or the human workforce. Why should I listen to this speaker? Hear real world examples from a covert online operations and digital forensics expert on the sheer breadth of vulnerabilities in almost all organisations - all facilitated by freely and legally obtainable information and how to mitigate the risks! Former Intelligence Officer, North Cyber Limited (UK)

17:10 Close of day one 18:00 Dinner

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

7

inspire | connect | innovate

Day Two: Tuesday 24 April 2018

08:30-09:00 Breakfast Briefing - Emerging Risks and Opportunities Training

Robert Shaw, Senior Advisor, United Nations, and Co-Founder, TEG7 LLP Intelligence Specialist, North Cyber Ltd Dr. Sally Leivesley, Director, Newrisk Ltd, A Founder Member, The Exercise Group7

09:05 Chairman’s Re-opening

Marcus Alldrick, Former CISO, Lloyd’s of London & Current Advisor, Santander

09:10 CxO Cyber Risk Governance and Assurance Boardroom

How can CISOs reposition cybersecurity as a robust business investment strategy to keep the Board happy? What do Board members and other GRC assurance leaders need to know to ask the right questions? Investors are increasingly asking questions of the board about cybersecurity because of litigation risks and disclosures. In this session you will hear and share how to align culture and mindset across security-business-technology and legal. How can CISOs improve their offering? What can CIOs, GCs, CPOs, CROs offer the CISO internally? What will you learn? Practical take-aways on how we can best reposition cybersecurity as a robust business investment strategy.

• How can we take current security practices to create new models and strategies to build security value?

• How can we strive for higher quality security practices, standards and sharing?

• GDPR - challenges for the region

• What best practice security strategy looks like now and how is this rapidly evolving with digital transformation?

• Quantitative risk models applied to security - can we leverage internal knowledge to apply financial risk models

• How can we place measures on controls – balancing process and power to increase the surface areas of attacks?

• How will CFOs, GCs and CCOs provide compliance in the era of digital transformation? Co-led by: Jonathan Martin, EMEIA Operations Director, Anomali Lady Olga Maitland, Chairman, Copenhagen Compliance

Richard Hollis, CEO, Risk Factory

09:50 Panel Advancing tomorrow’s holistic security leaders

The tools within cyber security are useful for their forward thinking to 2071 and education and innovation to be competitive in the world with the younger generation. Innovation and harnessing key skills to build the UAE into the world leading nation of technologists. This panel discussion will ask how can we leverage the tools within cyber security to drive forward thinking in future generations?

• Communications and cultural transformation strategies for security/ IoT/ IT/ threat/ response/ intelligence disciplines

• Skills for industry focus – ehealth, fintech, renewables and sustainable technologies

• Defending people, systems and infrastructure – building national resilience

• International public private partnerships participation

• Changes in international salary trends and expectations

• Advancing younger security leaders - passing on the legacy merged with new ways Chaired by: Ray Stanton, SVP/Group Chief Security Officer, TDC Group (Denmark) Panellists: Aladdin Dandis, CISO /Information Security Manager, Souq.com Irene Corpuz, Section Head - Planning & IT Security & Acting CISO, Western Region Municipality - Abu Dhabi Government Tim Sandwell, Director, Barclay Simpson Sofiane Chafai, EMEA Advisory Board Member, (ISC)² Dr. Vasileios Karagiannopoulos, Senior Lecturer in Law and Cybercrime; Director of the Cybercrime Awareness Clinic; Course Leader for BSc Criminology and Cybercrime; Chair of ICJS Ethics Committee, University of Portsmouth

10:30 Keynote + Discussion What makes for a world-class business intelligence, BCP, investigations and cybercrime unit?

Insights on managing cybercrime investigations from a highly experienced and sought after investigative and security subject matter expert, who has directed and led law enforcement and corporate investigation teams for nearly 30 years into matters of regulatory compliance, fraud, bribery, corruption, money laundering, employee misconduct and reputational risk across the globe.

• How do you leverage the value and investment from cyber threat intelligence?

