It’s the only place in the world where you can swap cybersecurity war stories with your peers in the AM before freefalling 130 feet in a haunted hotel ride later that evening (if you’re feeling so bold).
That’s right. InfoSec World 2023 is upon us, hosted once again in the Magic Kingdom’s own backyard in Orlando, Florida. This three-day event (held September 25th to 27th) is expected to draw thousands of cybersecurity professionals from around the globe for discussion on the latest trends and challenges affecting the business of security.
After reviewing hundreds of call-for-presentation responses, the event’s organizer – CyberRisk Alliance – has produced a short report highlighting the most common themes and trends you can expect to see driving this year’s agenda of workshops and panels. While the full report can be downloaded here, we thought you might appreciate the TLDR version we’ve put together below.
Without further ado, here are the top 5 things you should look out for as you plan your InfoSec World itinerary:
#1: AI – ally or enemy?
AI is like the most popular kid in school. The rapid advancements shown by ChatGPT and other generative AI tools in the last six months have brought the cybersecurity community to a crossroads — can AI be a force for good, or will it be yet another weapon in the black hat arsenal? You can expect much of the AI conversation to grapple with the ethical applications of the technology. Sessions will touch on the risk of handling AI coding assistants, the spread of AI-generated misinformation, the legality of ChatGPT, data protection laws, AI-driven phishing and social engineering attacks and more.
We anticipate AI’s ongoing impact on the workforce and job market to be another major point of discussion. More companies are taking AI governance seriously, now that they’ve seen the first fruits of its use, developing frameworks and setting boundaries on how AI tools can be used responsibly and ethically.
#2: Navigating new compliance and regulatory acts
Regulators and governments are saying enough is enough, slapping heavy fines on corporations that don’t abide by laws respecting consumer privacy and data use. As reported by SC Media, the Biden administration believes that opening companies to potential lawsuits tied to poorly developed software, while creating legal safe harbor for those who follow best practices, can incentivize the industry to rally around secure-by-design software development norms.
At InfoSec World, much of the discussion will likely touch on the raft of new cybersecurity and data regulations scheduled to take effect in the coming year, as well as what organizations need to do to stay compliant. This includes pending regulations by the SEC that govern how soon publicly traded companies need to disclose cybersecurity incidents. We can also expect to hear discussion around the updates to PCI DSS v4.0, which adds more than 60 requirements for organizations that accept payment cards. Last but not least, expect some of the panels to talk about the evolving responsibilities of CISOs, who are increasingly put in the crosshairs for data breaches and compliance violations that occur under their watch. Sessions like “Benefits of Legal and CISOs Uniting in a Post-Uber and Twitter World” and “The Uber CISO Prosecution and What it Means for Your Infosec Program” will be must-see for anyone interested in how security leaders must work with legal counsel to better address compliance and governance issues.
#3: The ongoing complexity of securing the cloud
In June 2022, the grocery chain Wegmans was fined $400,000 by the New York State Attorney General for allegedly exposing PII (personal identifiable information) of 3 million customers. Earlier this year, Meta was fined under GDPR law for €1.2 billion for unlawfully transferring EU users’ data to US-based servers without having the proper security measures in place.
These cloud security lapses have become, unfortunately, an all-too-common reality since many organizations migrated to the cloud during the pandemic years to keep their dispersed workers connected. Now that the hybrid workforce is here to stay and SaaS/PaaS models have become a staple in enterprise IT, we have every reason to believe cloud security will continue to be a headline talking point at InfoSec World 2023. Much of the cloud dialogue will address cloud misconfigurations that attackers exploit to gain backdoor access to organizations' networks. These issues can range from a failure to change default settings that allow overly permissive access, to a lack of strict monitoring and logging, as well as neglecting third-party components. At InfoSec World, attendees will get access to workshops where they will be paired with expert instructors on how to secure AWS and Azure cloud environments. There will also be panels devoted to reigning-in cloud tool sprawl and what organizations can do to get better visibility over cloud assets.
#4: A workforce that continues to be stretched thin and under constant stress
“I can’t get no satisfaction,” sings Mick Jagger, and he’s not alone on that front. Security leaders from across the industry are reporting record levels of burnout and stress as they’re increasingly called to do more with less. According to one survey, the average CISO works 11 hours more than contracted each week, and 10% of CISOs say they work 20 to 24 extra hours a week. On top of this, the competition for experienced practitioners is fierce and some organizations can’t afford to pay top-dollar to hire, much less retain, these skilled workers.
At InfoSec World, expect to hear experts weigh-in on the workforce shortage and what can be done to combat persisting rates of burnout. There will also be talks dedicated to championing diversity and gender representation in the workforce, as well as providing students and recent graduates with more opportunities to pursue careers in cybersecurity.
#5: The ever-expanding threat landscape
If you’re interested in learning about how the latest threats affect you and your organization, InfoSec World has you covered.
The Cloud Native Application Architecture Threat Hunting workshop will help attendees build and refine knowledge, skills and capabilities to hunt for threats against enterprise cloud deployments. Meanwhile, the two-day Adversarial Purple Teaming workshop will examine the “purple team” approach as it goes through tactics, techniques and procedures (TTPs) of attacks while building knowledge on how to write rules that focus on behavior exhibited in order to better detect and defend).
But if expert lectures are more your speed, there are sessions you should definitely check out. One will focus on how to use STIX to generate machine readable representations of cyber adversary behavior. Another examines the requirements for securing API endpoints from the ground up. And yet another looks at how model-based systems engineering can help facilitate a DevSecOps strategic approach to system assurance.
Expect plenty more talks to focus on the maturation of ransomware-as-a-service and organized cybercrime, the rise of nation-state attacks and the use of AI to launch social engineering attacks, business email compromise and other data poisoning tactics.