Security & Risk
Summit

December 9 – 11, 2024  |  Baltimore & Digital

Agenda


Bold Starts: Monday

Dec 9
  • 2:00 pm – 4:30 pm ET Forrester Women's Leadership Program
  • 4:45 pm – 6:00 pm ET Level-Up Workshop: Build Your Zero Trust Roadmap
  • 4:45 pm – 6:00 pm ET Forrester Summit Certification Workshop: Improve Security With AI
  • 6:00 pm – 7:30 pm ET Welcome Reception

Tuesday

Dec 10
  • 8:00 am – 9:30 am ET General Breakfast
  • 9:00 am – 9:30 am ET Welcome & Opening Remarks
  • 9:30 am – 9:40 am ET Host Remarks
  • 9:40 am – 10:10 am ET Keynote: Data Security Reborn: Pioneering Strategies For AI And Post-Quantum
  • 10:15 am – 11:05 am ET Marketplace Coffee Break & Networking (In-Person Only)
  • 10:25 am – 11:40 am ET Level-Up Workshop: Measure Your IAM Maturity
  • 11:05 am – 11:35 am ET Breakout Sessions
  • 11:45 am – 12:15 pm ET Case Study Sessions (In-Person Only)
  • 12:15 pm – 1:45 pm ET Lunch & Marketplace (In-Person Only)
  • 12:15 pm – 1:25 pm ET Lunch & Learn Session (In-Person Only)
  • 1:45 pm – 2:30 pm ET Breakout Sessions + Ask An Expert
  • 2:40 pm – 3:10 pm ET Case Study Sessions (In-Person Only)
  • 3:20 pm – 3:50 pm ET Breakout Sessions
  • 3:20 pm – 4:35 pm ET Level-Up Workshop: Thwarting Social Engineering: A Balancing Act
  • 3:50 pm – 4:35 pm ET Marketplace Coffee Break & Networking (In-Person Only)
  • 4:35 pm – 5:05 pm ET Keynote: Security & Risk Enterprise Leadership Award
  • 5:05 pm – 5:35 pm ET Keynote: It’s Not You! The Three Lines Of Defense Create False Assurances
  • 5:35 pm – 5:40 pm ET Closing Remarks
  • 5:40 pm – 6:40 pm ET General Reception

Wednesday

Dec 11
  • 8:00 am – 9:00 am ET General Breakfast
  • 8:15 am – 9:00 am ET Breakfast Boardroom (In-Person Only)
  • 9:00 am – 9:00 am ET Welcome Back
  • 9:10 am – 9:40 am ET Keynote: Biometric Frontiers: Unlocking the Future Of Engagement
  • 9:40 am – 10:10 am ET Keynote: From Fragile To Agile: Reimagining Software Supply Chain Security
  • 10:15 am – 11:05 am ET Marketplace Coffee Break & Networking (In-Person Only)
  • 10:25 am – 11:40 am ET Level-Up Workshop: Transform Your Collaboration Efforts To Protect OT Environments
  • 11:05 am – 11:35 am ET Breakout Sessions
  • 11:40 am – 12:10 pm ET Case Study Sessions (In-Person Only)
  • 12:10 pm – 1:25 pm ET Lunch & Marketplace (In-Person Only)
  • 12:10 pm – 2:10 pm ET Level-Up Workshop: Take Tactical Steps To Adopt Proactive Security
  • 1:25 pm – 2:10 pm ET Breakout Sessions + Ask An Expert
  • 2:15 pm – 2:45 pm ET Case Study Sessions (In-Person Only)
  • 2:45 pm – 3:15 pm ET Keynote: The Human Element
  • 3:15 pm – 3:20 pm ET Closing Remarks

Bold Starts: Monday Dec 9

2:00 pm – 4:30 pm ET

Forrester Women's Leadership Program

Communities. Advancement. Change. 

The Forrester Women’s Leadership Program focuses on building community and advancing women in the organization by breaking down barriers and overcoming challenges. Learn advancement strategies and engage in conversations about developing meaningful relationships with women across technology, data, and security. All are welcome to join!