• What makes for a world-class threat intelligence team? Who do you share this with internally?

• How does this leverage value and actionable intelligence to the board to advise appropriate strategy?

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

8

inspire | connect | innovate • Practical steps to conduct an insider threat investigation

• Sharing ROI of strategic decisions made on the back of cybercrime investigations, intelligence, data and the patterns of employee behaviour Chaired by: Simon Scales, Recently Head of Investigations EMEA, BP plc. Jenny Reid, CEO, iFacts

10:50 Morning Coffee break

11:20 Integrating cyber function into BCP to deal with the massive attacks

Sofiane Chafai, EMEA Advisory Board Member, (ISC)²

11:35 ‘Live’ Response Exercise Shamoon Version X – What is next?

New threats to technology in the region can be reduced by innovative team thinking and effective response planning within companies and government departments. This ‘live’ group scenario exercise draws on 2018 public information on the Spectre threat to hardware. Working in table groups with fellow participants, this is an interactive challenge for participants to build defensive and offensive actions within their organisation to protect against future advanced threats to the sustainability of infrastructure and business operations in the region. You will tasked to deliver information that is vital to CISOs and senior company managers in government, telecommunications, energy, banking and other critical infrastructure.

• Benchmark innovative solutions and assess off-the-shelf solutions currently available

• Integrate business continuity and CISO security to avert a catastrophic threat

• Integrating cyber function into BCP to deal with the massive attacks

• Assess company-wide effects on delivery and supply chain

Co-led by: Irene Corpuz, Section Head - Planning & IT Security, Western Region Municipality UAE Government and Dr. Sally

Leivesley, Director, Newrisk Ltd, A Founder Member, The Exercise Group7

12:10 Case study Sweden Psychology in practice of social engineering

Social engineering is nothing new, but it has become the “king of attacks”, being (relatively) easy to deploy and requiring minimal commitment from the attackers’ side. Why listen to this speaker? MTG has seen its fair share of social engineering attacks. You will hear how MTG has chosen to deal with this threat. Key takeaways:

• The 6 influence principles (by Dr. Cialdini) and how these principles are utilized to improve the success rate of social engineering attacks

• The driving forces of what makes us “click on the link” and how we should defend against them

• What MTG is doing to prevent these types of social engineering attacks Dimitrios Stergiou, Chief Information Security Officer, Modern Times Group MTG AB (Sweden)

12:30 Security Collaboration Challenges and best practice

• Why is collaboration across the business essential?

• What needs to be disseminated, what doesn’t and why?

• What are the benefits? What are the obstacles?

• How do you overcome them? Richard Hollis, CEO, Risk Crew 12:50 Lunch

14:00 Social Media Scandals Human factor - social media risk and policies

• Current figures indicate that over 6,000 tweets are made per second globally, 5 new Facebook profiles are opened every 10 seconds

• Social Media gives a glimpse into the person that will enter your workplace and gives a good indication of whether they will fit the corporate culture of your organisation and if they could pose a possible risk to your organisation

• All it takes is one person to gain media exposure and traction, costing an organisation millions in losses

• Social media scandals cost South African businesses in excess of R500 million during 2016 alone Jenny Reid, CEO, iFacts

14:20 Case study Understanding hacktivism as a first step to mitigating its cybersecurity implications

Dr. Vasileios Karagiannopoulos, Senior Lecturer in Law and Cybercrime; Director of the Cybercrime Awareness Clinic; Course Leader for BSc Criminology and Cybercrime; Chair of ICJS Ethics Committee, University of Portsmouth

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

9

inspire | connect | innovate

14:40 Artefacts of Innovation Roundtable

CISO and CIO as enablers of business tranformers. How can we truly achieve security by design? Co-facilitated by: Kamran Ahsan, Senior Director/Digital Security Solutions, Etisalat Digital

By 2018, it is estimated that 70% of enterprise cybersecurity environments will use cognitive/AI technologies to assist humans in dealing with the vastly increasing scale and complexity of cyber threats. The artefacts of innovation that constitute the transformative digital economy are: big data & analytics; the cloud & mobility; IoT; Artifical Intelligence. Combine peer group brain power on the different risk perspectives associated with each technology to share the latest approaches and updates on security deployments.

