Business professionals are no longer waiting for IT to address their needs. Instead, they are increasingly building their own applications with Low-Code/No-Code platforms. Recent surveys show that most enterprise apps are now built outside of IT by business professionals who hold no previous experience in building software.

In this presentation, we will share extensive research on the security of Low-Code applications based on scanning >100K applications across hundreds of enterprise environments. We will show how this research led to the creation of the OWASP Top 10 Security Risks for Low-Code/No-Code and showcase those risks. Next, we will demonstrate how most applications get identity, access and data flow wrong, cover a wide range of security issues found in real environments, and share their backstories and implications.

The Azure Cloud Adoption Framework specifies a reference architecture for building secure Azure landing zones. This architecture democratises cloud adoption and innovation for application/workload owners and developers, while ensuring that the required security controls are automatically applied and enforced. Based on Microsoft's extensive experience in the trenches with the largest global customers, what are the critical security lessons-learned and gotchas to consider? What security mindsets and architecture anti-patterns must evolve, to succeed at cloud speed and scale? How do attackers compromise environments leveraging this architecture, and how do you effectively defend it?

A deep-rooted cyber security culture is crucial, and it goes as far back as the hiring process…

10 years ago, a typical hiring process consisted of working your way through a checklist, hiring individuals based solely on a CV. Today, the ‘Simon Sinek’ culture is gaining more prevalence, with employers realizing that hiring the right person, rather than the CV, can have immeasurable benefits for business. Ryan will talk about why this is particularly true within the cyber security sphere, and why business leaders should follow this particular ‘Simon Sinek’ strategy to build a successful security operation, and secure business, starting directly with the human’s that run it.

At Stripe OLT, Ryan’s Security Operations team has been built upon diverse collective experiences, from military personnel and laborer’s, to teachers and university graduates. Through focusing on direct experiences and personal encounters, this presentation will place emphasis on the importance of a CIA Triad hiring structure and demonstrate how fostering a culture of internal trust is integral in defending against cyber-threats and protecting all businesses.

You will walk away from this session knowing why it is important to employ the right individual rather than the CV, and how adopting this approach can drastically improve how a business responds to and manages security threats, company wide.

In this talk, the audience will hear about current challenges organizations face when driving cybersecurity culture in alignment with company values, strategy and culture. It will discuss the traditional approach of enforcing rules and controls as a means of preventing security breaches, and how this approach can often be ineffective and demoralizing for employees. I will then propose an alternative approach: empowering employees to take ownership of their own cybersecurity practices. This involves continuous educating and training, as well as giving them the tools and resources they need to protect themselves and their organization. By shifting the focus from enforcement to empowerment, we can create a culture of security that is proactive and collaborative, rather than reactive and punitive.

In this talk, attendees will learn the benefits of empowering approach, including increased management commitment, employee engagement, reduced risk of security breaches and overall organizational security. I will also provide practical strategies for implementing this shift in culture within organizations.

In this talk, I will explore the concept of gamified learning and how it can be used to amplify the effectiveness of incident response Tabletop Exercises (TTX). TTXs are a critical tool for organisations to simulate and practise their response to potential cyber security incidents or emergency situations. By using gamification in TTXs, organisations can increase the engagement and motivation of their participants, and therefore increase the overall effectiveness of their incident response plans.

Gamification is the process of adding game-like elements, such as points, badges, and leaderboards, to non-game activities to increase engagement and motivation. By gamifying incident response TTXs, we can create a more engaging and interactive experience for participants, which can lead to increased participation and a better understanding of the IR process.

Attendees of this talk will leave with a deeper understanding of gamified incident response TTXs and its potential to increase overall effectiveness of incident response plans, as well as practical strategies and tools for incorporating gamification into their own incident response TTXs.

Information security is a crucial aspect of modern society, as our reliance on technology and the internet has only grown in recent years. However, despite the importance of maintaining secure systems and protecting sensitive information, we often find ourselves blaming individuals for failing to follow proper security protocols or making mistakes that lead to security breaches.

There are several reasons why we may be prone to blaming people for information security failures. One reason is that it is easier to blame an individual rather than looking at systemic issues or flaws in security protocols. Additionally, we often hold people accountable for their actions and mistakes, and information security is no exception.

However, it is important to recognise that blaming individuals may not always be the most effective approach to addressing information security failures. In some cases, the root cause of a security breach may be a lack of training or inadequate resources, rather than an individual's failure to follow established protocols.

Ultimately, it is important to take a holistic approach to addressing information security failures and to consider the various factors that may contribute to these incidents. By understanding the underlying causes of security breaches and working to address them, we can create a more secure environment for all.