Best of (ISC)² Security Congress 2022



We Missed You. Watch the Best of Security Congress 2022 – Curated Just for You.

On-Demand + CPE credits

Couldn’t make it to our 12th annual (ISC)² Security Congress last fall? The hybrid in-person/virtual conference welcomed more than 3,700 attendees with 130+ sessions on the hottest cybersecurity topics, five dynamic keynotes and 27 sponsors.

Now it’s your chance to experience the best of Security Congress 2022. We’ve curated this collection of top-attended and highly-rated sessions across a variety of focus areas. Earn CPE credits and take back actionable ideas you can put into practice at your organization. Purchase now and access the on-demand content through June 30, 2023.

Sessions included:
Cybersecurity & Third-Party Risk: Third-Party Threat Hunting
Digital Governance: A Fireside Chat with IAPP and (ISC)²
Effective Cybersecurity Board Reporting
Emerging Threats Against Cloud Application Identities and What You Should Do About It
Enterprise Security Risk Assessment (ESRA)
Elite Security Champions Build Strong Security Culture
Hacking Gamification: Going from Zero to Privileged PWNED
How to Establish a (Successful) Security Strategy from Scratch
Search Warrants, Subpoenas and Court Orders: What You Need to Know
Security Metrics: How to Measure It Efficiently
The Power of Community
Trust No One: Practical Zero-Trust for Cloud

Pricing and CPE credits

Member: U.S. $79
Non-Member: U.S. $99

CPE credits

Purchase now and gain access to on-demand content through June 30, 2023. Members earn up to 12 CPE credits. CPE credits will automatically transfer to member accounts within 10 business days of completion.

Session Descriptions

Cybersecurity & Third-Party Risk: Third-Party Threat Hunting

Presented by: Gregory Rasner, CISSP, CCNA, CIPM, ITIL, Author of “Cybersecurity & Third-Party Risk” and SVP, Cybersecurity, Truist Financial Corp

Based upon the book _Cybersecurity & Third-Party Risk: Third-Party Threat Hunting_ (endorsed by (ISC)²), we break away from the old way of thinking of third-party risk as a compliance, check-box activity and replace it with an innovative, forward-leaning approach to the risk. Billions of dollars have been spent by CISOs to secure their organizations, and yet we've largely ignored our supply chain and third-party risk. From physical validation, contractual terms and conditions, fourth parties, due diligence optimization and predictive analysis, methods are explored to drastically lower this risk area with solid cybersecurity due diligence and due care.

Digital Governance: A Fireside Chat with IAPP and (ISC)²

Presented by:
Trevor Hughes, President and CEO, IAPP
Clar Rosso, CEO, (ISC)²

Join IAPP President and CEO Trevor Hughes and (ISC)² CEO Clar Rosso as they discuss the future of digital governance. Where is the intersection of privacy and security in digital governance, and how can professionals position themselves to be at the forefront?

Effective Cybersecurity Board Reporting

Presented by: Kurt Manske, Managing Principal, Kurt Manske

Board and Executive Leadership Team interest in understanding cybersecurity risks, and in the organization's response to those risks, continues to increase year over year. As a result, cybersecurity leaders are increasingly called upon to be the “face” of cybersecurity and to give effective BOD- and ELT-level reporting internally, and often to others outside the organization, including investors and key business partners. Knowing your audience is just the starting point for successful, engaged reporting and updates to key stakeholders. How can today’s cybersecurity leader find the right balance of content breadth and depth, have an engaged conversation, provide information that resonates with stakeholders through effective storytelling, and build confidence with those stakeholders?

