Wednesday, April 27th
Conference introduction by the arrangement committee.
Living in the Digital Ecosystem - How to Survive and Prosper
Much has been said and written about the global digital transformation. In Europe in particular, some scepticism exists, and there is concern about what the digital ecosystem will bring. This keynote session will highlight new developments and the way forward in the global digital age. It will further outline how professional organizations - like ISACA - can and must move forward to meet the challenges of the new ecosystem.
Rolf von Rössing, Former International Vice President, ISACA Board of Directors
When Russian Trolls and Fake News become Security Threats - How to Counter Them
Jessikka Aro is a Finnish journalist working for Finland's public service broadcaster Yle. In September 2014, she began to investigate pro-Russian Internet trolls, but became a victim of their activities herself.
This harassment led to three people being convicted in October 2018. In 2019 she was notified that she was to receive an International Women of Courage Award but this was rescinded just before the ceremony.
Jessikka Aro, award-winning reporter and public speaker
Break - make sure you change into (warm) and comfortable clothing in preparation for...
Wilderness Evening - the Arctic Experience
Camp Barentz boasts an amazing location right below Mine 7, at the foot of the mountain Breinosa. One of the buildings at the camp, Barentz Hus, is a copy of the cabin in which the discoverer of Svalbard, Willem Barentz, overwintered on Novaya Zemlya in 1596. At Camp Barentz, one often sees Svalbard reindeer, and even grouse and foxes if you are lucky, and the hosts are prepared in the unlikely event that a polar bear should get close.
As we arrive at the cosy wooden cabins we will be met by the evening’s host. Good drinks and a delicious homemade reindeer stew will be served, together with campfire coffee and dessert. Welcome to a real Svalbard meal!
After a tasty dinner, it is time to learn more about the King of the Arctic. Whilst sitting around the bonfire, the host will share information and photos about our most famous residents. Here you’ll learn lots of new fun facts about polar bears.
We recommend wearing comfortable, warm outdoor clothing and warm shoes, since there can be a cold draught from the floor. Remember that we will spend some time outdoors also. Clothes may smell of smoke after the tour.
Thursday, April 28th
The Art of Cyber War: The SolarWinds hack from a security operational perspective
Want to learn more about one of the most sophisticated hacks in the history of cyber security? We try to look past the media coverage and focus on the when, how and why of the incident and what questions you should ask internally in your organization in the aftermath of this incident.
Koen Fosse Matthys, Senior Consultant, Transcendent Group
Audit Committee - How to critically assess your current and future GRC strategic investment.
In the last century, most boards could rely solely on management to oversee and manage risk; they did not deal directly with risks involving social media, cyber security and other technology-related matters, or with risk management beyond financial risk. The nature of the risks enterprises face in everyday business today means that boards must treat risk as an integral part of organizational strategy, incorporating technology as well as other environmental factors.
In many of my assignments, executives and boards were facing challenges of “doing more with less”. Whilst managing complex business transactions, managers struggle to strike a balance between adding value while managing risks. The most common methodologies they wanted to see in the recommendations relate to productivity improvement, capacity building or employee engagement. However, these methodologies are not always an appropriate response.
If so, how do you critically assess your current and future GRC strategic investment? How can you develop your own insights and create pragmatic guidance for when to stop and when to accelerate in your digitalisation journey?
Today’s businesses operate with business complexities we have never managed before—facing operational risks that hold the potential to destroy them overnight. In this session we will cover one approach to developing the GRC strategy by strategic sorting of priorities.
Lilliana Grbic, VP Cloud Engagement & Communications at SAP
How to break into any company: Tales from a (professional) hacker
Rob Shapland is an ethical hacker with 13 years of experience of planning and executing full-scale criminal attack simulations against all types of companies.
Rob specialises in dressing up as various different characters in order to break into buildings, and in this session will tell stories of how the attacks unfolded and teach valuable lessons on how you can protect your company.
Rob Shapland, Head of Cyber Services at Falanx Cyber
Cybercrime - a real threat to society
Are we prepared for the escalating cyber threat?
Do we protect ourselves well enough? What are the costs of cyberattacks for society and companies? What will be the social consequences of this evolution? Is it possible to protect ourselves, and if so, how?
Addressing these issues, some possible solutions will also be presented.
Jan Olsson, Swedish Police Authority
Quantum Computing: A Re-Evolution
Quantum computing changes many of the things we take for granted in business today. The way we create and keep secrets is challenged, and quantum technologies disrupt many different verticals and sectors. Built on the theory of quantum physics, quantum computers, if they existed, would represent a gigantic leap in computing power and in the way we use technology.