Format: Each of the 4 tables will focus on a given different 'perspective’ of security. Attendees will select 2 out of the possible 4 roundtables below, rotating in groups. Facilitators and a note-taker will remain fixed to each table to lead and capture the key discussion points, observing The Chatham House Rule. This Roundtable is ideal to benchmark with other CISOs and CIOs to share experiences with peers to strengthen your capacity - including receiving threat intelligence about cloud vulnerabilities, due diligence for 3rd party supply chain, incident response, measures and defending appropriately. Notes will be taken throughout all of the roundtable discussions, observing the Chatham House Rule. Roundtable 1 Cloud and mobility Roundtable 2 IoT

Roundtable 3 AI Roundtable 4 Big data and analytics

15:40 Close of congress, afternoon tea and goodbyes

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

10

inspire | connect | innovate

Training Courses – pre and post Congress Integrated Cyber- and Physical Protection Systems *Enquire for pricing of training courses. *All courses are also available on an in-house bespoke request basis. 22 April – 1-day course COURSE 1: New Principles for Governance and Strategy in a Crisis A one-day training course for Regulators, CEOs and Board members, CISOs, CSOs, COOs, senior managers in finance, planning, government policy planners and senior officers in intelligence, emergency services, defence and cyber security, innovators in disruptive technologies, AI, IOT, banking, internal auditors, insurance and financial services, post-graduate students in Masters and higher degree courses, cyber security technology vendors and designers. The course is strongly based on peer-to-peer learning and practical tests to build capability and confidence in their leadership skills and strategic decision making that will benefit the employer and the stakeholders in their organisation. All attendees will have access to the on-line training manual through the Pulse website and will find this manual useful for ongoing reference in the workplace. New governance principles help senior managers understand strategy and make decisions in a crisis. The five new Governance steps taught in this course build a general crisis governance framework for government and business. Also learned will be the operational decision-making skills for each Governance Principle. Alongside the theory, the know-how is taught through scenario exercises so each participant will become confident over the two days in how to apply the new governance principles for the benefit of their workplace. It is well recognised that when insider threat actors, criminals, terrorists, nation states or natural disasters impact on a country it is the experience and know-how of team leaders that prevent losses and strengthen government and business response. Strategic decision making is rarely offered in training but participants will personally develop new skills when studying each of the five new governance principles and benefiting from peer-to-peer discussions and solutions based on their experience. Module 1: Governance when building a Risk Framework

• Understanding strategy

• Testing strategy with case studies

• Managing internal transformation risks

• Threat intelligence and dynamic risk framework

• Exercise catastrophic risk

• Identifying new Governance Principle 1 Module 2: Trust and Assurance

• Reputation risk

• Assurance testing methodology

• Designing a test

• Exercise Brand Protect

• Identifying new Governance Principle 2 Module 3: Interface with Board and Stakeholders

• Communication skills and crisis leadership

• Reviewing organisation strategy with Board and Stakeholders

• Structuring time-lines, goals, opportunities for growth in the communication

• Exercise Fast Talk

• Identifying new Governance Principle 3 Module 4: Crisis Management and Recovery

• Exercise Insider Threat

• Understanding Sensor and Intelligence Data

• Strategic decisions for brand protection

• Personnel issues and human intelligence during increasing tension

• Team leadership strategy

• Identifying new Governance Principle 4

• Strategic decisions for recovery

• Strategy for pre-emptive systems feedback design

• Identifying new Governance Principle 5

• Individuals complete personal review of skills development

• Course summary and take-aways

About the instructors:

Nigel Somerville MBE MC, Linton Dragon Limited and TEG7 LLP Nigel has a UK Military background with significant cross-cutting security experience in the most challenging of land and maritime environments. He holds strategic experience providing ministerial advice to Whitehall, COBR and the Cabinet Office on security risk. Masters educated and appointed to the Register of Chartered Security Professionals (CSyP) his focus is counter-terrorism, crowded space threat management, security by design and the cyber-physical threat within the built environment. He studies the tactics and vulnerabilities that terrorists have exploited in recent complex attacks to inform crisis planning and prevent catastrophic impact.

