CISO Retreat
Wise Guys Comedy Club
6593 S Las Vegas Blvd Suite B 222, Las Vegas, NV 89119
The One Day That Actually Changes How You Run Your Program
Join a room of peers who have navigated breaches and scaled programs. Learn the CISO Tradecraft that you can use on Monday.
War stories and frameworks from the trenches.
Connect over sessions and mini-golf.
Leave the theoretical fluff behind. Walk away with playbooks you can implement immediately.
Most CTI programs are built to serve only the cybersecurity teams; this session is about building one that serves the business and the board. Using the CTI Capability Maturity Model as a guide, we'll walk through what a world-class cyber intelligence capability actually looks like: one that maps the full adversary spectrum (nation-states, organized crime, ideological actors, and insiders) to business processes and critical assets (the crown jewels), fuses and analyzes SOC telemetry, assesses the evolving role of AI as both a threat enabler and a defensive scaler, and delivers the kind of strategic intelligence that shapes executive decisions, protects your brand and organization, and turns CTI into a strategic risk management capability.
SIEM is dead. Long live SIEM. The category has been declared dead a dozen times, and yet the market has never been more crowded, more confusing, or more full of AI-washed vendor claims. Standalone SIEMs, cloud-native SIEMs, SIEM-plus-data-lake hybrids, XDR-lite SIEMs, open-source pipelines, co-managed MDR: the deployment models multiply faster than anyone can keep track of the ecosystem.
This session walks through seven Socratic questions that cut through vendor noise and hype, force clarity about your budget and your team's depth, and then map to the architecture that genuinely fits. Let's walk through the questions that put vendors on the defensive and give you a defensible answer for your board.
Year 2 as CISO at a Fortune Global 500 Telecom. 2,847 alerts per day. 40% analyst turnover. My solution: buy the most expensive SIEM on the market. Six months later, we had 3,200 alerts per day, and a $550K bill. In this session, Adrian Salas, The Fast CISO, unpacks the real problem most security leaders miss, reveals the 1-hour tool stack audit that surfaced $2M in wasted spending across 17 overlapping tools, and walks through the 90-day consolidation playbook that cut alerts by 95%, reduced tool costs by 39%, and reduced analyst turnover from 40% to 12%. You'll leave with a battle-tested "Murder Board" framework and a one-page audit template you can use to start cutting noise and waste on Monday morning.
Cyber Risk Quantification (CRQ) is supposed to be a means of enabling well-informed decisions, but it often becomes a pricey placebo that rewraps FUD (fear, uncertainty, and doubt) in financial finesse and becomes akin to a "check the box" exercise. In practice, CRQ forces a complex, living cyber ecosystem into fragile models built on layers of assumptions and frail data. As the pace of change accelerates, especially with the advent of agentic AI, these models increasingly produce noise, false confidence, and compounding decision debt rather than worthwhile insight. This talk cuts through conventional CRQ wisdom, challenges the status quo, and provides some practical guidance on how to pave a path toward measurement mobility fit for the modern machine age.
LLM API costs are the fastest-growing unmanaged line item in enterprise IT, and most security teams have zero visibility into how models are selected, what data enters context windows, or what the real bill will be until it arrives. This talk breaks down the cost mechanics of multi-turn AI deployments across OpenAI, Anthropic, and Google, shows how prompt caching and context engineering reduce costs by 50-90%, and makes the case that AI cost governance belongs on the CISO's desk, not buried in a DevOps backlog.
Most red team programs have more than adequate technical proficiency to perform operations. Then why do so many fail to deliver? The culprit is rarely operator skill. In this session Trevin Edgeworth draws on two decades of offensive security experience, and five years leading red team practices at major firms, to share the pre-flight checklist every CISO needs before and after the launch of a red team program. Using the Red Team maturity model he helped develop, Trevin shares the keys to building programs that earn organizational trust and deliver outcomes that move the needle, while exposing the structural blind spots that can quietly ground your Red Team program.
For many, BIAs (business impact analyses) are the tools used by disaster recovery and business continuity teams and are rarely a top priority for CISOs and their security programs. In this discussion, we'll show why BIAs are a CISO's best friend. BIAs highlight sources of enterprise value (which applications, services, and business functions are most important to the organization) and the key operating context, including dependencies, that surrounds them. BIAs can be complicated, detailed, and difficult to complete. They don't need to be. We'll show how a department or business function BIA can be reasonably completed in an hour or two to improve the CISO's understanding of the key operating variables for their organization.
Cybersecurity failures are rarely just technical failures. More often, they are behavior failures driven by cognitive overload, decision friction, misplaced incentives, and broken workflows. This session shows how behavioral psychology can help security leaders move beyond awareness campaigns and start shaping secure behavior at the point of decision. In 20 minutes, attendees will learn how people actually make security choices under pressure, why even smart employees take risky shortcuts, and how to design environments that make the secure path the easy path. The talk will translate behavioral science into practical cybersecurity strategy, covering decision architecture, nudges, habit formation, and risk-reducing interventions that improve compliance, resilience, and execution. Attendees will leave with a sharper framework for reducing human risk by redesigning systems around how people really think and act.
Customer identity is where CISO accountability and product authority part ways. You're responsible for the risk; someone else decides the friction, controls the auth flow, and owns the roadmap. And your customers, unlike your workforce, can walk.
That structural tension is the job. CISOs who navigate it effectively do so by knowing which risks they can address directly, which require cross-functional alignment, and which are stalled because no one has claimed them.
This talk covers where CIAM is headed and why the risks are compounding, from authentication gaps your policies can't close, to synthetic identity fraud, to regulatory exposure that IGA and PAM don't cover. Real-world examples are drawn from Mastering Digital Identity: From Risk to Revenue.
You'll leave with a concrete map of your CIAM risk surface, a clear picture of who owns each segment of it, and a prioritized action list.
What if I told you that cybersecurity strategy can be turned into a solvable math problem? Modern cyber strategy is based on security standards and frameworks, but these are not prescriptive. We then leverage vendor inputs, consultant opinions, and trend-of-the-day approaches right along with our own gut feelings and preferences. What is missing from all of these is a focus on outcomes. Very little attention is paid to what has worked well in the real world because such data is only available in narrow information silos. Imagine if we intentionally gather outcome information and create detailed models of outcomes vs. strategic approaches for organizations of various types and sizes. Imagine using open-source intelligence (OSINT) and AI capabilities to turn the immensity of security strategy into a computer-manageable math problem where correlation strength leads to cybersecurity success. This would enable practitioners to pursue the strategies that work, predict failure in an objective manner, and automatically adapt to changing threats and defenses. This talk presents an approach to such a solution, its potential strengths and weaknesses, and how the security community might benefit long-term from such a vision.
Lightning Talks