The Forrester Women’s Leadership Program will:

  • Build Community
  • Inspire Change
  • Drive Advancement
  • Foster Allyship and Individual Empowerment
  • Facilitate Meaningful Connections

Speakers:
Laura Koetzle, VP, Group Director, Forrester
Amy DeMartine, VP, Research Director, Forrester

4:45 pm – 6:00 pm ET

Level-Up Workshop: Build Your Zero Trust Roadmap

This workshop will help attendees build a comprehensive roadmap to implement a Zero Trust strategy. Attendees will:  

  • Define clear objectives and prioritize business initiatives, ensuring alignment with organizational goals and security needs. 
  • Conduct current-state assessments to evaluate existing posture and identify gaps, as well as prioritize critical initiatives. 
  • Create a practical roadmap that balances robust security with operational efficiency, fostering collaboration and breaking down organizational silos for a unified approach to Zero Trust implementation. 

Speakers:
Peter Cerrato, Principal Consultant, Forrester
Tope Olufon, Sr Analyst, Forrester
Carlos Rivera, Senior Analyst, Forrester
Ron Woerner, Senior Consultant, Forrester

4:45 pm – 6:00 pm ET

Forrester Summit Certification Workshop: Improve Security With AI

The Certification program at this year’s S&R Summit is designed to help leaders and teams harness the power of AI to improve security operations and build resilience. Guided by a hands-on project to capture key takeaways and ideas for the future, attendees on the Certification program will get an orchestrated experience to help them hone their approach to AI while having space to explore other great sessions and activities throughout the event. To earn a certification credential with Forrester, attendees will be required to fulfill the following completion requirements:  

  • 1 kick-off workshop: Ignore The Hype: Use Generative AI To Actually Improve Security Operations with Allie Mellen; taking place December 9, 4:45-6:00 PM EST.  
  • 2 keynote sessions  
  • 3 breakout sessions  
  • 1 Analyst-led AI roundtable discussion taking place December 11, 10:20-11:00 AM EST.  
  • 1 wrap-up lunch taking place December 11, 12:20-1:15 PM EST  
  • 1 certification reflection workbook  

Speakers:
Allie Mellen, Principal Analyst, Forrester
Patrick Hayes, Product Manager, Certification, Forrester

6:00 pm – 7:30 pm ET

Welcome Reception

Join us for refreshments and light appetizers. All registered attendees are welcome.

Tuesday Dec 10

8:00 am – 9:30 am ET

General Breakfast

9:00 am – 9:30 am ET

Welcome & Opening Remarks

Speakers:
George Colony, CEO, Forrester

9:30 am – 9:40 am ET

Host Remarks

Speakers:
Joseph Blankenship, VP, Research Director, Forrester
Amy DeMartine, VP, Research Director, Forrester

9:40 am – 10:10 am ET

Keynote: Data Security Reborn: Pioneering Strategies For AI And Post-Quantum

Data security today is overhyped and nebulous. A deliberate approach to data security is elusive for many organizations. Forces like AI and post-quantum threats up the ante, while the journey to improve Zero Trust maturity requires advancing core data security capabilities and controls. Reimagine and advance your data security program:

  • Reconceptualize the scope of what constitutes sensitive data today.
  • Bring clarity to the data risks that require mitigating controls.
  • Define data-centric security capabilities and controls.

Speakers:
Heidi Shey, Principal Analyst, Forrester

10:15 am – 11:05 am ET

Marketplace Coffee Break & Networking (In-Person Only)

Marketplace breaks are your chance to connect with sponsors and catch up with colleagues on the show floor.

10:20am – 10:30am - OneTrust Spotlight Session
10:35am - 10:45am - OnSpring Technologies Spotlight Session
10:50am - 11:00am - Axonius Spotlight Session

10:25 am – 11:40 am ET

Level-Up Workshop: Measure Your IAM Maturity

In today’s digital world, identity-centric security is crucial. An effective identity and access management (IAM) program plays an instrumental role, not only in defending against increasingly sophisticated cyberthreats but also in enhancing user experience and improving business agility. This interactive workshop will provide security leaders with: 

  • Insights into the key elements of a modern IAM program. 
  • An executive-level IAM program maturity assessment. 
  • Best practices for developing a business-driven IAM program. 

Speakers:
Geoff Cairns, Principal Analyst, Forrester

11:05 am – 11:35 am ET

Breakout Sessions

Leadership & Strategy
The Art Of Forecasting For CISOs

CISOs have earned a permanent spot in the C-suite. Now it’s time to prove that they should stay there by showing how they contribute as a profit center, not a cost center. This session will help CISOs understand one of the most important expectations of every C-level executive: the ability to forecast what’s coming next. This session will:

  • Explain how every C-level leader forecasts about their business … except CISOs.
  • Highlight how strong metrics lead to better forecasting.
  • Showcase how to convert business goals like growth in revenue, headcount, and market share into built-in components of forecasting for cybersecurity.