Dr. Sally Leivesley PhD Lond., MSPD, BA(Hons) Qld., FICPEM, FRSA, MACE, MIABTI, Director, Newrisk Limited and TEG7 LLP Sally has a UK Home Office background and trained as a Scientific Advisor to respond to all aspects of nuclear attack and chemical, biological and radiological events. She plans, directs and participates in major exercises concerning critical components of industry and specialises in testing catastrophic threat impacts on critical functions of business. She has experience in all phases of risk assessment, planning, crisis management and post-loss recovery including psychological interventions in communities, post-disaster. Sally is a respected media adviser on public protection and is a member of the Register for Security Engineers and Specialists (RSES).

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

11

inspire | connect | innovate 22 April – 1-day course COURSE 2: Cyber Security for Energy, Ports and Vessels With the increasing use of information and communications technology (ICT) in the port and maritime sectors, and the connection of operational technologies (OT) such as control systems, there is a need to address the cyber security issues. The IMO’s ISPS Code requires port and vessel operators to put in place appropriate controls and supporting business practices to address security risks, including those that are cyber related. This course is based on the UK Department for Transport (DfT) sponsored Codes of Practice for Cyber Security of Ports and Port Systems, and Vessels, that were prepared by the Institution of Engineering and Technology (IET). The objectives of the course are to enable delegates to:

• understand and appraise the cyber security threats to their port or maritime operations;

• undertake a risks assessment of their cyber-physical systems and operations;

• develop an appropriate and proportionate security strategy, management plan. Module 1: The cyber security threat Using case studies to illustrate the issues, this module will provide a holistic view of the background to and nature of cyber-related threats, vulnerabilities and risks that can affect the port and maritime sectors. Module 2: Cyber security for ports This module will examine use and implementation of the DfT/IET Code of Practice for Cyber Security of Ports and Port Systems. It will highlight the steps that port and port facility operators should take to achieve compliance with the ISPS Code. Module 3: Cyber security for vessels

This module will examine use and implementation of the DfT/IET Code of Practice for Cyber Security of Vessels. It will highlight the steps that vessel owners and operators should take to achieve compliance with the ISPS Code. Module 4: Developing and maintaining cyber security assessment and plan This module will take delegates through the process required to create the cyber security assessment for the port, port facility or vessel, and the associated cyber security plan. It will examine a typical range of policies, processes and procedures required to support the plan, and outline the recommended approach to implementing and maintaining this suite of documents.

• Individuals complete personal review of skills development

• Course summary and take-aways

About the instructor:

Hugh Boyes BSc(Hons) MBA CEng FIET CISSP Hugh is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the Certified Information Systems Security Professional (CISSP) credential issued by the International Information Systems Security Certification Consortium [(ISC)2]. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security training and consultancy assignments. Hugh is an industry expert on cyber threats to cyber-physical systems, including those in the built environment, ports and maritime sectors. He has written four guidance documents for the IET covering cyber security in the built environment, ports and vessels. His research work focuses on the protection of control systems, whether traditional industrial controls or employing IoT technologies. He is the co-author of British Standard’s PAS 1192-5:2015 [Specification for security-minded building information modelling, digital built environments and smart asset management] and PAS 185 [Smart Cities - Specification for establishing and implementing a security-minded approach]. He regularly reviews standards to assess their handling of security issues and sits on the drafting committee for the forthcoming British Standards BS10754 suite of documents. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

12

inspire | connect | innovate 22 April – 1-day course COURSE 3: The Threat from Business Espionage This training is designed to develop new skills and knowledge for corporate operations and security managers at all levels of management. The first module discusses what intelligence is, who collects it and methods of intelligence gathering. The second module discusses physical and information security methods, the insider threat and counter intelligence and how security is compromised by human nature. The third module is a series of case studies through the medium of role playing exercises and case studies. Module 1