But do they exist and what can we do with them? There are massive investments around the world in this discipline and, in the very same way that the space race and the fight for nuclear power have been instrumental in recent decades, we are experiencing now not an era of changes but the change of an era.
By attending this session, attendees will understand the actual situation of quantum technologies and what they mean for organizations, the challenges we will encounter and, most importantly, the impact they have on the way we govern Enterprise IT. Because quantum computing is not an evolution; it's a Re-Evolution.
Ramsés Gallego, Security, International Chief Technology Officer, CyberRes - a Micro Focus line of business, and Former International Vice President, ISACA Board of Directors
Quantum Safe: Is your crypto prepared for quantum computing?
Large-scale quantum computing is seen to pose a great threat to many important cryptographic schemes used today. Protecting against this is expected to require additional, or even replacement, controls.
While there have been quite a few technology forecasts on when each type of quantum computing technology will be mature enough to break something worthwhile (the "quantum event"), the practical information security side is less studied. The most hyped scenarios for the "quantum event" are not even clear about what exactly the event is, and are based on the most pessimistic assumptions.
In this talk we will look at the more common use cases for cryptography (such as integrity-related services, like bitcoin; data at rest, etc.) and lay out the practical reasons why, when, and what to do as the quantum threat seems ever more imminent. This is explained via an example of a quantum-readiness risk management model we developed for IoT protocols.
Dr. Mikko Kiviharju, Research Manager at Finnish Defence Research Agency
Protecting your enterprise with Human Risk Intelligence
With over 90% of information security incidents caused by human error or behaviour, the effectiveness of a cybersecurity culture program becomes paramount to a successful cybersecurity program.
Improving cybersecurity culture is always challenging, as it is a long-term project that has to go beyond classical Security Awareness. This session focuses on the importance of using objective data to measure human risk and on how it can be used to unleash the power of your security culture program. It also covers available methods of measuring human security risk and the most effective security culture program enablers.
Vadim Gordas, Head of IT & Cyber Risk at Zopa
Operational technology security – What is it and why you should care about it
Operational technology (OT) is responsible for processes that, if breached, could cause outages of critical services and result in loss of life. Emergency services, water treatment plants, traffic management, and other critical infrastructure rely on operational technology solutions to operate correctly. Even a successful attack on OT organizations not responsible for critical infrastructure can have dire consequences. Come and listen to what OT is and why you should pay attention to securing it.
Viivi Tynjälä, Director, Alliances Nordics for Fortinet
H@cking for Everybody
Tobias Schrödel introduces his audience to the world of hackers and gives them a sneak peek into the dirty secrets of IT. In doing so, he uncovers various security gaps in personal computers and mobile phones that concern all of us – all while being entertaining. Not only are there many “aha”-moments, but at least equally as many “ahahaha”-moments.
Passwords are cracked within seconds, discrediting information from the "darknet" is made public, information gathering is explained and, alongside all that, a smartphone gets hacked. All examples shown on stage are real and live, but anonymized. For information on risks and side-effects, ask your data security officer - or Tobias Schrödel.
Tobias Schrödel, IT Comedian and professional speaker
Break - have a drink at the bar, and get your groove on in preparation for...
A full, four-course dinner, carefully paired with wine from the renowned wine cellars of Svalbard, will be served as we go into our last evening of the official program.
During dinner, we'll be treated to these two interesting performances from the stage:
Robot Drone Hacking
Old vulnerabilities have new consequences when code and hardware meet the physical world. In this session, Carsten from Transcendent Group, will demonstrate how wireless network vulnerabilities make a robotic drone vulnerable to hijacking while operating in the air. In addition, he will talk about how both toy drones and semi-professional robots can be vulnerable to manipulation and hacking.
Finally, the audience will have the opportunity to hack a robot drone live on stage. If you want to hack, you need a mobile phone with the following app installed (the winner gets the drone!):
(and optionally a mac with macOS or PC with Linux.)
Friday, April 29th
Can’t change the Cyber-security Game? Change Its Structure.
Within companies, cybersecurity has a finite setup, with procedures, protocols, plans and structures all taking up capacity and time. When created, these setups align with the development cycles available at the time. Today, however, with agile development cycles, we must adjust and align the update cycles with the testing cycles. “One-size-fits-all” no longer works. Recognizing this requirement is the first step - and not being aware of it is a recipe for disaster.
In this session you will learn:
- How an elite army of global ethical hackers with infinite creativity and tools can help you overcome these challenges.