Emerging Threats Against Cloud Application Identities and What You Should Do About It

Presented by:
Etan Basseri, CISSP, Senior Product Manager, Microsoft
Bailey Bercik, Product Manager II, Microsoft

Many organizations have been laser-focused on user account security to defend against the increase in password spray and phishing attacks, implementing measures such as MFA and even moving to passwordless authentication. But recent cyberattacks show that adversaries are turning their attention toward application identities. Do you know what risky behavior your application identities are up to and how to protect them? Just as with user accounts, organizations will need to address application identities that are compromised through a compromised administrator, credentials in code or a malicious application pretending to be legitimate. In this session, learn about attacks against application identities: how to detect these attacks, as well as how to recover and defend application identities going forward against these emerging threats.

Enterprise Security Risk Assessment (ESRA)

Presented by: Julian Talbot, CISSP, Chief Technology Officer, SECTARA

Thirty years ago, cybersecurity was a small, often overlooked part of protective security. In 2022, cybersecurity is the core of all security activities. Cybersecurity, physical security, insider threat management, information security and security governance have never been more interdependent. Enterprise security risk assessments (ESRA) are essential in providing an integrated view of all aspects of an organization. But what is an ESRA? Some people might have you believe an ESRA involves conducting security audits on every network and physical site. Nothing could be further from the truth. The presenter has conducted enterprise security risk assessments for some of the world's largest government and commercial organizations for more than 30 years. This presentation describes what enterprise security means in the 21st century and how to conduct an ESRA.

Elite Security Champions Build Strong Security Culture

Presented by: Christopher Romeo, CSSLP, CSO, Security Journey

Everyone has a security champion program, but how effective is yours? Are you getting a solid return on investment? Security champions and application security mutually support each other through a security culture. Elite security champions require top-shelf skills and experience. We explore the qualities needed for elite security champions. After unpacking individual abilities, we cover the significant issues that must be addressed when building or enhancing an elite program, like branding, strategy and value proposition. Security champions provide a scalable solution for security capacity, providing an outlet for overworked security teams to magnify their efforts. If you do not have a program today or need a reboot, learn how to fill the halls of your organization with elite security champions.

Hacking Gamification: Going from Zero to Privileged PWNED

Presented by: Joseph Carson, CISSP, Chief Security Scientist & Advisory CISO, Delinea

Staying up to date and learning hacking techniques is one of the best ways to know how to defend an organization from cyber threats. Hacking gamification is on the rise to help keep cybersecurity professionals up to date on the latest exploits and vulnerabilities. This session is about helping you get started with hacking gamification to strengthen your security team. We chose two systems from Hack The Box and walked through each of them in detail, explaining each step along with recommendations on how to reduce the risks, going from initial enumeration, exploitation and abuse of weak credentials to a full privileged compromise.

How to Establish a (Successful) Security Strategy from Scratch

Presented by: Esther Pinto, CISO & DPO, Anecdotes

Maintaining a healthy security culture in a company is no easy feat. However, establishing such a culture can be even more challenging. In this session, Esther Pinto, CISO & DPO at anecdotes, shares her experience and presents a roadmap for establishing a successful security strategy from scratch. Participants will learn where they should start, what to prioritize and who their key allies should be. Furthermore, the presentation dives into how to approach balancing business and security needs at a young company looking to grow, and how to assess and define the company’s risk appetite.

Search Warrants, Subpoenas, and Court Orders: What You Need to Know

Presented by:
Scott Giordano, CISSP, V.P., Corporate Privacy, and General Counsel, Spirion, LLC
John Bandler, Esq., CISSP, Founder and Principal, Bandler Law Firm PLLC
John Bates, JD, CCSP, CIPP/US, CIPP/E, Senior Manager Cyber Security, EY
Jody Westby, JD, CEO, Global Cyber Risk LLC

If law enforcement shows up at my datacenter with a search warrant, what are my options? What if I receive a subpoena in my inbox? And what about a discovery order – is that the same thing? In fact, there are at least seven separate ways that law enforcement and regulatory agencies can demand to inspect your documents or your systems. Add to that court orders on behalf of civil litigants and the broad ability of lawmakers to demand that you testify in person, and the potential for harm or embarrassment becomes immense. In this presentation by information security legal veterans, we break down the many ways that government authorities can make demands of you and what you can do about it.

