Before the Conference:
The preparations leading up to the event were impressive. I appreciated the personal touch and receiving emails to ensure everything was set, including details like my agenda, dietary preferences, and more.
Check-in and Set-up:
Smooth check-in with some coffee, juice, and bagels. The conference used the Agorify app, which made it very easy to explore the various presentations and create a personalized agenda. There were quite a few stands from different sponsors, mainly security product vendors. The conference started on a main stage and later branched into two parallel tracks of talks, and attendees could switch between them easily. The center of the venue offered a good space for socializing, networking, and discussions, and the many extended breaks encouraged the same. The lunch was delicious.
Talks in general:
Several of the presentations at the summit seemed to lean heavily towards product demonstrations, with sponsors promoting their offerings as the solution to cyber risk. From my personal standpoint, this approach might not entirely match the attendees' expectations. Ideally, conferences should provide a more diverse experience, going beyond just product pitches, as participants generally anticipate a broader spectrum of topics. It could be beneficial for the Nordic Cyber Summit to contemplate whether a more balanced content approach, encompassing various perspectives, could elevate the overall conference experience. This topic sparked discussions among multiple participants during the breaks.
Now, let's delve into my impressions of some of the presentations I attended.
Panel discussion: How to simplify security and compliance in the cloud while ensuring the protection of sensitive data.
- Deepak Subramanian, Axa
- Meysam Khalili, NCC
- Thomas Baasnes, Verdane
- Alexander Peters, Mimecast
- Ori Mankali, Akeyless Security
In general, the panel discussion proved to be a valuable exchange where multiple participants shared their insights and experiences. Thomas Baasnes, Cybersecurity Director at Verdane, shed light on his role in conducting due diligence for potential investments and how he aids portfolio companies in crafting cybersecurity strategies and setting priorities. One notable aspect of Thomas's approach is his emphasis on fostering knowledge-sharing among different portfolio companies, which proves advantageous for everyone involved. Another valuable point he underscored was the importance of ensuring that the security products you procure not only align with your needs but can also seamlessly integrate with your existing technology stack. For instance, it's crucial that the EDR tool you acquire can smoothly mesh with your IAM, MDM, and SIEM solutions.
Meysam from NCC shared that their journey into the cloud realm had begun somewhat abruptly, with security being a belated addition, making it more challenging to retrofit security compared to having it integrated from the outset. This perspective echoed throughout the panel discussion, highlighting that the "shift left" approach, prioritizing security from the beginning, is more effective and cost-efficient than attempting to add security later in the process.
I believe the panel discussion could have been significantly enhanced by providing some context to the audience. Such context would have aided the panelists in forming opinions and engaging in more in-depth discussions. Many important questions were raised during the session, but the limited time available for responses and discussions meant that most conversations remained high-level without delving deeply into the topics at hand.
Trust the Process: Compliance and Governance Across Your IT System
Thomas Zuliani, Global CISO at Arla Foods
Thomas delivered an insightful talk on the NIS 2 directive, underlining that it doesn't fundamentally differ from other frameworks. He pointed out that companies with a well-established security posture likely already adhere to many of its requirements. Additionally, Thomas shared Arla Foods' approach to implementing NIS 2 and stressed the importance of having a dedicated NIS 2 initiative within each company covered by the directive.
Some noteworthy details about the NIS 2 directive include the potential for sanctions of up to 10 million euros or 2% of worldwide turnover, whichever is higher. Notably, senior management can also be held directly responsible for any infringements.
In cases of significant incidents, essential or important entities need to submit an early warning within 24 hours, followed by an incident notification.
Working Together: Building a Culture of Information Sharing Among Different Organizations
Andreas Bergqvist, CSO at BankID
Andreas highlighted the importance of transparent communication, using an example where they publicly disclosed information only ten minutes after experiencing one of the most substantial and sophisticated DDoS (Distributed Denial of Service) attacks he had ever encountered. Their cybersecurity team responded with defensive measures while the adversary continually adapted their techniques, resulting in an ongoing battle.
Furthermore, Andreas stressed the significance of stakeholder management and underscored that a Chief Information Security Officer's (CISO) role often consists of 60% salesmanship and 40% security. He emphasized that achieving security goals is difficult without aligning the organization and its management behind them. Andreas encouraged proactive engagement: don't wait for board members or managers to initiate contact, but approach them and help them understand the organization's risks, the security roadmap, and how they can contribute to its security efforts.
Appsec: Preventing and Addressing Cyber Threats to Applications
Jahanzeb Farooq, Danske Bank
Jahanzeb discussed Danske Bank's approach to application security and the security measures they incorporate throughout the different stages of the Software Development Lifecycle (SDL): requirements, design, development, testing, and deployment/maintenance. He emphasized the concept of "shifting security left," meaning the integration of security measures as early in the lifecycle as feasible. Above is a diagram illustrating the security activities they undertake as part of their SDL.
Copenhagen is a beautiful city
During our time in Copenhagen, we made sure to savor the city's charms. In the photo below, we're headed to Reffen, eager to soak up the last rays of sunshine before autumn settles in.