Speakers:
Jeff Pollard, VP, Principal Analyst, Forrester

Risk & Compliance
The Future Of Risk Services

Risk management is poised to undergo significant transformations driven by technological advancements, evolving regulatory landscapes, and the increasing complexity of global markets. Risk services, encompassing risk management, risk assessment, and risk mitigation strategies, are critical for businesses to navigate uncertainties and protect their assets when internal resources don’t have the expertise. This session will explore several key trends and factors shaping the future of risk management and how the evolution of risk services signals that future. You will learn:

  • How market and industry risk profiles have evolved.
  • How evolving risk profiles have adapted enterprise risk capabilities.
  • How adapting enterprise risk capabilities requires new risk-based competencies.

Speakers:
Christopher Gilchrist, Principal Analyst, Forrester

Prevention Detection & Response
Build Resilience With Zero Trust: Think Like A Threat Actor

Threat actors are a good source of learning about our environments and how they can be attacked. They are also remarkably good at information gathering, following DRY (“don’t repeat yourself”) principles, and maintaining lean operations. This singularity of focus and creative application of technology demonstrated by attackers can be applied to organizations wishing to elevate their security with Zero Trust design principles and identity and visibility-driven analytics. Senior Analyst Tope Olufon will show how thinking like a threat actor can drive your security strategy. Attendees will learn how to:

  • Apply reconnaissance techniques to understand their own environment.
  • Employ or repurpose generic/existing tools to enhance visibility.
  • Jump-start Zero Trust, reduce complexity, and use automation to build resilience.

Speakers:
Tope Olufon, Sr Analyst, Forrester

Identity & Fraud
Generative AI In Fraud Management

This session will look at trends of generative AI’s use in fraud management. We will explore the viability of genAI in rule- and machine learning-based model development and management, case routing, case investigation, and reporting. The presentation will also cover risks and best practices of adopting genAI in fraud management. Learn about:

  • How fraudsters are using AI to launch attacks.
  • Key use cases of genAI in fraud management, anti-money laundering, and know-your-customer.
  • Implementation best practices for genAI in fraud.

Speakers:
Andras Cser, VP, Principal Analyst, Forrester

Cloud & Application Security
Cloud Market Trends That Will Disrupt Your Security Program

Technology leaders are prioritizing cloud security and increasing their cloud security spend, but that doesn’t mean that cloud security professionals can rest easy. New cloud-based AI offerings, sovereignty regulations and directives, and the increasing pressure of maximizing cloud investments while minimizing carbon footprint all threaten the delicate stasis of securing cloud environments. In this session, you will learn:

  • What to expect with cloud-based AI black box models and how to harden for your cloud environment.
  • How to address the new sovereignty regulations coming from the EU.
  • Different methods to optimize your cloud spend and meet sustainability requirements.

Speakers:
Tracy Woo, Principal Analyst, Forrester

11:45 am – 12:15 pm ET

Case Study Sessions (In-Person Only)

Hear real-world case studies showcasing the value of partnering with the right security and risk provider.

Attend one session:

BitSight Case Study

More information coming soon!

ThreatLocker Case Study

More information coming soon!

ProcessUnity Case Study

More information coming soon!

12:15 pm – 1:45 pm ET

Lunch & Marketplace (In-Person Only)

Marketplace breaks are your chance to connect with sponsors and catch up with colleagues on the show floor.

12:50pm - 1:00pm - ThreatLocker Spotlight Session

12:15 pm – 1:25 pm ET

Lunch & Learn Session (In-Person Only)

This session will have limited capacity and is first come, first served. Lunch will be provided.

Safe Security Lunch & Learn

1:45 pm – 2:30 pm ET

Breakout Sessions + Ask An Expert

Leadership & Strategy
Security Organizational Structures Beyond The Three Lines Of Defense

The three lines of defense model has been widely adopted across industries, shaping how organizations approach risk management, compliance, and corporate governance. Security leaders have typically viewed it as the gold standard for security org model design, but it comes with many flaws, complexity, and cost. Security leaders scrapping the three lines of defense model need to consider an alternative. In this session, we will explore:

  • How the three lines model has influenced security organizational structures.
  • The limitations that the three lines model introduces for security orgs.
  • Effective strategies for rethinking security organization structures in a post-“three lines of defense” world.