- How these vetted hackers can support you in your fight against hackers with malicious intentions.
- And how to let them help you win the infinite game you are up against.
Martin Szabo, Sales Director BEN & NOR, Synack
Out of Control – How users are exploited by the online advertising industry
As we move around on the Internet and in the real world, we are continually tracked and profiled for advertising purposes, despite privacy legislation such as the General Data Protection Regulation (GDPR). This is something most of us are dimly aware of, but it is hard to get a grasp of what it means in practice. What kind of information is actually collected and shared? Who is it shared with? How does it impact my daily life? Do mobile devices introduce any additional risks?
In a joint research project with the Norwegian Consumer Council, mnemonic investigated 10 popular Android apps in order to answer these questions. We dove into the dark ecosystem of digital advertising and emerged with staggering results: app developers and third-party advertisers are systematically violating GDPR, sharing personal information about our interests, habits and behaviours with hundreds of shadowy companies. These practices have a direct impact on our daily lives, and this is sometimes referred to as “the largest data breach ever recorded”. Targeted advertising is, quite literally, out of control.
Our research has led to GDPR violation complaints filed against six companies, as well as global media coverage from agencies such as the New York Times and BBC. The Norwegian Data Protection Authority imposed a record fine of NOK 65 000 000 against the dating app Grindr in 2021, for lack of compliance with the GDPR rules on user consent. Yet final decisions in these cases are still pending, as they slowly make their way through the legal system.
Andreas and Tor carried out the technical investigations for the #OutOfControl project. They will present highlights from the research, key findings, and subsequent impact and fallout.
Read the report here: https://www.forbrukerradet.no/out-of-control/
Andreas Claesson, Senior Security Consultant, mnemonic
Tor E. Bjørstad, Principal Security Consultant, mnemonic
Workshop: COBIT - Transition into 2019.
Released way back in 2012, COBIT 5 was finally updated again to its latest version - COBIT 2019. The 2018 winner of the John Kuyers Award for best speaker, Bruno Horta Soares, will in this workshop take us through the major changes coming with this latest version, and how best to adapt the new framework to the governance of IT in today's digital businesses.
Bruno Horta Soares, President ISACA Lisbon Chapter
DevSecOps: So what else is new?
This presentation will give an alternative view on how continuous development, operations and security work hand in hand, and show that the DevSecOps we in the IT industry have “invented” has actually been best practice in other industries for ages.
Esten Hoel, SVP Quality & Security, Basefarm
The Importance of standardization in cyber security
Do leaders understand the cyber-consequences of digitalization? And how do you apply cyber security and follow up on your suppliers?
The latest cyber events have shown us the importance of following up on cyber security, not just for the organization itself but also with regard to the organization's suppliers and their suppliers in turn. Using standards is an efficient and proven way of structuring this work. With the new version of the ISO 27001 standard on its way, updated to meet current cyber threats, you have a solid foundation on which to build your security organization.
With a better understanding of best practices and the available frameworks and standards in cyber security, organizations can reduce their risk exposure. To illustrate why planning and preparation are key to cyber security, I will draw parallels between your cyber security work and the planning of my scooter trips here at Svalbard earlier this year.
Christopher Kiønig, Senior Security Advisor, Watchcom
Visma Security Program and the power of a strong security culture
Visma is a company that on average acquires one company a week. With this in mind, I would like to share with you how we have organised Visma's security efforts. I will also talk about Visma's security culture, which we have built over several years, and why this is essential and prioritised at Visma.
Isabel Quiroga Arkvik, Head of Security Awareness & Training, Visma
ISACA Norway Chapter board member
Intelligence-led Red Teaming
The ever-changing threat landscape, geopolitical scenarios and the pandemic have forced firms to re-examine their cyber security strategies. With cyber-attacks occurring more frequently than ever, most organizations are found unprepared and are unable to defend themselves and their customers. Even with the best solutions and large teams in place, there are often blind spots left that could be exploited by attackers.
In this session, we are going to talk about the most efficient way to ensure that your organization is prepared enough to address these challenges. We are going to talk about how intelligence-led red teaming is being adopted as a practice around the world, and even being mandated by some of the regulators like the European Central Bank (TIBER-EU framework) and Hong Kong Monetary Authority (iCAST framework).
We will also talk about how cyber security service providers like Agrim with their skilled workforce and automated solutions deliver the Intelligence-led Red Teaming services that help clients across the world in identifying their weaknesses before the bad guys do.
Maninder Singh, Partner, Cybersecurity Practice, Agrim