Meetings

Upcoming

Steve Louden - Thursday, December 7, 2023

Cyber Risk Management and IT Controls in era of fiscal responsibility – how to speak with the Audit Board Committees to convey the right risks

Steve Louden

Steve Louden

Time: 6 pm meet and greet, 6:30 start

Location: Zoom and Mercer Island (register for location)

Zoom
Eventbrite

Eventbrite tickets for in person attendance only

Summary:

Join us for fire chat with Steve Louden to discuss how Cyber Risk Management and IT Controls influence financial forecasts and impact to companies’ bottom line. During the discussion Steve will share importance of IT controls through the lens of CFO and how cyber risk management changed how companies plan and respond to cyber risk. Learn what is important to Audit Committees in context of cyber risk management and how to convey cyber priorities using business language.

Bio:

Steven Louden is a seasoned finance and strategy executive with extensive experience across consumer-oriented industries, including technology, media and entertainment, internet, retail, and financial services. Mr. Louden served as the chief financial officer of Roku, Inc. He led Roku’s successful IPO and has played a pivotal role in the company’s growth trajectory since he joined in 2015. Prior to Roku, Mr. Louden served in various finance capacities at Expedia, Inc., including most recently as its treasurer. Prior to Expedia, Mr. Louden held finance, strategy, and planning roles at Washington Mutual, Inc., McKinsey & Company, and the Walt Disney Company. Mr. Louden holds a B.A. in economics and mathematics from Claremont McKenna College and a M.B.A. from Harvard Business School. He currently serves on the board of directors of Zumiez Inc., Chair of Audit Committee for Sunpower and Advisor at Twin Ridge Capital Acquisition and Roku.

