IT Security Insights 2023

Conference kicks-off with morning breakfast 

John Wallhoff, Board member & Co-Founder B4 Investigate

Key takeaways:

• Continuously changing threats require new ways for protection
• How we built a fit for purpose security organization and skillset that complies with business risk appetite

Software is at the very heart of digitalisation. But building software that is cybersecure while keeping desired time to market is often seen as impossible. Until now…

Key takeaways:

• Cybersecurity and digitalisation as a single discipline
• Cybersecurity begins with well-designed and well-built software
• Automation is a critical success factor

As of today, there is a need for two major changes in most large organisations. The first is driven from regulatory demands and a rapidly changing risk landscape including cyber security risks. The second is driven by the digital transformation and the agile ways of working that often comes with it. Many organisations struggle with how to align GRC processes with the agile at scale processes that are introduced to accelerate digital transformation.

Key takeaways:

• In this session both Emilie and Magnus will address common challenges and what to do about them. They will discuss this both from the GRC perspective as well as the agile perspective and give you hands on tips and tricks on how to meet each other

Participate in one of the 3 following workshops from our partners that will also be showcasing their own solutions during the conference: 

• Omegapoint session - Room Congressen
• Qualys  session - Room Team
• NTT Security - Room Spirit

Management and review of suppliers security status requires a lot of effort. In this workshop we will show you how to manage this more efficiently by using a tool based approach with automation.

Key takeaways:

• Manage information security with a tool based systematic approach
• Manage security requirements for suppliers
• Assess and manage the security status of your suppliers

For many organizations their digital transformation strategies are leading towards a convergence of OT and IT. As OT networks that have traditionally had very little visibility become more connected from the subsequent use of modern operational solutions, the attack surface naturally expands. In this workshop you will learn how NTT's Samurai MDR service, which is powered by the Samurai XDR platform provides a holistic detection capability across both OT and IT, and is delivered from a single Security Operations Center by highly trained Security Analysts with competency in both OT and IT threats.

Key takeaways:

• Learn how you can move from zero visibility in your OT networks to a mature OT and IT detection capability within a single holistic solution
• Through a client case study gain insight into how NTT's Security Operations Center in Gothenburg, Sweden has years of demonstrated experience delivering an MDR service for converged OT and IT networks

The presentation will provide a comprehensive overview of the current state of patch management and offer practical guidance on how organizations can manage patching effectively through technologies such as automation and prioritisation.

Key takeaways:

• Learn about the latest advancements in patch management and how they can be leveraged to improve security, reduce patching times and reduce risk.
• Seize this valuable opportunity to learn about modern solutions for efficient and secure patch management and stay ahead of the curve in terms of protecting your own digital assets

Round Table Discussions are designed to give event participants an opportunity to exchange ideas and  experiences on some of the hot topics in the security market place in a more intimate setting. The discussions will last for 45 minutes and are open to all participants. Each round table is limited to 8-10 persons including the moderator. Below is our line-up of round table moderators and the topics to be discussed during the conference.

The digitization of society continues at a rapid pace, but security issues often end up in the shadows. The gap between new functionality and security is widening, creating major risks. At the same time, Sweden is in third place in the world in terms of innovativeness. How can we use this innovative ability to create a more secure Sweden?

Key takeaways:

• What needs can we see in Sweden regarding cybersecurity innovation?
• Which are the Swedish key actors regarding cybersecurity innovation?
• Which activities could enhance Sweden’s cybersecurity innovation ability?
• How can you and your organization benefit from cybersecurity innovation?

Detection of 1% of undetected cyber threats can be a challenging task, but there are several techniques that organizations can use to increase their chances of identifying those potential security breaches. It's important to note that no single technique is foolproof and that combining different approaches is often the best way to detect and prevent advanced cyber threats. Join Senad's round-table discussion as he deep dives into the different techniques one could apply in identifying potential security breaches.

Background: We security professionals want to improve the security posture of organizations. But to do that we must first decide which security activities we should invest in. Some believe that awareness education is the way to go, others might rely on audits. Join Christian in a round-table discussion on building a secure foundation for resilient organizations.

Key takeaways:

• How would you do it? And where would you start? 

Background: What do we mean when we talk about "Security", how do we define the legal interfaces between Cyber Security, Information Security and IT Security? Does it matter from a legal perspective or with regards to how we choose to organize our security work?

Key takeaways:

• Are there any legal definitions regarding Cyber Security, Information Security and IT Security?
• Are there any laws that particularly concerns each different type of security?
• How can different understanding between lawyers and technicians regarding the different types of Security become a problem?

The cloud shift is evolving strongly where IaaS, PaaS and SaaS has become delivery models that challenge security professionals to keep up-to-speed with business developers and coders. This SaaS insights round table is about identifying security considerations for some of the building blocks that define a SaaS solution. Building blocks can be a specific technical solution such as “serverless” to activities like “penetration testing”. For you as a Security Professional, you will add your experience and thoughts into this framework of shared knowledge and you will also be able to add building blocks that are missing on the table when we start. We will work together in the whole group as well as in break-out constellations, to be able to capture the individual knowledge and experience and we will wrap-it up at the end of the session.