Speakers:
Madelein van der Hout, Senior Analyst, Forrester
Paul McKay, Vice President, Research Director, Forrester

Risk & Compliance
Ditch Your Risk Heat Map: Get Actionable With CRQ

Your single biggest cyber risk is not knowing how much risk you’re exposed to. Cyber risk quantification (CRQ) gives security and risk pros a more accurate, defensible way to assess, communicate, and prioritize the risks that matter most, yet most organizations rely on qualitative methods like risk heat maps and 5×5 ratings that have proven to be useless. It’s time to ditch the subjective heat maps and use CRQ to make risk management easier. Join this session to:

  • Understand the value of quantitative risk assessment methods.
  • Build the business case for adopting CRQ.
  • Plan for your first successful CRQ pilot.

Speakers:
Cody Scott, Senior Analyst, Forrester

Prevention Detection & Response
Transform Your Security Data Management Strategy

The worlds of SecOps and SIEM have fundamentally changed after a series of vendor mergers and acquisitions. What was already complicated by excessive cost, resource constraints, and required expertise has become even more complex and is changing how data storage and management for security operations must be done. Technology choices range from data pipeline management tools to security data lakes, in addition to analytics and automation technologies. Principal Analyst Allie Mellen will discuss data management strategies for SecOps and building a successful data management strategy. Attendees will:

  • Learn data management strategies for SecOps in a hybrid, multicloud world.
  • Gain understanding of the tools needed for better data management.
  • Discover how to evaluate security data management options and make the best architectural decision.

Speakers:
Allie Mellen, Principal Analyst, Forrester

Identity & Fraud
Forrester Analyst Panel On All Things Identity And Fraud

This interactive session will discuss the current state of identity and look ahead to key themes that organizations can expect to see relating to identity in 2025. Topics discussed will include identity threat intelligence, identity threat detection and response, and emerging AI-driven methods used for fraud attacks. Learn:

  • How AI is being used to improve identity and access management (IAM) program effectiveness and efficiency.
  • The IAM trends that Forrester sees as being poised to dominate 2025.
  • The specific identity attack vectors that are emerging.

Speakers:
Merritt Maxim, VP, Research Director, Forrester
Andras Cser, VP, Principal Analyst, Forrester
Geoff Cairns, Principal Analyst, Forrester

Cloud & Application Security
Case Study: Reimagine Your Product Security Program

CISOs need to stop looking at product security as a siloed part of the security organization. Modern product security programs prioritize customer trust as a fundamental goal as well as securing the product itself. Join us for a presentation and fireside chat with members of Schneider Electric’s product security team. In this session, attendees will hear about:

  • The characteristics of an effective product security program.
  • How to integrate product security with the rest of the cybersecurity organization and the benefits of doing so.
  • How to increase the maturity of the product security function.

Speakers:
Sandy Carielli, Principal Analyst, Forrester

2:40 pm – 3:10 pm ET

Case Study Sessions (In-Person Only)

Hear real-world case studies showcasing the value of partnering with the right security and risk provider.

Attend one session:

Illumio Case Study

More information coming soon!

Rocket Software Case Study

More information coming soon!

Safe Security Case Study

More information coming soon!

3:20 pm – 3:50 pm ET

Breakout Sessions

Leadership & Strategy
Build An Optimal Alliance With Your CIO

Each day, IT and security teams and execs face major risks together. Unfortunately, they are often working against each other, sometimes with outward hostility, yet they have a multitude of benefits to reap from a unified security vision and from working together to enable the business:

  • Explore the root causes of these tensions.
  • Build humanity in interactions with tech execs and teams.
  • Learn how to operationalize the collaboration required to build trust.

Speakers:
Jinan Budge, VP, Principal Analyst, Forrester

Risk & Compliance
A Fun (Yes, Really) Crash Course In AI Regs And Frameworks

AI and generative AI are revolutionizing business in every department. But without adequate risk management, things will go awry more quickly than you think. Fear not, for brand-new regulations such as the EU AI Act and specific standards are emerging to help companies take care of the risks. Join this session to learn about the AI risk management frameworks and standards that your peers are using and to deep-dive into the new AI rules, including the EU AI Act, with which US and international companies must comply due to their extra-territorial scope. In this session, you will learn about:

  • The AI risk frameworks and standards that global companies are adopting.
  • The new regulatory requirements of the EU AI Act and to what extent they apply to you.
  • Best practices from your peers about their AI compliance and AI risk management efforts.