Archive

  • January | Bryan Hurd
    • Presented by a “seasoned cyber smoke jumper” who has handled thousands of breach events, espionage investigations, and is also a cyber insurance expert. This session is designed for Risk Officers, CEOs, COOs, General Counsels and CISOs in relation to cyber security. The presentation will cover technical threats including ransomware attacks, intrusions, email compromises, invoice scams, and other major incidents that can create significant financial losses and sometimes even mean the extinction of organizations. It will furnish insights from the insurance industry, discuss pertinent areas in the underwriting process that can help companies be ahead of the threat, and provide proactive measures that executives can do today to mitigate risk. The session will also cover what it’s really like to be in the boardroom during a cyber even. The session will include an interactive Q&A.
    • Archived Video
  • February | Board Panel
    • Advice from the (ISC)2 Seattle Chapter and featured guests about entering the cybersecurity field.
    • Archived Video
  • April | Tony Moor
    • Tony Moor will dive into the world of silicon hacking and hardware reverse engineering. The changes in hacker’s techniques as well as their tools as security has improved along with the natural shrinking of semiconductor devices continues (Moore’s Law). From a basic setup costing thousands of pounds in the 90’s, a potential attacker may now need significant financial backing, certainly in the range of hundreds of thousands of pounds. That and the need to learn complex scientific techniques such as SEM (Scanning Electron Microscopy) and FIB (Focused Ion Beam) in order to be successful. Tony will take us along the journey of this exciting evolution.
    • Archived Video
  • May | Aaron Sheridan
    • In this presentation, Aaron Sheridan will present the recent advanced infiltration techniques, along with a working demo of a recently used A-iTM attack method that includes Credential Harvesting.
    • Archived Video
  • June | Alan Luk
    • How do you assess your org’s security posture? Do you use a risk or controls-based framework? How often are you gathering signals to perform the assessment? In this session, we will talk about the benefits of having automated metrics to enhance your risk management process, achieve a higher level of security assurance, and streamline audits.
    • Archived Video
  • July | No Meeting
  • August | Aaron Weller
    • HP’s Privacy Engineering Center of Excellence. Providing technical leadership and data engineering solutions designed to be leverageable across HP’s global operations.
    • Archived Video
  • September | Tim Rains
    • Select Insights from Cybersecurity Threats, Malware Trends, and Strategies 2nd Edition. Tim Rains will present Cybersecurity Threats, Malware Trends, and Strategies and covers the statistical aspects and potential approaches to help decision makers be informed when creating or updating their company’s cybersecurity strategy.
    • Archived Video
  • October | Bugra Karabey
    • Strategic Partner Cybersecurity at Datacenters.
  • November | No Meeting will be at SecureWorld
    • Connecting, informing, and developing leaders in cybersecurity.
  • December |
  • December | Jake Bernstein, CISSP, CIPP/US
    • The past three years were saturated with change and upheaval. From state-level battles concerning private rights of action to the adoption of privacy laws across the globe, the data protection and security industry refuses to stand still. This presentation looks forward to 2023 by chronicling years past. Forthcoming legislation and regulations tackling data protection respond to pitfalls and triumphs under existing structures.
    • Archived Video
  • October | Paul Brunson, VP of Engineering
    • Developing a practical cybersecurity strategy can be a daunting task. Where do you start? What issues should I address? How do I know what to protect? While each company’s strategy will be unique to them, the basic ideas and concepts of an actionable cybersecurity strategy are the same whether you’re the CISO of a Fortune 500 company, or the Director of IT (who also happens to own Security!) at a mid-market manufacturer. Understanding your business, aligning with corporate strategy, and defining the scope and the risks, are just a few of the concepts that ALL companies must do, in order to develop a successful cybersecurity strategy.
    • Archived Video
  • September | Erez Benari
    • As one might expect of a company the size of Microsoft, the company operates a significant infrastructure for issuing and managing certificates using a custom system known as “SSLAdmin”. Built over decades, with multiple redundancies and controls, as well as an external auditing process, this system powers a massive amount of websites, from Microsoft.com itself to hundreds of Azure services, some of which require thousands of certificates issued daily. This 45-minute presentation will explore the technology concepts behind this system and what makes it unique, in addition to some fascinating stories from the trenches and lessons-learnt from battle-scars.
    • No Video
  • June | Javier Salido
    • The evolution of privacy and the ethical use of machine learning in the tech industry.
    • Archived Video
  • May | David Hobbs
  • April | Michael LeSueur
    • We’ll navigate through uncharted security territory by analyzing the attack lifecycle in the cloud and dissecting a real-world attack. The same technology that makes the cloud dynamic can have the opposite effect on an organization’s ability to implement detection and response in cloud environments. This includes the adding additional layer of preventative controls in addition to MFA, because it’s increasingly being bypassed in O365 as an example. Michael LeSueur, Security Engineer at Vectra, will help us navigate through the uncharted security territory by analyzing the attack lifecycle in the cloud, reviewing the top cloud security threats, and dissecting a real-world cloud attack. Additionally, he’ll provide key takeaways for managing access, detection and response, and security operations.
    • Archived Video
  • March | Trey Blalock
    • Deepfakes, Voice Cloning, Synthetic Identities, and the Future of Fraud.