The round table is intermediate/advanced level and we recommend that you have experience from SaaS solutions that goes beyond 3rd party audits and certifications that a SaaS provider and its Cloud Providers/Subcontractors provides.

The new EU digital operational resilience act (DORA) regulation that recently went into effect brings new challenges to the financial services industry. One of these is its increased scope of applicability – a number of financial institution types that previously had few or no prescriptive obligations regarding cyber security now have. To soften the landing DORA has a lot of provisions regarding proportionality. In this round table both Peter and Sebastian will discuss how DORA implements proportionality and how it can be interpreted.

Key takeaways:

• What are the regulators' views of proportionality?
• How does DORA define proportionality?
• What are micro-, small and medium-sized enterprises?
• What should a simplified ICT risk management framework look like?

DPOrganizer will discuss how businesses' approach to GDPR compliance and data protection management has changed over the last few years, and explore what are currently the biggest challenges and focus areas, and what kind of solutions exist to solve them. Participants should have some data protection experience and most importantly an interest in discussing and learning how the work can be improved.

Background: Cyber resilience refers to the ability of an organization to continue to function in the face of cyber attacks or other cybersecurity breaches. There are big challenges to continuously adapt and uphold resilience! Technological complexity, evolution of threats, resource limitations and cross-functional coordination are just some of the hurdles to overcome.

Key takeaways:

• What is your approach? How do you uphold resilience in your organization, what challenges are you facing? - Let’s discuss and share insights on how/if Cyber Resilience requires a different security strategy approach, what the necessary components are and how to adapt to uphold resilience capabilities

Security is often considered as something hindering progress and development. A necessary evil that adds friction to the application delivery process and is cumbersome to scale and operate. As application environments grow across multiple clouds and platforms, adding a complete security framework often implies adding significant complexity. If publishing an application is too complex, it will directly impact the time-to-market and thus the value it can deliver to the business. 

Key takeaway:

• Can we overcome this challenge somehow, and add comprehensive security and application delivery capabilities without increasing complexity?

Your organization is either the target or the transport. That’s a problem because even if you could do everything right, you can still suffer a breach.Even worse, most organizations can be described as “secured by luck”, through no fault of their own, because the complexity of the security industry has made it impossible for many organizations to get everything right.

Key takeaways:

• In this keynote session Ian will talk about cyber security as a long game you can influence and win, whatever the size of your security team, and how you can position luck, judgement, chance, and choice in your favour to mitigate and reduce cyber risk

Background: Schibsted is one of the largest media groups in the Nordics with well known media brands like Aftonbladet and Svenska Dagbladet in Sweden but also VG and Aftenposten in Norway. Schibsted also runs the number one digital marketplaces in Norway, Sweden, Finland and Denmark. With a total of almost 1 million visitors per month on their websites, cybersecurity threats are one of the most critical business risks for Schibsted. Over the last 3 years Schibsted has been running a global cybersecurity program to ensure that the cybersecurity posture across the group improved.

Ralph will take us through their journey on how they improved their cybersecurity posture through their cybersecurity program. He will share how they engaged with top management and the board of the directors not only to get the approval for the program, but also how they throughout the program create a better understanding, security awareness and engagement.

Key takeaways:

• How do you engage with top management and the board of directors on cybersecurity?
• How to build security awareness and improved engagement by top management?
• What are the learnings from running a multi year global cybersecurity program?
• How do you ensure that the engagement continues after the closure of a cybersecurity program?

The Swedish Civil Contingencies Agency (MSB) receives it-incident reports from the public sector and all private companies that operates important societal services (NIS-operators). Every year MSB releases its annual it-incident report. This year the report has combined those insights with the results from the Infosec Checkup (Infosäkkollen), as well as a study on the development in Ukraine from 2014 to today. Combined MSB has identified five key lessons learned for an improved Swedish cyber defence.

Almost three years ago, on 16th of July 2020, the Court of Justice of the EU issued its judgement in case Schrems II. The case is named after the privacy activist Max Schrems and was based on his complaint on Facebook's transfer of his personal data from the EU to the US. The case ruled that the EU-US Privacy Shield, which was previously used as a mechanism to transfer personal data between the EU and the US, did not adequately protect the privacy rights of EU citizens under the GDPR. The court also found that the Standard Contractual Clauses, which are widely used by businesses to transfer personal data outside the EU, are valid - but require additional measures to ensure that the data is adequately protected in the destination country. Since then there have been some legal developments, although it's going slow. The European Data Protection Board has issued recommendations on how to implement the Schrems II ruling, including recommendations for additional measures to address concerns about US surveillance practices. Further, the US and EU have been in negotiations to develop a new framework for transatlantic data flows, which would replace the Privacy Shield. So far, no actual agreement has been reached, and companies that previously relied on the Privacy Shield have had to find alternative legal mechanisms for transferring data to the US. Let's deep dive into the crucial questions and challenges ahead!