Speakers:
Enza Iannopollo, Principal Analyst, Forrester

Prevention Detection & Response
Next-Level Your Zero Trust Initiative

Organizations adopting Zero Trust are now well into their journey, moving past the basic foundational steps and maturing their implementations, but getting to that “next level” of Zero Trust requires even more. This panel discussion, moderated by Forrester Senior Analyst Carlos Rivera, will explore the insights, challenges, and recommendations for maturing Zero Trust by those who have lived it. Attendees will:

  • Gain an understanding of common challenges faced with Zero Trust adoption.
  • Understand the value of developing outcome-based use cases.
  • Learn best practices to mature Zero Trust initiatives from people who are doing it.

Speakers:
Carlos Rivera, Senior Analyst, Forrester

Identity & Fraud
Welcome To The Machine Age: Machine Identity Management Comes Alive

Amidst the rise of cloud, DevOps, internet of things, and generative AI, organizations are contending with an explosion of machine identities (aka nonhuman identities). As organizations increasingly rely on machines for their operational processes, ensuring that these entities are securely authenticated, authorized, and monitored becomes paramount. Session attendees will learn:

  • The unique risks and challenges that machine identities present.
  • How to establish a unified identity and access management strategy that accounts for machine identities.
  • The technologies to apply for automation and resiliency.

Speakers:
Geoff Cairns, Principal Analyst, Forrester

Cloud & Application Security
Secure Software At Speed With DevSecOps

Enterprises are eager to adopt DevSecOps but encounter challenges including securing executive buy-in, unifying siloed teams, selecting the appropriate technology, and understanding the necessary processes to facilitate the transition. In this talk, we will explore a DevSecOps maturity model designed to help leaders navigate these challenges and articulate a vision that encourages buy-in and investment. Session attendees will learn:

  • The crawl, walk, run maturity model for DevSecOps.
  • How to create a culture where security and development share responsibility and work collaboratively together.
  • The processes and technologies to implement as you mature in your DevSecOps journey.

Speakers:
Janet Worthington, Senior Analyst, Forrester

3:20 pm – 4:35 pm ET

Level-Up Workshop: Thwarting Social Engineering: A Balancing Act

Attackers prey on your workforce’s better angels – the desire to be helpful and efficient. This opens them up to social engineering attacks like phishing, SMShing, and business email compromise (BEC). Thwarting social engineering attacks means striking the right balance between effective technology, skilled security practitioners, and a human-centric approach to building an empowered security culture across the workforce. This interactive workshop will help security leaders and practitioners: 

  • Understand security practitioner and workforce needs and motivations. 
  • Explore strategies for optimizing the synergy between technology and people to protect data and IP. 
  • Create people and technology “balance sheets” for specific social engineering scenarios. 

Speakers:
Jess Burn, Principal Analyst, Forrester

3:50 pm – 4:35 pm ET

Marketplace Coffee Break & Networking (In-Person Only)

Marketplace breaks are your chance to connect with sponsors and catch up with colleagues on the show floor.

3:55pm - 4:05pm - Recorded Future Spotlight Session
4:10pm - 4:20pm - ExtraHop Spotlight Session
4:25pm - 4:35pm - ServiceNow Spotlight Session

4:35 pm – 5:05 pm ET

Keynote: Security & Risk Enterprise Leadership Award

Welcome to the highly anticipated Forrester Security And Risk Enterprise Leadership Award, the only assessment dedicated to recognizing excellence in security, privacy, and risk strategy, integral to building a trusted and resilient business.

In this session, we will hear from this year’s award winner on how they continually build trust with customers, employees, and partners.

Speakers:
Stephanie Balaouras, VP, Group Director, Forrester

5:05 pm – 5:35 pm ET

Keynote: It’s Not You! The Three Lines Of Defense Create False Assurances

The “three lines of defense” model is no longer fit for purpose. Organizations struggle to retrofit this two-decades-old compliance model to meet modern risk management needs. Not only does this not work, it creates false assurances. Instead, leaders need better processes to break out of their silos and align risk decisions with business goals. Stop managing risk via artificial lines and level up your organization with continuous risk management. This session will:

  • Highlight common pitfalls when relying on three lines of defense as a risk management strategy.
  • Introduce Forrester’s new continuous risk management model.
  • Chart a path to start using continuous risk management today.