• Overview of intelligence

• Who collects intelligence and why

• Methods of intelligence collection

Module 2

• Physical and Information security methods

• Counter intelligence and the insider threat

• How security is compromised by human nature

Module 3

• Role playing of intelligence gathering techniques and security responses

• Theory and practical exercises

• Case studies

About the instructor: Robert Shaw TEG7 LLP Robert is a security, intelligence and EOD executive with a UK Military background. He has broad strategic and operational experience and has advised senior staff, diplomats and government officials on aspects of security, intelligence, threat analysis, crises management, and resilience strategies. He has been the UN Security and EOD Advisor; Liaison officer for the UNMAS and UNOPS and has experience with NATO, the GCC, African Union, OSCE, EUPOL, FCO and others. Robert is a respected expert, has specialist research background on suicide bombing and has provided thematic briefs on worldwide security issues relevant to UNMAS/UNOPS missions.

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

13

inspire | connect | innovate 25-26 April – 2-day course COURSE 4: Cyber Policy and Standards for Systems Security In a rapidly changing business and technical environment the choice of standards and codes of practice can make a significant difference to the success of your organisation. There are a range of existing cyber security related standards, publicly accessible specifications (PAS) and codes of practice. The choice of whether to implement specific standards can have a significant impact on your organisation’s costs and performance. The objectives of the course are to enable delegates to:

• examine the nature and role of standards, publicly accessible specifications and codes of practice;

• review of the security standards landscape;

• understand factors to be taken into account when specifying or implementing standards, both within the organisation and its supply chain.

Module 1: The nature and roles of standards The module will examine the nature and standing of organisations that produce standards, the types of standards produced and the lifecycle of a typical standard from concept through to its replacement or revision. Module 2: Understanding testing, validation and verification This module will examine the use of certification to confirm conformance of organisations, processes, products and services to particular standards. It will examine the assessment processes and the potential pitfalls

Module 3: The security standards landscape There are a range of security standards available covering organisation, personnel, physical and cyber-security. This module will examine a number of cyber security standards, ranging from those produced by international standards organisations to those developed by industry bodies and professional organisations. Module 4: Choosing and using standards This module will use case studies to illustrate the selection and use of standards to address security both within your organisation and in your organisation’s supply chain.

Individuals complete personal review of skills development Course summary and take-aways

About the instructor: Hugh Boyes BSc(Hons) MBA CEng FIET CISSP

Hugh is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the Certified Information Systems Security Professional (CISSP) credential issued by the International Information Systems Security Certification Consortium [(ISC)2]. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security training and consultancy assignments. Hugh is an industry expert on cyber threats to cyber-physical systems, including those in the built environment, ports and maritime sectors. He has written four guidance documents for the IET covering cyber security in the built environment, ports and vessels. His research work focuses on the protection of control systems, whether traditional industrial controls or employing IoT technologies. He is the co-author of British Standard’s PAS 1192-5:2015 [Specification for security-minded building information modelling, digital built environments and smart asset management] and PAS 185 [Smart Cities - Specification for establishing and implementing a security-minded approach]. He regularly reviews standards to assess their handling of security issues and sits on the drafting committee for the forthcoming British Standards BS10754 suite of documents. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