Security Metrics: How to Measure It Efficiently

Presented by: Ilia Tivin, CISSP-ISSMP, Managing Director, Locked Jar

Many organizations struggle to measure the effectiveness of their security controls, mostly due to misunderstanding what actually makes a good metric. Organizations too often apply metrics and measurements that are outside their control. Is having more vulnerabilities better or worse? Well, it depends on whom you ask. A software company wants to show it is diligent in identifying vulnerabilities; for others, it's more about showing they are more secure. We explore good and bad metrics, including how to define and track them and how to understand their contribution to the organization.

The Power of Community

Presented by:
Bryson Bort, Founder and CEO, SCYTHE
Mari Galloway, BBACIS, MSIS, CISSP, GIAC x6, Pentest+, CySA+, Security+, IT Project+, CEH, CEO, Women’s Society of Cyberjutsu
Andrew J. Smeaton, CISSP, CISM, CISA, CGEIT, CRISC, Chief Information Security Officer, Afiniti
Clar Rosso, CEO, (ISC)²

We are empowered to change the world together — all it takes is YOU. We kick off this series with compelling explorations of the bonds that tie the cybersecurity community together. First, (ISC)² CEO CLAR ROSSO discusses how our association is advocating for you and taking on a growing role in connecting governments, businesses and individuals to create a more secure cyber world. ANN DUNKIN, Chief Information Officer for the U.S. Department of Energy, shares her insights on the importance of collective defense. Next up, SCYTHE Founder and CEO BRYSON BORT explores the implications of emerging technologies, why attackers continue to win and what it means for our community. In her address, CEO and Founding Board Member of the Women’s Society of Cyberjutsu MARI GALLOWAY, CISSP, speaks to the ways you can follow in her path of giving back and empowering the next generation of cybersecurity professionals. Finally, DataRobot Chief Information Security Officer ANDREW SMEATON, CISSP, shares his personal, harrowing experience traveling to war-torn Ukraine to ensure members of his team were out of harm’s way. Join us. Be inspired. Learn how you, too, can help make the cyber world safer and more secure.

Trust No One: Practical Zero-Trust for Cloud

Presented by:
Joshua Bregler, CISSP, CCSP, Head of Information Security, McKinsey Digital, McKinsey & Co
Jeffrey Caso, Associate Partner and Cyber Expert, McKinsey & Co

The concept of zero trust has become the gold standard of security methodologies enabling remote work and BYOD. It became even more critical as the pandemic continued to revolutionize the work-from-home paradigm. The challenge, however, is that implementation can be daunting. There are different interpretations of "zero trust" and a whole field of products claiming to offer a complete solution. In this session, we discuss practical implementations of zero trust in cloud environments that can get you well on your way to an agile, secure and maintainable environment that can extend out to any of your organization's resources. At the conclusion of the session, resources are shared to help you get started on zero trust initiatives in your own organization, public sector or private.

What attendees say about (ISC)² Security Congress:

“(ISC)² Security Congress has raised the bar I set for myself to become more knowledgeable and take the information I've learned back to my job.”
“I’m impressed. After each session I attended, I commented on how it was the best one yet — then the next one topped it.”
“The topics and speakers keep getting better year after year.”
“The quality of instruction is phenomenal — not just informative but inspiring and motivating. (ISC)² Security Congress is a goldmine of takeaways.”
“Excellent Congress! The virtual platform worked flawlessly for me.”

Don’t Miss Out Next Time.

(ISC)² Security Congress 2023
October 25-27, 2023
Nashville, TN

Mark your calendars now for (ISC)² Security Congress 2023, where cybersecurity innovation and leadership take center stage. Learn and network with thousands of your professional peers, October 25-27, 2023, at the spectacular Gaylord Opryland Resort and Convention Center in Nashville, TN. It’s going to be grand!