Speakers:
Alla Valente, Senior Analyst, Forrester
Cody Scott, Senior Analyst, Forrester

5:35 pm – 5:40 pm ET

Closing Remarks

5:40 pm – 6:40 pm ET

General Reception

Wednesday Dec 11

8:00 am – 9:00 am ET

General Breakfast

8:15 am – 9:00 am ET

Breakfast Boardroom (In-Person Only)

This session will have limited capacity and is first come, first served. Breakfast will be provided.

ExtraHop Breakfast Boardroom

9:00 am – 9:00 am ET

Welcome Back

9:10 am – 9:40 am ET

Keynote: Biometric Frontiers: Unlocking the Future Of Engagement

Biometrics holds the keys to a range of engagement models of the future. But that future comes with a lot of baggage, including profound geographical fragmentation from a cultural, regulatory, and implementation perspective, as well as unnerving reports of deepfakes. This keynote compares and contrasts regional approaches to biometrics; explores the good, bad, and ugly of face, voice, and fingerprint biometrics; and examines the security, risk, and privacy challenges and the benefits of their implementation. Join us to:

  • Learn proven best practices on how to bolster adoption.
  • Prepare to defend against deepfakes.
  • Prevent legal, regulatory, and audit failures.

Speakers:
Andras Cser, VP, Principal Analyst, Forrester
Enza Iannopollo, Principal Analyst, Forrester

9:40 am – 10:10 am ET

Keynote: From Fragile To Agile: Reimagining Software Supply Chain Security

The fragility of software is all too evident in worldwide outages, targeted attacks on customers, and needless breaches due to vendor vulnerabilities and missteps. To stop the onslaught, U.S. and international governments are pushing for better transparency, resiliency, and security. This won’t be enough; security leaders must adopt a systematic approach that treats software as an interconnected supply chain, ensuring robust security at every link. This keynote is a must-attend event to:

  • Learn the crucial roles and responsibilities of software supply chain: chooser, producer, and operator.
  • Grasp the vital steps and processes of a secure software supply chain.
  • Gain real-world perspective from peers who are actively implementing a software supply chain program.

Speakers:
Janet Worthington, Senior Analyst, Forrester

10:15 am – 11:05 am ET

Marketplace Coffee Break & Networking (In-Person Only)

Marketplace breaks are your chance to connect with sponsors and catch up with colleagues on the show floor.

10:20am - 10:30am - Incode Technologies Spotlight Session

10:25 am – 11:40 am ET

Level-Up Workshop: Transform Your Collaboration Efforts To Protect OT Environments

CISOs are being tasked with implementing cybersecurity strategies to protect OT environments from cyberattacks. Despite this directive, initiatives to improve cybersecurity controls in OT environments are lagging. Workshop participants will learn:  

  • Why traditional cybersecurity processes and technologies fail in OT. 
  • How to customize cybersecurity initiatives to fit the unique characteristics of OT. 
  • Ways to collaborate more effectively with a new set of OT stakeholders and coworkers. 

Speakers:
Brian Wrozek, Principal Analyst, Forrester

11:05 am – 11:35 am ET

Breakout Sessions

Leadership & Strategy
The Future Of The CISO: Six Archetypes, Revisited

For decades, current and future CISOs sought opportunities based on their personal network, industry experience, mentorship, and, in some cases, pure luck. There’s nothing wrong with this, but our research has uncovered that there’s an added dimension to job opportunities for CISOs to consider in order to maximize their personal and professional success: their past, present, and future archetypes. Join this session to learn:

  • The six types of CISOs and the skills, behaviors, and experiences that define them.
  • A methodology to understand the archetype desired based on details of open positions.
  • How to use the methodology to ensure that your career progresses with opportunities that fulfill your personal and professional goals and ambitions.