      This talk is a fast-paced overview of some interesting tools and techniques used by threat actors and a discussion of the implications for the future of fraud. Trey will also be discussing some of the long-term issues that defenders need to be aware of, some mistakes businesses need to avoid, and how to protect your organizations from these types of attacks.
    • Archived Video
  • February | Jon Espenschied
    • Unified GRC approaches, or “how not to bury people in policies they won’t follow.”
    • Archived Video
  • January | Tim Rains
    • Tim Rains is the author of Cybersecurity Threats, Malware Trends, and Strategies, which covers vulnerability disclosure trends, malware trends, web-based threats, and an in-depth examination of cybersecurity strategies that the industry has used to try to mitigate them. Tim wrote this book after working as the most senior cybersecurity advisor at both Microsoft and Amazon Web Services.
    • Archived Video
  • November | Lori Murray, CISSP
    • Risk Management Framework is a process that integrates cyber security, privacy, and supply chain mitigations into the system development life cycle. Controls are selected and tailored specific to the needs of each instantiation allowing a holistic approach to defining security architectures in order to minimize security risk. During this session we explore the basics of Risk Management Framework as called out in NIST SP 800-53 and associated NIST SP 800 publications.
    • Archived Video
  • October | Ethan Shackleford
    • The technology sector today is evolving more quickly than ever – with the rise of new industries – greatly expanding the scope of knowledge required to evaluate the security of systems and environments; it can feel as we are getting further and further ‘away from the metal,’ especially with the explosion of cloud technology abstracting details even further beyond shiny APIs. But there’s a commonality behind the novel abstractions: hardware. Understanding the operations of this hardware and its exposure to threats – is the essential knowledge needed by infosec professionals of all industries to improve security operations.
    • Archived Video
  • September | Jake Bernstein, CISSP
    • Exploring the 2021 Verizon Data Breach Investigations Report. Every year the Verizon cybersecurity team publishes a report analyzing the data and trends from the past year of cybersecurity investigations. Every cybersecurity professional should review the report because it is full of amazing insights and useful trends. This presentation will adapt the content from two episodes of The Cyber Risk Management Podcast to provide a distilled version of the 2021 DBIR and provide ample opportunity for discussion.
    • Archived Video
  • August | Abraham Kang
    • GraphQL is coming to replace your REST APIs. Built on the promise of providing more flexible access to your data, there has to be a catch. Come to this talk if you would like a comprehensive overview of the known security vulnerabilities in GraphQL applications. We will also cover mechanisms and design patterns that you can use to secure your GraphQL applications from these attacks.
    • Archived Video
  • June | Bryan Hurd
    • Cyber Smoke Jumper – Days, Nights and Weekends in the Life of a Breach Responder. This session is a view into the past, present and future of cyber attacks hitting our companies, communities and families. Leading global teams that General Counsels, CEOs and CISOs call in emergencies or to avoid one, Bryan will be discussing not only some of the trends and technical issues in what the adversaries are doing, related to ransomware, intrusions and extortion, but the way that technical and executive leaders can protect, avoid, or respond to attacks from cyber criminals or insiders. Bryan will also be discussing the skills, certifications, and network of professionals that make collective response to this global threat possible.
    • Archived Video
  • May | Joe Szymusiak
    • Data the Unintended Consequences. Where, what, and how personal data has been used and abused.
    • Archived Video
  • April | Fernando Maymi
    • Collective Defense is a multiparty strategy in which each member of a community freely contributes to the cybersecurity of the others and, in so doing, improves its own security. It is the idea that organizations defend as a team. Participants trust each other and cooperate in matters of cybersecurity while remaining competitive in the marketplace. The Collective Defense Framework comprises three components. Cooperation which requires that all participants work together to achieve a collective effect that would have been impossible to be done in isolation. Intelligence which entails collaborating on the production and sharing of friendly information and threat intelligence to develop a common operational picture. Activities and initiatives in these first two components are validated, practiced and enhanced through the third component, Training and Exercises.
    • Archived Video
  • March | Frank Simorjay
    • Come join us in our upcoming ISC2 Seattle meeting where Frank Simorjay ISC2 Seattle Chapter President will share his expertise at Microsoft and present on the topic of Securing Privileged Access processes, and what you should considering in building own Privileged Access Workstations (PAW).
    • Archived Video
  • February | Dan Griffin
    • I will discuss the role that privileged access plays in preventing future Solar Winds like attacks. I will provide specific examples of hardware and toolchain security measures that you can adopt for secure software development.
    • No Video
  • January | Jean Pawluk, CISSP
    • All that glitters… Applying lessons learned to date to emerging technologies.
    • Archived Video
  • December | Marc Coady, CISSP
    • One-man Band – My personal experience as the first IT Security Manager of MOD Pizza.
    • No Video
  • November | Trey Blalock, CISSP
  • October | Jake Bernstein, CISSP
    • Creating a cybersecurity program that meets the FTC’s standard for reasonableness based on the NIST CSF.
    • Archived Video
  • December | Marc Coady, CISSP
    • One-man Band – My personal experience as the first IT Security Manager of MOD Pizza.
    • No Video
  • November | Trey Blalock, CISSP
  • October | Jake Bernstein, CISSP
    • Creating a cybersecurity program that meets the FTC’s standard for reasonableness based on the NIST CSF.
    • Archived Video