SHAPING THE FUTURE CYBER RISK AND RESILIENCE AGENDA

www.CISO360MiddleEast.com +44 (0) 20 7936 8989 sara.hook@pulseconferences.com

14

inspire | connect | innovate 25-26 April – 2-day course COURSE 5: Catastrophic Risk Theory and Practice Energy, leisure and transportation sectors are critical to the productivity of nations in the region. A course on catastrophic risk theory and practical work with case studies is offered to CISOs, CEOs, CSOs, COOs, finance managers, Board Directors, auditors, City Planners and policy experts, intelligence experts, big data analysts, financial technology developers, mobile data and financial services, team leaders and senior managers and first responders to incidents. Catastrophic risk methodology delivers high value through integrated risk assessments which reduces costs. The course applies an ‘all-risks’ approach that adds value to commercial and government operations. Through an all-risks approach, business operations can be sustained in many new ways. This novel approach will give course participants an opportunity to be innovative with solutions to prevent and respond to extreme threats. The two-day catastrophic risk course covers methodology to quantify risks that threaten critical operations of energy, leisure and transportation infrastructure. The course takes participants beyond general risk frameworks they are already using to understand the value of adding procedures to sustain their operations when catastrophic events threaten the survival of the organisation, services or people. Dependence on interconnected activities using cyber platforms which might be private networks, cloud, web based services, mobile devices, as brought a new threat of catastrophic failures. There are also insider risks that may breach defences and geopolitical threats and consequences from world- wide events such as nuclear instability in DPRK which are covered in case study briefings in this course. The world-wide risks to the region’s supply chains, energy security, transportation and important leisure industry will be discussed in the course. Successful application of catastrophic risk methods can grow the business by increasing the risk appetite for innovative and transformative projects. Entry into new markets and applications of new technology are challenges that may be made easier with the benefit of catastrophic risk knowledge.

Module 1: Catastrophic case studies and Exercise Degradation

• Catastrophic risk – scope of the course

• Peer-to peer discussion on experiences with catastrophic risk

• Energy distribution, transportation vulnerabilities, leisure market

factors

• Developing a Catastrophic Risk Index (CRI) for an industry

• Cost benefits of Health and Safety integration with Risk

Management

• Cyber and physical security risks

• Pre-defining catastrophic risk to innovation teams in the business

• Unusual threats to the Built Environment: hotels and offices

transport control rooms, energy infrastructure and including

renewables.

• Scenario on energy sector and terrorism- Exercise Degradation

• Principles for senior personnel when facing uncertainty in daily

risk management

Module 2: Risk matrix building and Exercise Hotel Attack

• Building a multidimensional matrix for catastrophic risk

• Using the Catastrophic Risk Index in the matrix

• Calculating consequences to quantify for the business

• Working on sustainability of critical processes and control of

operations and services

• Identifying controllable and uncontrollable variables

• Scenario Exercise Hotel Attack cyber and physical threats and risk

management processes

• Revisiting the catastrophic matrix design and adding dimensions

• Finding the residual risks in energy, transportation and leisure in

well managed operations

Module 3: Business risk model and Case Studies

• Using case studies to test assumptions of a business risk models

• Participant’s choice of case studies

• Analysis of critical factors and risk management

• Identification of fast track ways to save the business or operation or workforce

• Communication to stakeholders – techniques and assessing stakeholder response

• Participant’s presentations of case studies Module 4: Risk intelligence and Exercise Aviation and Port Attacks

• Quantification of catastrophic risk – testing the matrix

• Quantification of residual risk – testing cost effective controls

• Identifying threat intelligence for energy, transportation and

leisure industries

• Controlling insider threats when the insider is not identified

• Scenario Exercise Coordinated Aviation and Port Attacks to test

catastrophic risk theory and practice

• How to design, document and apply brief exercises to test

sustainability of operations

• Evaluating other forms of testing risk measures for sustainability

of business operation

*Individuals complete personal review of skills development

*Course summary and take-aways

About the instructor: Dr. Sally Leivesley PhD Lond., MSPD, BA(Hons) Qld., FICPEM, FRSA, MACE, MIABTI, Director, Newrisk Limited and TEG7 LLP Sally has a UK Home Office background and trained as a Scientific Advisor to respond to all aspects of nuclear attack and chemical, biological and radiological events. She plans, directs and participates in major exercises concerning critical components of industry and specialises in testing catastrophic threat impacts on critical functions of business. She has experience in all phases of risk assessment, planning, crisis management and post-loss recovery including psychological interventions in communities, post-disaster. Sally is a respected media adviser on public protection and is a member of the Register for Security Engineers and Specialists (RSES).