Speakers:
Jess Burn, Principal Analyst, Forrester

Risk & Compliance
A CISO’s Life Preserver For SEC Disclosure Requirements

New SEC requirements issued in 2023 made cybersecurity an important part of investor data, with spots reserved for it on 10-Ks and 8-Ks. Unfortunately, plenty of ambiguity still exists on what information should be included, the definition of materiality, and what best practices organizations will follow to provide investors with the right amount of detail. We conducted an analysis of disclosures related to items 1.05 and 106 and will provide a detailed analysis based on over a year’s worth of content for publicly traded companies attempting to comply with the rules. Join this session to:

  • Examine how companies are dealing with the ambiguous nature of materiality and its definition in context of cybersecurity.
  • Learn the common approaches to cybersecurity governance for publicly traded companies.
  • Discover the common security controls and frameworks used by companies based on investor materials.

Speakers:
Jeff Pollard, VP, Principal Analyst, Forrester

Prevention Detection & Response
Data Defenders: A Collaborative Blueprint To Insider Risk Management

Insiders have privileged access to sensitive data and systems, and accidental or malicious data misuse by insiders is a risk to organizations. Data security is the first layer of protection against accidental data loss and data theft. Insider risk management focuses on reducing the risk of accidental and malicious insider incidents. While the functions have differences, they must collaborate to defend data. Principal Analyst Heidi Shey and VP, Research Director Joseph Blankenship will discuss how these functions can work together for a successful data protection strategy. Attendees will learn:

  • How data security and insider risk management differ and how they overlap.
  • Best practices for protecting sensitive data from insider incidents.
  • Recommendations for data security/insider risk management collaboration.

Speakers:
Heidi Shey, Principal Analyst, Forrester
Joseph Blankenship, VP, Research Director, Forrester

Identity & Fraud
AI Agents And Fraud: What To Expect

Forrester predicts that AI agents will expand over the next couple of years. While enterprise use cases dominate today, AI agents will expand and proliferate to consumer use cases and, eventually, consumer-owned AI agents. What does this mean from an identity and fraud perspective? Join this session to learn about:

  • The five categories of AI agents.
  • The fraud risks that each AI agent category may bring.
  • How to prepare for a future of AI agents.

Speakers:
Stephanie Liu, Senior Analyst, Forrester

Cloud & Application Security
“The Not-So-Premature Burial”: Rethinking Application Threat Modeling

Application threat modeling gets a bad rap thanks to its misuse as an audit checkbox and unrealistic expectations that a model will find every eventuality. Confusion is abundant about which of the various threat modeling frameworks to use. If you take a fresh look, however, you will see that threat modeling adds another layer of defense and saves dev and security teams time later. It doesn’t require a heavy, overengineered 300-line spreadsheet. In this session, attendees will:

  • Dispel common application threat modeling myths.
  • Understand how to build a business case for application threat modeling.
  • Learn how to discard the old approaches to threat modeling and embrace a new paradigm that meets business, development, and security needs.

Speakers:
Sandy Carielli, Principal Analyst, Forrester

11:40 am – 12:10 pm ET

Case Study Sessions (In-Person Only)

Hear real-world case studies showcasing the value of partnering with the right security and risk provider.

12:10 pm – 1:25 pm ET

Lunch & Marketplace (In-Person Only)

Marketplace breaks are your chance to connect with sponsors and catch up with colleagues on the show floor.

12:30pm - 12:40pm - Safe Security Spotlight Session

12:10 pm – 2:10 pm ET

Level-Up Workshop: Take Tactical Steps To Adopt Proactive Security

Join Senior Analyst Erik Nost for a workshop that breaks down the steps organizations can take to begin implementing more proactive security. Grounded on the three principles of proactive security (visibility, prioritization, and remediation), this workshop will provide methods to: 

  • Identify inputs and synergies for visibility, prioritization, and remediation. 
  • Guide participants in data management strategies. 
  • Discuss options for asset categorization and remediation prioritization. 
  • Learn how to work with a diverse set of vendors. 

Speakers:
Erik Nost, Senior Analyst, Forrester

1:25 pm – 2:10 pm ET

Breakout Sessions + Ask An Expert

Leadership & Strategy
Choose The Optimal CISO Role For You

Forrester first defined the archetypes of CISO roles in 2021. In an earlier session, Principal Analyst Jess Burn will present our updated definitions of those archetypes. This panel session will feature CISOs who will demonstrate how the competencies of each archetype translate into their practice. Join us to learn how to:

  • Choose the CISO role that will suit you best.
  • Articulate your capabilities to show that you’re the best CISO for the job.