Shaping the security agenda for chief information security officers, cyber threat intelligence directors and security and risk innovators

www.ciso360middleeast.com

inspire | connect | innovate

25-26 April – 2-day course COURSE 6: Cyber Attacks – The Risk and the Fix North Cyber advises that this course is suitable for any officials in government, business, critical infrastructure, banking, transportation, energy, shipping and ports, retail, leisure, police, intelligence and security operations whether government or private sector. The case studies and work will be drawn from Europe, Africa, Middle East and South Asia depending on the persons attending and the region where the course is delivered. Over two days, delegates are shown the reality of just how easy real cyberattacks can be - even those with the most devastating effects - and the implementation of simple measures to avoid catastrophic risk. The course is suitable for entirely non-technical officers as well as cyber managers and administrators who wish to develop a sound understanding of just how easy and low-tech the efforts of an attacker can be, and how to implement mitigation or who wish to upgrade their existing skills to become more cost effective for their organisation. The practical elements are comprehensively taught in a walk-through manner to demonstrate the vulnerabilities in realistic targets. A key theme running through the course is that of workforce vulnerability – no matter how well defended the organisation’s intellectual property is, the staff are the way in.

Day One - The Risk Focuses on the mindset and techniques of the attacker, whether a cybercriminal, a state actor, a corporate spy or frivolous hacker. Students are equipped with tools and techniques to perform investigations of targets in the preparation for a notional attack, essentially becoming the hacker to demonstrate just how easy those attacks often are due to the visibility of staff and corporate data online. Introduction to Cyber Risk

• "It's not about the tech" - why the attackers' techniques are surprisingly low-tech, and why the information security risk lies with the human workforce, not their computers.

• Real world examples of catastrophic attacks and the vulnerabilities in every organisation.

• One size fits all - the common vulnerabilities used by any attacker against any target: corporate, government and personal. Attacker Methodology Part One - reconnaissance Scoping a target. A practical module demonstrating to delegates how an attacker uses OSINT (open source intelligence) to obtain corporate data and personal details using nothing more than search engines and free, legal tools. Part Two - Attack

• Compare and contrast of 'technical' attacks with low tech and no-tech hacking by social engineering.

• Teach a man to phish. Understanding the myriad ways an attacker uses the freely obtained data to quickly penetrate an organisation through simple influence. The Persistent Threat of Leaked Data The permanent threat to corporations that arises from leaks of staff data from breaches such as Yahoo - even when non-corporate in nature, and even when many years old. Delegates are show the surprising amount of leaked data online and what to do about it. Wi-Fi - the Corporate and Personal Risk The largely unknown risks of wi-fi, not only as a vehicle for corporate intrusion by attackers but also for tracking the physical movement of individuals and identifying their homes. A practical module in which students are walked through the steps of an attacker breaking into corporate wi-fi and tracking of staff members using freely available tools.

Day Two - The Fix Focuses on mitigating the identified risks. Real world examples of damaging attacks are dissected, with particular emphasis on correct implementation of cyber incident response. Delegates are presented with the most effective measures to mitigate an attack to bring a business back online at minimum expense. Exercise: Attack the Corporation WHAT HAPPENS NOW? - The reality of an attack, and the art of incident response. The Devastation Lessons learned from a vast number of cyber incident responses, where basic lack of security procedures and response plans allow simple attacks to have catastrophic effect. Mitigation From lessons learned in the 'attack methodology' modules and further illustrated in 'What happens now?' we explore the steps to secure the company. Again, the technical aspect is secondary to the information and 'human' security.

• The technical penetration test - learning why most companies waste time and money with incomplete or ineffective testing.

• Cyberattack response plan - The blueprints of the towering inferno. Why you must engage with your incident responders BEFORE an attack, and why incident response should cost thousands not millions.

• Staff data - reducing the target surface by educating the workforce in simple, effective ways that require no technical knowledge.

• Threat intelligence - the utility and strengths of currently available threat intelligence systems.

• 'Convenience is an attack vector. ' Overcoming perceptions of inconvenience by removing certain technical privileges to maximise information security and aiming to become hack-proof.

About the instructor: North Cyber Limited North Cyber are team of former intelligence officers with expertise in covert online operations and digital forensics. The company teaches government and corporate clients how find and fix the unseen holes in their security. They specialise in all levels of capability including low-tech and no-tech hacking, using freely available information to circumvent vastly expensive but ineffective security systems. The teaching draws on many and varied real-world examples from the private and government sectors, from the perspectives of the attacker and incident responder. Participants in these courses will evaluate their own experience on the course in gaining additional skills and understanding of the threats to their organisation and they will gain confidence in tackling these catastrophic risks to the comparate or government operation.

Shaping the security agenda for chief information security officers, cyber threat intelligence directors and security and risk innovators

www.ciso360middleeast.com

inspire | connect | innovate

Recent Delegate Testimonials

"The conference is full of expert speakers. You wouldn't want to miss any of them. Particularly on the Boardroom/ Roundtable discussion (last day), it is like a strategic planning and facing the board of directors, but with less pressure. Excellent!" Irene

Corpuz, Section Head - Planning & IT Security, Western Region Municipality - UAE Government

"I very engaging, varied and interactive event. The best conference I have ever attended!"- David Colbourne, Information Security Manager, Lloyd's of London

“Top class speeches and presentations at the CISO 360 Congress in Barcelona! Thanks for such a worthful and enjoyable time”

Blueliv (Official Sponsor)

"The best speaker line-up of any security conference in Europe!" - Michael Colao, Head of UK Security, AXA

"Pulse Conferences stand out for being up to the minute with developments and concerns. First rate speakers and an agenda that is total appropriate and informative. Excellent buzz and networking.” Lady Olga Maitland, Chairman Copenhagen

Compliance; Founder, Defence and Security Forum

"Thank you, Pulse Conferences, for a great event. CISO 360 combined interesting varied talks with fantastic networking opportunities, facilitating very interesting thought provoking conversations" Dr. Jessica Baker, Co-Founder, Socio-Technical

Lead, Redacted Firm

"I found CISO360 Conference a great place to share ideas about current and future problems" Head of Section, GMV

"Excellent event, opportunity to meet likeminded professionals, sharing risk, worries, tools, best practices with CISOs from

other industries sharing same issues, great eye opener, looking forward to the next event" CISO, MS Amlin

“Excellent conference, brilliantly put together. Look forward to the next one.” Partner, Bridewell Consulting (Official Sponsor)

"The CISO 360 conference brought together a collection world leading experienced security leaders who shared their

knowledge and experience with their peers in an open and collaborative manner under Chatham house rules. This was complimented with case studies from selected top tier partners and organisations to provoke further debate and discussion during the talks or later during 1x1 networking conversations. The presentations; case studies; and strategy sessions were

practical and relevant because they were born out real world security challenges faced by Global CISO’s across multiple sectors. I found the open knowledge sharing; networking; and presentations were very valuable to either validate existing

approaches or provoke fresh ideas by getting a different perspective.” Global Head of Information Security Architecture & Transformation, Royal Bank of Scotland

“Interesting exchange of insights and experiences from different companies, sectors, and levels of maturity. An honour to

have been there.” Head of Information Security, Risk Management and Quality, Almirall

“Pulse organised a fantastic CISO360 conference in Barcelona, which brought together some of the world's most successful CISOs to discuss pressing cyber security issues and share experiences. The agenda was diverse, with senior professionals from across the globe sharing their experiences, and great networking sessions were facilitated by the organisers with good food and flowing conversation. I would highly recommend CISO360 and look forward to this conference going from strength to

strength” FC, Co-Founder, Head of Ethical Hacking, Redacted Firm Ltd

About Pulse Conferences Pulse Conferences is a community platform for the distinct yet inter-related professionals who deliver corporate

governance, protection and oversight to businesses and governments across the globe. Our international conferences, bespoke events and trainings focus on cybersecurity, corporate security, resilience, investigations, audit, privacy, risk,

governance, legal and compliance. Connecting minds, assuring the future. Working locally thinking globally. www.pulseconferences.com