Speakers:
Laura Koetzle, VP, Group Director, Forrester
Daniel Ayala, Chief Trust Officer, Dotmatics
Jeff Greene, CISO, International Paper
Patricia Titus, CISO, Booking Holdings (Booking.com)

Risk & Compliance
Cracking The Code: Decipher Third-Party Cyber Risk Management

Organizations globally report higher levels of enterprise risk due to their increased reliance on third parties. Combined with the volume of cyberattacks, breaches, and IT disruptions attributed to third parties, businesses recognize that they need more data to determine whether they should partner with a supplier and how to protect themselves during the relationship lifecycle. External cyber risk ratings and security posture signals are becoming an invaluable decoder ring for mitigating third-party cyber risk. Join this session to:

  • Understand the relationship between cyber risk ratings and third-party risk management.
  • Examine the limitations of cyber risk data in a third-party context.
  • Learn the key lifecycle phases and maturity levels for third-party cyber risk management.

Speakers:
Alla Valente, Senior Analyst, Forrester
Cody Scott, Senior Analyst, Forrester

Prevention Detection & Response
Leverage Zero Trust And AI To Enhance Mobile Security

Mobile devices are ubiquitous in users’ personal lives and have become equally pervasive in their work lives. When surveyed, however, the majority of enterprises don’t employ even the basic level of security on mobile devices that they require on other endpoints such as laptops. This protection gap makes these devices vulnerable and introduces risk into the enterprise. In this session, Senior Analyst Paddy Harrington will discuss why mobile security is a critical part of a security strategy and how enterprises can use Zero Trust and AI to enhance mobile security. Attendees will learn:

  • Why mobile devices require advanced protection.
  • Recommendations for applying Zero Trust policies to mobile devices.
  • How changes in AI can better protect the enterprise through mobile device access.

Speakers:
Paddy Harrington, Senior Analyst, Forrester

Identity & Fraud
A Customer's Journey to Passwordless Authentication

Given that so many data breaches relate to authentication issues or theft, organizations are under pressure to enhance existing employee authentication methods. The hardware token or app-centric push notification methods are no longer foolproof, which is why many organizations are actively migrating from their existing multi-factor authentication approaches to methods like passwordless that are phishing resistant and improve security without impeding the user experience. Join this session to hear how a well-esteemed customer migrated their entire workforce to passwordless authentication.

Cloud & Application Security
Decoding The API Security Market To Secure Your Applications

Organizations are investing heavily in building API-based microservices architectures and slaying monolithic architectures. Regulation- and API-related security breaches have focused attention on securing APIs, a long-neglected practice. Security leaders are being bombarded with a confusing raft of API security vendors all promising the land of milk and honey if you buy their product. In this session, attendees will:

  • Gain a capability framework to use to evaluate API security providers.
  • Learn about how the API security market will develop to future-proof your purchases.
  • Learn the eight API security practices you need to implement in your organization.

Speakers:
Madelein van der Hout, Senior Analyst, Forrester

2:15 pm – 2:45 pm ET

Case Study Sessions (In-Person Only)

Hear real-world case studies showcasing the value of partnering with the right security and risk provider.

2:45 pm – 3:15 pm ET

Keynote: The Human Element

Ask almost anyone in security, and they’ll tell you that the missing silver bullet to solve anything relating to human element breaches is security awareness and training. They also say (without any proof) that training improves the outcomes of these breaches. Not the rebels and innovators! They long ago recognized the various downfalls of compliance-driven, one-size-fits-all, often perfunctory training. And they have chosen to play bigger. Cue human risk management – the evidence-based art and science of positively influencing cybersecurity behavior and instilling a security culture. Join us for this keynote to examine the fundamental mindset, process, and technology shift that is occurring, and how you too can, and should, lead this movement.

  • Challenge traditional security training and awareness: Recognize the limitations of conventional security awareness programs and the need for a more tailored approach to addressing human element breaches. 
  • Embrace human risk management: Embrace the evidence-based practice of human risk management to positively influence cybersecurity behavior and foster a strong security culture within your organization. 
  • Lead the change: Be a part of the fundamental shift in mindset, process, and technology to spearhead the movement towards effective human risk management in cybersecurity. 

Speakers:
Jinan Budge, VP, Principal Analyst, Forrester

3:15 pm – 3:20 pm ET

Closing Remarks


Security & Risk Summit · December 9 – 11, 2024 · Baltimore & Digital